
Adds auxiliary module for Pretalx File Read (CVE-2023-28459) #20404


Open: wants to merge 12 commits into master

Conversation

@msutovsky-r7 (Contributor) commented Jul 22, 2025

This PR adds an auxiliary file-read module that exploits CVE-2023-28459. This PR should be merged before #20413.

Vulnerable Application

Pretalx is a web-based conference planning tool, used to manage call-for-papers submissions, talk selection and so on. It is used by many major IT conferences, such as OffensiveCon, Hexacon, ... Versions 2.3.1 and prior are vulnerable to arbitrary file read via an unsanitized path in the schedule export. The module requires a set of credentials for a Pretalx user, and Pretalx needs to have an existing conference to which the attacker can submit a malicious proposal.

Installation steps:

  1. git clone https://github.com/pretalx/pretalx-docker.git
  2. Change content of docker-compose.yml to following:
services:
  pretalx:
    image: pretalx/standalone:v2.3.1
      # image: pretalx/dev
    # build: .
    container_name: pretalx
    restart: unless-stopped
    depends_on:
      - redis
      - db
    environment:
      # Hint: Make sure you serve all requests for the `/static/` and `/media/` paths when debug is False. See [installation](https://docs.pretalx.org/administrator/installation/#step-7-ssl) for more information
      PRETALX_FILESYSTEM_MEDIA: /public/media
      PRETALX_FILESYSTEM_STATIC: /public/static
    ports:
      - "80:80"
    volumes:
      - ./conf/pretalx.cfg:/etc/pretalx/pretalx.cfg:ro
      - pretalx-data:/data
      - pretalx-public:/public
  db:
    image: docker.io/library/postgres:15-alpine
    container_name: pretalx-db
    restart: unless-stopped
    volumes:
      - pretalx-database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: veryunsecureplschange # same password as one that you will put in pretalx.cfg file later on
      POSTGRES_USER: pretalx
      POSTGRES_DB: pretalx
  redis:
    image: redis:latest
    container_name: pretalx-redis
    restart: unless-stopped
    volumes:
      - pretalx-redis:/data
volumes:
  pretalx-database:
  pretalx-data:
  pretalx-public:
  pretalx-redis:
  3. sudo docker-compose up
  4. Set up a username and password
  5. Go to orga/event/
  6. Create a new conference
  7. Go to orga/event/[conference name]/schedule/rooms/
  8. Create a room
  9. Go to orga/event/[conference name]/
  10. Make the conference go live
  11. sudo docker exec -u 0 -it pretalx /bin/bash
  12. Make sure you have the correct rights on the /data folder, so the pretalx user can write the export there

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use auxiliary/scanner/http/pretalx_file_read_cve_2023_28459
  4. Do: set CONFERENCE_NAME [conference name]
  5. Do: set USERNAME [username]
  6. Do: set PASSWORD [password]
  7. Do: set RHOSTS [target IP address]
  8. Do: run

Options

CONFERENCE_NAME

The slug (shortcut) name of the conference. The module requires an existing conference to which an attacker can submit a malicious proposal (e.g. conference-secret-2025).

FILEPATH

Absolute path to the target file.

MEDIA_URL

Pretalx uses a path to the media folder, which is prepended to the target file path to achieve the arbitrary file read. The default value is /media; however, it can be modified by the user.

USERNAME

Username of a Pretalx user that can approve proposals and release the schedule.

PASSWORD

Password of a Pretalx user that can approve proposals and release the schedule.

Scenarios

msf auxiliary(scanner/http/pretalx_file_read_cve_2023_28459) > run verbose=true 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected vulnerable version 2.3.1
[*] Register malicious proposal
[*] Logging with credentials: [username]/[password]
[*] Approving proposal
[*] Adding h85WcLe4t4 to schedule
[*] Releasing schedule
[*] Trying to extract target file
[*] Extraction successful
[*] Stored results in /home/ms/.msf4/loot/20250725165914_default_192.168.168.146_pretalx.etcpas_473038.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
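The description above says the bug is an unsanitized path in the schedule export, with the media prefix (MEDIA_URL, default /media) prepended to an attacker-supplied file path. The following is an added, constructed illustration of that bug class, not pretalx's own code and not the module's: a resource URL under the media prefix is mapped onto the filesystem by plain string surgery, so a traversal segment walks out of the media root and the exporter reads whatever file it lands on. The hardened resolver beside it resolves the candidate with realpath and refuses anything outside the media root. All names, the directory layout and the file contents are assumptions made for the example.

```python
import os
import tempfile

# Constructed illustration of the bug class the PR describes; not pretalx code.
MEDIA_URL = "/media"  # assumed web prefix under which uploaded files are served


def vulnerable_resource_path(media_root: str, resource_url: str) -> str:
    """Map a resource URL to a file on disk by string surgery alone.

    Everything after MEDIA_URL is trusted, so "../" segments walk out of
    media_root and the exporter ends up copying an arbitrary file.
    """
    if not resource_url.startswith(MEDIA_URL + "/"):
        raise ValueError("not a media URL")
    relative = resource_url[len(MEDIA_URL) + 1:]
    return os.path.join(media_root, relative)


def safe_resource_path(media_root: str, resource_url: str) -> str:
    """Same mapping, but the resolved path must stay inside media_root."""
    if not resource_url.startswith(MEDIA_URL + "/"):
        raise ValueError("not a media URL")
    relative = resource_url[len(MEDIA_URL) + 1:]
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    # realpath collapses "../" and symlinks before the containment check
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{resource_url!r} escapes the media root")
    return candidate


def export_resource(resolver, media_root: str, resource_url: str) -> bytes:
    """What an exporter does with the resolved path: read it into the archive."""
    with open(resolver(media_root, resource_url), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree and run both resolvers on the same traversal URL.

    Returns what each resolver produced so the outcome can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        media_root = os.path.join(tmp, "public", "media")
        os.makedirs(media_root)
        # constructed "secret" sitting two levels above the media root
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("constructed secret outside the media root\n")
        with open(os.path.join(media_root, "slides.pdf"), "w") as fh:
            fh.write("legit upload\n")

        legit = MEDIA_URL + "/slides.pdf"
        evil = MEDIA_URL + "/../../secret.txt"  # walks from public/media up to tmp

        out = {"legit": export_resource(safe_resource_path, media_root, legit)}
        out["vulnerable_leak"] = export_resource(vulnerable_resource_path, media_root, evil)
        try:
            export_resource(safe_resource_path, media_root, evil)
            out["safe_blocked"] = False
        except PermissionError:
            out["safe_blocked"] = True
        return out


if __name__ == "__main__":
    print(demo())
```

The containment check compares realpath results on both sides so that symlinks inside the media root cannot be used to point back outside it; checking the raw string for "../" would miss that case.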

@msutovsky-r7 msutovsky-r7 changed the title Module init Adds auxiliary module for Pretalx File Read (CVE-2023-28459) Jul 22, 2025

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@mariomontecatine (Contributor)

Hi @msutovsky-r7 ! Here you have the doc you asked for. Have a good day :)

mariomontecatine added a commit to mariomontecatine/metasploit-framework that referenced this pull request Jul 23, 2025
@msutovsky-r7 msutovsky-r7 marked this pull request as ready for review July 27, 2025 10:43

fail_with(Msf::Module::Failure::Unknown, 'Could not found hidden inputs: creating profile info') unless submit_uri && csrf_token

Rex::Text.rand_text_alphanumeric(16).to_s
Contributor

Suggested change
Rex::Text.rand_text_alphanumeric(16).to_s

cookie_jar.clear

vprint_status("Logging with credentials: #{datastore['EMAIL']}/#{datastore['PASSWORD']}")
fail_with Failure::NoAccess, 'Incorrect credentials' unless login(datastore['EMAIL'], datastore['PASSWORD'])
Contributor

Suggested change
fail_with Failure::NoAccess, 'Incorrect credentials' unless login(datastore['EMAIL'], datastore['PASSWORD'])
fail_with(Failure::NoAccess, 'Incorrect credentials') unless login(datastore['EMAIL'], datastore['PASSWORD'])


vprint_status('Wait for schedule ZIP to be exported')

sleep(5)
Contributor

Could you make this a datastore option?

@bwatters-r7 bwatters-r7 self-assigned this Aug 5, 2025
@bwatters-r7
Contributor

This seems bad....
image
image

@bwatters-r7
Contributor

I'm using ubuntu_vert on the .211 hypervisor, if that helps.
