
Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection #19425

Closed

Conversation

0x45dd

@0x45dd 0x45dd commented Aug 27, 2024

This module exploits a command injection vulnerability in the Cypress Solutions CTM-200 version 2.7.1.
By injecting commands via the fw_url POST parameter in the ctm-config-upgrade.sh script, an attacker can execute arbitrary commands as the root user.


@jheysel-r7 jheysel-r7 left a comment


Hey @0x45dd, thank you so much for the module contribution!

I took a quick look at the code and left a couple of quick comments, although there are a couple of things I've noticed about the PR itself that need addressing first:

I think you may have accidentally included a couple extra files from your data/exploits/ directory. If you could remove those that would be appreciated.
I noticed you forked the metasploit-framework repository which is great but you've submitted a PR from your master branch - we'll need you to resubmit the module from a unique branch from your own fork.
The Linting tests are failing and there's no documentation file included with the module. I'll add some labels to this PR which will auto generate some responses and guide you through how to address those issues.

Thanks again for the PR and if you have any questions please don't hesitate to ask.

Comment on lines +44 to +46
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
}

When looking up this device I noticed:

The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor.
The ARM Cortex-A8 is a 32-bit processor core licensed by ARM Holdings implementing the ARMv7-A architecture.

The linux/x86/meterpreter/reverse_tcp payload has an Arch of ARCH_X86.

In the module you've defined the only supported Arch to be ARCH_CMD so I don't think this would run as is.

You'd likely want to keep ARCH_CMD defined and find a CMD based payload that is supported by the device. Then if you also want to include a Linux Dropper payload which would make use of the included Msf::Exploit::CmdStager mixin you would want to define that target to use one of our ARM based meterpreter payloads.

Comment on lines +53 to +55
OptString.new('RHOST', [true, 'The target address']),
OptString.new('LHOST', [true, 'The local host for reverse shell']),
OptString.new('LPORT', [true, 'The local port for reverse shell'])

These datastore options don't need to be explicitly defined here. The payload the user selects will include them if necessary.

Suggested change
OptString.new('RHOST', [true, 'The target address']),
OptString.new('LHOST', [true, 'The local host for reverse shell']),
OptString.new('LPORT', [true, 'The local port for reverse shell'])


register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the vulnerable application', '/cgi-bin/webif/ctm-config-upgrade.sh']),

The TARGETURI option is used in a slightly different way. If the user installs the application in a directory like: /cypress and the vulnerable endpoint then becomes /cypress/cgi-bin/webif/ctm-config-upgrade.sh - the TARGETURI option is then used to account for the non-standard installation directory and would be set to /cypress.

In this case the default value can be set to / and then the vulnerable endpoint can be moved down to the send_request_cgi statement.

# Send the POST request to the target
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),

Suggested change
'uri' => normalize_uri(target_uri.path),
'uri' => normalize_uri(target_uri.path, '/cgi-bin/webif/ctm-config-upgrade.sh'),
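The two review comments above describe how TARGETURI should act as an install prefix that is joined with the fixed endpoint path. The following Ruby is an added illustration, not code from this PR or from Metasploit: `join_uri` is a hypothetical, minimal stand-in for the framework's `normalize_uri` helper, written here only so the composition can be run stand-alone and so the slash-handling edge cases (a bare `/` default, a prefix with or without trailing slash, a prefix with no leading slash) are visible.

```ruby
# Added example, not part of the PR or the Metasploit framework.
# join_uri is a hypothetical re-implementation of the idea behind
# Msf::Exploit::Remote::HttpClient#normalize_uri: join path segments
# into one absolute path and collapse any repeated slashes.
def join_uri(*segments)
  path = segments.map(&:to_s).join('/')
  path = '/' + path unless path.start_with?('/')
  path.gsub(%r{/+}, '/')
end

# The fixed vulnerable endpoint from the review comment; it no longer
# lives in the TARGETURI default, which becomes a plain install prefix.
ENDPOINT = '/cgi-bin/webif/ctm-config-upgrade.sh'.freeze

# Build the request path from the user-supplied TARGETURI prefix.
def request_path(target_uri)
  join_uri(target_uri, ENDPOINT)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample prefixes covering the default and a non-standard install.
  ['/', '/cypress', '/cypress/', 'cypress'].each do |prefix|
    puts "TARGETURI=#{prefix.inspect} -> #{request_path(prefix)}"
  end
end
```

With the default `/`, the result is the endpoint unchanged; with `/cypress` (with or without a trailing slash) the endpoint is nested under the prefix, which is exactly the behaviour the reviewer asks the module to rely on instead of hard-coding the full path in the option default.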

@jheysel-r7 jheysel-r7 added the needs-unique-branch The pull request must not be from the master branch label Aug 27, 2024

Thanks for your pull request! We require for all contributed code to come from a unique branch in your repository before it can be merged.

Please create a new branch in your fork of framework and resubmit this from that branch.

If you are using Git on the command line that may look like:

# Checkout the master branch
git checkout master

# Create a new branch for your feature
git checkout -b <BRANCH_NAME>

# Add your new files
git add modules/my-cool-new-module

# Commit your changes with a relevant message
git commit

# Push your changes to GitHub
git push origin <BRANCH_NAME>

# Now browse to the following URL and create your pull request!
# - https://github.com/rapid7/metasploit-framework/pulls

This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.

Please do resubmit from a unique branch, we greatly value your contribution! 🎉

@github-actions github-actions bot closed this Aug 27, 2024
@jheysel-r7 jheysel-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Aug 27, 2024

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.


Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@jheysel-r7

Hey @0x45dd,

I forgot that by adding the needs-unique-branch label it would automatically close the PR. Don't be alarmed, we still would love to have this module added to the framework. Please work through the suggestions added by the github-actions bot above and let me know if you have any questions.

Labels: needs-docs, needs-linting (The module needs additional work to pass our automated linting rules), needs-unique-branch (The pull request must not be from the master branch)