Apache Mina 2.0.13 - Remote Command Execution


2016-09-22  translated by 0c0c0f  0c0c0f

Introduction to Apache Mina:

Apache Mina is a framework that helps users develop high-performance, highly scalable network applications. Built on Java NIO, it provides an abstract, event-driven, asynchronous API over the TCP/IP and UDP/IP protocols.


Vulnerability details:

Apache Mina 2.0.13 uses the OGNL library in the "IoSessionFinder" class. Its constructor takes one OGNL expression as a parameter, and that expression is evaluated when the "find" method is called. This class appears to be used only by the JMX MINA component "IoServiceMBean". When the IoServiceMBean is exposed through JMX, it is possible to abuse this function to execute an arbitrary command on the server.

The IoSessionFinder constructor contains a code-execution flaw. IoServiceMBean uses an IoSessionFinder object, so once IoServiceMBean is exposed to the outside world through JMX this becomes a remote code execution vulnerability.

Below is the IoSessionFinder constructor. It calls Ognl.parseExpression(query) directly (and find() later evaluates the parsed expression), so if query is attacker-controlled, remote code execution follows.

package org.apache.mina.integration.ognl;

import java.util.LinkedHashSet;
import java.util.Set;

import ognl.Ognl;
import ognl.OgnlContext;
import ognl.OgnlException;
import ognl.TypeConverter;

import org.apache.mina.core.session.IoSession;

public class IoSessionFinder {

    private final String query;

    private final TypeConverter typeConverter = new PropertyTypeConverter();

    private final Object expression;

    /**
     * Creates a new instance with the specified OGNL expression that returns
     * a boolean value (e.g. <tt>"id == 0x12345678"</tt>).
     *
     * @param query The OGNL expression
     */
    public IoSessionFinder(String query) {
        if (query == null) {
            throw new IllegalArgumentException("query");
        }

        query = query.trim();

        if (query.length() == 0) {
            throw new IllegalArgumentException("query is empty.");
        }

        this.query = query;

        try {
            // The caller-supplied string goes straight into the OGNL parser.
            expression = Ognl.parseExpression(query);
        } catch (OgnlException e) {
            throw new IllegalArgumentException("query: " + query);
        }
    }

    /**
     * Finds a {@link Set} of {@link IoSession}s that matches the query
     * from the specified sessions and returns the matches.
     *
     * @param sessions The list of sessions to check
     * @return A set of the sessions that match the query
     * @throws OgnlException If the OGNL expression cannot be evaluated, or
     *         it does not yield a boolean value for a session's context
     */
    public Set<IoSession> find(Iterable<IoSession> sessions) throws OgnlException {
        if (sessions == null) {
            throw new IllegalArgumentException("sessions");
        }

        Set<IoSession> answer = new LinkedHashSet<IoSession>();

        for (IoSession s : sessions) {
            OgnlContext context = (OgnlContext) Ognl.createDefaultContext(s);
            context.setTypeConverter(typeConverter);
            context.put(AbstractPropertyAccessor.READ_ONLY_MODE, true);
            context.put(AbstractPropertyAccessor.QUERY, query);
            // The parsed expression is evaluated here, once per session.
            Object result = Ognl.getValue(expression, context, s);

            if (result instanceof Boolean) {
                if (((Boolean) result).booleanValue()) {
                    answer.add(s);
                }
            } else {
                throw new OgnlException("Query didn't return a boolean value: " + query);
            }
        }

        return answer;
    }
}

Searching for references to IoSessionFinder shows it is used in the IoServiceMBean class, in package org.apache.mina.integration.jmx.

The most straightforward exploitation demo:


Attack scenario one:

Control through JMX

The author built a small project based on the Apache Mina documentation.

1. Start the server and expose its JMX interface externally.

2. Telnet to the service port so that the server creates a session.

3. Connect to the JMX interface with JConsole and execute the OGNL expression.
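The three steps above describe the exposure from the attacker's side: an IoServiceMBean registered on a JVM whose JMX port is reachable. The following is an added example (not Mina's code and not from the original post) of the corresponding check from the operator's side: a startup self-check that reports whether this JVM has registered an IoServiceMBean and whether remote JMX is enabled without authentication. It uses only the JDK's standard com.sun.management.jmxremote.* properties and the javax.management API; the IoServiceMBean class name comes from the text above, and the check is by class rather than by operation name, since the names of the query operations are not stated on this page. Run in a JVM without Mina on the classpath it simply reports that no IoServiceMBean is registered.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;

import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/**
 * Added example, not Mina's code: a startup self-check that reports whether this
 * JVM has registered an IoServiceMBean (the class that builds IoSessionFinder from
 * a caller-supplied string) and whether remote JMX is reachable without credentials.
 */
public final class MinaJmxExposureCheck {

    // Class named in the advisory text; detection is by class, not by operation name.
    static final String IOSERVICE_MBEAN = "org.apache.mina.integration.jmx.IoServiceMBean";

    /** The JDK's remote JMX agent only listens when jmxremote.port is set. */
    static boolean remoteJmxEnabled() {
        return System.getProperty("com.sun.management.jmxremote.port") != null;
    }

    /** The JDK defaults authenticate=true; only an explicit "false" disables it. */
    static boolean remoteJmxUnauthenticated() {
        return remoteJmxEnabled()
                && "false".equalsIgnoreCase(System.getProperty("com.sun.management.jmxremote.authenticate"));
    }

    /**
     * Lists registered MBeans that are IoServiceMBean instances, each followed by the
     * operations that take a single String argument (the shape a query operation has).
     * Returns an empty list when Mina's classes are not on the classpath at all.
     */
    static List<String> findIoServiceMBeans(MBeanServer mbs) throws Exception {
        List<String> found = new ArrayList<>();
        for (ObjectName name : mbs.queryNames(null, null)) {
            // isInstanceOf returns false (it does not throw) when the class cannot be loaded.
            if (!mbs.isInstanceOf(name, IOSERVICE_MBEAN)) {
                continue;
            }
            StringBuilder sb = new StringBuilder(name.toString());
            for (MBeanOperationInfo op : mbs.getMBeanInfo(name).getOperations()) {
                MBeanParameterInfo[] sig = op.getSignature();
                if (sig.length == 1 && String.class.getName().equals(sig[0].getType())) {
                    sb.append("\n    String-taking operation: ").append(op.getName());
                }
            }
            found.add(sb.toString());
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        System.out.println("remote JMX enabled: " + remoteJmxEnabled()
                + ", unauthenticated: " + remoteJmxUnauthenticated());

        List<String> exposed = findIoServiceMBeans(mbs);
        if (exposed.isEmpty()) {
            System.out.println("no IoServiceMBean registered in this JVM");
            return;
        }
        for (String e : exposed) {
            System.out.println("IoServiceMBean registered: " + e);
        }
        if (remoteJmxUnauthenticated()) {
            System.out.println("WARNING: unauthenticated remote JMX plus IoServiceMBean: "
                    + "any client that reaches the JMX port can call these operations");
        }
    }
}
```

A positive result from this check means the combination the scenario relies on is present; the remedies are the ones this post points to (upgrade to 2.0.14) together with keeping JMX authenticated and not reachable from untrusted networks.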


Attack scenario two:

Chaining with a deserialization vulnerability. However, IoSessionFinder does not implement the Serializable interface, so this bug cannot be combined with deserialization.

public class IoSessionFinder {   // no "implements Serializable"
    private final String query;
    private final TypeConverter typeConverter = new PropertyTypeConverter();
    private final Object expression;


Fix (patched validation code):

// Only accept queries like [a-zA-Z_$ ]+ (== | < | > | <= | >=) [a-zA-Z\-$\.0-9 ]+
int comp = -1;

for (int i = 0; i < query.length(); i++) {
    char c = query.charAt(i);
    /* locate the comparison operator */
    if ((c == '=') || (c == '<') || (c == '>') || (c == '!')) {
        comp = i;
    } else if (!Character.isJavaIdentifierPart(c) && (c != ' ')) { // neither a space nor a Java identifier character
        throw new IllegalArgumentException("Invalid query.");
    } else {
        if (comp > 0) {
            break;
        }
    }
}

if (comp <= 0) {
    throw new IllegalArgumentException("Invalid query.");
}

for (int i = comp + 1; i < query.length(); i++) {
    char c = query.charAt(i);

    if (!Character.isJavaIdentifierPart(c) && (c != ' ') && (c != '"') && (c != '\'')) {
        throw new IllegalArgumentException("Invalid query.");
    }
}
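The patch above keeps the OGNL engine and filters characters in front of it, which is why it invites attempts to get an expression past the filter. The alternative a reviewer would usually ask for is to not hand the string to an expression engine at all. The following is an added example (not Mina's code and not from the original post) of that approach: the accepted language is exactly one comparison, "<field> <op> <integer>", which is parsed with a regular expression and evaluated by the class itself against a snapshot of numeric session properties. The field names and the Map-based snapshot are assumptions standing in for values that would come from IoSession getters in a real integration; it needs Java 11 or later and no other dependencies.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Mina's code: a session finder that never hands the query
 * to an expression engine. The whole accepted language is
 * "<field> <op> <integer>", parsed and evaluated here, so there is no
 * OGNL parser for a crafted string to reach.
 */
public final class RestrictedSessionQuery {

    // One comparison, nothing else: no method calls, '#', '@', parentheses or ','.
    private static final Pattern GRAMMAR = Pattern.compile(
            "^\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*(==|!=|<=|>=|<|>)\\s*(0x[0-9A-Fa-f]+|-?[1-9][0-9]*|0)\\s*$");

    // The only properties a query may name (assumed set; in Mina these would
    // come from IoSession getters such as getId() and getReadBytes()).
    private static final Set<String> FIELDS =
            Set.of("id", "readBytes", "writtenBytes", "readMessages", "writtenMessages");

    private final String field;
    private final String op;
    private final long value;

    private RestrictedSessionQuery(String field, String op, long value) {
        this.field = field;
        this.op = op;
        this.value = value;
    }

    /** Parses the query or throws IllegalArgumentException; nothing is evaluated here. */
    public static RestrictedSessionQuery parse(String query) {
        if (query == null) {
            throw new IllegalArgumentException("query");
        }
        Matcher m = GRAMMAR.matcher(query);
        if (!m.matches()) {
            throw new IllegalArgumentException("Invalid query.");
        }
        String field = m.group(1);
        if (!FIELDS.contains(field)) {
            throw new IllegalArgumentException("Unknown field: " + field);
        }
        // Long.decode understands both decimal and 0x-prefixed literals.
        return new RestrictedSessionQuery(field, m.group(2), Long.decode(m.group(3)));
    }

    /** A session is represented as a snapshot of its numeric properties. */
    public boolean matches(Map<String, Long> session) {
        Long actual = session.get(field);
        if (actual == null) {
            return false;
        }
        int cmp = Long.compare(actual, value);
        switch (op) {
            case "==": return cmp == 0;
            case "!=": return cmp != 0;
            case "<":  return cmp < 0;
            case ">":  return cmp > 0;
            case "<=": return cmp <= 0;
            default:   return cmp >= 0; // ">="
        }
    }

    public Set<Map<String, Long>> find(Iterable<Map<String, Long>> sessions) {
        Set<Map<String, Long>> answer = new LinkedHashSet<>();
        for (Map<String, Long> s : sessions) {
            if (matches(s)) {
                answer.add(s);
            }
        }
        return answer;
    }

    // Constructed sample snapshots standing in for live IoSession objects.
    private static Map<String, Long> snapshot(long id, long readBytes) {
        Map<String, Long> m = new LinkedHashMap<>();
        m.put("id", id);
        m.put("readBytes", readBytes);
        return m;
    }

    public static void main(String[] args) {
        List<Map<String, Long>> sessions = List.of(snapshot(0x12345678L, 10), snapshot(2L, 5000));

        System.out.println(parse("id == 0x12345678").find(sessions));   // only the first snapshot
        System.out.println(parse("readBytes > 1000").find(sessions));   // only the second snapshot

        // Anything beyond one comparison is rejected before any evaluation happens.
        for (String bad : List.of("id == 1 || id == 2", "id.toString() == '1'", "#x = 1", "foo == 1")) {
            try {
                parse(bad);
                System.out.println("accepted: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The design point is that rejection happens in the parser of a grammar the application owns, so the question "which characters can still reach OGNL" no longer arises; the cost is that the query feature only supports the comparisons listed, which for a JMX session filter is usually all that was ever needed.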

Readers familiar with OGNL expressions can find a way around this~~~

Fix (upgrade):

<version>2.0.14</version>

References:

https://www.exploit-db.com/exploits/40382/

https://remoteawesomethoughts.blogspot.com/2016/09/apache-mina-2013-remote-command.html

https://mina.apache.org/mina-project/userguide/ch16-jmx-support/ch16-jmx-support.html

http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3CCAG8=FRhN5gHCRabSosKKfhG9Muz6+pfnQHmrQ+CwvE4tyPe-_Q@mail.gmail.com%3E

http://docs.oracle.com/javase/6/docs/technotes/guides/management/jconsole.html
