Supervisord Remote Command Execution Vulnerability Analysis (cve-2017-11610)

Supervisord is a tool developed by the Python language for managing back-end applications (services), allowing operations personnel to manage them using a graphical interface.

recently, Supervisord exposed a remote command execution vulnerability that requires authentication (cve-2017-11610), through the POST request Supervisord management interface malicious data, can obtain the server operation permission, there is a serious security risk.


   
   

Supervisor IntroductionSupervisor is a Python-based process management tool that helps us to start, restart, and stop background processes on the server more easily, and is a productivity tool for Linux server management. The supervisor has four components: 1. Supervisord runs supervisor's background service, which is used to start and manage child processes that you need to supervisor manage, respond to requests from clients, restart unexpectedly exited child processes, write stdout and stderr of child processes to logs, respond to events, and so on. It is the most central part of supervisor. 2. Supervisorctl corresponds to the Supervisord client, which is a command-line tool that allows the user to send instructions to the Supervisord service, such as viewing the status of a child process and starting or closing a child process. It can connect different Supervisord services, including services on remote machines. 3. Web server This is a Supervisord Web client that allows users to perform supervisorctl-like functionality on a Web page. 4. Xml-rpc interface This is the interface that is reserved for third-party integration, and your service can call these XML-RPC interfaces remotely to control Supervisord-managed sub-processes. The Web server above is actually implemented through this XML-RPC interface. Introduction to VulnerabilityThis vulnerability is in the XML-RPC interface to the data processing. By default, supervisor does not open this interface, but this does not mean that the vulnerability is unimportant, but rather, in the use of supervisor, many people prefer to use web pages to manage rather than use the SUPERVISORCTL command-line tools mentioned earlier. The convenience of using Web pages is that, with simple configuration, users can access and control supervisor through URLs on other machines ' browsers. Eliminate the hassle of not having to configure locally (for example, using supervisor in Docker without having to enter the container control supervisor every time). To enable Web Access, configure the following Vulnerability AnalysisThis analysis from the supervisor entrance, according to the disclosure of the vulnerability, layers of analysis. First look at the entrance: Supervisord startup file supervisord.py. Since it is known beforehand that the attack data is passed to the sever end via HTTP, it is important to focus on the start HTTP service method in the Supervisord startup method (run), which is self.options.openhttpservers () Follow the options.py file: Here you can see that self.httpservers = Self.make_http_servers (Supervisord) here calls the Make_http_servers () method                                                                           Find the Make_http_servers () method in the Options class: This method is imported from Supervisor.http, we continue to follow http.py file View Make_http_servers () method implementation Based on the disclosure of the vulnerability, we know that this vulnerability is problematic on calls to the Xml-rpc interface, in the last line of the code above supervisor_x The Mlrpc_handler () method is used to handle RPC calls. We start from the supervisor entrance, the way to find the culprit, followed by follow-up Supervisor_xmlrpc_handler () method to see the cause of the vulnerability supervisor_xmlrpc_ The handler method is implemented in the xmlrpc.py file,         Find the Traverse method of vulnerability, you can see Supervisor_xmlrpc_handler () The call function in the method will parse out the method as well as the params passed into the Tracerse methods. Let's take a look at where the call function is called and what Method,params is: In the Supervisor_xmlrpc_handler class, there is a continue_request () function, as shown below                                   in PA Rams, method = Self.loads (data) row, you can see the creation of the params and method, and in the bottom line of this function, it is seen that call () is called to return values to value. Let's take a look at the loads function in this class, as follows:                       Visible params and method are XML tag in the MethodName and params in the worth of. Some of the above-mentioned abstract, in order to facilitate the understanding of the following loopholes, here is an example: here, using Python to use the RPC protocol to send a request to Supervisord, to see the structure of the RPC protocol and the params, method, respectively.         crawled traffic as shown below:                                 The Supervisor.supervisord.options.warnings.linecache.os.system here is the method parameter value, and the value of param is touch/tmp/success1 normal interaction, These two values are often method=supervisor.startprocess;param= to startThe call () function is now clear, and then look at the Tracerse method in the call function. Continue to follow Tracerse method                           in Tracerse method, The passed method passes the "." To split, assign a value to the path to determine whether the beginning is "_", if it is, then error and then look at OB = GetAttr (ob, name, None) This line, GetAttr () is a self-reflection function, below a simple example illustrated under GetAttr ()             We carefully analyze the following code:             This is similar to a recursive method that iterates through the methods in the original chain, such as Metho D The original structure is a.b.c.d here the path list should be [A,b,c,d], and then traverse name. With OB = GetAttr (ob, Name, None), the A method in the OB is first assigned to the new OB, and the new OB (now a method) is taken out of the B method to assign to the new OB. And so on, the final OB will be the last method of the chain (that is, d), and then pass in the params value and be executed so if you want to exploit success, you must find a call chain, such as the following call chain     The following diagram is the call relationship:           Options warnings method                     warnings L Inecache methods                   Linecache OS methods Exploit Exploits   Solution SolutionsUpgrade supervisor to the latest version or modify the [Inet_http_server] configuration in the configuration

View Original: http://blog.nsfocus.net/supervisord-cve-2017-11610/