CVE-2022-31656 VMware Workspace ONE Access UrlRewriteFilter 权限绕过

在我之前文章中写过,vm为了修复CVE-2022-22972加了一个HostHeaderFilter,拦截了Hostname,防止身份验证被绕过,建议看过之前的洞再来看这个。

Petrus Viet在UrlRewriteFilter过滤器中找到了用RequestDispatcher绕过权限校验的点。

原理如图,直接跳过HostHeaderFilter的校验(图来自Petrus Viet)

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/1.png

org.tuckey.web.filters.urlrewrite.UrlRewriteFilter#doFilter

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/2.png

通过getUrlRewriter读路由重写规则

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/3.png

配置文件来自于file:/opt/vmware/horizon/workspace/webapps/SAAS/WEB-INF/urlrewrite.xml

拿到重写规则之后调用org.tuckey.web.filters.urlrewrite.UrlRewriter#processRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.FilterChain)进行处理

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/4.png

processRequest通过requestURI构建一条路由规则链RuleChain,然后调用org.tuckey.web.filters.urlrewrite.RuleChain#doRules

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/5.png

先做规则处理,遍历rules调用doRuleProcessing,然后再handleRewrite处理重写

来看doRuleProcessing

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/6.png

取rules当前遍历索引对应的规则rewrittenUrl,然后和this.finalToUrl还有request进行match得到rewrittenUrl

如果rewrittenUrl不为null,那么修改自身的finalToUrl字段和重写之后的请求字段finalRewrittenRequest

1
2
this.finalRewrittenRequest = rewrittenUrl;
this.finalToUrl = rewrittenUrl.getTarget();

相当于是遍历urlrewrite.xml找对应的规则进行匹配,然后传递结果给下一个rule当作参数。

来看urlrewrite.xml

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/7.png

匹配^/t/([^/]*)($|/)(((?!META-INF|WEB-INF).*))$重写到/$3,举个例子

/t/_/;/common.js 会被重写为/;/common.js

接着拿/;/common.js匹配剩下的rule匹配不上了,所以最终的finalToUrl = "/;/common.js"并且finalRewrittenRequest = rewrittenUrl

回到org.tuckey.web.filters.urlrewrite.RuleChain#doRules接着看handleRewrite

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/8.png

因为上文finalRewrittenRequest不等于null,所以进入this.finalRewrittenRequest.doRewrite

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/9.png

forward转发之后不再继续走filter,跳过了HostHeaderFilter过滤,并且经过getRequestDispatcher之后servletPath变为/common.js,分号被去除,完美绕过。

关于为什么分号被去除,老知识了,懂得都懂。

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/10.png

rce

Petrus Viet提到的rce所涉及的类和controller我这个版本的ova没有,简单记录一下算了,

1
2
3
4
TenantMigrationResource.migrateTenant() 
-> TenantMigrationServiceImpl.migrateTenant() 
-> CustomGroupMigrationServiceImpl.migrateCustomGroup() 
-> ExportCustomGroup.getVidmUserIds()

命令注入并不是在java的runtime.exec,而是在sh的参数中,通过pgsql的参数达到命令执行的效果,类似于pgsql堆叠。具体构造没有代码不写了。

修复

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/11.png

过滤分号

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/12.png

修改用户密码登录验证方式,不从外部接受参数作为校验api的地址。

后记

和作者沟通了一下,另一个CVE-2022-31658 jdbc的rce应该是在另一个servlet容器cfg中。

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/13.png

/cfg/setup/test

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/14.png

补丁升级了pgsql的版本

参考

https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。