fail2ban - Remote Code Execution - research.securitum.com

This article is about the recently published security advisory for a pretty popular piece of software – fail2ban (CVE-2021-32749). The vulnerability could be exploited at scale and lead to root-level code execution on multiple boxes; however, pulling this off is rather hard for a regular person. It all has its roots in the mailutils package, and I found it by total accident while playing with the mail command.

Fail2ban analyses logs (or other data sources) in search of brute-force traces in order to block such attempts based on the IP address. There are plenty of rules for different services (SSH, SMTP, HTTP, etc.). There are also defined actions which can be performed after blocking a client. One of these actions is sending an e-mail. If you search the Internet for how to send an e-mail from the command line, you will often get a solution like this:

$ echo "test e-mail" | mail -s "subject" user@example.org

That is exactly how one of the fail2ban actions is configured to send e-mails about a client getting blocked (./config/action.d/mail-whois.conf):

actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `%(_whois_command)s`\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

There is nothing suspicious about the above, until you know about one specific thing that can be found in the mailutils manual: the tilde escape sequences:

The ‘~!’ escape executes specified command and returns you to mail compose mode without altering your message. When used without arguments, it starts your login shell. The ‘~|’ escape pipes the message composed so far through the given shell command and replaces the message with the output the command produced. If the command produced no output, mail assumes that something went wrong and retains the old contents of your message.

This is the way it works in real life:

jz@fail2ban:~$ cat -n pwn.txt
     1  Next line will execute command :)
     2  ~! uname -a
     3
     4  Best,
     5  JZ
jz@fail2ban:~$ cat pwn.txt | mail -s "whatever" whatever@whatever.com
Linux fail2ban 4.19.0-16-cloud-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
jz@fail2ban:~$

If you get back to the previously mentioned fail2ban e-mail action, you can notice that whois output is attached to the e-mail body. So if we could add some tilde escape sequence to the whois output for our IP address – well, it should end up with code execution. As root.

What are our options?

As attackers we need to control the whois output – how can that be achieved? Well, the first thing which came into my mind was to kindly ask my ISP to contact RIPE and make a pretty custom entry for my particular IP address. Unfortunately – it doesn’t work like that. RIPE/ARIN/APNIC and the others put entries for whole IP classes at minimum, not for one particular IP address. Also, I’m more than sure that achieving it the formal way is extremely hard, plus the fact that putting a malicious payload in a whois entry would make people ask questions.

Is there a way to start my own whois server? Surprisingly – there is, and you can find a couple of them running on the Internet. By digging through the whois-related RFCs you can find information about an attribute called ReferralServer. If your whois client finds such an attribute in the response, it will query the server set in its value to get more information about the IP address or domain. Just take a look at what happens when getting whois for the 157.5.7.5 IP address:

$ whois 157.5.7.5

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
#


NetRange:       157.1.0.0 - 157.14.255.255
CIDR:           157.4.0.0/14, 157.14.0.0/16, 157.1.0.0/16, 157.12.0.0/15, 157.2.0.0/15, 157.8.0.0/14
NetName:        APNIC-ERX-157-1-0-0
NetHandle:      NET-157-1-0-0-1
Parent:         NET157 (NET-157-0-0-0-0)
NetType:        Early Registrations, Transferred to APNIC
OriginAS:
Organization:   Asia Pacific Network Information Centre (APNIC)

[… cut …]

ReferralServer:  whois://whois.apnic.net
ResourceLink:    http://wq.apnic.net/whois-search/static/search.html

OrgTechHandle:  AWC12-ARIN
OrgTechName:    APNIC Whois Contact
OrgTechPhone:   +61 7 3858 3188
OrgTechEmail:   search-apnic-not-arin@apnic.net

[… cut …]

Found a referral to whois.apnic.net.

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '157.0.0.0 - 157.255.255.255'

% Abuse contact for '157.0.0.0 - 157.255.255.255' is 'helpdesk@apnic.net'

inetnum:        157.0.0.0 - 157.255.255.255
netname:        ERX-NETBLOCK
descr:          Early registration addresses

[… cut …]

In theory, and while having a pretty big network, you could probably ask your Regional Internet Registry to use RWhois for your network.

On the other hand – simply imagine black hats breaking into a server running rwhois, putting a malicious entry there and then starting the attack. To be fair, this scenario seems way easier than becoming a big company in order to legally have its own whois server.

In case you’re a government and you can simply control network traffic – the task is way easier. By taking a closer look at the whois protocol, we can notice a few things:

  • it was designed a really long time ago,
  • it’s pretty simple (you ask for an IP or domain name and get the raw output),
  • it’s unencrypted at the network level.

By simply performing a MITM attack on an unencrypted protocol (which whois is), attackers could just insert the tilde escape sequence and start an attack on multiple hosts.

It’s worth remembering that the root problem here is mailutils, which has this flaw by design. I believe a lot of people are unaware of such a feature, and there’s still plenty of software that could use the mail command this way.
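As an added example (not code from the original post or from fail2ban), here is a small Python guard a defender can put between an untrusted data source and the mail command: it lists every line that starts with a tilde escape, neutralises them, and builds a ban notification in the shape of fail2ban's mail-whois body from the sanitised text. It assumes the mail(1) behaviour quoted above, that an escape is only recognised when the tilde is the first character of a line; the whois record and the command in it are constructed placeholders.

```python
import re

# mailutils (mail(1)) interprets a tilde escape only when the '~' is the first
# character of a line in compose mode; '~!' and '~|' hand the rest of the line
# to a shell. Anything piped into mail from an untrusted source (here: whois
# output) must therefore never start a line with '~'.
SHELL_ESCAPES = ("~!", "~|")

# Constructed sample whois answer (not real registry data) with one
# escape-looking line; the command after '~!' is a harmless placeholder.
SAMPLE_WHOIS = (
    "inetnum:        192.0.2.0 - 192.0.2.255\n"
    "netname:        EXAMPLE-NET\n"
    "descr:          constructed sample record\n"
    "~! echo this-line-would-be-run-by-mail\n"
    "remarks:        a ~ that is not at line start is harmless\n"
)


def find_tilde_escapes(text):
    """Return (line_no, line, is_shell_escape) for each line beginning with '~'."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.startswith("~"):
            hits.append((n, line, line.startswith(SHELL_ESCAPES)))
    return hits


def neutralise_tilde_escapes(text):
    """Indent every '~'-leading line by one space so mail sees plain text.

    Assumption (from the mail(1) behaviour described in the post): the escape
    is recognised only in column one, so a leading space makes it literal.
    """
    return re.sub(r"^~", " ~", text, flags=re.MULTILINE)


def build_ban_mail(ip, failures, name, whois_output):
    """Body in the shape of fail2ban's mail-whois action, with the untrusted
    whois text sanitised before it would be handed to the mail command."""
    safe_whois = neutralise_tilde_escapes(whois_output)
    return (
        f"Hi,\n The IP {ip} has just been banned by Fail2Ban after {failures} "
        f"attempts against {name}.\n\n Here is more information about {ip} :\n"
        f"{safe_whois}\n Regards,\n Fail2Ban"
    )


if __name__ == "__main__":
    for n, line, shell in find_tilde_escapes(SAMPLE_WHOIS):
        print(f"line {n}: {'SHELL ESCAPE' if shell else 'tilde escape'}: {line}")
    print(build_ban_mail("192.0.2.7", 5, "sshd", SAMPLE_WHOIS))
```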

As has been seen many times throughout history – security is hard and complex. Sometimes a totally innocent feature which you would never suspect of being a threat can be the cause of a dangerous vulnerability.

Author: Jakub Żoczek


Source: https://research.securitum.com/fail2ban-remote-code-execution/
