Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability Advisory
Published: 2020-02-17
Vulnerability ID and severity
CVE ID: CVE-2020-0618; severity: high; CVSS score: not yet officially rated
Affected versions
Microsoft SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)
Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
Vulnerability overview
A PoC was recently made public for the Microsoft SQL Server Reporting Services remote code execution vulnerability fixed in this month's Microsoft patch update. SQL Server Reporting Services provides a set of on-premises tools and services for creating, deploying and managing reports. It contains a remote code execution vulnerability: an attacker who holds only low privileges can exploit it by submitting a specially crafted request to a Reporting Services instance running an affected version. An attacker who successfully exploits the vulnerability can execute arbitrary code in the context of the Report Server service account.
The vulnerability is in the BrowserNavigationCorrector class in ReportingServicesWebServer.dll.
The OnLoad method of the BrowserNavigationCorrector class uses the LosFormatter class to perform deserialization.
LosFormatter is normally used to serialize and deserialize the view state (ViewState) of Web Forms pages. When unfiltered user input is deserialized by LosFormatter, the result is a deserialization vulnerability.
The BrowserNavigationCorrector class is used by the Microsoft.ReportingServices.WebServer.ReportViewerPage class.
The ReportViewerPage class can be invoked, with parameters, through the /ReportServer/pages/ReportViewer.aspx page. When an attacker calls that page and passes in a maliciously constructed serialized payload, the vulnerability is triggered.
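A log triage sketch for the endpoint described above (an added example, not part of the original advisory): it scans W3C extended format HTTP logs for unusually large requests to /ReportServer/pages/ReportViewer.aspx and groups them by client address and account. The log field names, the size threshold and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Endpoint named in the advisory; matched case-insensitively.
TARGET = "/reportserver/pages/reportviewer.aspx"
# Assumption: requests larger than this are worth review; tune per site.
MIN_REQUEST_BYTES = 4096

# Constructed sample log (W3C extended format), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs-bytes
2020-02-18 09:12:01 10.0.0.21 alice GET /ReportServer/Pages/ReportViewer.aspx 200 512
2020-02-18 09:12:07 10.0.0.21 alice POST /ReportServer/Pages/ReportViewer.aspx 200 1830
2020-02-18 09:40:55 10.0.0.77 svc-temp POST /ReportServer/pages/ReportViewer.aspx 500 18422
2020-02-18 09:41:02 10.0.0.77 svc-temp POST /reportserver/pages/%52eportViewer.aspx 200 19010
2020-02-18 09:50:00 10.0.0.30 - POST /Reports/api/v2.0/me 401 9000
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def large_viewer_requests(text, min_bytes=MIN_REQUEST_BYTES):
    """Return entries for the report viewer page with cs-bytes >= min_bytes."""
    hits = []
    for e in parse_w3c(text):
        # Decode percent-escapes and lowercase so path variants still match.
        stem = unquote(e.get("cs-uri-stem", "")).lower()
        size = e.get("cs-bytes", "")
        if stem == TARGET and size.isdigit() and int(size) >= min_bytes:
            hits.append(e)
    return hits

def summarize(hits):
    """Count hits per (client IP, account) so repeated requests stand out."""
    counts = {}
    for e in hits:
        key = (e.get("c-ip", "-"), e.get("cs-username", "-"))
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (ip, user), n in summarize(large_viewer_requests(SAMPLE_LOG)).items():
        print(f"{ip} {user}: {n} large request(s) to ReportViewer.aspx")
```

Because the advisory states that a low-privileged account is sufficient, the account name on each hit is the starting point for follow-up.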
Vulnerability verification
PoC: https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
Remediation
Microsoft has released a patch that fixes the vulnerability. Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
If your SQL Server version is not listed above, it is no longer supported by Microsoft and is likewise at risk from this vulnerability. Upgrade to the latest SQL Server to avoid attacks that exploit it.
References
https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

