Environment

https://archives2.manageengine.com/passwordmanagerpro/12100/ManageEngine_PMP_64bit.exe

Patch

https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm

Patch diff

org.apache.xmlrpc.parser.SerializableParser#getResult: the patch turns deserialization off here.

1.png

Analysis

The vulnerability description tells us this is an XML-RPC deserialization RCE.

2.png

Recall CVE-2020-9496, the Apache OFBiz XML-RPC RCE: that bug was triggered while XmlRpcRequestParser parsed the XML, so we use tabby to query who calls XmlRpcRequestParser.

3.png

Start the query from the source of the path:

org.apache.xmlrpc.webserver.PmpApiServlet#doPost

4.png

It calls the parent class's doPost: org.apache.xmlrpc.webserver.XmlRpcServlet#doPost

5.png

Follow on into org.apache.xmlrpc.webserver.XmlRpcServletServer#execute

6.png

which in turn calls org.apache.xmlrpc.server.XmlRpcStreamServer#execute

7.png

Inside it, getRequest builds an XmlRpcRequest from the raw request: org.apache.xmlrpc.server.XmlRpcStreamServer#getRequest

8.png

This is where the XML is parsed and the RPC is triggered. The PoC is the same as for CVE-2020-9496.
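The body that reaches XmlRpcStreamServer#getRequest is an ordinary XML-RPC methodCall; what makes it dangerous is a value typed with the Apache XML-RPC vendor extension `<ex:serializable>`, whose base64 content SerializableParser#getResult (the method the patch above neutered) hands to ObjectInputStream.readObject(). The Python below is an added example, not code from this post, from ManageEngine or from Apache XML-RPC: a stdlib-only inspector a defender can run over captured request bodies (proxy or WAF side) to flag that element before it ever reaches the parser. The extensions namespace URI and the Java stream header are library and JDK constants; the two request bodies and the payload (a serialized java.lang.String, nothing more) are constructed samples.

```python
"""Flag Apache XML-RPC <ex:serializable> values in request bodies (constructed samples)."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace Apache XML-RPC uses for its vendor extensions (XmlRpcWriter.EXTENSIONS_URI).
EXTENSIONS_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % EXTENSIONS_NS

# First four bytes of every java.io.ObjectOutputStream stream: STREAM_MAGIC + STREAM_VERSION.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def find_serializable_values(body: bytes) -> List[Dict[str, object]]:
    """Return one finding per <ex:serializable> element anywhere in the request.

    The element itself is the indicator: the stock TypeFactoryImpl only creates a
    SerializableParser for elements in the extensions namespace.  Whether the
    base64 content starts with the Java stream header is recorded for triage only.
    A body that is not well-formed XML yields no findings.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    findings = []
    for elem in root.iter(SERIALIZABLE_TAG):  # iter() descends into nested structs/arrays
        text = (elem.text or "").strip()
        try:
            payload = base64.b64decode(text)  # whitespace inside the base64 is tolerated
        except ValueError:  # binascii.Error is a ValueError
            payload = b""
        findings.append({
            "method": root.findtext("methodName", default=""),
            "java_stream": payload.startswith(JAVA_STREAM_MAGIC),
            "payload_len": len(payload),
        })
    return findings


def should_block(body: bytes) -> bool:
    """Policy hook: refuse any request that carries the extension type at all."""
    return bool(find_serializable_values(body))


# Constructed benign request: a struct with a plain integer member.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>getResource</methodName>
  <params><param><value><struct>
    <member><name>id</name><value><i4>42</i4></value></member>
  </struct></value></param></params>
</methodCall>"""

# Constructed suspicious request: the same struct, but the member value is the
# extension type.  The content is a serialized java.lang.String ("data"): the
# stream header, TC_STRING (0x74), a 2-byte length and the UTF bytes.  Harmless,
# but it is exactly what the vulnerable parser would pass to readObject().
_SERIALIZED_STRING = JAVA_STREAM_MAGIC + b"\x74\x00\x04data"
SUSPICIOUS_REQUEST = b"""<?xml version="1.0"?>
<methodCall xmlns:ex="%s">
  <methodName>getResource</methodName>
  <params><param><value><struct>
    <member><name>id</name><value><ex:serializable>%s</ex:serializable></value></member>
  </struct></value></param></params>
</methodCall>""" % (EXTENSIONS_NS.encode(), base64.b64encode(_SERIALIZED_STRING))


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, "block=%s" % should_block(body), find_serializable_values(body))
```

Key the decision on the element and its namespace rather than on the magic bytes: the attacker controls the bytes, and in the stock TypeFactoryImpl the value only reaches SerializableParser when the element is in the extensions namespace and the server config has extensions enabled. On the server side the matching controls are to keep `enabledForExtensions` off in the XmlRpcServer configuration, or, as the vendor patch did, to make getResult refuse outright. ElementTree is used here for portability; a production inspector should also bound entity expansion (e.g. with defusedxml) before parsing untrusted bodies.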

Here is the stack trace.

getResult:36, SerializableParser (org.apache.xmlrpc.parser)
endValueTag:78, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:185, MapParser (org.apache.xmlrpc.parser)
endElement:103, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:165, XmlRpcRequestParser (org.apache.xmlrpc.parser)
endElement:-1, AbstractSAXParser (org.apache.xerces.parsers)
scanEndElement:-1, XMLNSDocumentScannerImpl (org.apache.xerces.impl)
dispatch:-1, XMLDocumentFragmentScannerImpl$FragmentContentDispatcher (org.apache.xerces.impl)
scanDocument:-1, XMLDocumentFragmentScannerImpl (org.apache.xerces.impl)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XMLParser (org.apache.xerces.parsers)
parse:-1, AbstractSAXParser (org.apache.xerces.parsers)
parse:-1, SAXParserImpl$JAXPSAXParser (org.apache.xerces.jaxp)
getRequest:76, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:212, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:112, XmlRpcServletServer (org.apache.xmlrpc.webserver)
doPost:196, XmlRpcServlet (org.apache.xmlrpc.webserver)
doPost:117, PmpApiServlet (org.apache.xmlrpc.webserver)
service:681, HttpServlet (javax.servlet.http)
service:764, HttpServlet (javax.servlet.http)
internalDoFilter:227, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:53, WsFilter (org.apache.tomcat.websocket.server)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:76, ADSFilter (com.manageengine.ads.fw.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:300, PassTrixFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:414, SecurityFilter (com.adventnet.iam.security)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:34, NTLMV2CredentialAssociationFilter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:155, NTLMV2Filter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:118, MSPOrganizationFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:149, PassTrixUrlRewriteFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:109, SetCharacterEncodingFilter (org.apache.catalina.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:32, ClientFilter (com.adventnet.cp)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:80, ParamWrapperFilter (com.adventnet.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:51, RememberMeFilter (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:65, AssociateCredential (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
invoke:197, StandardWrapperValve (org.apache.catalina.core)
invoke:97, StandardContextValve (org.apache.catalina.core)
invoke:540, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:135, StandardHostValve (org.apache.catalina.core)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:687, AbstractAccessLogValve (org.apache.catalina.valves)
invoke:261, SingleSignOn (org.apache.catalina.authenticator)
invoke:78, StandardEngineValve (org.apache.catalina.core)
service:357, CoyoteAdapter (org.apache.catalina.connector)
service:382, Http11Processor (org.apache.coyote.http11)
process:65, AbstractProcessorLight (org.apache.coyote)
process:895, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1681, Nio2Endpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
processSocket:1171, AbstractEndpoint (org.apache.tomcat.util.net)
completed:104, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
completed:97, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
invokeUnchecked:126, Invoker (sun.nio.ch)
run:218, Invoker$2 (sun.nio.ch)
run:112, AsynchronousChannelGroupImpl$1 (sun.nio.ch)
runWorker:1191, ThreadPoolExecutor (org.apache.tomcat.util.threads)
run:659, ThreadPoolExecutor$Worker (org.apache.tomcat.util.threads)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)

Souvenir shot

9.png

Some targets exposed on the public internet need cb183; I won't go into that here.

Detour

Actually, what I went looking for at first was not the vulnerable point itself but the places where XML gets parsed, such as com.adventnet.tools.prevalent.InputFileParser#parse

10.png

After a lot of debugging I found that this class implements its own startElement and endElement, never calls endValueTag(), and therefore has no type-parser step at all, so it can never trigger deserialization.

Later I re-read the write-ups of the historical vulnerabilities, changed approach and went straight for references to org.apache.xmlrpc.webserver.XmlRpcServlet, and there was the vulnerable point. I instantly felt very stupid. To be honest, static analysis tools really are useful.

My writing is poor, the wording flippant, the content shallow and the technique clumsy. Pointers and corrections from the masters are very welcome; many thanks.