Nexus Repository Manager 3 RCE 分析 -【CVE-2019-7238】
漏洞公告
膜 Rico 和 voidfyoo. orz
漏洞分析
定位到如下位置 plugins/nexus-coreui-plugin/src/main/java/org/sonatype/nexus/coreui/ComponentComponent.groovy:185
@Named @Singleton @DirectAction(action = 'coreui_Component') class ComponentComponent extends DirectComponentSupport { ... @DirectMethod @Timed @ExceptionMetered PagedResponse<AssetXO> previewAssets(final StoreLoadParameters parameters) { String repositoryName = parameters.getFilter('repositoryName') String expression = parameters.getFilter('expression') String type = parameters.getFilter('type') // 接收三個引數 repositoryName 、 expression 、 type if (!expression || !type || !repositoryName) { return null } // 設定 repositoryName RepositorySelector repositorySelector = RepositorySelector.fromSelector(repositoryName) // 根據 type 分別呼叫不同的 validate if (type == JexlSelector.TYPE) { jexlExpressionValidator.validate(expression) } else if (type == CselSelector.TYPE) { cselExpressionValidator.validate(expression) } List<Repository> selectedRepositories = getPreviewRepositories(repositorySelector) if (!selectedRepositories.size()) { return null } def result = browseService.previewAssets( repositorySelector, selectedRepositories, expression, toQueryOptions(parameters)) return new PagedResponse<AssetXO>( result.total, result.results.collect(ASSET_CONVERTER.rcurry(null, null, [:], 0)) // buckets not needed for asset preview screen ) } ... }
Nexus為了查詢方便,特地在jexl的基礎上引入了csel表示式。簡單起見,這裡不做展開。接著我們跟入 browseService.previewAssets
,介面定義在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/browse/BrowseService.java:59
/** * Returns a {@link BrowseResult} for previewing the specified repository based on an arbitrary content selector. */ BrowseResult<Asset> previewAssets(final RepositorySelector selectedRepository, final List<Repository> repositories, final String jexlExpression, final QueryOptions queryOptions);
具體實現在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/browse/internal/BrowseServiceImpl.java:233
@Named @Singleton public class BrowseServiceImpl extends ComponentSupport implements BrowseService { ... @Override public BrowseResult<Asset> previewAssets(final RepositorySelector repositorySelector, final List<Repository> repositories, final String jexlExpression, final QueryOptions queryOptions) { checkNotNull(repositories); checkNotNull(jexlExpression); final Repository repository = repositories.get(0); try (StorageTx storageTx = repository.facet(StorageFacet.class).txSupplier().get()) { storageTx.begin(); List<Repository> previewRepositories; if (repositories.size() == 1 && groupType.equals(repository.getType())) { previewRepositories = repository.facet(GroupFacet.class).leafMembers(); } else { previewRepositories = repositories; } PreviewAssetsSqlBuilder builder = new PreviewAssetsSqlBuilder( repositorySelector, jexlExpression, queryOptions, getRepoToContainedGroupMap(repositories)); String whereClause = String.format("and (%s)", builder.buildWhereClause()); //The whereClause is passed in as the querySuffix so that contentExpression will run after repository filtering return new BrowseResult<>( storageTx.countAssets(null, builder.buildSqlParams(), previewRepositories, whereClause), Lists.newArrayList(storageTx.findAssets(null, builder.buildSqlParams(), previewRepositories, whereClause + builder.buildQuerySuffix())) ); } } ... }
注意上面程式碼中的英文註釋,大意為 whereClause
條件在完成 repository filtering
後將會進行 contentExpression
。而 whereClause
是通過前面一系列Builder構建的。可以跟入 builder.buildWhereClause()
,在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/browse/internal/PreviewAssetsSqlBuilder.java:51
, 這裡最終引入了contentExpression和jexlExpression:
public class PreviewAssetsSqlBuilder { ... public String buildWhereClause() { return whereClause("contentExpression(@this, :jexlExpression, :repositorySelector, " + ":repoToContainedGroupMap) == true", queryOptions.getFilter() != null); } ... }
接下來即考慮如何進一步執行 contentExpression
。在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/selector/internal/ContentExpressionFunction.java
。當 contentExpression
執行時,會呼叫 execute
方法:
public class ContentExpressionFunction extends OSQLFunctionAbstract { public static final String NAME = "contentExpression"; ... @Inject public ContentExpressionFunction(final VariableResolverAdapterManager variableResolverAdapterManager, final SelectorManager selectorManager, final ContentAuthHelper contentAuthHelper) { super(NAME, 4, 4); this.variableResolverAdapterManager = checkNotNull(variableResolverAdapterManager); this.selectorManager = checkNotNull(selectorManager); this.contentAuthHelper = checkNotNull(contentAuthHelper); } @Override public Object execute(final Object iThis, final OIdentifiable iCurrentRecord, final Object iCurrentResult, final Object[] iParams, final OCommandContext iContext) { OIdentifiable identifiable = (OIdentifiable) iParams[0]; // asset ODocument asset = identifiable.getRecord(); RepositorySelector repositorySelector = RepositorySelector.fromSelector((String) iParams[2]); // jexlExpression 即 iParams[1] String jexlExpression = (String) iParams[1]; List<String> membersForAuth; ... return contentAuthHelper.checkAssetPermissions(asset, membersForAuth.toArray(new String[membersForAuth.size()])) && checkJexlExpression(asset, jexlExpression, asset.field(AssetEntityAdapter.P_FORMAT, String.class)); }
其中的 iParams
即可對應傳入的引數。 contentExpression(@this, :jexlExpression, :repositorySelector, " +":repoToContainedGroupMap) == true
iParams[0]
即 @this
, iParams[1]
即 jexlExpression
, iParams[2]
即 repositorySelector
。在完成初步篩選出 asset
後進入最後的 checkJexlExpression
... private boolean checkJexlExpression(final ODocument asset, final String jexlExpression, final String format) { VariableResolverAdapter variableResolverAdapter = variableResolverAdapterManager.get(format); // variableSource 從 asset 中來 VariableSource variableSource = variableResolverAdapter.fromDocument(asset); SelectorConfiguration selectorConfiguration = new SelectorConfiguration(); selectorConfiguration.setAttributes(ImmutableMap.of("expression", jexlExpression)); // JexlSelector.TYPE 是常量 定義為 'jexl' selectorConfiguration.setType(JexlSelector.TYPE); selectorConfiguration.setName("preview"); try { // 解析表示式 return selectorManager.evaluate(selectorConfiguration, variableSource); } catch (SelectorEvaluationException e) { log.debug("Unable to evaluate expression {}.", jexlExpression, e); return false; } } }
selectorConfiguration
儲存要生成的表示式config。 jexlExpression
即前面傳入的引數。跟入 selectorManager.evaluate
,在 components/nexus-core/src/main/java/org/sonatype/nexus/internal/selector/SelectorManagerImpl.java:156
,最終執行了表示式
@Override @Guarded(by = STARTED) public boolean evaluate(final SelectorConfiguration selectorConfiguration, final VariableSource variableSource) throws SelectorEvaluationException { // 根據傳入的 selectorConfiguration 生成對應的 selector // 前面指定了 JexlSelector.TYPE ,這裡將生成 JexlSelector Selector selector = createSelector(selectorConfiguration); try { // 呼叫 selector 的 evaluate 方法 return selector.evaluate(variableSource); } catch (Exception e) { throw new SelectorEvaluationException("Selector '" + selectorConfiguration.getName() + "' evaluation in error", e); } }
漏洞復現
其對應介面位置如下圖
如果是新搭建的環境,為復現成功,還需要先往現有的Repository新增asset。這樣在查詢確實存在asset後,才會進一步根據 whereClause
對查詢結果asset進行篩選,也才會對 whereClause
進行表示式解析。不過在實際環境中,Repository中早就各種asset了。下面隨便選了一個logging.jar上傳。
POC如下:
漏洞修復
增加了許可權要求 @RequiresPermissions('nexus:selectors:*')