How to perform Nuxeo Authentication Bypass and RCE vulnerability Analysis

2025-02-23 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

Many people with little experience are at a loss when it comes to analysing the Nuxeo authentication bypass and RCE vulnerability, so this article summarises the cause of the problem and its fix. I hope it helps you work through it.

Brief introduction

Nuxeo Platform is a cross-platform open source enterprise content management system (CMS).

The nuxeo-jsf-ui component does not handle facelet templates correctly. When a requested facelet template does not exist, its file name is written into the error page, the error page is itself parsed as a template, and so a file name that contains an EL expression is output and evaluated, which leads to remote code execution.

During vulnerability research it was found that in 10.2 the nuxeo-jsf-ui component is not installed by default, whereas earlier versions install it by default. It can be installed with the command nuxeoctl mp-install nuxeo-jsf-ui.

Scope of influence

Nuxeo Server version < 10.3

Vulnerability reproduction

Download the Nuxeo 10.2 installation package from the official website and install it locally, then log in with the default credentials Administrator/Administrator.

While logged in, visit test${11*11}.xhtml and you can see that the expression is evaluated.

Executing system commands

Nuxeo is built on top of the Seam Framework. Seam is a web application framework developed by JBoss; it was quite popular a few years ago, and many applications still use it.

When EL is used to execute arbitrary system commands, Seam's internal EL parsing has some protection in place; the following payload bypasses it.

${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("calc",null).toString()}

Authentication bypass

Without logging in, facelet templates cannot be accessed; if a login were required for command execution the vulnerability would be of rather limited use. It was found that login.jsp/%24%7b%31%31%2a%31%31%7d.xhtml can be used to bypass the access control.

Authentication bypass analysis

Looking at the web.xml configuration file, the developers registered a filter named NuxeoAuthenticationFilter and the Faces Servlet for *.xhtml resources. Experience suggests that authentication is handled in the filter.

Debugging shows that the relevant logic is in the bypassAuth method of the NuxeoAuthenticationFilter class.

Inside that method, unAuthenticatedURLPrefix is a list whose value is ["login.jsp","webservices/"]; as long as requestPage starts with one of the strings in unAuthenticatedURLPrefix, the user's identity is not verified.

According to the registered Faces Servlet rule "*.xhtml", login.jsp/test.xhtml certainly matches. To control access to a resource, the request must first enter the access-control logic, but that logic compares only with startsWith, which this path also satisfies, so the path login.jsp/test.xhtml bypasses the NuxeoAuthenticationFilter check and reaches the Faces Servlet (which handles templates).

One might ask whether /webservices/xx.xhtml could bypass it in the same way. The answer is no: a different Servlet is registered for /webservices/* resources, a request can be handled by only one Servlet, and that registration takes precedence.

RCE analysis

First, a screenshot of the crime scene: the is variable contains user-controllable content that flows into the parse method.

The handler for src is NuxeoNotFoundResourceHandler. Looking at its implementation, the error message built in getInputStream contains the expression, and it too enters the parse method and is evaluated. In other words, when the requested path does not exist, the path is returned to the caller as the source content, which then enters the template's parse method and is parsed and executed.
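The following is an added illustration, not code from Nuxeo or from the original post. It models the startsWith() allow-list check described in the authentication bypass analysis above (the list value ["login.jsp","webservices/"] is the one quoted there) and contrasts it with a hypothetical stricter rule; the stricter rule is my own assumption for teaching purposes and is not Nuxeo's actual patch.

```python
# Added illustration, not Nuxeo's own code: models the startsWith() allow-list
# from the analysis above and a hypothetical stricter replacement.
from urllib.parse import unquote

# Allow-list value quoted in the analysis above
UNAUTHENTICATED_URL_PREFIX = ["login.jsp", "webservices/"]


def bypass_auth_weak(request_page: str) -> bool:
    """Model of the check described in the analysis: authentication is skipped as
    soon as the raw request page starts with any allow-listed string."""
    return any(request_page.startswith(p) for p in UNAUTHENTICATED_URL_PREFIX)


def bypass_auth_strict(request_page: str) -> bool:
    """Hypothetical hardened rule (an assumption, not Nuxeo's patch):
    1. percent-decode before comparing, so an encoded target is seen as it will
       be served;
    2. a file entry ("login.jsp") must equal the whole page, not just its start;
    3. a directory entry ("webservices/") matches only as a path prefix, and no
       allow-listed entry ever grants access to a facelet template (*.xhtml),
       which is exactly what the Faces Servlet would otherwise parse."""
    page = unquote(request_page)
    if page.lower().endswith(".xhtml"):
        return False
    for prefix in UNAUTHENTICATED_URL_PREFIX:
        if prefix.endswith("/"):
            if page.startswith(prefix):
                return True
        elif page == prefix:
            return True
    return False


def compare(pages):
    """Return {page: (weak_result, strict_result)} for a list of request pages."""
    return {p: (bypass_auth_weak(p), bypass_auth_strict(p)) for p in pages}


if __name__ == "__main__":
    samples = [
        "login.jsp",
        "login.jsp/test.xhtml",
        "login.jsp/%24%7b%31%31%2a%31%31%7d.xhtml",  # percent-encoded ${11*11}
        "webservices/foo",
        "nxpath/default/default-domain@view_documents",
    ]
    for page, (weak, strict) in compare(samples).items():
        print(f"{page:48} weak-skips-auth={weak!s:5} strict-skips-auth={strict}")
```

The weak check lets login.jsp/test.xhtml through because the comparison stops at the prefix and never asks what resource the rest of the path selects; the stricter rule answers that question by decoding first, matching file entries exactly, and refusing to exempt any *.xhtml target at all.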

Patch analysis

https://github.com/nuxeo/nuxeo/commit/eb54a9145c6d8297eba9d7dafc74556e735fa388#diff-cf2094833ef0eea473d03bf6559f1798R97

The fix is a filter: in getInputStream, the path is written to the returned input stream only if it contains neither "#" nor "$", so no EL expression can reach the template parser and be executed.
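For the detection side, here is an added example (not part of the original post and not Nuxeo code) that scans web-server access-log lines for the two request shapes this analysis describes: a login.jsp/<...>.xhtml path that would reach the Faces Servlet unauthenticated, and EL markers (${ or #{) in a request path, the very characters the patch filters out. The log lines are constructed samples in Apache combined format, not real traffic, and the field layout is assumed.

```python
# Added example, not from the original post: scan access-log lines for the
# request shapes described in the analysis. Log lines are constructed samples.
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2019:10:01:02 +0000] "GET /nuxeo/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [31/May/2019:10:01:09 +0000] "GET /nuxeo/login.jsp/%24%7b%31%31%2a%31%31%7d.xhtml HTTP/1.1" 500 2231 "-" "Mozilla/5.0"
10.0.0.7 - - [31/May/2019:10:02:15 +0000] "GET /nuxeo/test%24%7B11*11%7D.xhtml HTTP/1.1" 500 2231 "-" "Mozilla/5.0"
10.0.0.9 - - [31/May/2019:10:03:44 +0000] "GET /nuxeo/nxpath/default/default-domain@view_documents HTTP/1.1" 200 873 "-" "Mozilla/5.0"
"""

# Assumed combined-log layout: ip ident user [time] "METHOD target HTTP/x" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
EL_MARKER_RE = re.compile(r"[$#]\{")                       # ${...} or #{...}
LOGIN_JSP_SUBPATH_RE = re.compile(r"/login\.jsp/.+\.xhtml$", re.IGNORECASE)


def decode_path(target: str) -> str:
    """Drop the query string and percent-decode up to twice (catches double encoding)."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(path: str) -> list:
    """Return the list of reasons a decoded request path is suspicious."""
    reasons = []
    if LOGIN_JSP_SUBPATH_RE.search(path):
        reasons.append("auth-bypass")   # login.jsp/<...>.xhtml reaching the Faces Servlet
    if EL_MARKER_RE.search(path):
        reasons.append("el-marker")     # EL syntax in a path that may be echoed into a template
    return reasons


def scan_log(text: str) -> list:
    """Parse each line, decode the request path and collect flagged requests."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = decode_path(m.group("target"))
        reasons = classify(path)
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:10} {f['status']} {','.join(f['reasons']):22} {f['path']}")
```

Decoding before matching matters because the bypass request in the post is fully percent-encoded; matching on the raw target would miss it. A 500 status on a flagged path is worth correlating as well, since the vulnerable handler produces the expression through the error path for a resource that does not exist.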

After reading the above, have you mastered how to analyse the Nuxeo authentication bypass and RCE vulnerability? If you want to learn more skills or find out more about it, you are welcome to follow the industry information channel. Thank you for reading!
