
CVE-2020-11932 PoC — Canonical Subiquity Log Information Disclosure Vulnerability

Source
Associated Vulnerability
Title: Canonical Subiquity Log Information Disclosure Vulnerability (CVE-2020-11932)
Description: Canonical Subiquity is the Ubuntu Server installer from Canonical (UK). Canonical Subiquity (as used in Ubuntu Server) contains a log information disclosure vulnerability. The vulnerability stems from the installer writing sensitive data to its log files.
Description
Check CVE-2020-11932 (Ubuntu Server) and test whether a host is affected by this vulnerability
Readme
# CVE-2020-11932 :bug::mag:

Check CVE-2020-11932 and test whether a host is affected by this vulnerability

## Usage
### Download
```console
git clone https://github.com/Staubgeborener/CVE-2020-11932
cd CVE-2020-11932
chmod +x cve-2020-11932.sh
./cve-2020-11932.sh
```

### With curl (so no download)
```console
bash <(curl -s https://raw.githubusercontent.com/Staubgeborener/CVE-2020-11932/master/cve-2020-11932.sh)
```

## Explanation
This is a proof of concept for [CVE-2020-11932](https://nvd.nist.gov/vuln/detail/CVE-2020-11932). The `Ubuntu Server` installer (Subiquity) can write the passphrase of the `LUKS` full disk encryption to its log files in *plain text*. This was tested on `Ubuntu Server 20.04`.

An installation with `LUKS` encryption (`LVM`) was created with the password `T0pS3cr3tP4ssw0rd`. `sudo grep -Rl "T0pS3cr3tP4ssw0rd" /` then finds five files under `/var/log/installer` that contain the password in plain text. Note that in the run below `subiquity-curtin-install.conf` could be read without `sudo`, so the passphrase was exposed to unprivileged users as well as to root:
* subiquity-curtin-install.conf
* curtin-install-cfg.yaml
* curtin-install.log
* installer-journal.txt
* autoinstall-user-data

```bash
user@encryptiontest:~$ sudo grep -Rl "T0pS3cr3tP4ssw0rd" /
/var/log/installer/subiquity-curtin-install.conf 
/var/log/installer/curtin-install-cfg.yaml 
/var/log/installer/curtin-install.log 
/var/log/installer/installer-journal.txt 
/var/log/installer/autoinstall-user-data 
```
```bash
user@encryptiontest:~$ grep "T0pS3cr3tP4ssw0rd" /var/log/installer/subiquity-curtin-install.conf
- {volume: partition-2, key: T0pS3cr3tP4ssw0rd, preserve: false, type: dm_crypt, 
```
```bash
user@encryptiontest:~$ sudo grep T0pS3cr3tP4ssw0rd /var/log/installer/curtin-install-cfg.yaml 
[sudo] password for user: 
key: T0pS3cr3tP4ssw0rd 
```
```bash
user@encryptiontest:~$ sudo grep "T0pS3cr3tP4ssw0rd" /var/log/installer/curtin-install.log 
get_path_to_storage_volume for volume dm_crypt-0({'volume': 'partition-2', 'key': 'T0pS3cr3tP4ssw0rd', 'preserve': False, 'type': 'dm_crypt', 'id': 'dm_crypt-0'})
```
```bash
user@encryptiontest:~$ sudo grep -o "T0pS3cr3tP4ssw0rd" /var/log/installer/installer-journal.txt 
T0pS3cr3tP4ssw0rd 
T0pS3cr3tP4ssw0rd 
```
```bash
user@encryptiontest:~$ sudo grep T0pS3cr3tP4ssw0rd /var/log/installer/autoinstall-user-data
- {volume: partition-2, key: T0pS3cr3tP4ssw0rd, preserve: false, type: dm_crypt, 
```
⇒ After running `cve-2020-11932.sh` as root you will get output like this:

```bash
root@encryptiontest:/home/user# ./CVE-2020-11932.sh 
Checking subiquity-curtin-install.conf: 
volume: partition-2, key: T0pS3cr3tP4ssw0rd, preserve: false, type: dm_crypt 

Checking curtin-install-cfg.yaml: 
key: T0pS3cr3tP4ssw0rd 

Checking curtin-install.log: 
get_path_to_storage_volume for volume dm_crypt-0({'volume': 'partition-2', 'key': 'T0pS3cr3tP4ssw0rd', 'preserve': False, 'type': 'dm_crypt', 'id': 'dm_crypt-0'}) 

Checking installer-journal.txt: 
'T0pS3cr3tP4ssw0rd', 'preserve': False, 'type': 'dm_crypt', 'id': 'dm_crypt-0'}, {'name': 'ubuntu-vg', 'devices': ['dm_crypt-0'], 'preserve': False, 'type': 'lvm_volgroup', 'id': 'lvm_volgroup-0'}, {'name': 'ubuntu-lv', 'volgroup': 'lvm_volgroup-0', 'size': '42949672966', 'preserve': False, 'type': 'lvm_partition', 'id': 'lvm_partition-0'}, {'fstype': 'ext4', 'volume': 'lvm_partition-0' 
'T0pS3cr3tP4ssw0rd' 

Checking autoinstall-user-data: 
{volume: partition-2, key: T0pS3cr3tP4ssw0rd, preserve: false, type: dm_crypt 

CVE-2020-11932 vulnerability on this Ubuntu Release: 20.04 ! 

Found: key1: T0pS3cr3tP4ssw0rd 
key2: T0pS3cr3tP4ssw0rd 
key3: get_path_to_storage_volume for volume dm_crypt-0({'volume': 'partition-2', 'key': 'T0pS3cr3tP4ssw0rd', 'preserve': False, 'type': 'dm_crypt', 'id': 'dm_crypt-0'})
key4: T0pS3cr3tP4ssw0rd 
T0pS3cr3tP4ssw0rd 
key5: T0pS3cr3tP4ssw0rd 
```
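The `grep` commands above only work when you already know the passphrase. As an added example (not the repository's own script), the following Bash check looks for the `dm_crypt` `key` values themselves in the five files listed in the Explanation, so it finds a leak on a host whose passphrase you do not know, and it can redact the values in place. The file names come from the README; the default directory `/var/log/installer`, the function names and the constructed sample lines in `make_fixture` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the Staubgeborener/CVE-2020-11932 repository.
# Scans the Subiquity/curtin installer logs for dm_crypt "key" values that
# were written to disk, without needing to know the passphrase first, and can
# redact them in place (GNU sed -i is assumed, i.e. a Linux host).
# The five file names are the ones listed in the README; the default
# directory, function names and sample lines are assumptions.

INSTALLER_LOG_DIR="${INSTALLER_LOG_DIR:-/var/log/installer}"
LEAKY_FILES="subiquity-curtin-install.conf curtin-install-cfg.yaml curtin-install.log installer-journal.txt autoinstall-user-data"

# Print "<file>:<key>" for every dm_crypt key value found in the logs under $1.
# Two serialisations appear in the README output: the YAML flow form written
# by curtin ("key: VALUE" terminated by ",", "}" or end of line) and the
# Python repr form logged by get_path_to_storage_volume ("'key': 'VALUE'").
find_leaked_luks_keys() {
    local dir="$1" f
    for f in $LEAKY_FILES; do
        [ -r "$dir/$f" ] || continue
        grep -oE "'key': '[^']*'|(^|[ {])key: [^,}]*" "$dir/$f" |
            sed -E "s/^'key': '([^']*)'$/\1/; s/^[ {]?key: *//; s/ *$//" |
            sed "s|^|$f:|"
    done
}

# Overwrite every leaked key value under $1 with the literal REDACTED.
# The original bytes may survive in unallocated blocks, so on a real host
# also change the LUKS passphrase (cryptsetup luksChangeKey) instead of
# treating redaction as the fix.
redact_leaked_luks_keys() {
    local dir="$1" f
    for f in $LEAKY_FILES; do
        [ -w "$dir/$f" ] || continue
        sed -i -E "s/'key': '[^']*'/'key': 'REDACTED'/g; s/(^|[ {])key: [^,}]*/\1key: REDACTED/g" "$dir/$f"
    done
}

# Constructed fixture (assumption) mimicking /var/log/installer after an
# encrypted-LVM install with the README's test passphrase; prints its path.
# installer-journal.txt is deliberately absent; autoinstall-user-data has a
# "keyboard:" section but no key and must not be reported.
make_fixture() {
    local d
    d="$(mktemp -d)"
    printf '%s\n' '- {volume: partition-2, key: T0pS3cr3tP4ssw0rd, preserve: false, type: dm_crypt, id: dm_crypt-0}' > "$d/subiquity-curtin-install.conf"
    printf '%s\n' 'key: T0pS3cr3tP4ssw0rd ' > "$d/curtin-install-cfg.yaml"
    printf '%s\n' "get_path_to_storage_volume for volume dm_crypt-0({'volume': 'partition-2', 'key': 'T0pS3cr3tP4ssw0rd', 'preserve': False, 'type': 'dm_crypt', 'id': 'dm_crypt-0'})" > "$d/curtin-install.log"
    printf '%s\n' 'keyboard: {layout: us, variant: ""}' > "$d/autoinstall-user-data"
    echo "$d"
}

# Usage: sudo ./luks-leak-check.sh --scan      scan $INSTALLER_LOG_DIR
#        sudo ./luks-leak-check.sh --redact    redact, then re-scan
#        ./luks-leak-check.sh --demo           run against the constructed fixture
case "${1-}" in
    --demo)   d="$(make_fixture)"; find_leaked_luks_keys "$d"; rm -rf "$d" ;;
    --redact) redact_leaked_luks_keys "$INSTALLER_LOG_DIR"; find_leaked_luks_keys "$INSTALLER_LOG_DIR" ;;
    --scan)   find_leaked_luks_keys "$INSTALLER_LOG_DIR" ;;
esac
```

`--demo` prints three `file:T0pS3cr3tP4ssw0rd` lines for the fixture and nothing for the `keyboard:` entry. Two caveats: journal lines can wrap so that `'key'` and its value land on different lines (the README's `installer-journal.txt` output shows exactly that), so an empty scan result is not proof that nothing leaked; and redaction only removes the value from the live files, so the passphrase should still be changed.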


## License
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

This project is licensed under the MIT License. Take a look at the [license file](https://github.com/Staubgeborener/CVE-2020-11932/blob/master/LICENSE) for more information.
File Snapshot

```
[4.0K] /data/pocs/0fbac92b2bfdc59c729b72db47517ae39731230c
├── [1.6K] cve-2020-11932.sh
├── [1.0K] LICENSE
└── [3.9K] README.md

0 directories, 3 files
```