Apache Guacamole Çå¾²Îó²îͨ¸æ

Ðû²¼Ê±¼ä 2020-07-03

0x00 Îó²î¸ÅÊö


²úÆ·

CVE ID

Àà ÐÍ

Îó²îÆ·¼¶

Ô¶³ÌʹÓÃ

Ó°Ïì¹æÄ£

Apache Guacamole

CVE-2020-9497

II

ÑÏÖØ

ÊÇ

Apache Guacamole < 1.2.0

CVE-2020-9498

MC

ÑÏÖØ

ÊÇ


0x01 Îó²îÏêÇé


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


Check PointµÄÇ徲ר¼ÒÔÚApache GuacamoleÖз¢Ã÷Á˶à¸öÑÏÖصķ´ÏòRDPÎó²î¡£¡£¡£¡£Apache GuacamoleÊÇϵͳÖÎÀíÔ±ÓÃÓÚÔ¶³Ì»á¼ûºÍÖÎÀíWindowsºÍLinuxÅÌËã»úµÄÊ¢ÐÐÔ¶³Ì×ÀÃæÓ¦ÓóÌÐò¡£¡£¡£¡£¹¥»÷Õß¿ÉÒÔʹÓÃÕâЩÎó²îʵÏÖ¶ÔGuacamoleЧÀÍÆ÷µÄÍêÈ«¿ØÖÆ£¬£¬£¬£¬²¢×èµ²ºÍ¿ØÖÆGuacamoleÉϵÄËùÓлỰ¡£¡£¡£¡£

ÐÅϢй¶Îó²î£¨CVE-2020-9497£©£º

ΪÁËÔÚRDPÅþÁ¬ºÍ¿Í»§¶ËÖ®¼ä´«ÊäÐÂÎÅ£¬£¬£¬£¬¿ª·¢Ö°Ô±ÎªÄ¬ÈÏRDPͨµÀʵÏÖÁËÀ©Õ¹£¬£¬£¬£¬ÓÃÓÚ´¦Öóͷ£À´×ÔЧÀÍÆ÷µÄÒôƵÊý¾Ý°ü£¨¡°rdpsnd¡±£©£¬£¬£¬£¬´«ÈëµÄÐÂÎÅÓÉFreeRDPµÄwStream¹¤¾ß·â×°£¬£¬£¬£¬²¢ÇÒʹÓøù¤¾ßµÄAPIÀ´ÆÊÎöÊý¾Ý¡£¡£¡£¡£¿ÉÊÇÓÉÓÚȱÉÙÊäÈë¹ýÂ˵¼ÖÂÔ½½ç¶ÁÈ¡¡£¡£¡£¡£ÈçͼËùʾ£º


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


¹¥»÷Õßͨ¹ý·¢ËÍÒ»Ìõ¶ñÒârdpsndÐÂÎÅ»ñÈ¡µ½RDP¿Í»§¶ËµÄÄÚ´æÐÅÏ¢¡£¡£¡£¡£

ÔÚͳһRDPͨµÀÖУ¬£¬£¬£¬²î±ðµÄÐÂΞßÓÐÀàËƵÄÎó²î¡£¡£¡£¡£Õâ´Î½«Ô½½çÊý¾Ý·¢Ë͵½ÅþÁ¬µÄ¿Í»§¶Ë£¬£¬£¬£¬¶ø²»ÊÇ·¢ËÍ»ØRDPЧÀÍÆ÷¡£¡£¡£¡£


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


¶ÁÈ¡µÄ½çÏßÀàËÆ£¬£¬£¬£¬Õâ´Î½«Êý¾Ý鶵½¿Í»§¶Ë¡£¡£¡£¡£

ÄÚ´æËð»µÎó²î£¨CVE-2020-9498£©

RDPЭÒ齫²î±ðµÄ¡°devices¡±·Ö³Éµ¥¶ÀµÄ¡°channels¡±£¬£¬£¬£¬°üÀ¨rdpsndÉùÒôµÄͨµÀ£¬£¬£¬£¬cliprdr¼ôÌù°åµÄͨµÀµÈµÈ¡£¡£¡£¡£×÷ΪÁýͳ²ã£¬£¬£¬£¬Í¨µÀÐÂÎÅÖ§³Ö·Ö¶Î£¬£¬£¬£¬´Ó¶øÔÊÐíÆäÐÂÎÅ×Ϊ4GB¡£¡£¡£¡£ÎªÁË׼ȷµØÖ§³ÖrdpsndºÍrdpdr£¨×°±¸Öض¨Ïò£©Í¨µÀ£¬£¬£¬£¬guacamole-serverµÄ¿ª·¢Ö°Ô±Ìí¼ÓÁËÒ»¸ö¸½¼ÓµÄÁýͳ²ã£¬£¬£¬£¬¸ÃÁýͳ²ãÔÚÎļþÖÐʵÏÖ£ºguac_common_svc.c¡£¡£¡£¡£ÏÂͼÏÔʾÁËÔÚ´ËÎļþÖÐʵÏֵĴ«ÈëͨµÀµÄƬ¶Ï´¦Öóͷ££º


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


ÎÒÃÇ¿ÉÒÔ¿´µ½µÚÒ»¸öƬ¶Ï±ØÐè°üÀ¨¸ÃCHANNEL_FLAG_FIRSTƬ¶Ï£¬£¬£¬£¬²¢ÇÒÔÚ´¦Öóͷ£¸ÃƬ¶Ïʱ£¬£¬£¬£¬½«Æ¾Ö¤total_length·ÖÅÉÁ÷¡£¡£¡£¡£¿ÉÊÇ£¬£¬£¬£¬ÈôÊǹ¥»÷Õß·¢ËͲ»´ø¸Ã±ê¼ÇµÄƬ¶Ï»áÔõÑù£¿£¿£¿£¿ËƺõÖ»Êǽ«Æ丽¼Óµ½ÏÈÇ°µÄÊ£ÓàÁ÷ÖС£¡£¡£¡£¿£¿£¿£¿É¼ûÕâÊÇÓÉÄÚ´æÇå¾²³åÍ»ÒýÆðµÄÐü¿ÕÖ¸ÕëÎó²î¡£¡£¡£¡£ÏÖÔÚ£¬£¬£¬£¬ÎÒÃÇÖ»ÐèÒª¼ì²é¿ª·¢Ö°Ô±ÊÇ·ñ¼ÇµÃÉÏÒ»ÌõÐÂÎÅ´¦Öóͷ£Íê³ÉʱÊÇ·ñ½«Ðü¿ÕÖ¸ÕëÉèÖÃΪNULL¡£¡£¡£¡£


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


ͼÖпÉÒÔ¿´³ö£¬£¬£¬£¬ÐÂÎÅ´¦Öóͷ£Íê³Éºó£¬£¬£¬£¬ÊÍ·ÅʹÓõÄÁ÷¶øûÓÐɨ³ýÐü¿ÕÖ¸Õë¡£¡£¡£¡£

ͨ¹ýʹÓÃÎó²îCVE-2020-9497ºÍCVE-2020-9498£¬£¬£¬£¬µ±Ô¶³ÌÓû§ÇëÇóÅþÁ¬µ½Êܺ¦ÕßµÄÅÌËã»úʱ£¬£¬£¬£¬ÊÜѬȾµÄÅÌËã»ú£¨RDPЧÀÍÆ÷£©¿ÉÒÔ¿ØÖÆguacdÀú³Ì£¬£¬£¬£¬´Ó¶øʵÏÖÔ¶³Ì´úÂëÖ´ÐС£¡£¡£¡£


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


ÖµµÃ×¢ÖصÄÊÇ£¬£¬£¬£¬µ½ÏÖÔÚΪֹ£¬£¬£¬£¬Apache GuacamoleÔ¶³Ì×ÀÃæÓ¦ÓóÌÐòÔÚDocker HubÉϵÄÏÂÔØÁ¿ÒÑÁè¼Ý1000Íò£¬£¬£¬£¬¸ÃÎó²îÓ°Ïì¹æÄ£½Ï´ó£¬£¬£¬£¬ÇëÏà¹ØÓû§Éý¼¶µ½Apache Guacamole 1.2.0°æ±¾¡£¡£¡£¡£


0x02 ´¦Öóͷ£½¨Òé


ÏÖÔÚ³§ÉÌÒÑÐû²¼²¹¶¡£¬£¬£¬£¬ÏÂÔØÁ´½Ó£º

https://guacamole.apache.org/releases/1.2.0/


0x03 Ïà¹ØÐÂÎÅ


https://thehackernews.com/2020/07/apache-guacamole-hacking.html


0x04 ²Î¿¼Á´½Ó


https://research.checkpoint.com/2020/apache-guacamole-rce/


0x05 ʱ¼äÏß


2020-07-02 Check PointÐû²¼Ñо¿±¨¸æ

2020-07-03 VSRCÐû²¼Îó²îͨ¸æ

¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾