发布日期:2013-01-03
更新日期:2013-01-06
受影响系统:
Rapid7 Nexpose < 5.5.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57150
CVE(CAN) ID: CVE-2012-6494
Nexpose是漏洞管理软件。
Nexpose 5.5.3之前版本的Security Console中的auth.log包含已登录用户的registered session ID,可被具备访问auth.log权限的攻击者利用来进行会话劫持。
<*来源:Robert Gilbert
链接:
https://community.rapid7.com/docs/DOC-2065#release5
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Exploit steps for proof-of-concept:
1. Nexpose admin logs in.
2. While monitoring auth.log, the “Registered session” value is captured.
3. A request to the security console is made and intercepted using a proxy.
4. ‘JSESSIONID=<session>’ is replaced by ‘nexposeCCSessionID=<SESSION-CAPTURED-IN-STEP-2>;time-zone-offset=000.
5. Success.
Credit:
Robert Gilbert
HALOCK Security Labs
建议:
--------------------------------------------------------------------------------
厂商补丁:
Rapid7
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: