Author: Badcode and Longofo @ Knownsec 404 Team
Date: February 9, 2020
Original link: https://paper.seebug.org/1260/
English link: https://paper.seebug.org/1261/
Preface
In early September 2019 we looked into the Nexus Repository Manager 2.x command injection vulnerability (CVE-2019-5475). The root cause and reproduction steps are summarised below, starting from the activationCondition method of YumCapability.
The value entered in the Path of "createrepo" field is read through getConfig().getCreaterepoPath(), and once obtained it is passed to this.validate().
The incoming path is user-controlled; it is concatenated with " --version" and then passed to commandLineExecutor.exec(), which, as the name suggests, executes a command. Following the exec method of the CommandLineExecutor class:
Before the command is executed it is parsed by CommandLine.parse(), which splits on spaces to obtain the executable and its arguments.
Finally, Runtime.getRuntime().exec() is called to execute the command.
For example, if the user supplies cmd.exe /c whoami, the final call is Runtime.getRuntime().exec({"cmd.exe", "/c", "whoami"}).
The principle of the vulnerability is therefore simple: when the createrepo or mergerepo path is set, the path is user-controlled, the " --version" string is appended to it, and the result is executed by Runtime.getRuntime().exec().
Vulnerability reproduction
Enter the payload in the Path of "createrepo" field.
You can see the result of execution in the Status column.
First bypass analysis
First patch analysis
The official patch changes several places; the key change is the following.
As is common practice, the command is filtered before it is executed: a new getCleanCommand() method was added for this purpose.
allowedExecutables is a HashSet containing only two values, createrepo and mergerepo. The method first checks whether the command passed by the user is in allowedExecutables; if so, the params (that is, --version) are concatenated and the result is returned directly. Otherwise it inspects the path of the command: if it starts with the Nexus working directory (applicationDirectories.getWorkDirectory().getAbsolutePath()), null is returned. It then checks the file name, and if that is not in allowedExecutables, null is returned as well, which means the command must end with /createrepo or /mergerepo. Once these checks pass, the absolute path of the file is concatenated with --version, so a payload such as cmd.exe /c whoami can no longer be executed. An exe can still be executed directly, but since --version is appended afterwards, many commands cannot be used; nevertheless, the ability to execute an arbitrary exe can be leveraged for subsequent attacks.
Second bypass analysis
Second patch analysis
After I submitted the above bypass, the vendor fixed it. Let's take a look at the official patch.
In getCleanCommand():
C:\\Windows\\System32\\calc.exe\.\..\\win.ini
Second bypass test (through parse())
Test environment: version 2.14.15-01, Windows
Test steps:
Enter the payload in the Path of "createrepo" field.
Looking at the process list, notepad.exe has been started.
As you can see, the patch was successfully bypassed.
Second bypass analysis +
From Badcode's second bypass analysis above, commands can be executed successfully on a Windows system, but there is one big limitation:
Nexus must be installed on the system drive, and some commands that need parameters cannot be used.
In the Artifact Upload feature mentioned above, arbitrary files can be uploaded, and the names of the uploaded files are all built from user-supplied parameters, so they are predictable. An exe of one's own can therefore be uploaded.
Second bypass analysis + test
Test environment: version 2.14.15-01, Windows
Test steps:
Navigate to Views/Repositories -> Repositories -> 3rd party -> Configuration; the absolute path of the default local storage location is shown there (content uploaded later also lands in this directory):
Navigate to Views/Repositories -> Repositories -> 3rd party -> Artifact Upload, where a malicious exe file can be uploaded:
The exe file is renamed to createrepo-1.exe (the name is built from the custom parameters):
Again enter the payload in the Path of "createrepo" field (note that the first part of the path begins with the Nexus installation directory, which the patch checks for, so a ..\ segment or a fake directory level such as aaa\.. can be inserted).
You can see that createrepo-1.exe has been executed:
Latest version analysis
Latest patch analysis
After the second patch was bypassed, the vendor fixed the issue again; the main changes in the patch are as follows.
The previous fix is removed and a YumCapabilityUpdateValidator class is added, which uses equals to check that the value obtained in validate is exactly equal to the value set in properties. That value can only be modified through sonatype-work/nexus/conf/capabilities.xml.
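To make the difference between the two validation strategies concrete, here is a small added Python model (not Nexus code and not from the original article) that contrasts a startsWith check on the raw submitted path, the same check after path normalisation, and the exact-equality check the final fix relies on. The Nexus work directory, the configured tool path and the sample inputs are constructed values.

```python
import ntpath

# Constructed values modelling the scenario in the article; not Nexus code.
NEXUS_WORK_DIR = r"C:\nexus\sonatype-work\nexus"    # assumed Nexus work directory
CONFIGURED_PATH = r"C:\tools\createrepo.exe"         # assumed value stored in capabilities.xml


def rejected_by_raw_prefix_check(path: str) -> bool:
    """Denylist style (second patch): reject when the raw string starts with the work dir.
    No normalisation is applied, so '..' segments change the prefix but not the target."""
    return path.startswith(NEXUS_WORK_DIR)


def rejected_by_normalized_prefix_check(path: str) -> bool:
    """Same check after collapsing '.' and '..' segments and ignoring case.
    Stronger, but still a denylist: anything outside the work dir is accepted."""
    normalized = ntpath.normpath(path).lower()
    return normalized.startswith(NEXUS_WORK_DIR.lower())


def accepted_by_equality_check(path: str) -> bool:
    """Allowlist style (final fix): only the exact configured value is accepted."""
    return path == CONFIGURED_PATH


def evaluate(path: str) -> dict:
    """Return the verdict of each check for one submitted path."""
    return {
        "raw_prefix_rejects": rejected_by_raw_prefix_check(path),
        "normalized_prefix_rejects": rejected_by_normalized_prefix_check(path),
        "equality_accepts": accepted_by_equality_check(path),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the configured tool, a file under the work dir,
    # and the same file reached through a fake directory level plus '..'.
    samples = [
        CONFIGURED_PATH,
        NEXUS_WORK_DIR + r"\storage\thirdparty\createrepo-1.exe",
        r"C:\nexus\sonatype-work\aaa\..\nexus\storage\thirdparty\createrepo-1.exe",
    ]
    for p in samples:
        print(p, evaluate(p))
```

The third sample slips past the raw prefix check while pointing at the same file as the second; normalisation closes that gap, and exact equality against the configured value rejects every path that was not set through the configuration file.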
Verification of the latest version
Modification is blocked directly in the front end, so the test is done by intercepting and modifying the request:
Break at YumCapabilityUpdateValidator.validate:
This fix can no longer be bypassed unless the configuration file can be overwritten somewhere, for example by an archive extraction that overwrites files, but no such place has been found.
However, the arbitrary file upload in Artifact Upload is still there, and it could still be used if a situation like the one above arises elsewhere.