PoC Exploit for the Progress Software OpenEdge Security Vulnerability

admin, March 11, 2024, 17:57:02

Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could be potentially exploited to bypass authentication protections.

Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.

"When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins," the company said in an advisory released late last month.

"Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access."

Progress Software said the vulnerability incorrectly returns authentication success from an OpenEdge local domain if unexpected types of usernames and passwords are not appropriately handled, leading to unauthorized access sans proper authentication.

The flaw has been addressed in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.
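The affected and fixed version ranges above can be applied to an asset inventory. The following is an added example, not code from the article or from Progress Software: the `host,version` inventory format and the hostnames are constructed, and release lines the article does not mention are reported as `unlisted` rather than guessed at.

```python
import re

# First fixed update per release line, as stated in the article
# (fixed in 11.7.19, 12.2.14 and 12.8.1).
FIRST_FIXED = {(11, 7): 19, (12, 2): 14, (12, 8): 1}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*$")


def classify(version):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable' for CVE-2024-1403."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unparseable"
    line = (int(m.group(1)), int(m.group(2)))
    # Assumption: a version with no update number (e.g. "12.8") means update 0.
    update = int(m.group(3)) if m.group(3) else 0
    if line not in FIRST_FIXED:
        # The article does not map other release lines; check the vendor advisory.
        return "unlisted"
    return "fixed" if update >= FIRST_FIXED[line] else "affected"


def triage(inventory):
    """Group hosts from 'host,version' lines (hypothetical format) by status."""
    result = {"affected": [], "fixed": [], "unlisted": [], "unparseable": []}
    for row in inventory.strip().splitlines():
        row = row.strip()
        if not row or row.startswith("#"):
            continue
        host, _, version = row.partition(",")
        result[classify(version)].append(host.strip())
    return result


# Constructed sample inventory; hostnames are placeholders.
SAMPLE = """
# host,version
oe-admin-01,11.7.18
oe-admin-02,11.7.19
oe-gw-01,12.2.13
oe-gw-02,12.2.14.0
oe-dev-01,12.8
oe-old-01,11.6.4
oe-unk-01,unknown
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts in the `unlisted` and `unparseable` groups need a manual check against the vendor advisory before they are treated as safe.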

Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that's invoked when a remote connection is made.

This function, in turn, calls another function called authorizeUser() that validates that the supplied credentials meet certain criteria, and passes control to another part of the code that directly authenticates the user if the provided username matches "NT AUTHORITY\SYSTEM."

"Deeper attacker surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages," security researcher Zach Hanley said.

"We believe there is again likely an avenue to remote code execution via built in functionality given enough research effort."

References

[1]https://thehackernews.com/2024/03/proof-of-concept-exploit-released-for.html

Originally published on the WeChat official account 知机安全: PoC Exploit for the Progress Software OpenEdge Security Vulnerability
