CVE-2022-31656 VMware Workspace ONE Access UrlRewriteFilter Auth Bypass

source link: https://y4er.com/posts/cve-2022-31656-vmware-workspace-one-access-urlrewritefilter-auth-bypass/

2022-08-14 · about 1683 words · estimated reading time 4 minutes

As I wrote in an earlier post, VMware fixed CVE-2022-22972 by adding a HostHeaderFilter that intercepts requests based on the Host name so the authentication bypass can no longer be triggered. I recommend reading that earlier vulnerability before this one.

Petrus Viet found a spot in the UrlRewriteFilter where a RequestDispatcher can be used to bypass the permission check.

The principle is shown in the figure: the HostHeaderFilter check is skipped outright (figure by Petrus Viet).

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/1.png

org.tuckey.web.filters.urlrewrite.UrlRewriteFilter#doFilter

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/2.png

The URL rewrite rules are read through getUrlRewriter.

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/3.png

The configuration file comes from file:/opt/vmware/horizon/workspace/webapps/SAAS/WEB-INF/urlrewrite.xml

Once the rewrite rules are loaded, org.tuckey.web.filters.urlrewrite.UrlRewriter#processRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.FilterChain) is called to handle the request.

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/4.png

processRequest builds a RuleChain from the requestURI and then calls org.tuckey.web.filters.urlrewrite.RuleChain#doRules

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/5.png

Rule processing comes first: it iterates over rules and calls doRuleProcessing for each, and only then does handleRewrite perform the rewrite.

Let's look at doRuleProcessing

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/6.png

It takes the rule at the current iteration index of rules, matches it against this.finalToUrl and the request, and obtains a rewrittenUrl.

If rewrittenUrl is not null, it updates its own finalToUrl field and the rewritten-request field finalRewrittenRequest:

this.finalRewrittenRequest = rewrittenUrl;
this.finalToUrl = rewrittenUrl.getTarget();

In effect it walks urlrewrite.xml looking for a matching rule, and the result of each match is handed to the next rule as its input.

Now look at urlrewrite.xml

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/7.png

The rule matches ^/t/([^/]*)($|/)(((?!META-INF|WEB-INF).*))$ and rewrites it to /$3. For example:

/t/_/;/common.js is rewritten to /;/common.js

Next, /;/common.js is matched against the remaining rules and none of them match, so the final result is finalToUrl = "/;/common.js" and finalRewrittenRequest = rewrittenUrl.

Back in org.tuckey.web.filters.urlrewrite.RuleChain#doRules, let's continue with handleRewrite

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/8.png

Because finalRewrittenRequest is not null (see above), execution enters this.finalRewrittenRequest.doRewrite

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/9.png

After the forward, the request does not go through the filter chain again, so the HostHeaderFilter is skipped; and after getRequestDispatcher the servletPath becomes /common.js, with the semicolon stripped. A perfect bypass.

As for why the semicolon gets stripped: that's old knowledge, those who know, know.
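To make the two steps above concrete from the defender's side, here is an added example (my own illustration, not code from the post, from VMware, or from the UrlRewriteFilter project). It replays the /t/ rule quoted above on a request path, approximates the path-parameter stripping that happens when the forward target is turned into a servletPath (the stripping function is an assumed simplification, not the container's real normalization code), and scans constructed access-log lines for requests whose rewrite target carries a ';' that the forwarded servlet would never see. This matters for detection because the access log records the original URI, not the forwarded one, so a log scanner has to replay the rewrite itself.

```python
import re

# The tenant-prefix rewrite rule exactly as quoted from urlrewrite.xml in the post:
# it rewrites ^/t/([^/]*)($|/)(((?!META-INF|WEB-INF).*))$ to /$3.
TENANT_RULE = re.compile(r"^/t/([^/]*)($|/)(((?!META-INF|WEB-INF).*))$")

# Pulls method and request target out of a combined-format access-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def apply_tenant_rule(request_uri: str):
    """Return the rewrite target (/$3) of the /t/ rule, or None if the rule does not match."""
    m = TENANT_RULE.match(request_uri)
    return None if m is None else "/" + m.group(3)


def servlet_path_after_forward(path: str) -> str:
    """Assumed simplification of how a forward target becomes a servletPath:
    each segment's ';param' suffix (path parameters) is dropped and the empty
    segments left behind are collapsed. The real container logic is more involved."""
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return re.sub(r"/{2,}", "/", "/".join(segments))


def classify_request(request_uri: str) -> dict:
    """Replay the rewrite on one request path and report whether the rewrite target
    carries a ';' path parameter that the forward strips before any servlet sees it."""
    target = apply_tenant_rule(request_uri)
    if target is None:
        return {"target": None,
                "servlet_path": servlet_path_after_forward(request_uri),
                "suspicious": False}
    servlet_path = servlet_path_after_forward(target)
    return {"target": target,
            "servlet_path": servlet_path,
            "suspicious": ";" in target and servlet_path != target}


def scan_access_log(lines) -> list:
    """Return (original path, effective servlet path) for every log line whose request
    trips the /t/ rewrite with a ';' in the target; everything else is ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        path = m.group("target").split("?", 1)[0]  # the query string plays no part in the rule
        verdict = classify_request(path)
        if verdict["suspicious"]:
            hits.append((path, verdict["servlet_path"]))
    return hits


# Constructed sample access-log lines (not real traffic); the first one is the
# example path from the post, the third shows a ';param' inside a segment.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Aug/2022:10:00:00 +0000] "GET /t/_/;/common.js HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Aug/2022:10:00:01 +0000] "GET /t/acme/SAAS/apps/ HTTP/1.1" 302 0',
    '10.0.0.6 - - [14/Aug/2022:10:00:02 +0000] "GET /t/acme/common.js;x=1?q=2 HTTP/1.1" 200 88',
    '10.0.0.7 - - [14/Aug/2022:10:00:03 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for path, effective in scan_access_log(SAMPLE_LOG):
        print(f"{path!r}: rewrite forwards to servlet path {effective!r} without re-entering the filter chain")
```

Only requests that both match the /t/ rule and contain a path parameter in the rewritten remainder are reported; a normal tenant-prefixed request such as /t/acme/SAAS/apps/ is rewritten but not flagged, because nothing about its target changes between the rewrite and the forward.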

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/10.png

The classes and controller involved in the RCE that Petrus Viet describes are not present in the version of the OVA I have, so I'll just note the call chain briefly:

TenantMigrationResource.migrateTenant() 
-> TenantMigrationServiceImpl.migrateTenant() 
-> CustomGroupMigrationServiceImpl.migrateCustomGroup() 
-> ExportCustomGroup.getVidmUserIds()

The command injection is not in Java's Runtime.exec but in the arguments passed to sh; command execution is achieved through the pgsql arguments, similar to pgsql stacked queries. Without the code I won't write out the specific construction.

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/11.png

After talking with the author, the other RCE, CVE-2022-31658 (JDBC), should be in a different servlet container, cfg.

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/12.png

/cfg/setup/test

https://y4er.com/img/uploads/CVE-2022-31656-VMware-Workspace-ONE-Access-UrlRewriteFilter-Auth-Bypass/13.png

The patch upgraded the pgsql version.

https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd

My writing is poor, my wording flippant, the content shallow and the technique clumsy. Corrections and pointers from the masters are very welcome, with many thanks.
