
How to analyze the Apache ShardingSphere vulnerability CVE-2020-1947

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to analyze the Apache ShardingSphere vulnerability CVE-2020-1947. The editor considers it very practical and shares it in the hope that you gain something from reading it.

On March 9, 2020, Apache officially fixed a remote code execution vulnerability, CVE-2020-1947, discovered and reported by maoge of Qian Xinyun Shadow Lab. Successful exploitation allows arbitrary code execution and full control of the target host. A proof of concept for this vulnerability has already been made public.

Apache ShardingSphere is an ecosystem of open-source distributed database middleware solutions consisting of three independent products: Sharding-JDBC, Sharding-Proxy and Sharding-Sidecar (planned). All of them provide standardized data sharding, distributed transactions and database governance, and they can be applied to a variety of scenarios such as homogeneous Java, heterogeneous languages and cloud native. ShardingSphere does not validate the YAML it parses with SnakeYAML: when a configuration center is in use and a user submits a configuration containing malicious content, it is still parsed and deserialized, so the malicious code is executed. The vulnerability affects sharding-jdbc, sharding-proxy, sharding-ui and other components.

0x01 Vulnerability verification

1. Environment setup

1. Download sharding-ui version 4.0.0 from the official website, then go to the bin directory and start sharding-ui.

2. Open localhost:8088 and log in with admin/admin (the default) to reach the configuration page.

2. Reproduction

1. First go to the registry center and add a registry. The configuration is as follows.

2. Go to rule config, add a new rule, enter the payload, and click commit; the command is executed.

The vulnerability is triggered by having SnakeYAML instantiate a specially crafted class.

0x02 Vulnerability analysis

1. SnakeYAML syntax

In SnakeYAML, !! followed by a class name means "instantiate this class". We can dump an object and look at the resulting syntax.

It happens that the ScriptEngineManager class has a constructor that accepts a ClassLoader parameter, and URLClassLoader meets the requirement of dynamically loading a jar. The payload can therefore be expressed in SnakeYAML syntax and instantiated by the parser.

The jar is loaded remotely from an external server; the jar contains the following class:

import java.io.IOException;
import javax.script.ScriptEngineFactory;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    // The command is placed in the constructor, so it runs as soon as the class is instantiated.
    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("open /System/Applications/Calculator.app");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    …… // the remaining ScriptEngineFactory methods are omitted in the original
}

Compile it into a jar and place it on an HTTP server.

2. AwesomeScriptEngineFactory analysis

Why does the AwesomeScriptEngineFactory class above need to implement ScriptEngineFactory? Debugging shows that an object of type ScriptEngineFactory is required at this point: ScriptEngineManager, given a ClassLoader, discovers and instantiates ScriptEngineFactory implementations through that loader. The command execution is placed in the constructor so that it runs during that initialization.

3. Root cause

The essential cause is that developers unmarshal YAML directly when loading it, without considering that the input may be malicious.

Loading directly through new Yaml().load() results in deserialization of a malicious class.

This has been fixed in version 4.0.1. Comparing the patched files with the old ones shows that a ClassFilterConstructor has been added to filter the classes that may be constructed.

Searching for unmarshal finds many call sites; each now places strict restrictions on acceptClasses.
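To make two of the points above concrete, the !!class tag instantiating whatever class it names (section 1) and the difference between an unfiltered new Yaml().load() and a constructor that restricts accepted classes (the root cause and its fix), here is an added Java example. It is neither ShardingSphere's code nor the original article's. It assumes SnakeYAML 1.x on the classpath (the line used by ShardingSphere 4.0.x, where Constructor(Class) and the protected getClassForName hook exist); the DataSourceConfig bean, the AllowListConstructor name and the sample YAML documents are constructed for this demonstration.

```java
import java.util.HashSet;
import java.util.Set;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example, not ShardingSphere code. Assumes SnakeYAML 1.x; class and field names are constructed.
public class YamlLoadingDemo {

    // The plain configuration bean the application actually expects to read.
    public static class DataSourceConfig {
        private String url;
        private String username;
        public String getUrl() { return url; }
        public void setUrl(String url) { this.url = url; }
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // Vulnerable pattern (what 4.0.0 did): an untyped loader honours any "!!fully.qualified.Class"
    // tag in the document, so whoever submits the YAML chooses which class gets instantiated.
    public static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Allow-list constructor in the spirit of the ClassFilterConstructor added in 4.0.1:
    // a "!!" tag naming a class outside the accepted set is refused before the class is even resolved.
    public static final class AllowListConstructor extends Constructor {
        private final Set<String> accepted = new HashSet<>();

        public AllowListConstructor(Class<?> root, Class<?>... acceptClasses) {
            super(root);
            accepted.add(root.getName());
            for (Class<?> each : acceptClasses) {
                accepted.add(each.getName());
            }
        }

        @Override
        protected Class<?> getClassForName(String name) throws ClassNotFoundException {
            if (!accepted.contains(name)) {
                // YAMLException is unchecked, so the parser propagates it unchanged.
                throw new YAMLException("Class is not accepted: " + name);
            }
            return super.getClassForName(name);
        }
    }

    // Hardened loader: the root type is fixed and only listed classes may be constructed.
    public static DataSourceConfig loadSafe(String yaml) {
        Yaml parser = new Yaml(new AllowListConstructor(DataSourceConfig.class));
        return parser.loadAs(yaml, DataSourceConfig.class);
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate configuration submission.
        String benign = "url: jdbc:mysql://db.example.invalid:3306/demo\nusername: app\n";
        // Constructed sample: same shape, but one value carries an explicit class tag.
        // java.util.TreeMap is harmless here; it stands in for any class a submitter might name.
        String tagged = "url: jdbc:mysql://db.example.invalid:3306/demo\nusername: !!java.util.TreeMap {}\n";

        System.out.println("unsafe, benign -> " + loadUnsafe(benign));
        // The untyped loader instantiates the tagged class without complaint.
        System.out.println("unsafe, tagged -> " + loadUnsafe(tagged));

        System.out.println("safe, benign   -> " + loadSafe(benign).getUrl());
        try {
            loadSafe(tagged);
        } catch (YAMLException e) {
            System.out.println("safe, tagged   -> rejected: " + e.getMessage());
        }
    }
}
```

The point of filtering in getClassForName rather than after loading is that the decision is made before any constructor of the named class runs; as the article's analysis shows, with the real payload the damage is done inside that constructor, so a check applied to the finished object would be too late. Upgrading to 4.0.1 gives you the project's own version of this filter; the example only illustrates the shape of the fix.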

0x03 Remediation

Apache has officially released version 4.0.1; please upgrade to the latest official version as soon as possible.

https://github.com/apache/incubator-shardingsphere/releases

The above is how to analyze the Apache ShardingSphere vulnerability CVE-2020-1947. The editor believes it covers knowledge points we may encounter or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
