by emptiness prodigal heart http://www.inbreak.net Twitter: http://t.qq.com/javasecurity
2 0 1 2 year, I in the attack JAVA WEB action, the text of Titus on“the classLoader that caused the particular environment under DOS vulnerability”at the time and no more in-depth explanation, these days the struts official patched this vulnerability, this article is about the vulnerability of in-depth research.
All this, from We control the classLoader speaking, once wrote an article that mentioned a small technical detail, a very humble one tasteless. Reference the Spring framework cve-2 0 1 0-1 6 2 2）exploit guide: — Struts2 in fact this is a lead to a remote code execution vulnerability, just because it's a field mapping issue, only mapping of underlying type, the default is not responsible for mapping other types, so when the attacker directly submit URLs=xxx, a direct proof field type conversion error, the result was narrowly escaped. —
tomcat8. 0 out after this issue broke out, it was a tasteless vulnerability to counter-attack it.
In struts2 any one action to run before, once accepted to the user-submitted parameters xx=zzzzz, by the Ognl responsible for the call corresponding to the current action of the setXxx method, as for the set method in the end is what, in fact, is not important, the inside of the logic is not important, We only pay attention to this method call, parameter passing. This attribute of change, sometimes is can be a large degree of influence subsequent complex logic.
Universal point base
The Object is a java based class, all the class of the generated object will inherit the Object all properties and methods, so the current action no matter what the code, there must be an Object that comes with the getClass method, this method will return a Class object, the Class object and must have the getClassLoader method, ultimately, in each action can be
Get the current ClassLoader is.
I study this problem, a few years ago, this stuff understand it is not easy, especially the respective web container is inconsistent, it happens that there was a Alibaba inside the tomcat container classLoader to load principles of training, harvest bandit shallow. Space is limited, simply speaking.
In the JRE start-up, each Class will have their own ClassLoader in. the web container, in order to facilitate the management of the boot process, usually have to implement a custom ClassLoader in. The Spring framework on the vulnerability of the use of scenarios really very lucky, use a web container properties getURLs method, all of the container of the servlet's ClassLoader will inherit the parent class UrlClassLoader get getURLs this method, so this vulnerability may not be subject to vessel impact. In fact, each container ClassLoader is implemented, the environment will inevitably be different, that struts2 Fluke escaped, so one of my concerns, are placed in several web container ClassLoader code change, which days to see tomcat8 actually put resources into the ClassLoader, and the ServletContext just hanging in the resources, suddenly know the meat drama came.
Upload webshell the possibility of research
Multiple remote code execution vulnerabilities baptism, I have been in the mind simulation“ServletContext controlled, this stem what”, exactly what route may be leading to code execution in the field. For example: Struts2 will go to the servletContext take to one values, then put it as an Ognl execution. This is too simple, I do not believe.
Ognl Context tree structure: