Shulou(Shulou.com)06/01 Report--

This article mainly introduces the relevant knowledge of network security penetration test deserialization vulnerability analysis and reproduction methods, the content is detailed and easy to understand, the operation is simple and fast, and has a certain reference value. I believe that after reading this network security penetration test deserialization vulnerability analysis and recurrence method article will gain something, let's take a look at it.

Overview of 0x00

Multiple versions of the GENESIS64 software have deserialization vulnerabilities that affect multiple components, such as:

According to the description of CVE vulnerability, download the corresponding GENESIS software version to build the environment, analyze and reproduce the vulnerability.

0x01 service analysis

After the installation is completed, we are familiar with the whole system and find that the Web program interface uses Silverlight for data exchange, so we need to find the relevant functional files for analysis. After some time searching, the configuration file opened by the system service is found, and the access interface information and the relevant profile information of the call are defined in the configuration file:

After multi-party analysis, the FwxServer class is found, and the startup and registration configurations of important services are defined in the class. Follow StartAsyncServer () to check:

The configuration item is processed in the StartAsyncServer () function, and the configuration in the configuration item is loaded. After that, there is a FwxServerBase () function that handles a lot of parameters. Continue to follow up:

The FwxServerBase () function only makes some settings for the configuration in the configuration file, but here it is found that it inherits AsyncServer, so follow up AsyncServer again:

The AsyncServer () function finishes configuring the relevant parameters and starts. At this point, you will complete the creation and startup of the entire service. Of course, only one startup project has been seen here, and the registration and startup of other services are similar:

0x02 vulnerability analysis

Based on the analysis of the previous service startup process and configuration items, it is finally located in the Asyncserver interface for handling submission requests. Several interfaces are defined in this interface, all of which are for the processing of submission requests, so this is used as a breakthrough for analysis.

A service contract is defined in the following figure, in which there are multiple operational contracts that handle submission requests:

Let's do a simple analysis of the relevant parameters, because only PutRequests handles the submit request, so let's take a look at it first. Here is to determine whether the Session in the submitted data is invalid. If the failure returns false, if the Session does not fail, go to the second layer to process Request:

In the following figure, you can see that the Request () function processes the data we submitted:

The main SOAP packet tag headers:

The cat tag in the tag corresponds to the following submission types, and several types correspond to the relevant processing methods:

Other tags are treated more or less the same. Come to the PutRequest () function, where there is an a function dealing with session, follow up and analyze:

In the a () function, the tag Actor and the data submitted by the user are judged, and the overloaded function a (Abeli1) is followed up:

You can see that there is only a value option in the a (Abeli1) overloaded function. Go back to before, follow up the a (Abeli0) overloaded function:

A (Abeli0) overloaded function processes Session-related data, and there is nothing to analyze, so move on:

Next, we see that there is an if judgment, and a value judgment is made for the tags PointName and PointHandle. Because there is usually a value, the local process generally does not enter into the else branch analysis:

A series of tag values are judged in the else branch, and the following code processes the submitted data

PointManager.ValidationResult validationResult = this.a (session, request, out pointManagerWrapper, out pointHint)

As long as the values of validationResult are invalid and Unknown, the request data will not be processed, otherwise it will be returned when the processing is complete:

To move on, the IsRequestAllowed () function is called here, which belongs to the ISecurityManager interface. Follow up and take a look at the processing:

In the IsRequestAllowed () function, the relevant label value is also judged. Here, it is judged whether the cat tag value is 4 and whether the InParams value is SubscribeProcedureInParams;. Then it determines whether the Session information is invalid, and then determines whether the PointName value begins with "cfg:". If so, enter the tj.a () function and follow up the tj.a () function:

The function is processed according to the value of the cat tag. If we submit that the value of cat is 4 and the value of InParams is SubscribeProcedureInParams, we will enter the case 4 branch processing and follow up the tj.a () overload handler again to see:

First of all, a judgment is made, using the RepositoryIdentifier class to follow up the RepositoryIdentifier.TryParse () function:

Here, the PointName data submitted by the user is divided with "|" and added to the list variable:

After processing the data, we judge whether the format of the data is normal or not. Here we mainly judge the length of the data, Guid. Value, "rpt:", "ctx:", "tag:", and then processed the "tag:" tag. You can see that the "tag:" tag Base64 is decrypted and deserialized, following up the Deserialize () function:

Deserialization calls DataContractSerializer for serialization:

By analyzing the code in the figure above, we can see that there is a hole in the code: the code customizes the data submitted by the user for serialization, so it cannot generate POC directly. It must be processed in advance before it can be used. After entering the Deserialize () function, the function first gets the first four bytes of the serialized data, and then reads the serialized data as the previous four bytes as length, so we must add the length before it, otherwise it cannot be deserialized successfully because we read the wrong data in the previous GetType acquisition.

We can see that in the DataContractSerializer () function, the parameters of GetType can be controlled. Analyze the processing of type: first, use the tool to generate a test poc, and then bring in the function for processing:

We can see that the function has processed the data, and after processing the data, we find that the value of the extracted variable is not complete.

Next, bring it into the system to find the type:

The final type result returned is null, that is, if the type to which it belongs is not found, the deserialization will naturally fail:

The list of serialization types here is put in the list list. System.Security.Principal.WindowsPrincipal is in list, but it is not found because of the format problem of the data:

According to the deletion construction of POC according to the serialization processing code, you can successfully obtain type:

0x03 POC construction

Based on the vulnerability analysis in the previous section, we can construct a vulnerability to exploit POC and test it using DataContractSerializer () as a carrier for deserialization:

You can see the requested data by grabbing the packet. In the packet, you can see that the label cat is 4 and the type is 0, but Inparams is not SubscribeProcedureInParams yet. Use the captured packet to construct POC, delete some unnecessary data in the packet and add some data that can trigger the vulnerability:

After the packet construction is completed, use the tool to generate POC. Here, ysoserial.NET is used. The vulnerability can be successfully exploited by modifying POC and adding to the packet:

This is the end of the article on "Analysis and recurrence of deserialization vulnerabilities in Network Security Penetration testing". Thank you for reading! I believe you all have a certain understanding of the knowledge of "network security penetration test deserialization vulnerability analysis and reproduction method". If you want to learn more, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.