Verlihub创建不安全文件及远程代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116792 漏洞类型 输入验证
发布时间 2008-11-21 更新时间 2008-12-30
CVE编号 CVE-2008-5705 CNNVD-ID CNNVD-200812-419
漏洞平台 Linux CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/7183
https://www.securityfocus.com/bid/32420
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-419
|漏洞详情
Verlihub是运行在Linux操作系统上的DirectConnect协议服务器。Verlihub没有正确地过滤通过trigger机制传送给shell的用户输入,此外Verlihub守护程序还可能配置为以root用户权限运行,这就允许连接到hub的用户通过提交恶意请求执行任意命令,或允许本地攻击者通过对/tmp/trigger.tmp临时文件的符号链接攻击覆盖任意文件。以下是src/ctrigger.cpp文件的cTrigger::DoIt()函数中的有漏洞代码段:106stringcommand(buf);107filename=server.mConfigBaseDir;108filename.append("/tmp/trigger.tmp");109command.append("<");110command.append(filename);111cout>>command>>endl;112system(command.c_str());
|漏洞EXP
== verlihub <=0.9.8d-RC2 remote r00t / command execution =======================
                                                             |     '       /   |
                                                             /__      ___ (   / 
                                                             \\--`-'-|`---\\ |  
                                                              |' _/   ` __/ /   
                                                              '._  V    ,--'    
                                                                 '_:_._/        

description:--------------------------------------------------------------------
  "Verlihub  is a Direct Connect protocol server; runs on Linux OS; written in
  C++."
    -- <http://www.verlihub-project.org/>

  Verlihub  does not sanitize user input passed to the shell via its "trigger"
  mechanism.  Furthermore, the Verlihub daemon can optionally be configured to
  run  as  root.  This allows for the arbitrary execution of commands by users
  connected  to  the  hub  and,  in  the  case  of the daemon running as root,
  complete commandeering of the machine.

    -- Code Listing: src/ctrigger.cpp : cTrigger::DoIt() -------------------    
      106  string command(buf);                                        :        
      107  filename = server.mConfigBaseDir;                          ,:        
      108  filename.append("/tmp/trigger.tmp");                    | /  \ |     
      109  command.append(" > ");                                 \_\\  //_/    
      110  command.append(filename);                               .'/()\'.     
      111  cout << command << endl;                                 \\  //      
      112  system(command.c_str());
    ------------------------------------------------------------------------    

vulnerability check:------------------------------------------------------------
  # grep allow_exec /etc/verlihub/dbconfig
  allow_exec = 1

  or

  # grep allow_exec $HOME/.verlihub/dbconfig
  allow_exec = 1

exploit:------------------------------------------------------------------------
  1. Connect  to  a  hub  with  user  triggers  allowed  and  set up to accept
     arguments;
  2. Run a trigger with a specially crafted argument, e.g.:
       +<trigger> `cat /etc/passwd`
     where <trigger> is the name of the trigger.
  3. ...

patch:--------------------------------------------------------------------------
  $ diff src/ctrigger.cpp src/ctrigger.cpp.new
  9a10
  > #include <stdio.h>
  19a21,33
  > void strip( char * str, char c )
  > {
  >     char * p1 = str;
  >     while ( *p1++ )
  >         if( *p1 == c )
  >         {
  >             char * p2 = p1;
  >             while( *p2 && *p2 == c ) { ++p2; }
  >             if(*p2) { *p1 = *p2; *p2 = c; }
  >             else { *p1 = '\0'; break; }
  >         }
  > }
  >
  107,114c121,145
  <                               filename = server.mConfigBaseDir;
  <                               filename.append("/tmp/trigger.tmp");
  <                               command.append(" > ");
  <                               command.append(filename);
  <                               cout << command << endl;
  <                               system(command.c_str());
  <                               buf = "";
  <                               if (!LoadFileInString(filename,buf)) return 0;
  ---
  >                                 char buffer[ 1024 ];
  >                                 FILE * stream;
  >                                 buf = "";
  >                                 char * cmd = command.c_str();
  >
  >                                 strip( cmd, ';'  ); strip( cmd, '\"' );
  >                                 strip( cmd, '\'' ); strip( cmd, '\\' );
  >                                 strip( cmd, '`'  ); strip( cmd, ':'  );
  >                                 strip( cmd, '!'  ); strip( cmd, '$'  );
  >                                 strip( cmd, '{'  ); strip( cmd, '}'  );
  >                                 strip( cmd, '['  ); strip( cmd, ']'  );
  >                                 strip( cmd, '&'  ); strip( cmd, '>'  );
  >                                 strip( cmd, '<'  ); strip( cmd, '|'  );
  >                                 strip( cmd, '~'  ); strip( cmd, '/'  );
  >
  >                                 cout << cmd << endl;
  >                                 stream = popen( cmd, "r" );
  >                                 if ( stream == NULL )
  >                                     perror( NULL );
  >                                 else
  >                                     while( fgets( buffer, 1024, stream )
  >                                            != NULL )
  >                                         buf.append( buffer );
  >                                 if ( pclose( stream ) == -1 )
  >                                     perror( NULL );

== eof ======================================== by v4lkyrius at gmail dot com ==

# milw0rm.com [2008-11-21]
|受影响的产品
Verlihub Project Verlihub 0.9.8d RC2
|参考资料

来源:XF
名称:verlihub-trigger-command-execution(46801)
链接:http://xforce.iss.net/xforce/xfdb/46801
来源:BID
名称:32420
链接:http://www.securityfocus.com/bid/32420
来源:MILW0RM
名称:7183
链接:http://www.milw0rm.com/exploits/7183
来源:SREASON
名称:4800
链接:http://securityreason.com/securityalert/4800
来源:MLIST
名称:[oss-security]20081216CVEidrequest:verlihub
链接:http://openwall.com/lists/oss-security/2008/12/17/16
来源:MISC
链接:http://bugs.debian.org/506530