CVE-2022-22955 VMware Workspace ONE Access OAuth2TokenResourceController Auth Bypass
2022-8-14 13:17:47 Author: y4er.com

Reference: https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/1.png

https://id.test.local/SAAS/API/1.0/REST/oauth2/generateActivationToken/acs maps to com.vmware.horizon.rest.controller.oauth2.OAuth2TokenResourceController#generateActivationToken

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/2.png

generateActivationToken generates an activation token for an OAuth2 client.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/3.png

https://id.test.local/SAAS/API/1.0/REST/oauth2/activate maps to com.vmware.horizon.rest.controller.oauth2.OAuth2TokenResourceController#activateOauth2Client

Exchanging the activation token activates the OAuth2 client, which yields its client_secret.

That client_secret is then used to authenticate.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/4.png

This returns a JWT, and with that token any resource can be accessed. Note that none of the three steps required any credentials from the caller.

During installation,

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/5.png

com.vmware.horizon.rest.controller.system.BootstrapController is invoked for initialization, which in turn calls com.vmware.horizon.components.authentication.OAuth2RemoteAccessServiceImpl#createDefaultServiceOAuth2Client.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/6.png

When the OAuth2 service is first created, a client named Service__OAuth2Client is created with system scope. So https://id.test.local/SAAS/API/1.0/REST/oauth2/generateActivationToken/[id] can be used to request an activation token for a system-scope client.

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/7.png

IAM has several default OAuth2 clients, so any of them can be used to obtain these privileges.
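As an added example (not part of the original post, and not VMware tooling), the detection side of the chain above: a small Python checker that runs over constructed, combined-format access-log lines and flags a successful generateActivationToken call followed by activate from the same source, plus any request for an activation token on one of the default client IDs, refused or not. The log format, the sample lines, the five-minute window and the alert names are all assumptions of the example; the endpoint paths and client IDs are the ones this post names.

```python
"""Added example (not from the write-up): flag the CVE-2022-22955 call chain in
web-server access logs. The log lines and their combined-style format are
constructed for the example; Workspace ONE Access's real log format is not on the page."""
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
GEN_RE = re.compile(r"^/SAAS/API/1\.0/REST/oauth2/generateActivationToken/(?P<client>[^/?]+)")
ACTIVATE_PATH = "/SAAS/API/1.0/REST/oauth2/activate"
DEFAULT_CLIENTS = {"acs", "Service__OAuth2Client"}  # default client ids named in the write-up
WINDOW_SECONDS = 300  # assumed: activate normally follows generate within minutes

# Constructed sample: one full chain from 203.0.113.7, ordinary browsing from
# 198.51.100.9, and a refused (401) attempt on the bootstrap client from 192.0.2.5.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2022:13:01:02 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/acs HTTP/1.1" 200 142 "-" "python-requests/2.28.1"
203.0.113.7 - - [14/Aug/2022:13:01:03 +0000] "POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1" 200 221 "-" "python-requests/2.28.1"
198.51.100.9 - - [14/Aug/2022:13:05:44 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Aug/2022:13:07:00 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/Service__OAuth2Client HTTP/1.1" 401 0 "-" "curl/7.79.1"
"""

Alert = Tuple[str, str, str, int]  # (rule, source ip, client id, http status)


def parse(line: str) -> Optional[dict]:
    """Pull ip, path, status and timestamp out of one combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def detect(lines) -> List[Alert]:
    pending = defaultdict(list)  # ip -> [(ts, client)] successful generateActivationToken calls
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        g = GEN_RE.match(ev["path"])
        if g:
            # Any request for an activation token on a default client is worth a
            # look, even when a patched server refuses it.
            if g["client"] in DEFAULT_CLIENTS:
                alerts.append(("default_client_activation_token", ev["ip"], g["client"], ev["status"]))
            if ev["status"] < 400:
                pending[ev["ip"]].append((ev["ts"], g["client"]))
        elif ev["path"] == ACTIVATE_PATH and ev["status"] < 400:
            # A successful activate shortly after a successful generate from the
            # same source is the full chain.
            for ts, client in pending.pop(ev["ip"], []):
                if 0 <= (ev["ts"] - ts).total_seconds() <= WINDOW_SECONDS:
                    alerts.append(("activation_chain", ev["ip"], client, ev["status"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields three alerts: the default-client request and the full chain from 203.0.113.7, and the refused attempt on Service__OAuth2Client from 192.0.2.5. Correlating by source IP is a simplification; behind a load balancer you would key on the forwarded client address instead.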

It was only after reading the official advisory that I realised this is an old bug, patched in the same batch as the template injection one.

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

https://y4er.com/img/uploads/CVE-2022-22955-VMware-Workspace-ONE-Access-OAuth2TokenResourceController-Auth-Bypass/8.png

The fix adds an authorization check.
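An added example, not VMware's code: an in-memory Python model of the three steps described above (generateActivationToken, activate, then authenticating with the client_secret to obtain a token), with a switch between the pre-patch behaviour, where the controller never checks who is calling, and the patched behaviour, where an authorization check is added. The endpoint paths and the default client IDs come from this post; the JSON field names, the client_credentials grant, the HMAC-signed token standing in for the JWT and the "admin system" scope string are assumptions of the model.

```python
"""Added example (not VMware's code): in-memory model of the chain described above,
generateActivationToken -> activate -> client_credentials -> token, switchable between
the pre-patch behaviour (no caller check) and the patched one. Paths come from the
write-up; field names, token format and scope strings are assumptions."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class OAuth2Client:
    client_id: str
    scope: str                           # assumed scope string
    client_secret: Optional[str] = None  # issued only once the client is activated


@dataclass
class Principal:
    name: str
    authenticated: bool = False
    is_admin: bool = False


ANONYMOUS = Principal("anonymous")


class OAuth2TokenResourceModel:
    """require_auth=False mirrors the vulnerable controller, which never looked at
    the caller; require_auth=True mirrors the fix (authorization check added)."""

    def __init__(self, require_auth: bool, signing_key: bytes):
        self.require_auth = require_auth
        self.key = signing_key
        self.activation_tokens: Dict[str, str] = {}  # token -> client_id, one-shot
        # Stand-ins for the default clients created at bootstrap by
        # createDefaultServiceOAuth2Client; their real scope values are not on the page.
        self.clients: Dict[str, OAuth2Client] = {
            cid: OAuth2Client(cid, "admin system") for cid in ("Service__OAuth2Client", "acs")}

    # POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/{client_id}
    def generate_activation_token(self, client_id: str, caller: Principal = ANONYMOUS) -> str:
        if self.require_auth and not (caller.authenticated and caller.is_admin):
            raise PermissionError("401: activation tokens require an authenticated admin")
        if client_id not in self.clients:
            raise KeyError("unknown client " + client_id)
        token = secrets.token_urlsafe(32)
        self.activation_tokens[token] = client_id
        return token

    # POST /SAAS/API/1.0/REST/oauth2/activate  (body: the activation token)
    def activate(self, activation_token: str) -> Dict[str, str]:
        client_id = self.activation_tokens.pop(activation_token, None)  # burn it
        if client_id is None:
            raise PermissionError("400: invalid or already-used activation token")
        client = self.clients[client_id]
        client.client_secret = secrets.token_urlsafe(32)
        return {"client_id": client.client_id, "client_secret": client.client_secret}

    # Token endpoint, grant_type=client_credentials (assumed: the page only says the
    # client_secret is used to authenticate and a JWT comes back).
    def token(self, client_id: str, client_secret: str) -> str:
        client = self.clients.get(client_id)
        if (client is None or client.client_secret is None
                or not hmac.compare_digest(client.client_secret, client_secret)):
            raise PermissionError("401: bad client credentials")
        payload = json.dumps({"sub": client_id, "scope": client.scope, "iat": int(time.time())},
                             separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig  # HMAC-signed stand-in for the JWT

    def scope_of(self, token: str) -> str:
        """What a resource server reads out of the token after verifying it."""
        payload_hex, sig = token.split(".")
        payload = bytes.fromhex(payload_hex)
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad token signature")
        return json.loads(payload)["scope"]


def anonymous_chain(server: OAuth2TokenResourceModel, client_id: str = "acs") -> str:
    """Drive the chain with no credentials at all; return the scope the final
    token carries, or raise where the server refuses."""
    act = server.generate_activation_token(client_id)               # step 1, unauthenticated
    creds = server.activate(act)                                    # step 2, get client_secret
    tok = server.token(creds["client_id"], creds["client_secret"])  # step 3, get token
    return server.scope_of(tok)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("pre-patch, anonymous caller gets:", anonymous_chain(OAuth2TokenResourceModel(False, key)))
    try:
        anonymous_chain(OAuth2TokenResourceModel(True, key))
    except PermissionError as e:
        print("patched:", e)
```

The point the model makes is that steps 2 and 3 are sound on their own: the activation token is random and one-shot, and the client_secret is checked in constant time. The whole chain collapses because step 1 hands an activation token for a privileged default client to anyone who asks, which is exactly the check the patch adds.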

My writing is poor, my wording flippant, the content shallow and the technique clumsy. Corrections and guidance from the masters on anything I got wrong are very welcome and much appreciated.


Source: https://y4er.com/posts/cve-2022-22955-vmware-workspace-one-access-oauth2tokenresourcecontroller-auth-bypass/