Source: https://y4er.com/posts/cve-2022-22955-vmware-workspace-one-access-oauth2tokenresourcecontroller-auth-bypass/

CVE-2022-22955 VMware Workspace ONE Access OAuth2TokenResourceController Auth Bypass

2022-08-14 · about 771 words · estimated reading time 2 minutes

Reference: https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/1.png

https://id.test.local/SAAS/API/1.0/REST/oauth2/generateActivationToken/acs maps to com.vmware.horizon.rest.controller.oauth2.OAuth2TokenResourceController#generateActivationToken

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/2.png

generateActivationToken generates an activation token for an OAuth2 client.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/3.png

https://id.test.local/SAAS/API/1.0/REST/oauth2/activate maps to com.vmware.horizon.rest.controller.oauth2.OAuth2TokenResourceController#activateOauth2Client

The OAuth2 client is activated by exchanging the activation token.

The resulting client_secret is then used to authenticate.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/4.png

This yields a JWT token, and with that token any resource can be accessed.

During installation,

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/5.png

com.vmware.horizon.rest.controller.system.BootstrapController is invoked for initialization, which in turn calls com.vmware.horizon.components.authentication.OAuth2RemoteAccessServiceImpl#createDefaultServiceOAuth2Client.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/6.png

When the OAuth2 service is created for the first time, an OAuth2 client with system scope is created under the name Service__OAuth2Client. So https://id.test.local/SAAS/API/1.0/REST/oauth2/generateActivationToken/[id] can be used to request system-scope authorization.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/7.png

IAM ships with several default OAuth clients, so any of them can be used to request these privileges.

Only after reading the official advisory did I realize this is an old bug, from the same batch as the template injection one.

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/8.png

The fix adds an authentication check.

My writing is poor, my wording flippant, the content shallow and the operation clumsy. Corrections and guidance from the masters are welcome; many thanks.
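As an added example that is not part of the original post: a small Python checker that runs over constructed combined-format access log lines and reports successful calls to the generateActivationToken/[id] endpoint, plus the generateActivationToken -> activate sequence from one source, which is the call chain described above. The log format, sample lines and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined format (not real traffic).
# Lines 1-2: the generateActivationToken -> activate sequence from one source.
# Line 3: an activation request the server rejected (as a patched instance would).
# Line 4: unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2022:10:01:02 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/acs HTTP/1.1" 200 512
10.0.0.5 - - [14/Aug/2022:10:01:03 +0000] "POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1" 200 734
10.0.0.9 - - [14/Aug/2022:10:02:10 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/Service__OAuth2Client HTTP/1.1" 401 0
192.168.1.20 - - [14/Aug/2022:10:05:00 +0000] "GET /SAAS/ HTTP/1.1" 200 4021
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ACTIVATION_RE = re.compile(r"^/SAAS/API/1\.0/REST/oauth2/generateActivationToken/(?P<client>[^/?]+)")
ACTIVATE_PATH = "/SAAS/API/1.0/REST/oauth2/activate"

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev

def find_activation_abuse(lines, window=timedelta(minutes=5)):
    """Return (hits, chains).

    hits:   every successful (2xx) generateActivationToken/[id] request as (src, client_id);
            on a patched instance such a request should not succeed without authentication.
    chains: (src, client_id) where the same source then hit /activate within `window`,
            i.e. the activation token was exchanged for a client credential.
    """
    pending = {}        # src -> list of (ts, client_id) awaiting an /activate
    hits, chains = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["status"].startswith("2"):
            continue
        m = ACTIVATION_RE.match(ev["path"])
        if m:
            hits.append((ev["src"], m.group("client")))
            pending.setdefault(ev["src"], []).append((ev["ts"], m.group("client")))
        elif ev["path"].split("?", 1)[0] == ACTIVATE_PATH:
            for ts, client in pending.pop(ev["src"], []):
                if timedelta(0) <= ev["ts"] - ts <= window:
                    chains.append((ev["src"], client))
    return hits, chains

if __name__ == "__main__":
    hits, chains = find_activation_abuse(SAMPLE_LOG.splitlines())
    print("activation token requests:", hits)
    print("token -> activate chains:", chains)
```

Requests to these endpoints without a preceding authenticated session are the signal to look for; the chain output tells you which default client id was activated.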
