automatic module_metadata_base.json update

rapid7 · Nov 28, 2024 · f2e5dd6 · f2e5dd6
1 parent caa483a
commit f2e5dd6
Showing 1 changed file with 63 additions and 0 deletions.
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -96055,6 +96055,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/acronis_cyber_protect_unauth_rce_cve_2022_3405": {
+    "name": "Acronis Cyber Protect/Backup remote code execution",
+    "fullname": "exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-08",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <[email protected]>",
+      "Sandro Tolksdorf of usd AG."
+    ],
+    "description": "Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,\n          compute, storage and application resources. Businesses and Service Providers are using it\n          to protect and backup all IT assets in their IT environment.\n          The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous\n          registration of new protect/backup agents on new endpoints. This API endpoint also\n          generates bearer tokens which the agent then uses to authenticate to the appliance.\n          As the management web console is running on the same port as the API for the agents, this\n          bearer token is also valid for any actions on the web console. This allows an attacker\n          with network access to the appliance to start the registration of a new agent, retrieve a\n          bearer token that provides admin access to the available functions in the web console.\n\n          The web console contains multiple possibilities to execute arbitrary commands on both the\n          agents (e.g., via PreCommands for a backup) and also the appliance (e.g., via a Validation\n          job on the agent of the appliance). These options can easily be set with the provided bearer\n          token, which leads to a complete compromise of all agents and the appliance itself.\n\n          You can either use the module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`\n          to collect target info for exploitation in this module. Or just run this module standalone and\n          it will try to exploit the first online endpoint matching your target and payload settings\n          configured at the module.\n\n          Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and\n          Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.",
+    "references": [
+      "CVE-2022-3405",
+      "URL-https://herolab.usd.de/security-advisories/usd-2022-0008/",
+      "URL-https://attackerkb.com/topics/WVI3r5eNIc/cve-2022-3405"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 9877,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command",
+      "Windows Command"
+    ],
+    "mod_time": "2024-11-28 08:57:21 +0000",
+    "path": "/modules/exploits/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405.rb",
+    "is_install_path": true,
+    "ref_name": "multi/acronis_cyber_protect_unauth_rce_cve_2022_3405",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/browser/adobe_flash_hacking_team_uaf": {
     "name": "Adobe Flash Player ByteArray Use After Free",
     "fullname": "exploit/multi/browser/adobe_flash_hacking_team_uaf",