Jenkins LDAP (CVE-2016-9299) deserialization vulnerability analysis


Source: [gone with the wind's Blog](<https://www.iswin.org/2017/01/25/Jenkins-LDAP-Deserializable-Vulnerablity-CVE-2016-9299-Analysis/>) Author: [iswin](<https://www.iswin.org/about>)

I was already paying attention to this vulnerability when the official announcement came out in November last year. While looking for classes related to deserialization I came across com.sun.jndi.ldap.LdapAttribute and noticed that its getAttributeSyntaxDefinition() and getAttributeDefinition() methods might have a deserialization problem. At the time I searched through a lot of classes but could not find one that would trigger these two methods during deserialization, so I assumed it was an internal JDK issue and did not pursue it further. In the meantime a foreign researcher published a slide deck presenting this vulnerability; from a quick look, it uses json to bypass Jenkins' whitelist. I was busy with data analysis work back then, so the matter stalled. Not long ago I finished the Payload for MSF, and since I had less on my plate I studied this vulnerability properly. It is quite interesting, and studying it broadened my knowledge a little; I have to admire the people who find these vulnerabilities. Every time a vulnerability appears I ask myself why I could not find it, and every time I finish analyzing one I find that the gap is really not small.

#### Technology is for sharing, and that is how we progress.
### Vulnerability description

On November 16, 2016, Jenkins published a security advisory for [CVE-2016-9299](<https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16>). From the advisory, this is still a deserialization vulnerability, but one that combines deserialization with LDAP: after deserialization the target has to connect to a malicious LDAP server. Jenkins' fix for the earlier deserialization issues was to add a blacklist of malicious classes, so the first step here is to bypass the official blacklist. That is all the information the advisory gives, and the official PoC only mentions the class com.sun.jndi.ldap.LdapAttribute. Exploiting this vulnerability requires no authentication and yields arbitrary code execution, so the damage is obvious.

### Vulnerability analysis

From the official description and the later Payload, the problem involves net.sf.json and com.sun.jndi.ldap.LdapAttribute. Analyzing the LdapAttribute class shows that the following two methods are the root of the deserialization trigger (for the LDAP deserialization background, see the 2016 Black Hat paper "us-16-Munoz-A-Journey-From-the JNDI-LDAP-Manipulation-To-RCE"):

* getAttributeSyntaxDefinition
* getAttributeDefinition

Both methods execute the code fragment `DirContext schema = getBaseCtx().getSchema(rdn);`, where getBaseCtx() is defined as follows:

![](/Article/UploadPic/2017-2/201724165543569.png)

This code accesses the LDAP service through JNDI, and we control the Context.PROVIDER_URL parameter, which means we control the address of the LDAP server that JNDI connects to. The getSchema(rdn) method eventually calls com.sun.jndi.ldap.LdapBindingEnumeration.createItem(String, Attributes, Vector). The call chain is too long to reproduce here; debug it yourself. The method is defined as in the following figure:

![](/Article/UploadPic/2017-2/201724165544831.png)

This method eventually calls Obj.decodeObject(attrs), which performs the object deserialization. A small aside: com.sun.jndi.ldap.Obj defines several methods for serializing and deserializing objects. Besides direct deserialization it can also load objects remotely, but the deserialization here differs slightly from the usual JNDI case in that we cannot load objects remotely: com.sun.jndi.ldap.VersionHelper12.trustURLCodebase defaults to false, which restricts the class loader to classes already on the current classpath. How to construct an object so that the LDAP deserialization executes arbitrary code is discussed below.

We now know that the methods of com.sun.jndi.ldap.LdapAttribute can trigger the deserialization exploit, so the next thing to do is find a class that, during its own deserialization, calls the function that triggers the vulnerability, that is, a class that calls getAttributeSyntaxDefinition or getAttributeDefinition while being deserialized. From the foreign researcher's slides and the public gadgets, a little analysis shows that the net.sf.json library contains a place that can call any getXXX function of a class. So can the getXXX methods of com.sun.jndi.ldap.LdapAttribute be called this way as well? First we have to determine exactly which class and which method can call the getXXX functions. From the json Payload in the gadgets we find that the function that finally calls the object's getXXX functions is net.sf.json.JSONObject.defaultBeanProcessing(Object, JsonConfig), shown in the figure. The two circled places are where the getXXX functions get called: the method first enumerates all properties of the JavaBean and then calls each getter in turn.

Having figured out the root cause of the getter invocation, the next step is to find out what exactly triggers this function. With Eclipse we can easily find the following call hierarchy:

![](/Article/UploadPic/2017-2/201724165544409.png)

As the figure shows, defaultBeanProcessing is eventually reached from the equals method of the ConcurrentSkipListSet class. Many people may ask: with so many callers, why look specifically at this class's equals method? This is partly experience. Far too many things are associated with equals: for some Java data structures such as a Set, every time an element is added the structure checks whether the key is already present, and comparing two objects for equality calls their hashCode and equals methods. Anyone who has studied other deserialization chains, such as the JDK's own deserialization trigger chain, will have touched on this. Without that experience, you can only check the callers one by one.
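The getter-invocation behaviour described above, as an added example that is not part of the original post or of the Jenkins code: a small Java program hands an arbitrary bean to json-lib's JSONObject.fromObject() and records which getters json-lib calls. The Probe class, its getters and the recorded names are assumptions made for this demo; it assumes json-lib 2.4 (net.sf.json) and its dependencies (commons-beanutils, commons-collections, commons-lang, commons-logging, ezmorph) are on the classpath.

```java
import java.util.ArrayList;
import java.util.List;

import net.sf.json.JSONObject;
import net.sf.json.JsonConfig;

// Added example (not from the original post): shows that json-lib's
// JSONObject.fromObject() walks every readable JavaBean property of an
// arbitrary object and invokes its getter. This is the mechanism the
// analysis relies on to reach LdapAttribute.getAttributeDefinition().
// Assumes json-lib 2.4 (net.sf.json) is on the classpath.
public class GetterInvocationDemo {

    // Records which getters json-lib called, so the side effect is visible.
    static final List<String> CALLED = new ArrayList<String>();

    // Hypothetical stand-in for a bean whose getters do real work (like
    // LdapAttribute, whose getAttributeDefinition() opens a JNDI context).
    public static class Probe {
        private final String name;

        public Probe(String name) {
            this.name = name;
        }

        public String getName() {
            CALLED.add("getName");
            return name;
        }

        // A getter with a side effect: in the real gadget this is where
        // getBaseCtx().getSchema(rdn) reaches out to the attacker's LDAP.
        public String getAttributeDefinition() {
            CALLED.add("getAttributeDefinition");
            return "would-contact-ldap-here";
        }
    }

    public static void main(String[] args) {
        // 1. Plain conversion: every public getXXX() is invoked, whether or
        //    not the caller ever asked for that property.
        CALLED.clear();
        JSONObject json = JSONObject.fromObject(new Probe("demo"));
        System.out.println("fromObject -> " + json);
        System.out.println("getters called: " + CALLED);

        // 2. Excluding the property by name keeps json-lib from touching the
        //    getter at all, because exclusions are checked before the read
        //    method is invoked.
        CALLED.clear();
        JsonConfig config = new JsonConfig();
        config.setExcludes(new String[] { "attributeDefinition" });
        JSONObject filtered = JSONObject.fromObject(new Probe("demo"), config);
        System.out.println("fromObject with excludes -> " + filtered);
        System.out.println("getters called: " + CALLED);
    }
}
```

The first conversion calls both getName() and getAttributeDefinition() although nothing ever asked for the second property; that is exactly why a bean such as LdapAttribute, whose getter opens a JNDI context to a URL taken from the object's own state, is dangerous once it reaches defaultBeanProcessing. The second conversion shows that JsonConfig.setExcludes() prevents the call, because the exclusion check happens before the read method is invoked, whereas a PropertyFilter receives the property value and therefore only runs after the getter has already executed.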
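The blacklist point made in the description above (Jenkins' earlier fix rejected known-bad classes, and this vulnerability works by reaching a class the list did not name), as an added example that is not part of the original post or of Jenkins' code: a Java program deserializes two byte streams once under a reject-list filter and once under an allow-list filter, using the JEP 290 ObjectInputFilter API (java.io.ObjectInputFilter in Java 9 and later; Java 8u121 and later expose the same API as sun.misc.ObjectInputFilter). The Message class, the filter patterns and the use of an empty ConcurrentSkipListSet as the "unlisted" class are assumptions made for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.concurrent.ConcurrentSkipListSet;

// Added example (not from the original post or from Jenkins): contrasts a
// reject-list deserialization filter, in the spirit of the class blacklist
// the post says Jenkins used, with an allow-list filter. Requires Java 9+
// for java.io.ObjectInputFilter. Message and the patterns are assumptions.
public class DeserializationFilterDemo {

    // Hypothetical application type that the receiver legitimately expects.
    public static class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;

        public Message(String text) {
            this.text = text;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes data under the given filter and reports either the class
    // that came out or the reason the filter rejected the stream.
    static String readWith(byte[] data, ObjectInputFilter filter) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            Object o = ois.readObject();
            return "accepted: " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Message("hello"));
        // ConcurrentSkipListSet is the collection whose equals() the analysis
        // identifies as the entry point into json-lib. Here it is empty and
        // harmless; the point is only that the reject list does not name it.
        byte[] unlisted = serialize(new ConcurrentSkipListSet<String>());

        // Reject list: blocks the two class families named in the analysis.
        // Everything else is accepted ("*"), which is how a blacklist gets
        // bypassed as soon as a gadget class outside the list turns up.
        ObjectInputFilter rejectList = ObjectInputFilter.Config.createFilter(
                "!com.sun.jndi.ldap.**;!net.sf.json.**;*");

        // Allow list: only the application's own type (plus java.lang.String
        // for its field, listed defensively) and a depth limit; every other
        // class, including future gadgets, is rejected by the trailing "!*".
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;DeserializationFilterDemo$Message;java.lang.String;!*");

        System.out.println("reject-list, Message:  " + readWith(benign, rejectList));
        System.out.println("reject-list, unlisted: " + readWith(unlisted, rejectList));
        System.out.println("allow-list,  Message:  " + readWith(benign, allowList));
        System.out.println("allow-list,  unlisted: " + readWith(unlisted, allowList));
    }
}
```

Under the reject list the ConcurrentSkipListSet stream is accepted because no pattern names it, which is the same shape of gap the analysis exploits in Jenkins' blacklist; under the allow list it is rejected with an InvalidClassException while the Message stream still passes. The filter runs before any readObject() or equals() of the incoming class executes, so it stops the gadget before the chain into defaultBeanProcessing can start.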