In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Ivanti Avalanche enterprise mobility management program. Other Ivanti products have recently been under active exploitation, and the mobile device management system is an attractive target. This bug was originally reported to the ZDI program by an anonymous researcher and was also discovered by Lucas Miller of Trend Micro Research. Successful exploitation of this vulnerability would allow an authenticated attacker to execute code in the context of SYSTEM. The following is a portion of their write-up covering CVE-2023-46263, with a few minimal modifications.
An arbitrary file upload vulnerability has been reported for Ivanti Avalanche. This vulnerability is due to improper input validation in the FileStoreConfig app.
A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in remote code execution as SYSTEM.
The Vulnerability
Ivanti Avalanche is a mobile device management system. The Central FileStore and the Central File Server in Avalanche are used to store and distribute files that are associated with payloads for mobile device configuration. For example, .apk files or OS update files could be stored in the Central FileStore. The Central FileStore is relevant to understanding this vulnerability.
The Avalanche web interface can be accessed over HTTP on TCP port 8080 as follows:
HTTP is a request/response protocol described in RFCs 7230 – 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:
where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like:
A corresponding HTTP request using the POST method might look like:
If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:
Avalanche allows users to change the location where the Central FileStore saves files by changing the FileStore path through the web interface. To change the FileStore path, a request to AvalancheWeb/app/FileStoreConfig.jsf is made, and the request is handled by the com.wavelink.amc.web.view.FileStoreConfigBean class. The request includes a txtUncPath request parameter that contains the new path to store files. Before saving the new values, the validateFileStoreUncPath method is called to verify that the new path is allowed. The path is checked against a deny list of disallowed values and for directory traversal characters. If the path passes the checks, the new path is saved. Future uploads to the FileStore will be stored in the new location.
An arbitrary file upload vulnerability exists in the Central FileStore. The vulnerability is due to insufficient sanitization of the txtUncPath field in the Central FileStore configuration settings. The validateFileStoreUncPath method attempts to prevent the new path from containing the webroot folders for Avalanche servers. However, the validateFileStoreUncPath method does not prevent the use of the parent folder of the RemoteControl server webroot folder at “C:\ProgramData\Wavelink\Avalanche\RemoteControlServer\app\”. An attacker can set the txtUncPath value to “C:\ProgramData\Wavelink\Avalanche”, bypassing the disallowed path checks. Then an attacker can send a request to upload a malicious file to the “RemoteControlServer\app” subfolder. The RemoteControl server is typically used to control connected Windows Mobile/CE devices and can be accessed by sending an HTTP request to http://<hostname>:1900/. By default, the RemoteControl server executes Velocity macro code. By uploading a crafted file to the RemoteControl server webroot, an attacker could execute arbitrary commands on the system.
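The logic flaw above is that a deny list of webroot folders only rejects paths inside a webroot, not paths that are ancestors of one. The following added example (not Ivanti's code; the deny-list logic is an assumed reconstruction, and the only webroot entry is the RemoteControlServer path named on the page) shows such a check beside a hardened version that also rejects any FileStore path that contains a protected webroot:

```python
import ntpath

# Protected webroot folders. Only the RemoteControl server webroot named on the
# page is listed; a real deployment would list every served directory.
WEBROOTS = [
    r"C:\ProgramData\Wavelink\Avalanche\RemoteControlServer\app",
]


def _norm(path: str) -> str:
    """Normalize a Windows path for comparison: collapse separators and '.'
    segments, drop a trailing backslash, and fold case (NTFS is case-insensitive)."""
    return ntpath.normpath(path).rstrip("\\").lower()


def validate_unc_path_weak(path: str) -> bool:
    """Assumed reconstruction of a deny-list check: reject traversal sequences
    and any path equal to, or inside, a protected webroot."""
    if ".." in path:
        return False
    p = _norm(path)
    for root in WEBROOTS:
        r = _norm(root)
        if p == r or p.startswith(r + "\\"):
            return False
    return True


def validate_unc_path_hardened(path: str) -> bool:
    """Same deny list, plus rejection of any path that is an ancestor of a
    protected webroot. A FileStore rooted above a webroot lets an upload
    with a subfolder component land inside the served directory."""
    if not validate_unc_path_weak(path):
        return False
    p = _norm(path)
    for root in WEBROOTS:
        r = _norm(root)
        if r == p or r.startswith(p + "\\"):
            return False
    return True


if __name__ == "__main__":
    for candidate in (r"D:\Avalanche\FileStore",
                      r"C:\ProgramData\Wavelink\Avalanche\RemoteControlServer\app",
                      r"C:\ProgramData\Wavelink\Avalanche"):
        print(candidate, validate_unc_path_weak(candidate),
              validate_unc_path_hardened(candidate))
```

The parent-folder value from the write-up passes the weak check and fails the hardened one. An allow list of dedicated storage directories would be stronger still than any deny list, but the example stays within the deny-list design the page describes.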
Source Code Walkthrough
The following code snippet was taken from Ivanti Avalanche version 6.4.1. Comments added by Trend Micro have been highlighted.
From app/FileStoreConfigSettings.xhtml in AvalancheWeb.jar.
From the decompiled WEB-INF.classes.com.wavelink.amc.web.view.CentralFileStoreDialog class in AvalancheWeb.jar.
Detection Guidance
To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on TCP ports 8080 (HTTP) and 8443 (HTTPS). Note that the traffic may be SSL encrypted. The detection device may be required to decrypt the traffic before proceeding through the next steps.
The detection device must monitor all HTTP POST requests to a request-URI containing the following path:
/AvalancheWeb/app/FileStoreConfig.jsf
If such a request is found, then the detection device must search the request body for the linkFileStoreConfigSave parameter. If the linkFileStoreConfigSave parameter value is “linkFileStoreConfigSave”, the value of the txtUncPath parameter must be inspected for the following string:
ProgramData\Wavelink\Avalanche
If found, the request should be considered suspicious as an attack exploiting this vulnerability is likely underway. Below is an example of a malicious request:
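The detection rule above, together with the HTTP request structure described earlier (request line, headers, empty line, &-delimited name=value body), as an added example that is not part of the original report. The sample requests are constructed; the hostname is a placeholder. The match is applied case-insensitively and after URL-decoding, which goes slightly beyond the literal string the guidance gives:

```python
from urllib.parse import parse_qs, urlsplit

# Values from the detection guidance
TARGET_PATH = "/AvalancheWeb/app/FileStoreConfig.jsf"
SAVE_PARAM = "linkFileStoreConfigSave"
PATH_PARAM = "txtUncPath"
SUSPICIOUS = r"programdata\wavelink\avalanche"   # compared case-insensitively


def parse_request(raw: str):
    """Split an HTTP/1.1 request into (method, target, headers, body).
    Headers end at the first empty line (CRLF CRLF); header names are folded to lower case."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_suspicious(raw: str) -> bool:
    """Apply the rule: POST to the FileStoreConfig path, save action present,
    and txtUncPath pointing into ProgramData\\Wavelink\\Avalanche."""
    method, target, _headers, body = parse_request(raw)
    if method != "POST":
        return False
    if TARGET_PATH not in urlsplit(target).path:
        return False
    params = parse_qs(body, keep_blank_values=True)   # decodes %xx and splits on &
    if params.get(SAVE_PARAM, [""])[0] != SAVE_PARAM:
        return False
    unc_path = params.get(PATH_PARAM, [""])[0]
    return SUSPICIOUS in unc_path.lower()


# Constructed sample traffic (hostname is a placeholder)
MALICIOUS = (
    "POST /AvalancheWeb/app/FileStoreConfig.jsf HTTP/1.1\r\n"
    "Host: avalanche.example:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "linkFileStoreConfigSave=linkFileStoreConfigSave"
    "&txtUncPath=C%3A%5CProgramData%5CWavelink%5CAvalanche"
)
BENIGN = (
    "POST /AvalancheWeb/app/FileStoreConfig.jsf HTTP/1.1\r\n"
    "Host: avalanche.example:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "linkFileStoreConfigSave=linkFileStoreConfigSave&txtUncPath=D%3A%5CFileStore"
)
NOT_A_SAVE = (
    "GET /AvalancheWeb/app/FileStoreConfig.jsf HTTP/1.1\r\n"
    "Host: avalanche.example:8080\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("malicious", MALICIOUS), ("benign", BENIGN), ("get", NOT_A_SAVE)):
        print(name, is_suspicious(req))
```

The rule only fires on the save action, so merely opening the configuration page does not alert. On port 8443 the detection device has to terminate or decrypt TLS before it can see the request body at all, as the guidance notes.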
Conclusion
Ivanti patched this vulnerability and several others with the release of version 6.4.2. No other mitigations are listed, so it is recommended that users of Ivanti Avalanche test and deploy this patch to fully address this vulnerability.
Special thanks to Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
Originally published by the Trend Micro Research Team: CVE-2023-46263: IVANTI AVALANCHE ARBITRARY FILE UPLOAD VULNERABILITY