CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

admin 2022年8月4日10:10:47安全漏洞评论22 views6406字阅读21分21秒阅读模式

环境

https://archives2.manageengine.com/passwordmanagerpro/12100/ManageEngine_PMP_64bit.exe

补丁

https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm

补丁diff

org.apache.xmlrpc.parser.SerializableParser#getResult 关了反序列化

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

分析

通过漏洞描述可知为XML-RPC的反序列化RCE

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

回顾 CVE-2020-9496 Apache Ofbiz XMLRPC RCE漏洞 漏洞由XmlRpcRequestParser解析xml时触发,由此我们用tabby来查询谁调用了XmlRpcRequestParser

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

从路径的源头查询

org.apache.xmlrpc.webserver.PmpApiServlet#doPost

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

调用super的post函数 org.apache.xmlrpc.webserver.XmlRpcServlet#doPost

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

继续跟进 org.apache.xmlrpc.webserver.XmlRpcServletServer#execute

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

继续调用 org.apache.xmlrpc.server.XmlRpcStreamServer#execute

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

其中getRequest函数会从原始request构建XmlRpcRequest org.apache.xmlrpc.server.XmlRpcStreamServer#getRequest


CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

在这里就开始解析xml,触发rpc了。poc和CVE-2020-9496一样

贴一下堆栈。

getResult:36, SerializableParser (org.apache.xmlrpc.parser)
endValueTag:78, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:185, MapParser (org.apache.xmlrpc.parser)
endElement:103, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:165, XmlRpcRequestParser (org.apache.xmlrpc.parser)
endElement:-1, AbstractSAXParser (org.apache.xerces.parsers)
scanEndElement:-1, XMLNSDocumentScannerImpl (org.apache.xerces.impl)
dispatch:-1, XMLDocumentFragmentScannerImpl$FragmentContentDispatcher (org.apache.xerces.impl)
scanDocument:-1, XMLDocumentFragmentScannerImpl (org.apache.xerces.impl)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XMLParser (org.apache.xerces.parsers)
parse:-1, AbstractSAXParser (org.apache.xerces.parsers)
parse:-1, SAXParserImpl$JAXPSAXParser (org.apache.xerces.jaxp)
getRequest:76, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:212, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:112, XmlRpcServletServer (org.apache.xmlrpc.webserver)
doPost:196, XmlRpcServlet (org.apache.xmlrpc.webserver)
doPost:117, PmpApiServlet (org.apache.xmlrpc.webserver)
service:681, HttpServlet (javax.servlet.http)
service:764, HttpServlet (javax.servlet.http)
internalDoFilter:227, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:53, WsFilter (org.apache.tomcat.websocket.server)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:76, ADSFilter (com.manageengine.ads.fw.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:300, PassTrixFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:414, SecurityFilter (com.adventnet.iam.security)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:34, NTLMV2CredentialAssociationFilter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:155, NTLMV2Filter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:118, MSPOrganizationFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:149, PassTrixUrlRewriteFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:109, SetCharacterEncodingFilter (org.apache.catalina.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:32, ClientFilter (com.adventnet.cp)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:80, ParamWrapperFilter (com.adventnet.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:51, RememberMeFilter (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:65, AssociateCredential (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
invoke:197, StandardWrapperValve (org.apache.catalina.core)
invoke:97, StandardContextValve (org.apache.catalina.core)
invoke:540, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:135, StandardHostValve (org.apache.catalina.core)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:687, AbstractAccessLogValve (org.apache.catalina.valves)
invoke:261, SingleSignOn (org.apache.catalina.authenticator)
invoke:78, StandardEngineValve (org.apache.catalina.core)
service:357, CoyoteAdapter (org.apache.catalina.connector)
service:382, Http11Processor (org.apache.coyote.http11)
process:65, AbstractProcessorLight (org.apache.coyote)
process:895, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1681, Nio2Endpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
processSocket:1171, AbstractEndpoint (org.apache.tomcat.util.net)
completed:104, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
completed:97, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
invokeUnchecked:126, Invoker (sun.nio.ch)
run:218, Invoker$2 (sun.nio.ch)
run:112, AsynchronousChannelGroupImpl$1 (sun.nio.ch)
runWorker:1191, ThreadPoolExecutor (org.apache.tomcat.util.threads)
run:659, ThreadPoolExecutor$Worker (org.apache.tomcat.util.threads)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)

合影留念

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

poc不放了 懂得都懂。

曲折

其实刚开始找的并不直接是漏洞点,而是在找xml parse的点 com.adventnet.tools.prevalent.InputFileParser#parse


CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

经过多次调试发现这个类自己实现了startElement和endElement,并不会调用endValueTag(),进而没有type parse一说,所以根本不会触发反序列化。

后来重新看了历史的漏洞文章,换了思路直接找org.apache.xmlrpc.webserver.XmlRpcServlet的引用就发现了漏洞点,瞬间感觉自己太蠢了。u1s1,静态软件分析工具还是有用。


来源先知(https://xz.aliyun.com/t/11578#toc-0)


注:如有绘画请联系删除





CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

欢迎大家一起加群讨论学习和交流

CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

快乐要懂得分享,

加倍的快乐。


原文始发于微信公众号(衡阳信安):CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年8月4日10:10:47
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE http://cn-sec.com/archives/1220750.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: