CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE
2022-7-21 10:16:7 Author: y4er.com

Here the getRequest function builds an XmlRpcRequest from the raw request: org.apache.xmlrpc.server.XmlRpcStreamServer#getRequest

getResult:36, SerializableParser (org.apache.xmlrpc.parser)
endValueTag:78, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:185, MapParser (org.apache.xmlrpc.parser)
endElement:103, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:165, XmlRpcRequestParser (org.apache.xmlrpc.parser)
endElement:-1, AbstractSAXParser (org.apache.xerces.parsers)
scanEndElement:-1, XMLNSDocumentScannerImpl (org.apache.xerces.impl)
dispatch:-1, XMLDocumentFragmentScannerImpl$FragmentContentDispatcher (org.apache.xerces.impl)
scanDocument:-1, XMLDocumentFragmentScannerImpl (org.apache.xerces.impl)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XMLParser (org.apache.xerces.parsers)
parse:-1, AbstractSAXParser (org.apache.xerces.parsers)
parse:-1, SAXParserImpl$JAXPSAXParser (org.apache.xerces.jaxp)
getRequest:76, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:212, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:112, XmlRpcServletServer (org.apache.xmlrpc.webserver)
doPost:196, XmlRpcServlet (org.apache.xmlrpc.webserver)
doPost:117, PmpApiServlet (org.apache.xmlrpc.webserver)
service:681, HttpServlet (javax.servlet.http)
service:764, HttpServlet (javax.servlet.http)
internalDoFilter:227, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:53, WsFilter (org.apache.tomcat.websocket.server)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:76, ADSFilter (com.manageengine.ads.fw.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:300, PassTrixFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:414, SecurityFilter (com.adventnet.iam.security)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:34, NTLMV2CredentialAssociationFilter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:155, NTLMV2Filter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:118, MSPOrganizationFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:149, PassTrixUrlRewriteFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:109, SetCharacterEncodingFilter (org.apache.catalina.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:32, ClientFilter (com.adventnet.cp)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:80, ParamWrapperFilter (com.adventnet.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:51, RememberMeFilter (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:65, AssociateCredential (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
invoke:197, StandardWrapperValve (org.apache.catalina.core)
invoke:97, StandardContextValve (org.apache.catalina.core)
invoke:540, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:135, StandardHostValve (org.apache.catalina.core)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:687, AbstractAccessLogValve (org.apache.catalina.valves)
invoke:261, SingleSignOn (org.apache.catalina.authenticator)
invoke:78, StandardEngineValve (org.apache.catalina.core)
service:357, CoyoteAdapter (org.apache.catalina.connector)
service:382, Http11Processor (org.apache.coyote.http11)
process:65, AbstractProcessorLight (org.apache.coyote)
process:895, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1681, Nio2Endpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
processSocket:1171, AbstractEndpoint (org.apache.tomcat.util.net)
completed:104, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
completed:97, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
invokeUnchecked:126, Invoker (sun.nio.ch)
run:218, Invoker$2 (sun.nio.ch)
run:112, AsynchronousChannelGroupImpl$1 (sun.nio.ch)
runWorker:1191, ThreadPoolExecutor (org.apache.tomcat.util.threads)
run:659, ThreadPoolExecutor$Worker (org.apache.tomcat.util.threads)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)
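As an added detection example (not from the original post, and not Zoho or Apache XML-RPC code), the Python below walks an XML-RPC request body and flags any value typed as the Apache XML-RPC `serializable` extension element, which is what SerializableParser at the top of the trace above hands to Java deserialization. The request bodies, method names and payload placeholder in it are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace and local name that Apache XML-RPC's TypeFactoryImpl maps to
# SerializableParser (top frame of the trace); that parser feeds the element's
# base64 payload to ObjectInputStream, which is the deserialization sink.
EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % EXT_NS


def find_serializable_values(body: bytes):
    """Return (methodName, count): count is the number of ex:serializable
    values anywhere in the call, including inside <struct> members (the
    MapParser path in the trace). Unparseable or non-methodCall bodies
    yield (None, 0)."""
    try:
        root = ET.fromstring(body)  # use defusedxml in production (entity bombs)
    except ET.ParseError:
        return None, 0
    if root.tag != "methodCall":
        return None, 0
    method = root.findtext("methodName", default="")
    count = sum(1 for _ in root.iter(SERIALIZABLE_TAG))
    return method, count


def is_suspicious(body: bytes) -> bool:
    """True when the request asks the server to deserialize a Java object."""
    return find_serializable_values(body)[1] > 0


# Constructed sample bodies (not captured traffic): a plain call, and one that
# carries a serializable value inside a struct member, mirroring the trace.
BENIGN = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>getVersion</methodName>
  <params><param><value><string>1.0</string></value></param></params>
</methodCall>"""

SUSPICIOUS = b"""<?xml version="1.0"?>
<methodCall xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions">
  <methodName>login</methodName>
  <params><param><value><struct>
    <member><name>token</name>
      <value><ex:serializable>BASE64_PAYLOAD_PLACEHOLDER</ex:serializable></value>
    </member>
  </struct></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, find_serializable_values(body), is_suspicious(body))
```

In Apache XML-RPC this element is only honoured when the server config has setEnabledForExtensions(true), so any hit on an endpoint that should not accept extension types deserves a closer look.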

In fact, what I looked for at first was not the vulnerability point itself but places where XML gets parsed: com.adventnet.tools.prevalent.InputFileParser#parse

After repeated debugging I found that this class implements its own startElement and endElement and never calls endValueTag(), so there is no type parsing involved at all and deserialization is never triggered.

Later I went back over the historical vulnerability write-ups, changed my approach, and simply searched for references to org.apache.xmlrpc.webserver.XmlRpcServlet, which turned up the vulnerability point right away; I felt pretty stupid. To be fair, static analysis tools are still useful.


Article source: https://y4er.com/post/cve-2022-35405-zoho-password-manager-pro-xml-rpc-rce/