Nexus Repository Manager 3 RCE 分析 -【CVE-2019-7238】

摘要： 漏洞公告 https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Cod...

漏洞公告

https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019

膜 Rico 和 voidfyoo. orz

漏洞分析

定位到如下位置 plugins/nexus-coreui-plugin/src/main/java/org/sonatype/nexus/coreui/ComponentComponent.groovy:185

@Named
@Singleton
@DirectAction(action = 'coreui_Component')
class ComponentComponent
extends DirectComponentSupport
{
...

@DirectMethod
@Timed
@ExceptionMetered
PagedResponse<AssetXO> previewAssets(final StoreLoadParameters parameters) {

String repositoryName = parameters.getFilter('repositoryName')
String expression = parameters.getFilter('expression')
String type = parameters.getFilter('type')
// 接收三個引數 repositoryName 、 expression 、 type

if (!expression || !type || !repositoryName) {
return null
}

// 設定 repositoryName
RepositorySelector repositorySelector = RepositorySelector.fromSelector(repositoryName)

// 根據 type 分別呼叫不同的 validate
if (type == JexlSelector.TYPE) {
jexlExpressionValidator.validate(expression)
}
else if (type == CselSelector.TYPE) {
cselExpressionValidator.validate(expression)
}

List<Repository> selectedRepositories = getPreviewRepositories(repositorySelector)
if (!selectedRepositories.size()) {
return null
}

def result = browseService.previewAssets(
repositorySelector,
selectedRepositories,
expression,
toQueryOptions(parameters))
return new PagedResponse<AssetXO>(
result.total,
result.results.collect(ASSET_CONVERTER.rcurry(null, null, [:], 0)) // buckets not needed for asset preview screen
)
} 
...
}

Nexus為了查詢方便，特地在jexl的基礎上引入了csel表示式。簡單起見，這裡不做展開。接著我們跟入 browseService.previewAssets ，介面定義在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/browse/BrowseService.java:59

/**
* Returns a {@link BrowseResult} for previewing the specified repository based on an arbitrary content selector.
*/
BrowseResult<Asset> previewAssets(final RepositorySelector selectedRepository,
final List<Repository> repositories,
final String jexlExpression,
final QueryOptions queryOptions);

具體實現在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/browse/internal/BrowseServiceImpl.java:233

@Named
@Singleton
public class BrowseServiceImpl
extends ComponentSupport
implements BrowseService
{
...
@Override
public BrowseResult<Asset> previewAssets(final RepositorySelector repositorySelector,
final List<Repository> repositories,
final String jexlExpression,
final QueryOptions queryOptions)
{
checkNotNull(repositories);
checkNotNull(jexlExpression);
final Repository repository = repositories.get(0);
try (StorageTx storageTx = repository.facet(StorageFacet.class).txSupplier().get()) {
storageTx.begin();
List<Repository> previewRepositories;
if (repositories.size() == 1 && groupType.equals(repository.getType())) {
previewRepositories = repository.facet(GroupFacet.class).leafMembers();
}
else {
previewRepositories = repositories;
}

PreviewAssetsSqlBuilder builder = new PreviewAssetsSqlBuilder(
repositorySelector,
jexlExpression,
queryOptions,
getRepoToContainedGroupMap(repositories));

String whereClause = String.format("and (%s)", builder.buildWhereClause());

//The whereClause is passed in as the querySuffix so that contentExpression will run after repository filtering
return new BrowseResult<>(
storageTx.countAssets(null, builder.buildSqlParams(), previewRepositories, whereClause),
Lists.newArrayList(storageTx.findAssets(null, builder.buildSqlParams(),
previewRepositories, whereClause + builder.buildQuerySuffix()))
);
}
}
...
}

注意上面程式碼中的英文註釋，大意為 whereClause 條件在完成 repository filtering 後將會進行 contentExpression 。而 whereClause 是通過前面一系列Builder構建的。可以跟入 builder.buildWhereClause() ，在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/browse/internal/PreviewAssetsSqlBuilder.java:51 ， 這裡最終引入了contentExpression和jexlExpression:

public class PreviewAssetsSqlBuilder
{
...
public String buildWhereClause() {
return whereClause("contentExpression(@this, :jexlExpression, :repositorySelector, " +
":repoToContainedGroupMap) == true", queryOptions.getFilter() != null);
}
...
}

接下來即考慮如何進一步執行 contentExpression 。在 components/nexus-repository/src/main/java/org/sonatype/nexus/repository/selector/internal/ContentExpressionFunction.java 。當 contentExpression 執行時，會呼叫 execute 方法：

public class ContentExpressionFunction
extends OSQLFunctionAbstract
{
public static final String NAME = "contentExpression";
...
@Inject
public ContentExpressionFunction(final VariableResolverAdapterManager variableResolverAdapterManager,
final SelectorManager selectorManager,
final ContentAuthHelper contentAuthHelper)
{
super(NAME, 4, 4);
this.variableResolverAdapterManager = checkNotNull(variableResolverAdapterManager);
this.selectorManager = checkNotNull(selectorManager);
this.contentAuthHelper = checkNotNull(contentAuthHelper);
}

@Override
public Object execute(final Object iThis,
final OIdentifiable iCurrentRecord,
final Object iCurrentResult,
final Object[] iParams,
final OCommandContext iContext)
{
OIdentifiable identifiable = (OIdentifiable) iParams[0];
// asset 
ODocument asset = identifiable.getRecord();
RepositorySelector repositorySelector = RepositorySelector.fromSelector((String) iParams[2]);
// jexlExpression 即 iParams[1]
String jexlExpression = (String) iParams[1];
List<String> membersForAuth;

...

return contentAuthHelper.checkAssetPermissions(asset, membersForAuth.toArray(new String[membersForAuth.size()])) &&
checkJexlExpression(asset, jexlExpression, asset.field(AssetEntityAdapter.P_FORMAT, String.class));
}

其中的 iParams 即可對應傳入的引數。 contentExpression(@this, :jexlExpression, :repositorySelector, " +":repoToContainedGroupMap) == true iParams[0] 即 @this , iParams[1] 即 jexlExpression , iParams[2] 即 repositorySelector 。在完成初步篩選出 asset 後進入最後的 checkJexlExpression

...
private boolean checkJexlExpression(final ODocument asset,
final String jexlExpression,
final String format)
{
VariableResolverAdapter variableResolverAdapter = variableResolverAdapterManager.get(format);
// variableSource 從 asset 中來
VariableSource variableSource = variableResolverAdapter.fromDocument(asset);

SelectorConfiguration selectorConfiguration = new SelectorConfiguration();

selectorConfiguration.setAttributes(ImmutableMap.of("expression", jexlExpression));
// JexlSelector.TYPE 是常量 定義為 'jexl'
selectorConfiguration.setType(JexlSelector.TYPE);
selectorConfiguration.setName("preview");

try {
// 解析表示式
return selectorManager.evaluate(selectorConfiguration, variableSource);
}
catch (SelectorEvaluationException e) {
log.debug("Unable to evaluate expression {}.", jexlExpression, e);
return false;
}
}

}

selectorConfiguration 儲存要生成的表示式config。 jexlExpression 即前面傳入的引數。跟入 selectorManager.evaluate ，在 components/nexus-core/src/main/java/org/sonatype/nexus/internal/selector/SelectorManagerImpl.java:156 ，最終執行了表示式

@Override
@Guarded(by = STARTED)
public boolean evaluate(final SelectorConfiguration selectorConfiguration, final VariableSource variableSource)
throws SelectorEvaluationException
{
// 根據傳入的 selectorConfiguration 生成對應的 selector 
// 前面指定了 JexlSelector.TYPE ，這裡將生成 JexlSelector
Selector selector = createSelector(selectorConfiguration);

try {
// 呼叫 selector 的 evaluate 方法
return selector.evaluate(variableSource);
}
catch (Exception e) {
throw new SelectorEvaluationException("Selector '" + selectorConfiguration.getName() + "' evaluation in error",
e);
}
}

漏洞復現

其對應介面位置如下圖

如果是新搭建的環境，為復現成功，還需要先往現有的Repository新增asset。這樣在查詢確實存在asset後，才會進一步根據 whereClause 對查詢結果asset進行篩選，也才會對 whereClause 進行表示式解析。不過在實際環境中，Repository中早就各種asset了。下面隨便選了一個logging.jar上傳。

POC如下：

漏洞修復

增加了許可權要求 @RequiresPermissions('nexus:selectors:*')