
How to analyze jackson-databind remote code execution vulnerabilities

2025-01-17 update. Source: SLTechnology News&Howtos (shulou), category: Servers.

Shulou (Shulou.com) 05/31 report

This article explains in detail how to analyze the jackson-databind remote code execution vulnerability. The editor shares it here for reference, in the hope that readers will come away with a working understanding of the relevant background.

1. Vulnerability description

The Baidu Cloud Security team tracked a new deserialization gadget class for jackson-databind, com.caucho.config.types.ResourceRef (GitHub issue #2660), which bypasses the blacklist of classes that jackson-databind previously maintained. If a project includes the resin-kernel library and runs on an older JDK, upgrade jackson-databind to a secure version promptly.

2. Scope of impact

jackson-databind < 2.9.10.4

JDK < 6u201, 7u191, 8u182, 11.0.1 (LDAP)

3. Vulnerability analysis

At its core this vulnerability is a Java JNDI injection, so let us first review the basics of JNDI. In short, JNDI is a set of application programming interfaces that gives developers a uniform, general-purpose interface for looking up and accessing all kinds of resources; it can be used to locate users, networks, machines, objects, services and so on. For example, JNDI can be used to locate a printer on the local network, a database service, or a remote Java object. Under the hood JNDI supports RMI remote objects: services registered with RMI can be accessed and invoked through the JNDI interface. When the JNDI interface is initialized, an RMI URL can be passed in as a parameter, and JNDI injection arises in the client's lookup() function: if the argument to lookup() is controllable, the application can be attacked. So when analysing, one can start by searching the affected class for lookup calls to see where the vulnerability's entry point is. This article reproduces the issue with resin-kernel 4.0.52.

First, locate the com.caucho.config.types.ResourceRef class. Its getValue method calls jndi.lookup, but only when getLookupName returns a non-empty value.

Following it into the parent class ResourceGroupConfig, getLookupName simply returns the _lookupName field, which is assigned in setLookupName.

So the entry point for the remote object call is lookupName, and the following deserialization test code can be written around it. Because the trigger sits in the getValue method, after deserializing you also need to call writeValueAsString to serialize the object again, which invokes the getter. marshalsec can be used to run the listening LDAP service and serve a class file that executes a command.

It is also worth explaining why mapper.enableDefaultTyping() has to be called. Calling enableDefaultTyping() with no arguments sets DefaultTyping to OBJECT_AND_NON_CONCRETE.

DefaultTyping has four options:

JAVA_LANG_OBJECT: takes effect when the property's declared type is Object

OBJECT_AND_NON_CONCRETE: takes effect when the property's declared type is Object or a non-concrete type (abstract class or interface)

NON_CONCRETE_AND_ARRAYS: as above, plus arrays whose element type is Object or a non-concrete type

NON_FINAL: all non-final types, and arrays whose element type is non-final.

Therefore, once DefaultTyping is turned on, the class to be restored during deserialization is specified by a type name in the serialized data rather than fixed in code; Jackson then calls that class's constructor, its setter methods, or certain special getter methods, and when those methods perform dangerous operations the result is code execution.

The official fix on GitHub (https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15) is once again to add com.caucho.config.types.ResourceRef to the blacklist, but this treats the symptom rather than the root cause, and other gadgets that bypass the blacklist may appear later.

4. Defensive measures

1. Upgrade jackson-databind to a secure version promptly (>= 2.9.10.4, or > 2.10.0).

2. Upgrade to a later JDK version.
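The root cause identified above is that, with DefaultTyping enabled, the serialized data names the class to instantiate and the only protection is a blacklist. The program below is an added illustration written for this article, not code from the original post or from the jackson-databind project: it contrasts the legacy enableDefaultTyping() setting (blacklist only) with the allowlist-based configuration available in jackson-databind 2.10 and later, where a PolymorphicTypeValidator decides which type names may be resolved before any constructor, setter or getter of the named class runs. It assumes jackson-databind >= 2.10 on the classpath; the package name com.example.demo, the Envelope and Note classes and the two JSON inputs are all constructed for the demo.

```java
package com.example.demo;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added demo (not from the article): legacy blacklist-only default typing
// versus an allowlist-based PolymorphicTypeValidator (jackson-databind >= 2.10).
public class DefaultTypingDemo {

    // A bean with an Object-typed property: under OBJECT_AND_NON_CONCRETE default
    // typing, Jackson reads the class to instantiate for this field from the JSON.
    public static class Envelope {
        public Object payload;
    }

    // The only payload type this hypothetical application intends to accept.
    public static class Note {
        public String text;
    }

    // Legacy configuration as used in the article: any class on the classpath that is
    // not on jackson-databind's hard-coded blacklist may be named by the input.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // same as OBJECT_AND_NON_CONCRETE, blacklist only
        return mapper;
    }

    // Hardened configuration: default typing stays enabled for the Object property,
    // but a type id is only resolved if it names a class under our own package prefix.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.demo.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one names the expected payload type, the other names a
        // class outside the allowlist. java.util.HashMap is harmless and stands in for
        // any unexpected class a caller could name in the type id slot.
        String expected = "{\"payload\":[\"com.example.demo.DefaultTypingDemo$Note\",{\"text\":\"hello\"}]}";
        String unexpected = "{\"payload\":[\"java.util.HashMap\",{}]}";

        ObjectMapper legacy = legacyMapper();
        Envelope e1 = legacy.readValue(unexpected, Envelope.class);
        System.out.println("legacy accepted:   " + e1.payload.getClass().getName());

        ObjectMapper hardened = hardenedMapper();
        Envelope e2 = hardened.readValue(expected, Envelope.class);
        System.out.println("hardened accepted: " + e2.payload.getClass().getName());
        try {
            hardened.readValue(unexpected, Envelope.class);
            System.out.println("hardened accepted an unexpected class (should not happen)");
        } catch (InvalidTypeIdException ex) {
            // Rejected by the validator before the named class is instantiated.
            System.out.println("hardened rejected: " + ex.getTypeId());
        }
    }
}
```

The legacy mapper returns a java.util.HashMap for the second input because HashMap is not on the blacklist; the hardened mapper throws InvalidTypeIdException for it, and would do the same for the ResourceRef class discussed in the article or any other class outside the com.example.demo. prefix. On the 2.9.x line the BasicPolymorphicTypeValidator API does not exist, so there the only options are upgrading to a patched release or not enabling default typing at all.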

This concludes our analysis of the jackson-databind remote code execution vulnerability. We hope the above content has been of some help and that you have learned something from it; if you found the article useful, please share it so that more people can see it.
