it-swarm-pt.tech

Como hackear o linux através da vulnerabilidade de inclusão local de arquivos?

Durante meu teste de penetração, encontrei uma vulnerabilidade de inclusão de arquivo local. De fato, essa vulnerabilidade existia no mailwatch <= 1.0.4 e sua exploração existia no Exploit-DB.

Tentei explorar o sistema operacional (CentOS 6) por meio desta vulnerabilidade, dependendo do arquivo /proc/self/environ, mas falhei porque quando ele retorna uma página em branco quando estou tentando ver o conteúdo do /proc/self/environ Arquivo.

Existe alguma idéia de como invadir o sistema operacional?

5
user1028

Pode ser explorado pela injeção de arquivos de log. pode ser possível injetar arquivos de log do Apache, mas esses arquivos precisam de acesso root para serem abertos, portanto, não será possível abri-los via LFI. para resolver esse problema, injetamos arquivos de log temporários do Apache, existentes neste caminho:

proc/self/fd/12

ou

proc/self/fd/14

ou

proc/<apachi pid>/fd/12

ou

proc/<Apache pid>/fd/14

nós injetamos o arquivo de log com código php nos permite fazer o que quisermos.

5
user1028

Apenas postando minha configuração:

  • Instalação genérica do Centos 6 + Virtualmin mais recente + SELinux, parece explorável se for simples Centos, ou Virtualmin com PHP/Suexec.

/ var/log/httpd:

-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20120805
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20120930
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20121007
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20121014
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20121021
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20120930
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20121007
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20121014
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20121021
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_debug.log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_access_log-20120805
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_access_log-20120812
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20120930
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20121007
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20121014
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20121021
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_request_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_request_log-20120805
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_request_log-20120812
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20120930
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20121007
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20121014
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20121021

O PHP é executado no suexec:

unconfined_u:system_r:httpd_suexec_t:s0 502 17648 0.0  4.7 314004 23624 ?      Sl   Oct21   0:07 /usr/bin/php-cgi

Arquivos de log do Vhost:

-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48  1008958 Oct 24 00:19 blackhatconsulting.co.uk_access_log
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48 11592222 Aug  5 03:41 blackhatconsulting.co.uk_access_log-20120805
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48  9418101 Aug 12 03:15 blackhatconsulting.co.uk_access_log-20120812
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   207759 Sep 23 03:21 blackhatconsulting.co.uk_access_log-20120923.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   176072 Sep 30 03:36 blackhatconsulting.co.uk_access_log-20120930.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   158753 Oct  7 03:23 blackhatconsulting.co.uk_access_log-20121007.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   170740 Oct 14 03:49 blackhatconsulting.co.uk_access_log-20121014.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   199233 Oct 21 03:43 blackhatconsulting.co.uk_access_log-20121021.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48  3972681 Oct 24 00:19 blackhatconsulting.co.uk_error_log
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48   715308 Aug  5 03:41 blackhatconsulting.co.uk_error_log-20120805
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48 10871995 Aug 12 03:15 blackhatconsulting.co.uk_error_log-20120812
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    21122 Sep 23 03:21 blackhatconsulting.co.uk_error_log-20120923.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    18896 Sep 30 03:36 blackhatconsulting.co.uk_error_log-20120930.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    18423 Oct  7 03:23 blackhatconsulting.co.uk_error_log-20121007.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    18458 Oct 14 03:49 blackhatconsulting.co.uk_error_log-20121014.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    30181 Oct 21 03:43 blackhatconsulting.co.uk_error_log-20121021.gz

E, finalmente, o processo PHP:

lrwx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 0 -> socket:[331211]
l-wx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 1 -> /var/log/httpd/error_log
lr-x------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 18 -> pipe:[302590]
l-wx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 2 -> /var/log/httpd/error_log
l-wx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 21 -> pipe:[302591]
lrwx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 4 -> socket:[331227]

E o httpd:

r-x------. 1 root root 64 Oct 24 00:26 0 -> /dev/null
l-wx------. 1 root root 64 Oct 24 00:26 1 -> /dev/null
l-wx------. 1 root root 64 Oct 24 00:26 10 -> pipe:[302583]
l-wx------. 1 root root 64 Oct 24 00:26 11 -> /var/log/virtualmin/blackhatconsulting.co.uk_error_log
l-wx------. 1 root root 64 Oct 24 00:26 12 -> /var/log/httpd/ssl_error_log
l-wx------. 1 root root 64 Oct 24 00:26 13 -> /var/log/httpd/access_log
l-wx------. 1 root root 64 Oct 24 00:26 14 -> /var/log/virtualmin/blackhatconsulting.co.uk_access_log
l-wx------. 1 root root 64 Oct 24 00:26 15 -> /var/log/virtualmin/blackhatconsulting.co.uk_access_log
l-wx------. 1 root root 64 Oct 24 00:26 16 -> /var/log/httpd/ssl_access_log
l-wx------. 1 root root 64 Oct 24 00:26 17 -> /var/log/httpd/ssl_request_log
lr-x------. 1 root root 64 Oct 24 00:26 18 -> pipe:[302590]
l-wx------. 1 root root 64 Oct 24 00:26 19 -> pipe:[302590]
l-wx------. 1 root root 64 Oct 24 00:26 2 -> /var/log/httpd/error_log
lr-x------. 1 root root 64 Oct 24 00:26 20 -> pipe:[302591]
l-wx------. 1 root root 64 Oct 24 00:26 21 -> pipe:[302591]
lr-x------. 1 root root 64 Oct 24 00:26 3 -> /dev/urandom
lrwx------. 1 root root 64 Oct 24 00:26 4 -> socket:[271909]
lrwx------. 1 root root 64 Oct 24 00:26 5 -> socket:[271911]
l-wx------. 1 root root 64 Oct 24 00:26 6 -> /var/log/httpd/modsec_debug.log
l-wx------. 1 root root 64 Oct 24 00:26 7 -> /var/log/httpd/modsec_audit.log
lrwx------. 1 root root 64 Oct 24 00:26 8 -> socket:[271913]
lr-x------. 1 root root 64 Oct 24 00:26 9 -> pipe:[302583]

Portanto, sem o SELinux, usando o Virtualmin no Centos, é possível acessar os arquivos de log de PHP sem problemas, pois eles são executados no mesmo uid. No entanto, com o SELinux, isso não é possível porque impede a leitura de qualquer conteúdo)/var/log usando o processo invocado a partir da rede.Também mod_security também não permite (para passar PHP)).

0
Andrew Smith