Source |
SkullSecurity |
Identifier |
8303535 |
Publication date |
2023-01-23 20:14:17 (viewed: 2023-01-23 21:06:07) |
Title |
Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability |
Text |
Last year, I worked on a vulnerability in Zimbra
(CVE-2022-41352 - my
AttackerKB analysis for Rapid7)
that turned out to be a new(-ish) exploit path for a really old bug in cpio -
CVE-2015-1194. But that was patched in 2019, so what happened?
(I posted this as a tweet thread a while back, but I decided to flesh it out and
make it into a full blog post!)
cpio is an archive tool commonly used for system-level stuff (firmware images
and such). It can also extract other formats, like .tar, which we'll use since
it's more familiar.
cpio has a flag (--no-absolute-filenames), off by default,
that purports to prevent writing files outside of the target directory. That's
handy when, for example, extracting untrusted files with Amavis
(like Zimbra does).
The problem is, symbolic links can point to absolute paths, and therefore, even
with --no-absolute-filenames, there was no safe way to extract an untrusted
archive (outside of using a chroot environment or something similar, which
they really ought to do).
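As an added illustration (not code from the original post or from the cpio project), here is a small pre-extraction check in Python that does what --no-absolute-filenames does not: it resolves every entry against the intended destination while tracking the symlinks the archive itself declares, so a file whose path runs through an earlier symlink is flagged. The destination /var/tmp/extract and the function names are assumptions, and the archive is constructed in memory with the same layout as the demo.tar built in the post (a symlink demo -> /tmp/ followed by demo/imafile).

```python
from __future__ import annotations

import io
import os
import posixpath
import tarfile

# Hypothetical extraction directory (assumption, not from the post).
DEST = "/var/tmp/extract"


def build_demo_archive(link_target: str = "/tmp/") -> bytes:
    """Constructed sample input: an in-memory tar with the same shape as the
    post's demo.tar, i.e. a symlink `demo` -> link_target followed by a regular
    file `demo/imafile`. A relative link_target gives a benign archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("demo")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tar.addfile(link)
        data = b"hello\n"
        info = tarfile.TarInfo("demo/imafile")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(path: str, dest: str) -> bool:
    """True if an already-normalised absolute path is dest or lies below it."""
    dest = os.path.normpath(dest)
    return path == dest or path.startswith(dest + os.sep)


def _resolve(name: str, dest: str, links: dict[str, str]) -> str:
    """Map an archive path to where it would land on disk, following symlinks
    that earlier archive entries declared. Purely lexical: no filesystem access."""
    current = dest
    parts = name.split("/")
    for i, part in enumerate(parts):
        prefix = "/".join(parts[: i + 1])
        if prefix in links:
            current = links[prefix]          # jump to the link's real target
        else:
            current = os.path.normpath(os.path.join(current, part))
    return current


def find_unsafe_members(tar_bytes: bytes, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry that would be written, or
    would point, outside dest. Run this before handing the archive to any
    extractor; an empty list means every entry stays below dest."""
    dest = os.path.normpath(dest)
    links: dict[str, str] = {}   # archive path -> resolved on-disk target
    findings: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if posixpath.isabs(name) or name == ".." or name.startswith("../"):
                findings.append((m.name, "absolute or parent-relative path"))
                continue
            resolved = _resolve(name, dest, links)
            if not _inside(resolved, dest):
                findings.append((m.name, f"path resolves outside dest: {resolved}"))
                continue
            if m.issym() or m.islnk():
                if m.issym():
                    target = m.linkname
                    if not os.path.isabs(target):
                        target = os.path.join(os.path.dirname(resolved), target)
                    target_resolved = os.path.normpath(target)
                else:
                    # hard links name another archive entry, so resolve that path
                    target_resolved = _resolve(posixpath.normpath(m.linkname), dest, links)
                if not _inside(target_resolved, dest):
                    findings.append((m.name, f"link target outside dest: {target_resolved}"))
                links[name] = target_resolved
    return findings


if __name__ == "__main__":
    for member, reason in find_unsafe_members(build_demo_archive(), DEST):
        print(f"{member}: {reason}")
```

On the post's archive the check reports both the symlink (its target /tmp is outside the destination) and demo/imafile (it would be written to /tmp/imafile). Note that the resolution is lexical only: it catches links declared inside the archive, which is this bug's case, but it cannot know about symlinks already present on disk under the destination, so extracting into a fresh, empty directory (or a chroot, as the post suggests) is still part of the mitigation.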
Much later, in 2019, the cpio team released cpio version 2.13, which
includes a patch for
CVE-2015-1194,
with unit tests and everything.
Some (not all) modern OSes include the patched version of cpio, which should be
the end of the story, but it's not!
I'm currently writing this on Fedora 35, so let's try exploiting it. We can
confirm that the version of cpio installed with the OS is, indeed, the fixed
version:
ron@fedora ~ $ cpio --version
cpio (GNU cpio) 2.13
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Phil Nelson, David MacKenzie, John Oleynick,
and Sergey Poznyakoff.
That means that we shouldn't be able to use symlinks to write outside of the
target directory, so let's create a .tar file that includes a symlink and a
file written through that symlink (this is largely copied from
this mailing list post):
ron@fedora ~ $ mkdir cpiotest
ron@fedora ~ $ cd cpiotest
ron@fedora ~/cpiotest $ ln -s /tmp/ ./demo
ron@fedora ~/cpiotest $ echo 'hello' > demo/imafile
ron@fedora ~/cpiotest $ tar -cvf demo.tar demo demo/imafile
demo
demo/imafile
ron@fedora ~/cpiotest $ |
Sent |
Yes |
Tags |
Tool
Vulnerability
|
Stories |
APT 17
|
Notes |
★★★★
|
Move |
|