WSO2 API Manager 是 WSO2 公司的一套 API 生命周期管理解决方案。
由于对文件上传接口缺少安全检查,导致存在任意文件上传漏洞,可直接GetShell。
影响版本
WSO2 API Manager 2.2.0 and above through 4.0.0;WSO2 Identity Server 5.2.0 and above through 5.11.0;WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0;WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0;WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
环境要求
1. Minimum memory - 2GB2. Processor - Pentium 800MHz or equivalent at minimum3. Java 1.8 or higher4. The Management Console requires you to enable Javascript of the Web browser, with MS IE 7. In addition to JavaScript, ActiveX should also be enabled with IE. This can be achieved by setting your security level to medium or lower.5. Apache Ant is required to compile and run the sample clients. Apache Ant 1.7.0 version is recommended.6. To build WSO2 API Manager from the source distribution, it is necessary that you have JDK 1.8 and Maven 3.0.4 or later.
漏洞分析
基于 product-apim 4.0.0 版本进行调试分析。
由已公开的 exp 可知问题接口在 /fileupload/toolsAny,先找 upload 相关配置,直接排除 backup 部分往下看
找到两个关键配置文件 ./repository/conf/carbon.xml 和 ./repository/conf/identity/identity.xml
先定位到配置文件 "WSO2AM_Homerepositoryconfidentityidentity.xml",可见修饰 /fileupload(.*) 接口的 secured 属性为 false,表示这个路由资源的访问可以不经过用户身份校验
再定位到 org.wso2.carbon.ui.transports.fileupload.ToolsFileUploadExecutor#execute 打个断点,为了不影响应用正常启动,可以先置为 Mute 状态
启动 wso2am 并指定 debug 端口为 7888,IDEA 开启监听后继续启动
成功启动后使能断点,并发包,成功截断
从调用栈着手跳过 doFilter 部分的处理直接看到 wso2am 对 Servlet 的处理,在 org.eclipse.equinox.http.servlet.internal.ProxyServlet#processAlias先取到 dispatchPathInfo 中的 /fileupload 作为 alias
再依据 alias 在 org.eclipse.equinox.http.helper.ContextPathServletAdaptor#service 中找到对应的 Servlet 为 FileUploadServlet
跟进来到 org.wso2.carbon.ui.transports.FileUploadServlet#doPost,所有上传表单的处理都在 FileUploadExecutorManager.execute() 方法
FileUploadExecutorManager 在初始化过程中会执行一个 loadExecutorMap 操作,实质是从服务器配置 serverConfiguration 中加载所有内置与上传表单处理相关的执行器 FileUploadExecutor,可以看到对应到 serverConfiguration 类的初始化过程中就是加载配置文件 carbon.xml 文件中的 FileUploadConfig
与之对应的就是就是加载下面这些 FileUpload 的 Actions
而 org.wso2.carbon.ui.transports.fileupload.FileUploadExecutorManager#execute,先从上传表单的请求路径中获取 actionString 为 toolsAny
org.wso2.carbon.ui.transports.fileupload.FileUploadExecutorManager.CarbonXmlFileUploadExecHandler#execute,再通过遍历内置 FileUploadExcutor 执行器 组成的集合与取到的 actionString 进行对比,若匹配到相应的执行器,则 foundExecutor 标志有默认的 false 置为 true,停止遍历
当我们传入的 actionString 为 toolsAny,匹配到的执行器为 ToolsAnyFileUploadExecutor,抵达我们的一开始的断点,接下来对表单的处理没有经过任何安全过滤,直接往 WSO2AM_Hometmpworkextra1.6509613160487183E12 这个临时目录下写文件,返回系统时间和随机数拼接而成的 uuid
因此可以通过上传表单中简单的文件名遍历实现将 webshell 写入 web 目录下的效果。
构造恶意上传表单、getshell、打完收工
顺手放一下调用栈
execute:39, ToolsAnyFileUploadExecutor (org.wso2.carbon.ui.transports.fileupload)executeGeneric:104, AbstractFileUploadExecutor (org.wso2.carbon.ui.transports.fileupload)execute:436, FileUploadExecutorManager$CarbonXmlFileUploadExecHandler (org.wso2.carbon.ui.transports.fileupload)startExec:320, FileUploadExecutorManager$FileUploadExecutionHandlerManager (org.wso2.carbon.ui.transports.fileupload)execute:127, FileUploadExecutorManager (org.wso2.carbon.ui.transports.fileupload)doPost:57, FileUploadServlet (org.wso2.carbon.ui.transports)service:660, HttpServlet (javax.servlet.http)service:741, HttpServlet (javax.servlet.http)service:37, ContextPathServletAdaptor (org.eclipse.equinox.http.helper)service:61, ServletRegistration (org.eclipse.equinox.http.servlet.internal)processAlias:128, ProxyServlet (org.eclipse.equinox.http.servlet.internal)service:68, ProxyServlet (org.eclipse.equinox.http.servlet.internal)service:741, HttpServlet (javax.servlet.http)service:68, DelegationServlet (org.wso2.carbon.tomcat.ext.servlet)internalDoFilter:231, ApplicationFilterChain (org.apache.catalina.core)doFilter:166, ApplicationFilterChain (org.apache.catalina.core)doFilter:53, WsFilter (org.apache.tomcat.websocket.server)internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)doFilter:166, ApplicationFilterChain (org.apache.catalina.core)doFilter:72, CsrfGuardFilter (org.owasp.csrfguard)internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)doFilter:166, ApplicationFilterChain (org.apache.catalina.core)doFilter:65, CharacterSetFilter (org.wso2.carbon.tomcat.ext.filter)internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)doFilter:166, ApplicationFilterChain (org.apache.catalina.core)doFilter:126, HttpHeaderSecurityFilter (org.apache.catalina.filters)internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)doFilter:166, ApplicationFilterChain (org.apache.catalina.core)invoke:202, StandardWrapperValve (org.apache.catalina.core)invoke:96, StandardContextValve (org.apache.catalina.core)invoke:541, AuthenticatorBase (org.apache.catalina.authenticator)invoke:139, StandardHostValve (org.apache.catalina.core)invoke:92, ErrorReportValve (org.apache.catalina.valves)invoke:107, TenantContextRewriteValve (org.wso2.carbon.identity.context.rewrite.valve)invoke:110, AuthorizationValve (org.wso2.carbon.identity.authz.valve)invoke:102, AuthenticationValve (org.wso2.carbon.identity.auth.valve)continueInvocation:101, CompositeValve (org.wso2.carbon.tomcat.ext.valves)invokeValves:49, TomcatValveContainer (org.wso2.carbon.tomcat.ext.valves)invoke:62, CompositeValve (org.wso2.carbon.tomcat.ext.valves)invoke:145, CarbonStuckThreadDetectionValve (org.wso2.carbon.tomcat.ext.valves)invoke:690, AbstractAccessLogValve (org.apache.catalina.valves)invoke:57, CarbonContextCreatorValve (org.wso2.carbon.tomcat.ext.valves)invoke:126, RequestCorrelationIdValve (org.wso2.carbon.tomcat.ext.valves)invoke:74, StandardEngineValve (org.apache.catalina.core)service:343, CoyoteAdapter (org.apache.catalina.connector)service:373, Http11Processor (org.apache.coyote.http11)process:65, AbstractProcessorLight (org.apache.coyote)process:868, AbstractProtocol$ConnectionHandler (org.apache.coyote)doRun:1590, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)run:49, SocketProcessorBase (org.apache.tomcat.util.net)runWorker:-1, ThreadPoolExecutor (java.util.concurrent)run:-1, ThreadPoolExecutor$Worker (java.util.concurrent)run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)run:-1, Thread (java.lang)
上传漏洞原理本身其实没什么好讲的,一句话足以解释:上传后路径没有经过校验直接拼接,可以通过路径遍历../../../../repository/deployment/server/webapps/authenticationendpoint/,将 webshell 上传到 web 目录下。
调试该案例主要是为了看看调用栈跟进一下WSO2AM 的 Servlet 以及 Handler 加载方式。
类似原理的上传漏洞还是比较常见的,比如泡菜国的某几款邮件服务器里,目前还是 0day 这里就不多言了。。简单看了下 WSO2AM 4.0.0 里脆弱点不止这一处,感兴趣的师傅可以再深挖一下 
Referer
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
https://www.cnblogs.com/ArtofDesign/p/9592453.html
声明:本文档仅用于技术研究,由于传播、使用此文档提供的信息而造成任何后果,均由使用者本人负责,Craft Security Group 团队及文章作者不为此承担任何法律责任。
Spring Framework RCE(CVE-2022-22965) 漏洞原理和利用分析
Spring Cloud Function SpEL 表达式注入漏洞(CVE-2022-22963) 分析
Spring Cloud Gateway SpEL 表达式注入漏洞(CVE-2022-22947) 分析
Zabbix setup.php 访问权限控制不当漏洞(CVE-2022-23134) 分析
Zabbix SAML SSO 认证绕过漏洞(CVE-2022-23131) 分析
原文始发于微信公众号(Craft Security Group):WSO2 API Manager 文件上传漏洞(CVE-2022-29464) 分析
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论