New Module: codoforum_rce_authenticated

modules/vulnerabilities/unix/http/codoforum_rce_authenticated/codoforum_rce_authenticated.pp

@@ -0,0 +1,11 @@
+# begining of puppet code execution
+#force sequential install -> apache -> configure ordering
+
+contain codoforum_rce_authenticated::install
+contain codoforum_rce_authenticated::apache
+contain codoforum_rce_authenticated::mysql
+contain codoforum_rce_authenticated::configure
+Class['codoforum_rce_authenticated::install'] ->
+Class['codoforum_rce_authenticated::apache'] ->
+Class['codoforum_rce_authenticated::mysql']->
+Class['codoforum_rce_authenticated::configure'] 

modules/vulnerabilities/unix/http/codoforum_rce_authenticated/manifests/apache.pp

@@ -0,0 +1,66 @@
+class codoforum_rce_authenticated::apache {
+	#secgen parameters commented out and hardcode inputs used for testing
+	##$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+	$port = '80' ##$secgen_parameters['port'][0]
+	$docroot = '/var/www/html/codoforum'
+	$releasename = 'codoforum-v-5-1'
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+
+	class { '::apache':
+		default_vhost => false,
+		default_mods => ['rewrite'],
+		overwrite_ports => false,
+		mpm_module => 'prefork'	
+	} 
+	exec { 'codoforum':
+		cwd => '/usr/local/src',
+		command => "unzip ${releasename}.zip -d $docroot",
+		creates => "$docroot",
+		notify => Exec['chown-codoforum']
+	} 
+	exec { 'chown-codoforum':
+		command => "chown www-data. /var/www/html -R",
+		notify => Exec['chown-codoforum-permissions']
+	}
+	exec { 'chown-codoforum-permissions':
+		command => "chown 755 /var/www/html -R"
+	} ->
+	::apache::vhost { 'www-codoforum':
+		port    => $port,
+		docroot => $docroot
+	} 
+
+	file{ 'remove-default-index':
+		path => '/var/www/html/index.html',
+		ensure => absent,
+		require => Class['::apache']
+    }
+	file{ 'remove-apache2-default-page-enabled':
+		path => '/etc/apache2/sites-enabled/000-default.conf',
+		ensure => absent,
+		require => Class['::apache']
+    }
+
+	file{ 'remove-apache2-default-page-available':
+		path => '/etc/apache2/sites-available/000-default.conf',
+		ensure => absent,
+		require => Class['::apache']
+    }
+
+
+	exec { 'restart-apache-codoforum':
+		command => 'systemctl restart apache2',
+		logoutput => true,
+		notify => Exec['wait-apache-codoforum']
+	}
+	exec { 'wait-apache-codoforum':
+		command => 'sleep 4',
+		logoutput => true
+	}
+
+
+
+
+
+}

modules/vulnerabilities/unix/http/codoforum_rce_authenticated/manifests/configure.pp

@@ -0,0 +1,29 @@
+class codoforum_rce_authenticated::configure {
+	#secgen parameters commented out and hardcode inputs used for testing
+	##$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+	$leaked_filenames = ["flagtest"] ##$secgen_parameters['leaked_filenames']
+	$strings_to_leak = ["this is a list of strings that are secrets / flags","another secret"] ##$secgen_parameters['strings_to_leak']
+	$strings_to_pre_leak =  ["The username is admin", "The password is password"] ##$secgen_parameters['strings_to_pre_leak']
+	$web_pre_leak_filename = "TODO" ##$secgen_parameters['web_pre_leak_filename'][0]  
+
+	# sets the default paths to use
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+  	#remove install folder
+	file{ 'remove-codoforum-install':
+		path => '/var/www/html/codoforum/install',
+		ensure => absent,
+		recurse => true,
+		force   => true
+    }
+
+#   ::secgen_functions::leak_files { 'codoforum-flag-leak':
+#     	storage_directory => '/var/www/html/codoforum/cf-content/tmp',
+#     	leaked_filenames  => $leaked_filenames,
+#     	strings_to_leak   => $strings_to_leak,
+#     	owner             => 'www-data',
+#     	mode              => '0750',
+#     	leaked_from       => 'codoforum_rce_authenticated',
+#   }
+
+
+}

modules/vulnerabilities/unix/http/codoforum_rce_authenticated/manifests/install.pp

@@ -0,0 +1,17 @@
+class codoforum_rce_authenticated::install {
+	$releasename = 'codoforum-v-5-1'
+
+
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+	# install dependencies
+	ensure_packages(['php-xml','php-gd','php.mbstring','php-json','libapache2-mod-php','php','mariadb-server','php-mysqli'])
+
+    # copy and unzip archive
+	file { "/usr/local/src/$releasename.zip" :
+		ensure => file,
+		source => "puppet:///modules/codoforum_rce_authenticated/$releasename.zip",
+	} 
+
+
+}

modules/vulnerabilities/unix/http/codoforum_rce_authenticated/manifests/mysql.pp

@@ -0,0 +1,60 @@
+class codoforum_rce_authenticated::mysql{
+	#install mysql using module
+	#secgen parameters commented out and hardcode inputs used for testing
+	$docroot = '/var/www/html/codoforum'
+	$db_password = 'db_password' ##$secgen_parameters['db_password'][0]
+	$db_admin = 'db_admin' ##$secgen_parameters['db_admin'][0]
+	$db_name = 'codoforum'##$secgen_parameters['db_name'][0]
+	$db_driver='mysql'
+	$db_host= 'localhost' 
+	$uid = fqdn_uuid('localhost.com')
+	$secret = fqdn_uuid($::fqdn)
+	##$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+	##$secgen_parameters['organisation'][0]
+	$raw_org = '{"business_name":"Artisan Bakery","business_motto":"The loaves are in the oven.","business_address":"1080 Headingley Lane, Headingley, Leeds, LS6 1BN","domain":"artisan-bakery.co.uk","office_telephone":"0113 222 1080","office_email":"[email protected]","industry":"Bakers","manager":{"name":"Maxie Durgan","address":"1080 Headingley Lane, Headingley, Leeds, LS6 1BN","phone_number":"07645 289149","email_address":"[email protected]","username":"maxie","password":""},"employees":[{"name":"Matthew Riley","address":"1080 Headingley Lane, Headingley, Leeds, LS6 1BN","phone_number":"07876 518651","email_address":"[email protected]","username":"matt","password":""},{"name":"Emelie Lowe","address":"1080 Headingley Lane, Headingley, Leeds, LS6 1BN","phone_number":"07560 246931","email_address":"[email protected]","username":"emelie","password":""},{"name":"Antonio Durgan","address":"1080 Headingley Lane, Headingley, Leeds, LS6 1BN","phone_number":"07943 250930","email_address":"[email protected]","username":"antonio","password":""}],"product_name":"Baked goods","intro_paragraph":["Finest bakery in Headingley since 1900. Baked fresh daily. Bread loaves, teacakes, sweet and savoury treats. We are open from 9 am til 6 pm, every day except for bank holidays."]}'
+	if $raw_org and $raw_org != '' {
+		$organisation = parsejson($raw_org)
+	}
+	if $organisation and $organisation != '' {
+		$business_name = $organisation['business_name']
+		$business_motto = $organisation['business_motto']
+		$manager_profile = $organisation['manager']
+		$business_address = $organisation['business_address']
+		$office_telephone = $organisation['office_telephone']
+		$office_email = $organisation['office_email']
+		$industry = $organisation['industry']
+		$product_name = $organisation['product_name']
+		$employees = $organisation['employees']
+		$intro_paragraph = $organisation['intro_paragraph']
+	}
+	$website_theme = '2k18'##$secgen_parameters['website_theme'][0]
+	$known_username = "known_username" ##$secgen_parameters['known_username'][0]
+	$known_password = "known_password" ##$secgen_parameters['known_password'][0]
+	$known_email = "[email protected]" ##$secgen_parameters['known_email'][0]
+
+	# sets the default paths to use
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+
+	file { '/usr/local/src/codoforum_tables.sql' :
+		 ensure => present,
+		 content  => template('codoforum_rce_authenticated/codoforum_tables.sql.erb'),
+    }->
+	mysql::db { 'cf_database':
+		user     => $db_admin,
+		password => $db_password,
+		dbname   => $db_name,
+		host     => $db_host,
+		grant    =>  ['ALL'],
+		sql => ['/usr/local/src/codoforum_tables.sql'],
+   }
+   #update config file
+   file { "${docroot}/sites/default/config.php":
+		ensure  => present,
+		content  => template('codoforum_rce_authenticated/config.php.erb')
+   }
+
+
+
+
+}

modules/vulnerabilities/unix/http/codoforum_rce_authenticated/secgen_metadata.xml

@@ -0,0 +1,130 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>CodoForum v5.1 - Remote Code Execution (RCE) - Authenticated Vulnerabilty</name>
+  <author>Sofia Markusfeld</author>
+  <module_license>Creative Commons Attribution-NoDerivs 3.0 Unported License</module_license>
+  <description>Codoforum v5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel.  </description>
+
+  <type>remote</type>
+  <type>in_the_wild</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>organisation</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+  <read_fact>known_username</read_fact>
+  <read_fact>known_password</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+  <read_fact>web_pre_leak_filename</read_fact>
+
+  <default_input into="port">
+    <value>80</value>
+  </default_input>
+
+  <default_input into="organisation">
+    <generator type="realistic_organisation" />
+  </default_input>
+
+  <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator"/>
+  </default_input>
+
+  <!-- these details need to be known or bruteforced to successful exploit the service -->
+  <!-- By default the username is admin, but it can be something else, so long as they can easily guess it (for example leak it to them) -->
+  <default_input into="known_username">
+		<!-- <generator type="random_sanitised_word">
+			<input into="wordlist">
+				<value>admin_name</value>
+			</input>
+		</generator> -->
+    <value>admin</value>
+  </default_input>
+
+  <default_input into="known_password">
+    <generator type="weak_password_generator" />
+  </default_input>
+
+  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden content or hosted files -->
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <!-- ideally something found by dirbuster -->
+  <default_input into="web_pre_leak_filename">
+    <generator type="random_sanitised_word">
+			<input into="wordlist">
+				<value>www_buster_filename</value>
+			</input>
+		</generator>
+  </default_input>
+
+  <!--optional vulnerability details-->
+  <!-- image upload vuln -->
+  <cve>CVE-2019-16113</cve>
+  <!-- bruteforce vuln -->
+  <cve>CVE-2019-17240</cve>
+
+  <cvss_base_score>9</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:S/C:C/I:C/A:C</cvss_vector>
+  <reference>https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/bludit_upload_images_exec.rb</reference>
+  <reference>https://github.com/bludit/bludit/issues/1081</reference>
+  <software_name>bludit</software_name>
+  <software_license>MIT</software_license>
+
+
+  <!--optional hints-->
+  <msf_module>exploit/linux/http/bludit_upload_images_exec</msf_module>
+  <hint>Visit the webapp in a browser at: ip:80/bludit </hint>
+
+  <!-- can't live alongside other web sites, since it accepts any virtual host name -->
+  <conflict>
+    <type>webapp</type>
+  </conflict>
+
+  <requires>
+    <module_path>.*apache.*compatible.*</module_path>
+  </requires>
+
+  <requires>
+    <module_path>.*php.*compatible.*</module_path>
+  </requires>
+
+  <!-- CyBOK metadata - related security concepts / knowledge required -->
+  <CyBOK KA="WAM" topic="Fundamental Concepts and Approaches">
+    <keyword>authentication</keyword>
+    <keyword>passwords and alternatives</keyword>
+  </CyBOK>
+  <CyBOK KA="AAA" topic="Authentication">
+    <keyword>user authentication</keyword>
+    <keyword>BRUTEFORCE</keyword>
+  </CyBOK>
+
+  <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+    <keyword>server-side misconfiguration and vulnerable components</keyword>
+    <keyword>FILE UPLOAD VULNERABILITY</keyword>
+  </CyBOK>
+  <CyBOK KA="MAT" topic="Attacks and exploitation">
+    <keyword>EXPLOITATION</keyword>
+    <keyword>EXPLOITATION FRAMEWORKS</keyword>
+  </CyBOK>
+  <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+    <keyword>CVEs and CWEs</keyword>
+  </CyBOK>
+  <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+    <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+    <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+  </CyBOK>
+
+</vulnerability>