Analysis of CVE 2020 7350

Faraday Team
Jun 1, 2020

Introduction

In the previous months, our team has been working on a Metasploit plugin to integrate it with Faraday. The plugin, named faraday_bridge, synchronizes information about hosts, services and vulnerabilities between both tools. It would be available to the public in a short period of time, I guess. 🐌

We looked at libnotify for inspiration and accidentally found a bug.

The vulnerable plugin is not enabled by default, so only users who have loaded the libnotify plugin could be exploited, but we wrote the exploit just for fun.

What is libnotify?

libnotify is a plugin that displays a message through the system notification bar to inform us about newly detected hostnames or services, e.g.

Vulnerability details

As we said, this plugin reports discovered hosts or services through the system bar. To achieve this, it registers several callbacks that are triggered when a new host or service is recognized:

The 4th line loads @bin with the full path of the notify-send binary, and the last one adds an event subscriber for database messages.

If the current workspace detects or modifies any information about hosts or services, the following chunk is executed:

Last but not least, we have notify_send, which performs a system call executing the notify-send binary without any check against command injection:

and the window appears:

If we tamper with the host or service name, we are able to inject commands and execute whatever we want through that system call.
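As an added illustration (not the plugin's own code, and not the fix that was merged), the Ruby sketch below places the unsafe interpolated command string beside two hardened forms: an argv-style call that never touches a shell, and Shellwords escaping when a single string is unavoidable. It also includes a hypothetical check an importer could run on incoming names before they reach any command line; the service name, the function names and the `dry_run` flag are constructed assumptions.

```ruby
require 'shellwords'

# Constructed sample: a service name as a tampered import could supply it.
TAMPERED_NAME = 'http; ls'.freeze

# Shell metacharacters an importer can flag before a name reaches a command
# line (hypothetical check, not part of Metasploit).
SHELL_META = /[;&|`$()<>\\'"\n]/.freeze

def suspicious_name?(name)
  !!(name =~ SHELL_META)
end

# Unsafe pattern: one interpolated string is handed to /bin/sh, so the ';'
# inside the name terminates notify-send and starts a second command.
def notify_cmd_unsafe(title, body)
  "notify-send #{title} #{body}"
end

# Hardened form 1: argv array. Kernel#system with several arguments execs
# the binary directly and never consults a shell, so the name stays one arg.
def notify_argv(title, body)
  ['notify-send', title.to_s, body.to_s]
end

# Hardened form 2: if a single string is needed (e.g. for logging), escape
# each argument so the shell treats it as literal text.
def notify_cmd_escaped(title, body)
  "notify-send #{Shellwords.escape(title.to_s)} #{Shellwords.escape(body.to_s)}"
end

# dry_run returns the argv instead of executing, so it can run offline.
def send_notification(title, body, dry_run: true)
  argv = notify_argv(title, body)
  return argv if dry_run
  system(*argv)
end

if __FILE__ == $PROGRAM_NAME
  puts "suspicious: #{suspicious_name?(TAMPERED_NAME)}"
  puts "unsafe:     #{notify_cmd_unsafe('Msf', TAMPERED_NAME)}"
  puts "escaped:    #{notify_cmd_escaped('Msf', TAMPERED_NAME)}"
  p notify_argv('Msf', TAMPERED_NAME)
end
```

Splitting each string with Shellwords.split shows the difference: the unsafe string yields four tokens with the injected command separated out, while the escaped string and the argv form keep the whole name as a single argument.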

Unfortunately, there is no easy way to do that, because most of this information is derived from fingerprinting. But we can exploit it if we import the names from another tool.

The following XML is an nmap scan of 192.168.20.121 with the service name manipulated:

The poisoned string is in the 9th line:

We append an ls command to the original command, and it is fired after the import:

Limitations

The Metasploit payloads available for command injection are:

Most of them are base64-encoded, for example:

Those payloads can't run successfully because the XML parser used by Metasploit, Nokogiri, decodes the payload as lower case. To overcome this, we wrapped the payload in a Python one-liner:

Now we are able to run payloads containing upper and lower case characters alike.

Pwning Metasploit with Metasploit

We made a pull request fixing the vulnerability and also delivering the fileformat module to exploit it, so now we can own Metasploit with Metasploit:

In the following video, we have a scenario with a victim and an attacker machine, triggering the vulnerability with a reverse shell payload.

Javier Aguinaga from Faraday Team

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://www.instagram.com/faradaysec/
https://www.linkedin.com/company/faradaysec