VMware View Planner 远程代码执行漏洞复现分析(CVE-2021-21978)-爱代码爱编程
环境搭建
链接:https://pan.baidu.com/s/1Uw64KHr3hR553hz0a7xvrw
提取码:k3b0
双击使用vmware打开
提示输入账号密码,之后等待即可
使用刚才设置的账号密码进行登录
ifconfig|more
查看当前ip
之后使用其他管理软件链接,个人不太习惯默认的操作界面
链接之后
漏洞分析
通过查看公告发现需要上传恶意脚本文件覆盖特定的 web 程序
所以不能直接上传文件覆盖,需要先拿到一个源码修改之后上传,因为poc上的接口在logupload
通过查看发现在宿主机的
/root/viewplanner/apache_config/httpd.conf
下有配置
对应目录
/etc/httpd/html/wsgi_log_upload/log_upload_wsgi.py
对应文件
/root/viewplanner/httpd/wsgi_log_upload/log_upload_wsgi.py
#! /usr/bin/env python3
import cgi
import os,sys
import logging
import json
WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME = "workload_log_{}.zip"
class LogFileJson:
""" Defines format to upload log file in harness
Arguments:
itrLogPath : log path provided by harness to store log data
logFileType : Type of log file defined in api.agentlogFileType
workloadID [OPTIONAL] : workload id, if log file is workload specific
"""
def __init__(self, itrLogPath, logFileType, workloadID = None):
self.itrLogPath = itrLogPath
self.logFileType = logFileType
self.workloadID = workloadID
def to_json(self):
return json.dumps(self.__dict__)
@classmethod
def from_json(cls, json_str):
json_dict = json.loads(json_str)
return cls(**json_dict)
class agentlogFileType():
""" Defines various log file types to be uploaded by agent
"""
WORKLOAD_ZIP_LOG = "workloadLogsZipFile"
try:
# TO DO: Puth path in some config
logging.basicConfig(filename="/etc/httpd/html/logs/uploader.log",filemode='a', level=logging.ERROR)
except:
# In case write permission is not available in log folder.
pass
logger = logging.getLogger('log_upload_wsgi.py')
def application(environ, start_response):
logger.debug("application called")
if environ['REQUEST_METHOD'] == 'POST':
post = cgi.FieldStorage(
fp=environ['wsgi.input'],
environ=environ,
keep_blank_values=True
)
# TO DO: Puth path in some config or read from config is already available
resultBasePath = "/etc/httpd/html/vpresults"
try:
filedata = post["logfile"]
metaData = post["logMetaData"]
if metaData.value:
logFileJson = LogFileJson.from_json(metaData.value)
if not os.path.exists(os.path.join(resultBasePath, logFileJson.itrLogPath)):
os.makedirs(os.path.join(resultBasePath, logFileJson.itrLogPath))
if filedata.file:
if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):
filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))
else:
filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, logFileJson.logFileType)
with open(filePath, 'wb') as output_file:
while True:
data = filedata.file.read(1024)
# End of file
if not data:
break
output_file.write(data)
body = u" File uploaded successfully."
start_response(
'200 OK',
[
('Content-type', 'text/html; charset=utf8'),
('Content-Length', str(len(body))),
]
)
return [body.encode('utf8')]
except Exception as e:
logger.error("Exception {}".format(str(e)))
body = u"Exception {}".format(str(e))
else:
logger.error("Invalid request")
body = u"Invalid request"
start_response(
'400 fail',
[
('Content-type', 'text/html; charset=utf8'),
('Content-Length', str(len(body))),
]
)
return [body.encode('utf8')]
通过查看代码57-78行可以发现代码没有对参数进行任何过滤
从post过来的参数中获取logfile和logMetaData,如果metaData.value中itrLogPath与/etc/httpd/html/vpresults拼接,不存在则创建目录,如果存在filedata.file,即上传了文件,则将传入的文件写入对应目录,所以只需要传入一个log_upload_wsgi.py文件之后访问即可实现代码执行
漏洞复现
查看写入文件
cat /etc/httpd/html/wsgi_log_upload/log_upload_wsgi.py
参考文章
https://paper.seebug.org/1495/