Analysis of an RCE Caused by an Encoding Issue
1. Preface

The command injection vulnerability CVE-2024-12356 affects BeyondTrust's Privileged Remote Access and Remote Support product lines, and in practice it depends on the PostgreSQL vulnerability CVE-2025-1094. This article takes BeyondTrust's CVE-2024-12356 as the entry scenario, works step by step down to PostgreSQL's CVE-2025-1094, and explains the core encoding problem that makes the command injection possible.

2. Key points

CVE-2024-12356 is reached over WebSocket through BeyondTrust's pre-authentication route /nw: setting the HTTP Sec-WebSocket-Protocol subprotocol header to ingredi support desk customer thin (together with a few other required parameters such as Host) leads to the thin-scc-wrapper script.

2.1 Analysis of thin-scc-wrapper (CVE-2024-12356)

Main changes to the thin-scc-wrapper file before and after the patch:

## ... omit
if [[ "$authType" == "0" ]]; then
## read a normal sdcust gskey
+ blog "reading gskey"
read -t 30 gskey || exit 1
+ blog "read gskey as [$gskey]"
## ... omit
- quoted=$(export PHPRC="$BG_app_root/config/php-cli.ini"; echo $gskey | $ingrediRoot/app/dbquote)
+ quoted=$(export PHPRC="$BG_app_root/config/php-cli.ini"; echo "$gskey" | $ingrediRoot/app/dbquote)
if [[ $(echo "SELECT COUNT(1) FROM gw_sessions WHERE session_key = $quoted AND session_type = 'sdcust' AND (expiration IS NULL OR expiration>NOW())" | $db) !...
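Review bot: quoting `"$gskey"` in the `quoted=$(... echo "$gskey" | $ingrediRoot/app/dbquote)` line stops the shell from word-splitting and glob-expanding the value before it reaches dbquote, but the query is still assembled by interpolating `$quoted` into `SELECT COUNT(1) FROM gw_sessions WHERE session_key = $quoted ...`, so the safety of that line rests entirely on dbquote producing a correctly escaped literal for every byte sequence it is handed; this hunk would be stronger with either a parameterized query or an explicit check that `$gskey` is well-formed in the database's client encoding before it is quoted. Separately, the added `blog "read gskey as [$gskey]"` writes the raw, not-yet-validated session key to the log; logging its length or a redacted form would avoid persisting both the secret and any hostile bytes it contains.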
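The quoting step in the script above is only as safe as the input it receives: a byte sequence that is not well-formed in the database's client encoding can cause a quoting routine to mishandle the characters that follow it, which is the encoding problem this article traces to CVE-2025-1094. As an added example (not code from the article, BeyondTrust or PostgreSQL), the Python below performs a strict encoding check before quoting and rejects anything that does not decode; the `gw_sessions` query shape is taken from the script, while the function names and sample values are constructed for this example.

```python
# Added example: validate the client encoding of a value *before* it is quoted
# for SQL. A quoting routine that assumes well-formed input can be confused by
# bytes that are not valid in the connection's client encoding, so reject those
# up front instead of trusting the escaping step to cope with them.
# Names and sample values are constructed for this example.


class InvalidEncodingError(ValueError):
    """Raised when a value is not well-formed in the expected client encoding."""


def is_valid_in_encoding(raw: bytes, encoding: str = "utf-8") -> bool:
    """True only if every byte of `raw` decodes strictly in `encoding`."""
    try:
        raw.decode(encoding, errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def quote_literal(raw: bytes, encoding: str = "utf-8") -> str:
    """Quote `raw` as a PostgreSQL string literal after validating its encoding.

    Single quotes are doubled, which suffices for a plain 'literal' when
    standard_conforming_strings is on (the PostgreSQL default). The validation
    runs first, so the escaping never sees a truncated or malformed sequence.
    """
    if not is_valid_in_encoding(raw, encoding):
        raise InvalidEncodingError(
            f"value is not valid {encoding}; refusing to quote it")
    text = raw.decode(encoding)
    return "'" + text.replace("'", "''") + "'"


def build_session_query(gskey: bytes) -> str:
    """Assemble the lookup used by thin-scc-wrapper with a validated literal.

    A parameterized query is still the better choice; this shows that the
    interpolated form stays safe only if the literal is checked first.
    """
    quoted = quote_literal(gskey)
    return ("SELECT COUNT(1) FROM gw_sessions WHERE session_key = " + quoted +
            " AND session_type = 'sdcust'"
            " AND (expiration IS NULL OR expiration>NOW())")


if __name__ == "__main__":
    print(build_session_query(b"abc'def"))
    for sample in (b"\xe6\x97", b"\xff"):  # constructed malformed inputs
        print(sample, "valid:", is_valid_in_encoding(sample))
```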