΢ÈíSQL Server Reporting ServicesÔ¶³Ì´úÂëÖ´ÐÐÎó²îΣº¦Í¨¸æ

Ðû²¼Ê±¼ä 2020-02-17

Îó²î±àºÅºÍ¼¶±ð


CVE±àºÅ£ºCVE-2020-0618£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨


Ó°Ïì°æ±¾


Microsoft SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)

Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)

Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)

Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)

Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU)

Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)

Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)

Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)


Îó²î¸ÅÊö


¿ËÈÕ£¬±¾ÔÂ΢Èí²¹¶¡¸üеÄÎó²î£¬Î¢ÈíSQL Server Reporting ServicesÔ¶³Ì´úÂëÖ´ÐÐÎó²îµÄPoC±»¹ûÕ棬SQL Server Reporting ServicesÌṩһ×éÍâµØ¹¤¾ßºÍ·þÎñ£¬ÓÃÓÚ½¨Éè¡¢°²ÅźÍÖÎÀí±¨±í¡£SQL Server Reporting ServicesÖб£´æÒ»¸öÔ¶³Ì´úÂëÖ´ÐÐÎó²î£¬½öÐè»ñµÃµÍȨÏ޵Ĺ¥»÷Õß¿ÉÒÔÏòÊÜÓ°Ïì°æ±¾µÄReporting ServicesʵÀýÌύȫÐĽṹµÄÇëÇóÀ´Ê¹ÓôËÎó²î¡£ÀÖ³ÉʹÓôËÎó²îµÄ¹¥»÷Õß¿ÉÔÚReport Server·þÎñÕÊ»§ÉÏÏÂÎÄÖÐÖ´ÐÐí§Òâ´úÂë¡£


´ËÎó²îλÓÚReportingServicesWebServer.dllÎļþÖеÄBrowserNavigationCorrectorÀ࣬ÈçÏÂͼËùʾ:


×ðÁú¿­Ê±¡¤(ÖйúÇø)ÈËÉú¾ÍÊDz«!


´ÓÉÏͼ¿É¼û£¬ BrowserNavigationCorrectorÀàÖеÄOnLoadÒªÁìʹÓÃLosFormatterÀà¾ÙÐз´ÐòÁл¯²Ù×÷¡£


LosFormatterÒ»Ñùƽ³£ÓÃÓÚÐòÁл¯ºÍ·´ÐòÁл¯Web´°ÌåÒ³µÄÊÓͼ״̬(ViewState) £¬µ±Î´¾­ÓÉÂ˵ÄÓû§ÊäÈë±»LosFormatterÀà¾ÙÐз´ÐòÁл¯²Ù×÷ʱ£¬¾Í»á±¬·¢·´ÐòÁл¯Îó²î¡£


BrowserNavigationCorrectorÀà±»Microsoft.ReportingServices.WebServer.ReportViewerPageÀàŲÓã¬ÈçÏÂͼ£º


×ðÁú¿­Ê±¡¤(ÖйúÇø)ÈËÉú¾ÍÊDz«!


ReportViewerPageÀà¿ÉÒÔÓÉ/ReportServer/pages/ReportViewer.aspxÒ³Ãæ¾ÙÐд«²ÎŲÓ㬵±¹¥»÷ÕßŲÓøÃÒ³Ãæ²¢´«Èë¶ñÒâ½á¹¹µÄÐòÁл¯payload£¬¼´¿É´¥·¢Îó²î¡£


Îó²îÑéÖ¤


PoC£ºhttps://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/¡£


ÐÞ¸´½¨Òé


ÏÖÔÚ΢ÈíÒÑÐû²¼²¹¶¡ÐÞ¸´Îó²î£¬²Î¿¼Á´½Ó£ºhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618¡£


ÈôÊÇÄúµÄSQL Server°æ±¾ºÅδÔÚÉÏÎÄÖУ¬ÄÇôÄúµÄSQL Server°æ±¾½«²»ÔÙÊܵ½Î¢Èí¹Ù·½Ö§³Ö¡£Í¬ÑùÓб»´ËÎó²îÓ°ÏìµÄΣº¦¡£ÇëÉý¼¶µ½×îеÄSQL Server£¬ÒÔÃâÔâÊÜÎó²î¹¥»÷¡£


²Î¿¼Á´½Ó


https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/