!185 添加poc CVE-2021-3156

Merge pull request !185 from 宋帮诚晋/master
2023-03-07 08:22:41 +00:00 · 2023-03-07 08:22:41 +00:00 · fd1ed805af
parent 5d9452f29a e8a4c34e77
commit fd1ed805af
6 changed files with 80 additions and 6 deletions
--- a/data/BaseLine/BaseLine.yaml
+++ b/data/BaseLine/BaseLine.yaml
@ -1,6 +1,6 @@
 ConfigFilePrefix: ../data/BaseLine/
 Type: baseline
-RootPasswd: sbcj1999            #部分检测需要用到高权限
+RootPasswd:             #部分检测需要用到高权限，不为root用户
 ExplorerItems:
      - ConfigFile: UserAnalysis/checkUser.yaml #检测root权限用户
      - ConfigFile: UserAnalysis/checkGid.yaml #检测特权组用户
--- a/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.sh
+++ b/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.sh
@ -0,0 +1,2 @@
+#/bin/bash
+LANG=C sudoedit -s /
--- a/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml
+++ b/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml
@ -0,0 +1,46 @@
+FormatVer: 20230307
+Id: CVE-2021-3156
+Belong: system
+PocHazardLevel: low
+Source: https://github.com/worawit/CVE-2021-3156
+    Name: Polkit（PolicyKit）是类Unix系统中一个应用程序级别的工具集，通过定义和审核权限规则，实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分，可以使授权非特权用户根据定义的策略以特权用户的身份执行命令。
+    Severity: high
+    Description:
+        Sudo before 1.9.5p2 存在缓冲区错误漏洞，攻击者可使用sudoedit -s和一个以单个反斜杠字符结束的命令行参数升级到root。
+    ScopeOfInfluence:
+        小于1.9.5p2
+    References:
+        - https://nvd.nist.gov/vuln/detail/CVE-2021-3156
+        - http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
+    SiteClassification:
+        CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+        CvssScore: 7.8
+        CveId: CVE-2021-3156
+        CweId: CWE-193
+        CnvdId: None
+        KveId: None
+    Tags:
+        - cve2021
+        - 权限提升
+        - 堆缓冲区溢出漏洞
+SiteRequests:
+    Implement: 
+        ImArray:
+            - Inter : bash
+              Exec : CVE-2021-3156.sh
+              Args : 
+        ExpireTime:       #second
+
+        # < input
+        # > output 
+        # . wait
+        # ? condition
+        # : content
+        #
+        #组合起来
+        # >. 等待直到输出 
+        # << 输入字符
+        # >?判断条件
+        Inter:
+            - ">:sudoedit; /: not a regular file"
+        Condition: None
--- a/data/SystemPocs/SystemPocs.yaml
+++ b/data/SystemPocs/SystemPocs.yaml
@ -9,4 +9,5 @@ ExplorerItems:
    - ConfigFile: CVE-2022-1292/CVE-2022-1292.yaml
    - ConfigFile: CVE-2021-44142/CVE-2021-44142.yaml
    - ConfigFile: CVE-2021-3560/CVE-2021-3560.yaml
-    - ConfigFile: CVE-2021-4043/CVE-2021-4043.yaml
+    - ConfigFile: CVE-2021-4043/CVE-2021-4043.yaml
+    - ConfigFile: CVE-2021-3156/CVE-2021-3156.yaml    
--- a/src/tools/FastScan/FastScan.go
+++ b/src/tools/FastScan/FastScan.go
@ -15,7 +15,7 @@ import (
 var (
    dbhostsip  = "172.17.20.121:3306"
    dbusername = "root"
-    dbpassword = ""
+    dbpassword = "Kylin123-"
    dbname     = "kylincve"
 )

@ -41,9 +41,11 @@ func StrTrimSpace(v1str,v2str string )(v1,v2 string ){
 func comparSlice(v1slice,v2slice []string )int{
 	for index,_ :=range v1slice{
 		if v1slice[index] > v2slice[index]{
+			fmt.Println(1111,v1slice[index],v2slice[index])
 			return version1
 		}
 		if v1slice[index] < v2slice[index]{
+			fmt.Println(v1slice[index],v2slice[index])
 			return version2
 		}
 		if len(v1slice)-1 == index {
@ -150,7 +152,7 @@ func fastScan(dpkgInfo []string){
                dpkgInfoStr:=dpkgInfo[i+1]
                result:=PushCompareVersion(s.cve_no,dpkgInfoStr,s.ubuntu_v10_1_edition)
                if result==2{
-					FastScanResult:="ID:"+s.cve_no+" PackageName"+s.package_name+" Role:"+s.role_level+" Security_Version:"+s.ubuntu_v10_1_edition+" Current_Version:"+dpkgInfoStr
+					FastScanResult:="ID:"+s.cve_no+" level:"+s.package_name+" Role:"+s.role_level+" Security_Version:"+s.ubuntu_v10_1_edition+" Current_Version:"+dpkgInfoStr
 					fmt.Printf("%c[%d;%d;%dm%s%c[0m\n", 0x1B, 0, 0, 32, FastScanResult, 0x1B)
                }
            }
@ -166,9 +168,16 @@ func PushCompareVersion(cve_no string,dpkgInfoStr string,ubuntu_v10_1_edition st
        return
    }else{
        v1 := strings.ReplaceAll(dpkgInfoStr, "ubuntu", ".")
-        v1  = strings.ReplaceAll(dpkgInfoStr, "kylin", ".")
+        v1  = strings.ReplaceAll(v1, "kylin", ".")
+		v1  = strings.ReplaceAll(v1, "k", ".")
+		buildDislodge:=strings.LastIndex(v1, "build")
+		if buildDislodge !=-1 {
+			v1=string([]byte(v1)[0:buildDislodge])	
+		}
        v2 := strings.ReplaceAll(ubuntu_v10_1_edition, "ubuntu", ".")
-        v2  = strings.ReplaceAll(ubuntu_v10_1_edition, "kylin", ".")
+        v2  = strings.ReplaceAll(v2, "kylin", ".")
+		v1="2.2.10-3.2"
+		v2="2.2.8-1.1"
        result=compareStrVer(v1,v2)
        return result

--- a/z-container/test123.go
+++ b/z-container/test123.go
@ -0,0 +1,16 @@
+package main
+import (
+   "fmt"
+   "strings"
+
+)
+func main() {
+	s:="2.0.2kylin0.2k3"
+    i:=strings.LastIndex(s, "c") //9
+	if i != -1{
+		s = string([]byte(s)[0:i])
+		fmt.Println(s)
+	}else{
+		fmt.Println(2)
+	}
+}