[Challenge]
The purpose of this challenge is to demonstrate the #2 MITRE Top 25 programming flaw: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
In one of the previous challenges you were able to log in to the admin's account and change the address of the updates server. That functionality has been enhanced to perform a connectivity check, in order to avoid mistakes when doing setting changes.
Rather than implementing the check in Java the developers are 'shelling out' and calling the ping command. They put in some sort of input validation/sanitization to prevent addition of commands other than ping. See if you can bypass it.
Your task is to get the contents of the /etc/passwd file. You can use either the cat or the less command to do so.
Here is the application code. See if you can spot the problem.
updateServer = request.getParameter("updateServer");
if (updateServer != null) {
    // strip a handful of shell metacharacters from the submitted value
    updateServer = updateServer.replace("'", "").replace("\"", "").replace("`", "").replace("&", "").replace("|", "");
    boolean isValidServer = Util.isValidServerName(updateServer);
    String output = null;
    if (isValidServer) {
        // ping the update server
        String[] commandArgs = {"/bin/sh", "-c", String.format("ping -c 4 %s", updateServer)};
        output = Util.exec(commandArgs);
    }
}
[Challenge Description]
In this challenge, the input field provided by the application is used as the argument of a Linux OS command. If you can spot the flaw in the code, the value of that input field can be used to run an OS command that displays the contents of /etc/passwd.
[Vulnerability Hint]
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
From MITRE CWE-78
In other words, the program does not handle its input properly, so an attacker can use particular characters to bypass the intended command and execute the OS command of their choice, obtaining sensitive files from the Linux server.
[Solution]
- Go to the page: https://abc.xxx.elasticbeanstalk.com/cwe78.jsp
- Log in to the admin account: pw=iloveyou (obtained from the earlier password-guessing attack)
- In the Update Server field enter insecure.inc; cat /etc/passwd and the contents of /etc/passwd are displayed on the page.
[Security Principle]
From the code's perspective, the vulnerability is that the program never checks for or filters out the ';' character, which in a Linux shell marks the end of one command and the start of the next. Following the line String [] commandArgs = {"/bin/sh", "-c", String.format("ping -c 4 %s",updateServer)};, when %s = insecure.inc; cat /etc/passwd the full OS command becomes ping -c 4 insecure.inc; cat /etc/passwd, that is, after the ping finishes the shell also runs cat /etc/passwd, so the file's contents end up displayed on the page.
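A hardened version of the connectivity check, added here as an illustrative example and not the challenge's own code: validate the server name against a strict hostname allowlist instead of stripping individual metacharacters, then invoke ping through ProcessBuilder with an argument list rather than /bin/sh -c, so the value is never parsed by a shell at all. The class name SafePing, the regex and the sample inputs in main are my own assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

public class SafePing {
    // Allowlist (assumed policy): RFC 1123 style hostname, labels of letters, digits
    // and hyphens separated by dots, no leading or trailing hyphen, at most 253 chars.
    // Characters such as ';', '|', '&', quotes or spaces simply never match.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)*"
        + "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$");

    public static boolean isValidHostname(String s) {
        return s != null && HOSTNAME.matcher(s).matches();
    }

    // Runs ping without a shell: ProcessBuilder passes each element as one argv entry,
    // so the host is only ever an argument of ping and cannot become a second command.
    public static String ping(String host) throws IOException, InterruptedException {
        if (!isValidHostname(host)) {
            throw new IllegalArgumentException("rejected update server name");
        }
        ProcessBuilder pb = new ProcessBuilder(List.of("ping", "-c", "4", host));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String output = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return output;
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain host name, the write-up's payload, and an
        // option-looking value; main prints whether each one passes the allowlist.
        String[] samples = {"insecure.inc", "insecure.inc; cat /etc/passwd", "-c"};
        for (String s : samples) {
            System.out.println(isValidHostname(s) + "  <- " + s);
        }
    }
}
```

Because the allowlist also forbids a leading hyphen, a value cannot be smuggled in as an extra ping option either, which a shell-free call alone would not prevent.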
Saturday, February 23, 2019