CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE
Word count: 1102 · 2025-08-26 22:11:15

Analysis of the Zoho Password Manager Pro XML-RPC Deserialization Remote Code Execution Vulnerability (CVE-2022-35405)

Overview

CVE-2022-35405 is an XML-RPC deserialization remote code execution vulnerability in Zoho Password Manager Pro. An attacker who can send a crafted XML-RPC request to the server is able to execute arbitrary code on it.

Affected Versions

  • ManageEngine Password Manager Pro build 12100 and earlier

Environment Setup

  1. Download the installer of an affected build:

    https://archives2.manageengine.com/passwordmanagerpro/12100/ManageEngine_PMP_64bit.exe

  2. Download the patch (fixed in build 12101):

    https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm

Vulnerability Analysis

Patch Comparison

The key fix is in the org.apache.xmlrpc.parser.SerializableParser#getResult method: the patch disables the deserialization that this method performed.

Trigger Path

  1. The request first reaches org.apache.xmlrpc.webserver.PmpApiServlet#doPost
  2. which calls the parent class method org.apache.xmlrpc.webserver.XmlRpcServlet#doPost
  3. which in turn calls org.apache.xmlrpc.webserver.XmlRpcServletServer#execute
  4. which calls org.apache.xmlrpc.server.XmlRpcStreamServer#execute
  5. In getRequest, an XmlRpcRequest is built from the raw servlet request
  6. Parsing of the XML begins, and the deserialization is triggered

Call Stack

getResult:36, SerializableParser (org.apache.xmlrpc.parser)
endValueTag:78, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:185, MapParser (org.apache.xmlrpc.parser)
endElement:103, RecursiveTypeParserImpl (org.apache.xmlrpc.parser)
endElement:165, XmlRpcRequestParser (org.apache.xmlrpc.parser)
endElement:-1, AbstractSAXParser (org.apache.xerces.parsers)
scanEndElement:-1, XMLNSDocumentScannerImpl (org.apache.xerces.impl)
dispatch:-1, XMLDocumentFragmentScannerImpl$FragmentContentDispatcher (org.apache.xerces.impl)
scanDocument:-1, XMLDocumentFragmentScannerImpl (org.apache.xerces.impl)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XML11Configuration (org.apache.xerces.parsers)
parse:-1, XMLParser (org.apache.xerces.parsers)
parse:-1, AbstractSAXParser (org.apache.xerces.parsers)
parse:-1, SAXParserImpl$JAXPSAXParser (org.apache.xerces.jaxp)
getRequest:76, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:212, XmlRpcStreamServer (org.apache.xmlrpc.server)
execute:112, XmlRpcServletServer (org.apache.xmlrpc.webserver)
doPost:196, XmlRpcServlet (org.apache.xmlrpc.webserver)
doPost:117, PmpApiServlet (org.apache.xmlrpc.webserver)
service:681, HttpServlet (javax.servlet.http)
service:764, HttpServlet (javax.servlet.http)
internalDoFilter:227, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:53, WsFilter (org.apache.tomcat.websocket.server)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:76, ADSFilter (com.manageengine.ads.fw.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:300, PassTrixFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:414, SecurityFilter (com.adventnet.iam.security)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:34, NTLMV2CredentialAssociationFilter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:155, NTLMV2Filter (com.adventnet.authentication)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:118, MSPOrganizationFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:149, PassTrixUrlRewriteFilter (com.adventnet.passtrix.client)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:109, SetCharacterEncodingFilter (org.apache.catalina.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:32, ClientFilter (com.adventnet.cp)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:80, ParamWrapperFilter (com.adventnet.filters)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:51, RememberMeFilter (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:65, AssociateCredential (com.adventnet.authentication.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
invoke:197, StandardWrapperValve (org.apache.catalina.core)
invoke:97, StandardContextValve (org.apache.catalina.core)
invoke:540, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:135, StandardHostValve (org.apache.catalina.core)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:687, AbstractAccessLogValve (org.apache.catalina.valves)
invoke:261, SingleSignOn (org.apache.catalina.authenticator)
invoke:78, StandardEngineValve (org.apache.catalina.core)
service:357, CoyoteAdapter (org.apache.catalina.connector)
service:382, Http11Processor (org.apache.coyote.http11)
process:65, AbstractProcessorLight (org.apache.coyote)
process:895, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1681, Nio2Endpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
processSocket:1171, AbstractEndpoint (org.apache.tomcat.util.net)
completed:104, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
completed:97, SecureNio2Channel$HandshakeReadCompletionHandler (org.apache.tomcat.util.net)
invokeUnchecked:126, Invoker (sun.nio.ch)
run:218, Invoker$2 (sun.nio.ch)
run:112, AsynchronousChannelGroupImpl$1 (sun.nio.ch)
runWorker:1191, ThreadPoolExecutor (org.apache.tomcat.util.threads)
run:659, ThreadPoolExecutor$Worker (org.apache.tomcat.util.threads)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)

Exploitation

This vulnerability is similar to CVE-2020-9496 (Apache OFBiz XML-RPC RCE), and the same PoC can be used. Exploitation requires crafting a malicious XML-RPC request that carries a Java object to be deserialized.

Remediation

  1. Upgrade immediately to the latest version (build 12101 or later)
  2. If an immediate upgrade is not possible, disable the XML-RPC functionality
  3. Enforce strict input validation at the network boundary and filter suspicious XML-RPC requests
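The exploitation section above says the malicious request carries a serialized Java object inside the XML-RPC body, and remediation item 3 recommends filtering such requests at the boundary. The following detector is an added example and is not code from the original post or from ManageEngine. It relies on two facts about the formats involved: Apache XML-RPC transports Java objects as base64 text inside a <serializable> element in its extensions namespace http://ws.apache.org/xmlrpc/namespaces/extensions (the value type that SerializableParser handles), and every Java serialization stream starts with the magic bytes AC ED 00 05. The sample request bodies are constructed here for illustration; the "serialized" payload is only the magic bytes followed by filler, not a gadget chain.

```python
"""Flag XML-RPC request bodies that carry a Java serialization payload.

Added example for boundary filtering / detection; not part of the original
analysis. Sample request bodies below are constructed, not captured traffic.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# Apache XML-RPC extension namespace. <ex:serializable> is the value type that
# org.apache.xmlrpc.parser.SerializableParser turns back into a Java object.
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5): the first four bytes of
# every java.io.ObjectOutputStream stream.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_serialized_payloads(body: bytes) -> list[str]:
    """Return a list of findings for one XML-RPC request body.

    An empty list means nothing deserialization-related was seen. Two
    independent signals are reported so a request is still caught when only
    one of them survives obfuscation:
      * a <serializable> value element (whatever its namespace prefix), and
      * any element text that is valid base64 and decodes to a stream
        starting with the Java serialization magic.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # A legitimate XML-RPC call must be well-formed XML, so report this
        # rather than silently passing the request through.
        return [f"unparseable XML: {exc}"]

    for elem in root.iter():
        if _local_name(elem.tag) == "serializable":
            findings.append("<serializable> value type present")

        text = (elem.text or "").strip()
        if not text:
            continue
        try:
            raw = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue  # ordinary strings/ints are not valid base64
        if raw.startswith(JAVA_SERIAL_MAGIC):
            findings.append(
                f"Java serialization magic inside <{_local_name(elem.tag)}>"
            )
    return findings


def is_suspicious(body: bytes) -> bool:
    """Boundary-filter decision: block when any finding is reported."""
    return bool(find_serialized_payloads(body))


# Constructed benign request: a plain integer parameter, no extension types.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.getStateName</methodName>
  <params><param><value><i4>41</i4></value></param></params>
</methodCall>"""

# Constructed suspicious request. The struct member mirrors the call stack in
# the analysis (MapParser -> endValueTag -> SerializableParser). The base64
# body is magic bytes plus filler, NOT a real serialized object.
_DUMMY_STREAM = base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed-sample").decode()
SUSPICIOUS_REQUEST = f"""<?xml version="1.0"?>
<methodCall xmlns:ex="{XMLRPC_EXT_NS}">
  <methodName>example.method</methodName>
  <params><param><value><struct>
    <member>
      <name>payload</name>
      <value><ex:serializable>{_DUMMY_STREAM}</ex:serializable></value>
    </member>
  </struct></value></param></params>
</methodCall>""".encode()


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, "->", find_serialized_payloads(body) or "clean")
```

Matching on the element's local name rather than on the literal prefix ex: matters because the prefix is chosen by the sender; checking the decoded bytes as well catches a payload smuggled into some other element type. Both signals are cheap enough to run inline in a reverse proxy or WAF rule in front of the PMP API endpoint while the upgrade to 12101 is being rolled out.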

Analysis Tips

  1. Use a static analysis tool (such as tabby) to find the call chains that reach XmlRpcRequestParser
  2. Start the analysis from the entry point of the path, org.apache.xmlrpc.webserver.PmpApiServlet
  3. Focus on the deserialization logic in the org.apache.xmlrpc.parser.SerializableParser class

Summary

The vulnerability stems from the deserialization feature of the XML-RPC implementation in Zoho Password Manager Pro not being properly restricted, which lets an attacker achieve remote code execution with a crafted request. Users are advised to update to the fixed version promptly and to review the security configuration of XML-RPC related components.
