漏洞描述
近日,微软发布了2月安全更新公告,其中CVE-2020-0618 SQL Server 远程命令执行漏洞在国内存在危害,SQL Server 在国内使用量大。
Microsoft SQL Server(微软结构化查询语言服务器)是由微软公司所推出的关系型数据库解决方案。
漏洞存在于
ReportingServicesWebServer.dll
中,Microsoft.Reporting.WebForms.BrowserNavigationCorrector
的OnLoad()方法中,先从ViewState中取值,赋值给value变量,在对value变量进行非空判断后,初始化LosFormatter对象并对使用LosFormatter对象中的Deserialize()方法对value变量直接反序列化。
攻击者向 SQL Server 的Reporting Services发送特制请求会触发漏洞,攻击成功可获得SQL Server服务的对应控制权限。
漏洞分析
此漏洞在ReportingServicesWebServer.dll中
Microsoft.Reporting.WebForms.BrowserNavigationCorrector的OnLoad方法使用LosFormatter类反序列化了不受信任的用户输入:
protected override void OnInit(EventArgs e){ base.OnInit(e); ReportViewerHost reportViewer = this.ReportViewer; reportViewer.EnableHybrid = this.ShowHybrid; if (reportViewer != null) { PageRequestManagerErrorHandler child = new PageRequestManagerErrorHandler(); reportViewer.Parent.Controls.AddAt(reportViewer.Parent.Controls.IndexOf(reportViewer), child); BrowserNavigationCorrector child2 = reportViewer.CreateNavigationCorrector(); reportViewer.Parent.Controls.AddAt(reportViewer.Parent.Controls.IndexOf(reportViewer), child2);
回溯BrowserNavigationCorrector类来自
Microsoft.ReportingServices.WebServer.ReportViewerPage类:
protected override void OnInit(EventArgs e){ base.OnInit(e); ReportViewerHost reportViewer = this.ReportViewer; reportViewer.EnableHybrid = this.ShowHybrid; if (reportViewer != null) { PageRequestManagerErrorHandler child = new PageRequestManagerErrorHandler(); reportViewer.Parent.Controls.AddAt(reportViewer.Parent.Controls.IndexOf(reportViewer), child); BrowserNavigationCorrector child2 = reportViewer.CreateNavigationCorrector(); reportViewer.Parent.Controls.AddAt(reportViewer.Parent.Controls.IndexOf(reportViewer), child2);
可以通过在本地 SharePoint服务器中调用/ReportServer/pages/ReportViewer.aspx页面来调用此函数触发漏洞。
将以下HTTP请求发送到服务器验证漏洞:
POST /ReportServer/pages/ReportViewer.aspx HTTP/1.1Host: targetContent-Type: application/x-www-form-urlencodedContent-Length: XNavigationCorrector$PageState=NeedsCorrection&NavigationCorrector$ViewState=[PayloadHere]&__VIEWSTATE=
在PowerShell中使用ysoserial.net工具生成paylaod:
LosFormatter losFormatter = new LosFormatter(true, this.m_viewer.GetUserId());
使用上面生成的paylaod发送HTTP请求后得到了反向shell:
在微软2020年二月的patch中,使用LosFormatter类时,补丁启用了MAC验证来缓解此漏洞:
LosFormatter losFormatter = new LosFormatter(true, this.m_viewer.GetUserId());
漏洞危害
高危
影响版本
Microsoft SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)
Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
安全建议
打补丁是修补此漏洞的唯一选择,要确保只有经过身份验证的用户才能访问该程序。
请根据微软官进行漏洞修复:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
参考信息
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
https://support.microsoft.com/zh-cn/help/321185/how-to-determine-the-version-edition-and-update-level-of-sql-server-an
https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/