verlihub <= 0.9.8d-RC2 Remote Command Execution Vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052310 漏洞类型
发布时间 2008-12-23 更新时间 2008-12-23
CVE编号 CVE-2008-5705
CVE-2008-5706
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2008120186
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
== verlihub <=0.9.8d-RC2 remote r00t / command execution =======================
                                                             |     '       /   |
                                                             /__      ___ (   / 
                                                             \\--`-'-|`---\\ |  
                                                              |' _/   ` __/ /   
                                                              '._  V    ,--'    
                                                                 '_:_._/        

description:--------------------------------------------------------------------
  "Verlihub  is a Direct Connect protocol server; runs on Linux OS; written in
  C++."
    -- <http://www.verlihub-project.org/>

  Verlihub  does not sanitize user input passed to the shell via its "trigger"
  mechanism.  Furthermore, the Verlihub daemon can optionally be configured to
  run  as  root.  This allows for the arbitrary execution of commands by users
  connected  to  the  hub  and,  in  the  case  of the daemon running as root,
  complete commandeering of the machine.

    -- Code Listing: src/ctrigger.cpp : cTrigger::DoIt() -------------------    
      106  string command(buf);                                        :        
      107  filename = server.mConfigBaseDir;                          ,:        
      108  filename.append("/tmp/trigger.tmp");                    | /  \ |     
      109  command.append(" > ");                                 \_\\  //_/    
      110  command.append(filename);                               .'/()\'.     
      111  cout << command << endl;                                 \\  //      
      112  system(command.c_str());
    ------------------------------------------------------------------------    

vulnerability check:------------------------------------------------------------
  # grep allow_exec /etc/verlihub/dbconfig
  allow_exec = 1

  or

  # grep allow_exec $HOME/.verlihub/dbconfig
  allow_exec = 1

exploit:------------------------------------------------------------------------
  1. Connect  to  a  hub  with  user  triggers  allowed  and  set up to accept
     arguments;
  2. Run a trigger with a specially crafted argument, e.g.:
       +<trigger> `cat /etc/passwd`
     where <trigger> is the name of the trigger.
  3. ...

patch:--------------------------------------------------------------------------
  $ diff src/ctrigger.cpp src/ctrigger.cpp.new
  9a10
  > #include <stdio.h>
  19a21,33
  > void strip( char * str, char c )
  > {
  >     char * p1 = str;
  >     while ( *p1++ )
  >         if( *p1 == c )
  >         {
  >             char * p2 = p1;
  >             while( *p2 && *p2 == c ) { ++p2; }
  >             if(*p2) { *p1 = *p2; *p2 = c; }
  >             else { *p1 = '\0'; break; }
  >         }
  > }
  >
  107,114c121,145
  <                               filename = server.mConfigBaseDir;
  <                               filename.append("/tmp/trigger.tmp");
  <                               command.append(" > ");
  <                               command.append(filename);
  <                               cout << command << endl;
  <                               system(command.c_str());
  <                               buf = "";
  <                               if (!LoadFileInString(filename,buf)) return 0;
  ---
  >                                 char buffer[ 1024 ];
  >                                 FILE * stream;
  >                                 buf = "";
  >                                 char * cmd = command.c_str();
  >
  >                                 strip( cmd, ';'  ); strip( cmd, '\"' );
  >                                 strip( cmd, '\'' ); strip( cmd, '\\' );
  >                                 strip( cmd, '`'  ); strip( cmd, ':'  );
  >                                 strip( cmd, '!'  ); strip( cmd, '$'  );
  >                                 strip( cmd, '{'  ); strip( cmd, '}'  );
  >                                 strip( cmd, '['  ); strip( cmd, ']'  );
  >                                 strip( cmd, '&'  ); strip( cmd, '>'  );
  >                                 strip( cmd, '<'  ); strip( cmd, '|'  );
  >                                 strip( cmd, '~'  ); strip( cmd, '/'  );
  >
  >                                 cout << cmd << endl;
  >                                 stream = popen( cmd, "r" );
  >                                 if ( stream == NULL )
  >                                     perror( NULL );
  >                                 else
  >                                     while( fgets( buffer, 1024, stream )
  >                                            != NULL )
  >                                         buf.append( buffer );
  >                                 if ( pclose( stream ) == -1 )
  >                                     perror( NULL );

== eof ======================================== by v4lkyrius at gmail dot com ==