
CVE-2018-1111

Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.

A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.

Red Hat's advisory announces a fix for a vulnerability in the DHCP client (CVE-2018-1111). On a system that uses NetworkManager configured to obtain its network configuration over DHCP, an attacker who runs a malicious DHCP server, or who can spoof DHCP responses on the local network, can execute arbitrary commands on that system as root.

Vulnerability background:

The DHCP protocol is used to configure network related information in hosts from a central server. When a host is connected to a network, it can issue DHCP requests to fetch network configuration parameter such as IP address, default router IP, DNS servers, and more.

The DHCP client package dhclient provided by Red Hat has a script /etc/NetworkManager/dispatcher.d/11-dhclient (in Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (in Red Hat Enterprise Linux 6) for the NetworkManager component, which is executed each time NetworkManager receives a DHCP response from a DHCP server. A malicious DHCP response could cause the script to execute arbitrary shell commands with root privileges.

The dhclient package shipped by Red Hat installs the script /etc/NetworkManager/dispatcher.d/11-dhclient (Red Hat Enterprise Linux 7) or /etc/NetworkManager/dispatcher.d/10-dhclient (Red Hat Enterprise Linux 6); NetworkManager runs this script every time it receives a DHCP response from a DHCP server.

A single quote in a DHCP option value breaks out of the quoting that script relies on, and the remainder of the value is executed as a shell command.

Affected versions:

  • Red Hat Enterprise Linux Server 6
  • Red Hat Enterprise Linux Server 7
  • CentOS 6
  • CentOS 7

Reproduction:

Test environment:

CentOS 7

Kali 2018.2

VMware Fusion for Mac

Preparation:

In VMware, set the network adapters of both the CentOS 7 and the Kali VM to host-only mode, and disable the DHCP service of that host-only network.

On Windows, DHCP for the host-only network can be turned off in VMware's Virtual Network Editor.

On a Mac it is slightly more involved: open

/Library/Preferences/VMware Fusion

and edit the networking file there with vim.

It lists two virtual networks; if you are not sure which one your VMs are on, run ifconfig inside a VM and match the address range.

Mine is the 192.168.194.0/24 network, so that is the one to disable.

Change the yes on its second line to no, then restart VMware.

Current state of the hosts:

CentOS 7:

Kali:

Running the attack:

On Kali, create a new file /etc/dnsmasq.conf.

Contents:

The dnsmasq options are easy to look up and not hard to understand. 192.168.194.52 is the static address Kali will be given in the next step; it must lie outside the DHCP pool and must not be in use by anyone else. Options 3 (router) and 6 (DNS server) on lines 5 and 6 point the victim at that address.

Then, on the attacker, run the following two commands to set the static address and gateway and start nc listening on a port of your choice:

Start dnsmasq:

On CentOS 7, restart the network interface so that it requests an address over DHCP again:

Kali's nc now receives the reverse shell:

The root cause is the single quote: it breaks out of the quoted option value inside the dispatcher script, so the remainder of the DHCP option is executed as a command.

 

Reference video:

Bonus: the ChaMd5 team has provided a one-click exploit; just change the IP.

Fix:

Install the latest dhclient package:

e.g. yum update dhclient, then confirm the updated version with rpm -q dhclient.
