Analysis and reproduction of network security vulnerabilities
2022-07-28 08:37:00 【Great safety home】
Preface
On April 6 and May 18, VMware published two official security advisories covering as many as 10 CVEs in its products, several of them high-risk vulnerabilities with CVSSv3 scores of 9.8. Such a rate of vulnerability disclosure caught the author's attention. This article analyzes CVE-2022-22954, the VMware Workspace ONE Access SSTI RCE vulnerability, in detail.
Vulnerability description
According to the VMware security advisory of April 6, the vendor has released updates that address security issues in multiple products. Among them, CVE-2022-22954 has a CVSS score of 9.8 and a severity rating of Critical. The vulnerability exists because VMware Workspace ONE Access and Identity Manager contain a server-side template injection vulnerability; a malicious actor with network access can achieve remote code execution.
Affected versions
VMware Workspace ONE Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
VMware Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
VMware vRealize Automation (vIDM) 7.6
VMware Cloud Foundation (vIDM) 4.x
Vulnerability analysis
FreeMarker's eval built-in evaluates a string as an FTL expression. FTL expressions can access variables and call Java methods; for example, "1+2"?eval returns the number 3. Therefore, if the string before ?eval comes from an untrusted source, it can become an attack vector.
In VMware's endusercatalog-ui-1.0-SNAPSHOT-classes.jar, the bundled template customError.ftl calls the FreeMarker engine's eval built-in to render errObj, which is what leads to this SSTI vulnerability.
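To make the difference concrete, the following is an added example (not code from the original post or from VMware) that renders two constructed templates with the FreeMarker engine: one that applies ?eval to the model variable, in the shape of the customError.ftl usage described above, and one that only interpolates it. The template text, the class name EvalDemo and the errObj value are constructed for this demo.

```java
// Added example: contrast a FreeMarker template that applies ?eval to a
// model variable with one that simply prints it. The template text and the
// errObj value are constructed for this demo, not taken from VMware's code.
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class EvalDemo {
    // Constructed stand-in for the pattern the article describes:
    // the model variable is parsed and evaluated as an FTL expression.
    static final String VULNERABLE = "Error: ${errObj?eval}";
    // Hardened: the value is interpolated as data, never parsed as FTL.
    static final String HARDENED = "Error: ${errObj}";

    static String render(String templateSource, String errObj)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("customError.ftl", templateSource);
        cfg.setTemplateLoader(loader);
        // Auto-escape interpolated strings so they are not treated as markup either.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);

        Map<String, Object> model = new HashMap<>();
        model.put("errObj", errObj); // in the real flow this comes from the request
        Template t = cfg.getTemplate("customError.ftl");
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String untrusted = "1+2"; // the article's own example expression
        System.out.println(render(VULNERABLE, untrusted));
        System.out.println(render(HARDENED, untrusted));
    }
}
```

With the first template the engine evaluates the string, as the page describes for "1+2"?eval, while the second template prints the text it was given; removing ?eval from a template that receives request-derived data is the template-level fix for this class of bug.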
Environment building
The source code examined in this vulnerability analysis is located at /opt/vmware/horizon/workspace/webapps/catalog-portal/WEB-INF/lib.
Dynamic mode
With the security issue located, we next look for the code that renders the customError.ftl template.
It is in the com.vmware.endusercatalog.ui.web.UiErrorController#handleGenericError function.
errorObj is passed in as a parameter.
Looking up the callers of handleGenericError, we find the following.
The handleGenericError function is called from two requestMapping handlers in the UiErrorController controller.
Following the getErrorPage function that appears there, located at com.vmware.endusercatalog.ui.web.UiErrorController#getErrorPage.
Besides calling handleGenericError directly to obtain the template to be rendered, there is also the handleUnauthorizedError function, which branches on a condition; only one of its branches enters handleGenericError.
How can the parameters be constructed?
Of the two requestMapping handlers, /ui/view/error is an API interface; a direct request cannot supply javax.servlet.error.message, so errorObj cannot be controlled that way.
Looking for other calls to /ui/view/error, one is located in the com.vmware.endusercatalog.ui.web.UiApplicationExceptionResolver#resolveException function.
There, javax.servlet.error.message is assigned.
Looking at the callers of the resolveException function, it is called by the handleAnyGenericException function.
The @ExceptionHandler annotation indicates that this is the exception handler: when the program throws an exception of type Exception, execution enters handleAnyGenericException, which then calls the resolveException function, assigns the value, and finally returns /ui/view/error.
In handleAnyGenericException, different parameters are passed into resolveException depending on the type of the exception. If the exception class is not a subclass of LocalizationParamValueException, uiRequest.getRequestId() is passed in. So a LocalizationParamValueException (or a subclass of it) needs to be thrown at a point where its parameters are controllable; in that case the errorJson attribute that errorObj needs comes from the exception's getArgs.
In the LocalizationParamValueException function, if the parameters used to throw the exception can be controlled, the payload can be passed into errorObj.
In endusercatalog-auth-1.0-SNAPSHOT.jar, com.vmware.endusercatalog.auth.InvalidAuthContextException is an exception class that inherits from LocalizationParamValueException.
The exception is thrown in the constructor of com.vmware.endusercatalog.auth.AuthContext.
The AuthContext object is created in the AuthContextPopulationInterceptor interceptor, and all of its parameters are taken from the request, so this is where the injection point can be constructed.
Normally, however, the interceptor class in endusercatalog-auth-1.0-SNAPSHOT.jar cannot be reached.
But in com.vmware.endusercatalog.ui.UiApplication, the @ComponentScan annotation declares that classes in the com.vmware.endusercatalog.auth package are automatically assembled into the bean container.
This can be confirmed in the package com.endusercatalog.ui.config.WebConfig.
A URL can thus be constructed.
Through the above analysis, a payload can be constructed to execute commands.
Vulnerability reproduction

Repair suggestions