
Add exploit for CVE-2020-11853: Micro Focus Multiple Products Authenticated Remote Code Execution #14671

Merged (12 commits), Feb 9, 2021

Conversation


@pedrib pedrib commented Jan 28, 2021

This module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products:

  • Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
  • Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3
  • Data Center Automation version 2019.11
  • Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
  • Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
  • Hybrid Cloud Management version 2020.05
  • Service Management Automation versions 2020.5 and 2020.02

Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows.
Authentication is required: the module user needs to log in to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module.
Any authenticated user can exploit this vulnerability, even the lowest privileged ones.

The exploit uses a modified ysoserial c3p0 payload. The only part that is modified is that c3p0 is built using version 0.9.1.2, so that the serialVersionUID of the target is the same as the exploit's. This can be achieved by patching ysoserial's pom.xml.

This module was only tested with Operations Bridge Manager 2020.05. It should work as is with earlier Operations Bridge Manager versions, but it might require small modifications (to the cookie name or vulnerable URI) for the other affected products. However, it is equally likely that it works out of the box with the other products, as HPE / Micro Focus is well known for re-using (vulnerable) code.

For more information refer to the advisory link:

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. use exploit/multi/http/microfocus_obm_auth_rce
  4. set rhost TARGET
  5. set lhost YOUR_IP
  6. set srvhost YOUR_IP
  7. set lwsso_cookie_key AUTHENTICATED_COOKIE
  8. run
  9. You should get a shell.

As in PR #14654, it might be hard for you to get a vulnerable version of the product. I have pcaps ready for Linux and Windows, let me know if you need them, but if you could test them and confirm my results that would be awesome.

This module has been tested on both Linux and Windows and it works perfectly.
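The PR body notes that the ysoserial c3p0 gadget had to be rebuilt so its serialVersionUID matched the target's, and the reviewer triaged PCAPs of the exchange. As an added example (not the module's code, using a constructed sample stream and made-up class names rather than any Micro Focus class), here is a defender-side check that reads the class descriptors at the head of a captured serialized Java object and flags classes outside an expected set or with a serialVersionUID that does not match, the same mismatch that makes the JVM reject a payload that was not tailored to the target.

```python
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 5          # java.io.ObjectStreamConstants
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78

def _utf(buf, pos):
    """Read a 2-byte-length-prefixed modified-UTF-8 string; return (text, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _class_desc(buf, pos):
    """Parse one TC_CLASSDESC; return (class_name, serialVersionUID, next_pos)."""
    name, pos = _utf(buf, pos + 1)                      # skip the TC_CLASSDESC tag
    (suid,) = struct.unpack_from(">q", buf, pos)        # serialVersionUID, signed 64-bit
    (nfields,) = struct.unpack_from(">H", buf, pos + 9)  # after 8-byte UID + 1-byte flags
    pos += 11
    for _ in range(nfields):
        typecode = chr(buf[pos])
        _, pos = _utf(buf, pos + 1)                     # field name
        if typecode in "L[":                            # object/array field: TC_STRING + type name
            _, pos = _utf(buf, pos + 1)
    if buf[pos] != TC_ENDBLOCKDATA:                     # non-empty class annotations not handled
        raise ValueError("unsupported class annotation at offset %d" % pos)
    return name, suid, pos + 1

def declared_classes(stream):
    """Return [(class_name, serialVersionUID), ...] for the first object's class chain."""
    if struct.unpack_from(">HH", stream, 0) != (STREAM_MAGIC, STREAM_VERSION) or stream[4] != TC_OBJECT:
        raise ValueError("not a Java serialization stream starting with TC_OBJECT")
    chain, pos = [], 5
    while stream[pos] == TC_CLASSDESC:                  # the class, then each superclass
        name, suid, pos = _class_desc(stream, pos)
        chain.append((name, suid))
    return chain                                        # stops at TC_NULL (0x70) or a back-reference

def audit(stream, expected):
    """Flag classes absent from `expected` ({name: serialVersionUID}) or with a mismatched UID."""
    findings = []
    for name, suid in declared_classes(stream):
        if name not in expected:
            findings.append("unexpected class %s" % name)
        elif expected[name] != suid:
            findings.append("serialVersionUID mismatch for %s: %d != %d" % (name, suid, expected[name]))
    return findings

# Constructed sample: com.example.Widget (one int field, value 7) extending com.example.Base.
SAMPLE = (b"\xac\xed\x00\x05\x73\x72\x00\x12com.example.Widget" + struct.pack(">q", 0x1122334455667788)
          + b"\x02\x00\x01I\x00\x05count\x78\x72\x00\x10com.example.Base" + struct.pack(">q", 42)
          + b"\x02\x00\x00\x78\x70\x00\x00\x00\x07")
```

Run `audit(blob, expected)` over the first serialized object of a captured request; an empty list means every class in the chain is known and carries the UID the target's jar would accept.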

@pedrib pedrib changed the title Obm Add exploit for CVE-2020-11853: Micro Focus Multiple Products Authenticated Remote Code Execution Jan 28, 2021

pedrib commented Jan 30, 2021

Tested on 2019.11 too, working!

@cdelafuente-r7 cdelafuente-r7 self-assigned this Feb 3, 2021
@cdelafuente-r7

Thanks @pedrib for this contribution! As you mentioned, I don't think we can get a vulnerable version of the product. Would you mind sending the PCAPs to msfdev [at] metasploit [.] com? Thanks!


pedrib commented Feb 6, 2021

@cdelafuente-r7 all done!


pedrib commented Feb 7, 2021

@cdelafuente-r7 I tried sending it to you, but Google blocks me from sending (from my Gmail) and you from receiving (if I send over any other email address). What's the alternative?

@cdelafuente-r7

@pedrib, what errors did you receive? I'm wondering if Gmail is getting stricter with attachments... If it is a content issue, maybe just compressing/encrypting would work. If it is a size issue (>25MB), would it be possible to send a Google Drive link (or any other cloud service)?


pedrib commented Feb 8, 2021

@cdelafuente-r7 sent you a gdrive link with an encrypted file, let me know if you can get it.

@cdelafuente-r7

@pedrib, perfect, I got the PCAPs. Thank you!


@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks @pedrib! It looks good to me. I just left a few minor comments regarding the documentation and the two vulnerable URIs.

I also reviewed the PCAPs and, even if SSL is enabled for the first query, I verified the remote loading of Java classes over HTTP.


pedrib commented Feb 9, 2021

All done, thanks for reviewing! I am going to push another module soon, the next one is a local LPE for Windows.

@cdelafuente-r7

Thanks for making these changes @pedrib! Everything looks good now. I'll go ahead and land it.

@cdelafuente-r7 cdelafuente-r7 merged commit 85b7e85 into rapid7:master Feb 9, 2021

cdelafuente-r7 commented Feb 9, 2021

Release Notes

New module exploits/multi/http/microfocus_obm_auth_rce leverages an insecure Java deserialization vulnerability in multiple Micro Focus products to achieve remote code execution as the root user (on Linux) or the SYSTEM user (on Windows). Initial authentication is required, but any low-privileged user can be used to successfully run this exploit.


pedrib commented Feb 10, 2021

Thank you!

@pedrib pedrib deleted the obm branch February 10, 2021 06:18
@agalway-r7 agalway-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 12, 2021