Merge pull request #248 from JD2344/linuxki_rce

Add LinuxKI RCE exploit
2026-02-21 11:18:06 +00:00 · 2023-04-04 10:54:32 +01:00
parent 02a9eb935c b3c0820572
commit 46a4af09f6
7 changed files with 191 additions and 0 deletions
--- a/modules/vulnerabilities/unix/http/linuxki_rce/files/linuxki_6.0-1_all.deb
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/files/linuxki_6.0-1_all.deb
--- a/modules/vulnerabilities/unix/http/linuxki_rce/linuxki_rce.pp
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/linuxki_rce.pp
@@ -0,0 +1,6 @@
+contain linuxki_rce::install
+contain linuxki_rce::apache
+contain linuxki_rce::configure
+Class['linuxki_rce::install']
+-> Class['linuxki_rce::apache']
+-> Class['linuxki_rce::configure']
--- a/modules/vulnerabilities/unix/http/linuxki_rce/manifests/apache.pp
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/apache.pp
@@ -0,0 +1,58 @@
+# Class: linuxki::apache
+# Apache configuration for linuxki
+#
+class linuxki_rce::apache {
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $port = $secgen_parameters['port'][0]
+
+  file { '/etc/apache2/sites-enabled/000-default.conf':
+    ensure => absent,
+  }
+
+  class { '::apache':
+    default_vhost   => false,
+    default_mods    => ['rewrite'], # php5 via separate module
+    overwrite_ports => false,
+    mpm_module      => 'prefork',
+  }
+  -> ::apache::vhost { 'linuxki':
+    port        => $port,
+    options     => 'FollowSymLinks',
+    override    => 'All',
+    docroot     => '/opt/',
+    directories => [{
+      path  => '/opt/',
+      allow => 'from all',
+    },{
+      path  => '/opt/linuxki/',
+      allow => 'from all',
+    }],
+  }
+
+  $dirmatch = '<Directory /var/www/>
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
+  </Directory>
+  
+  <Directory /opt/>
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
+  </Directory>'
+
+  # ugly way to append to the file... clean up potentially?
+  exec { 'append-directories':
+    command   => "grep -qE '<Directory (\/opt\/)>|<Directory (\/var\/www\/)>' /etc/apache2/apache2.conf && echo '' || echo \"${dirmatch}\" | sudo tee -a /etc/apache2/apache2.conf",
+  }
+  # restart apache
+  -> exec { 'restart-apache-linuxki':
+    command   => 'service apache2 restart',
+    logoutput => true
+  }
+  -> exec { 'wait-apache-linuxki':
+    command => 'sleep 4',
+  }
+}
--- a/modules/vulnerabilities/unix/http/linuxki_rce/manifests/configure.pp
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/configure.pp
@@ -0,0 +1,29 @@
+# Class: linuxki_rce::configure
+# LinuxKI configuration
+#
+class linuxki_rce::configure {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+
+  $user = $secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  # Create user
+  user { $user:
+    ensure     => present,
+    home       => $user_home,
+    managehome => true,
+  }
+
+  ::secgen_functions::leak_files { 'linuxki-flag-leak':
+    storage_directory => $user_home,
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => $user,
+    mode              => '0644',
+    leaked_from       => 'linuxki_rce',
+  }
+}
--- a/modules/vulnerabilities/unix/http/linuxki_rce/manifests/install.pp
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/install.pp
@@ -0,0 +1,19 @@
+# Class: linuxki_rce::install
+# Install process for linuxKI toolkit
+#
+class linuxki_rce::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  # Maybe automate linux-headers to use uname -r?
+  ensure_packages(['make', 'elfutils', 'php', 'linux-headers-4.19.0-21-amd64'])
+
+  file { '/tmp/linuxki_6.0-1_all.deb':
+    ensure => file,
+    source => 'puppet:///modules/linuxki_rce/linuxki_6.0-1_all.deb',
+  }
+  -> package { 'linuxki':
+    ensure   => installed,
+    provider => dpkg,
+    source   => '/tmp/linuxki_6.0-1_all.deb'
+  }
+}
--- a/modules/vulnerabilities/unix/http/linuxki_rce/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/secgen_metadata.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>LinuxKI Toolset 6.01 Remote Command Execution</name>
+  <author>James Davis</author>
+  <module_license>MIT</module_license>
+  <description>
+    This module exploits a vulnerability in LinuxKI Toolset 6.01 and below which allows
+    remote code execution.
+    The kivis.php pid parameter received from the user is sent to the shell_exec function,
+    resulting in security vulnerability.
+  </description>
+
+  <type>web</type>
+  <type>in_the_wild</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+
+  <default_input into="port">
+    <generator module_path=".*/random_unregistered_port" />
+  </default_input>
+
+  <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="flag_generator" />
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator" />
+  </default_input>
+
+  <default_input into="leaked_username">
+    <generator type="username_generator" />
+  </default_input>
+
+  <!--optional
+  vulnerability details-->
+  <cve>CVE-2020-7209</cve>
+  <cvss_base_score>9.8</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/linuxki_rce.rb</reference>
+  <reference>https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1</reference>
+  <software_name>LinuxKI</software_name>
+  <software_license>GNU GPLv2</software_license>
+
+  <requires>
+    <type>update</type>
+  </requires>
+
+  <requires>
+    <module_path>.*apache.*compatible.*</module_path>
+  </requires>
+
+</vulnerability>
--- a/scenarios/examples/vulnerability_examples/linuxki_rce.xml
+++ b/scenarios/examples/vulnerability_examples/linuxki_rce.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <system>
+        <system_name>linuxki</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/linuxki_rce" />
+
+        <network type="private_network" range="dhcp" />
+    </system>
+
+</scenario>