SAE又允许JVM内存对象直接读写操作

admin
admin
admin
144141
文章
118
评论
2015年6月26日10:25:36评论289 views字数 212阅读0分42秒阅读模式
摘要

2014-09-29: 细节已通知厂商并且等待厂商处理中
2014-09-29: 厂商已经确认,细节仅向厂商公开
2014-10-09: 细节向核心白帽子及相关领域专家公开
2014-10-19: 细节向普通白帽子公开
2014-10-29: 细节向实习白帽子公开
2014-11-13: 细节向公众公开

漏洞概要 关注数(15) 关注此漏洞

缺陷编号: WooYun-2014-77763

漏洞标题: SAE又允许JVM内存对象直接读写操作

相关厂商: 新浪

漏洞作者: Nebula

提交时间: 2014-09-29 14:02

公开时间: 2014-11-13 14:04

漏洞类型: 设计缺陷/逻辑错误

危害等级: 高

自评Rank: 10

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 设计缺陷/边界绕过

2人收藏

漏洞详情

披露状态:

2014-09-29: 细节已通知厂商并且等待厂商处理中
2014-09-29: 厂商已经确认,细节仅向厂商公开
2014-10-09: 细节向核心白帽子及相关领域专家公开
2014-10-19: 细节向普通白帽子公开
2014-10-29: 细节向实习白帽子公开
2014-11-13: 细节向公众公开

简要描述:

RT!

详细说明:

在上一期的沙盒bypass漏洞中, WooYun: SAE允许JVM内存对象直接读写操作 的修复是直接Ban掉了sun.misc.Unsafe这个类的实例化访问:

SAE又允许JVM内存对象直接读写操作

漏洞证明:

但是SAE沙盒的设计者在设计沙盒之初,可能只对jdk默认沙盒权限控制了解了一部分,大致结构知道点,没有深读或不完整.默认沙盒环境每层权限做得是非常细致的,比如:前例中是对敏感包访问限制,SAE没做(sun.misc.*包,当然我之前看了一下,SAE好像就限制了这个类,不知道最近改了没有?这个问题以后再说,先说这个问题).

看到java.util.concurrent.atomic.AtomicLong这个类的源代码:

code 区域 
/*
  * %W% %E%
  *
  * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
  * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  */
 
 package java.util.concurrent.atomic;
 import sun.misc.Unsafe;
 
 /**
  * A  long} value that may be updated atomically.  See the
  *  java.util.concurrent.atomic} package specification for
  * description of the properties of atomic variables. An
  *  AtomicLong} is used in applications such as atomically
  * incremented sequence numbers, and cannot be used as a replacement
  * for a  java.lang.Long}. However, this class does extend
  *  Number} to allow uniform access by tools and utilities that
  * deal with numerically-based classes.
  *
  * @since 1.5
  * @author Doug Lea
  */
 public class AtomicLong extends Number implements java.io.Serializable {
     private static final long serialVersionUID = 1927816293512124184L;
 
     // setup to use Unsafe.compareAndSwapLong for updates
     private static final Unsafe unsafe = Unsafe.getUnsafe();
     private static final long valueOffset;
 
     /**
      * Records whether the underlying JVM supports lockless
      * CompareAndSet for longs. While the unsafe.CompareAndSetLong
      * method works in either case, some constructions should be
      * handled at Java level to avoid locking user-visible locks.
      */
     static final boolean VM_SUPPORTS_LONG_CAS = VMSupportsCS8();
 
     /**
      * Returns whether underlying JVM supports lockless CompareAndSet
      * for longs. Called only once and cached in VM_SUPPORTS_LONG_CAS.
      */
     private static native boolean VMSupportsCS8();
 
     static {
       try {
         valueOffset = unsafe.objectFieldOffset
             (AtomicLong.class.getDeclaredField("value"));
       } catch (Exception ex) { throw new Error(ex); }
     }
 
     private volatile long value;
 
     /**
      * Creates a new AtomicLong with the given initial value.
      *
      * @param initialValue the initial value
      */
     public AtomicLong(long initialValue) {
         value = initialValue;
     }
 
     /**
      * Creates a new AtomicLong with initial value  0}.
      */
     public AtomicLong() {
     }
 
     /**
      * Gets the current value.
      *
      * @return the current value
      */
     public final long get() {
         return value;
     }
 
     /**
      * Sets to the given value.
      *
      * @param newValue the new value
      */
     public final void set(long newValue) {
         value = newValue;
     }
 
     /**
      * Eventually sets to the given value.
      *
      * @param newValue the new value
      * @since 1.6
      */
     public final void lazySet(long newValue) {
         unsafe.putOrderedLong(this, valueOffset, newValue);
     }
 
     /**
      * Atomically sets to the given value and returns the old value.
      *
      * @param newValue the new value
      * @return the previous value
      */
     public final long getAndSet(long newValue) {
         while (true) {
             long current = get();
             if (compareAndSet(current, newValue))
                 return current;
         }
     }
 
     /**
      * Atomically sets the value to the given updated value
      * if the current value  ==} the expected value.
      *
      * @param expect the expected value
      * @param update the new value
      * @return true if successful. False return indicates that
      * the actual value was not equal to the expected value.
      */
     public final boolean compareAndSet(long expect, long update) {
  return unsafe.compareAndSwapLong(this, valueOffset, expect, update);
     }
 
     /**
      * Atomically sets the value to the given updated value
      * if the current value  ==} the expected value.
      *
      * <p>May <a href="package-summary.html#Spurious">fail spuriously</a>
      * and does not provide ordering guarantees, so is only rarely an
      * appropriate alternative to  compareAndSet}.
      *
      * @param expect the expected value
      * @param update the new value
      * @return true if successful.
      */
     public final boolean weakCompareAndSet(long expect, long update) {
  return unsafe.compareAndSwapLong(this, valueOffset, expect, update);
     }
 
     /**
      * Atomically increments by one the current value.
      *
      * @return the previous value
      */
     public final long getAndIncrement() {
         while (true) {
             long current = get();
             long next = current + 1;
             if (compareAndSet(current, next))
                 return current;
         }
     }
 
     /**
      * Atomically decrements by one the current value.
      *
      * @return the previous value
      */
     public final long getAndDecrement() {
         while (true) {
             long current = get();
             long next = current - 1;
             if (compareAndSet(current, next))
                 return current;
         }
     }
 
     /**
      * Atomically adds the given value to the current value.
      *
      * @param delta the value to add
      * @return the previous value
      */
     public final long getAndAdd(long delta) {
         while (true) {
             long current = get();
             long next = current + delta;
             if (compareAndSet(current, next))
                 return current;
         }
     }
 
     /**
      * Atomically increments by one the current value.
      *
      * @return the updated value
      */
     public final long incrementAndGet() {
         for (;;) {
             long current = get();
             long next = current + 1;
             if (compareAndSet(current, next))
                 return next;
         }
     }
 
     /**
      * Atomically decrements by one the current value.
      *
      * @return the updated value
      */
     public final long decrementAndGet() {
         for (;;) {
             long current = get();
             long next = current - 1;
             if (compareAndSet(current, next))
                 return next;
         }
     }
 
     /**
      * Atomically adds the given value to the current value.
      *
      * @param delta the value to add
      * @return the updated value
      */
     public final long addAndGet(long delta) {
         for (;;) {
             long current = get();
             long next = current + delta;
             if (compareAndSet(current, next))
                 return next;
         }
     }
 
     /**
      * Returns the String representation of the current value.
      * @return the String representation of the current value.
      */
     public String toString() {
         return Long.toString(get());
     }
 
 
     public int intValue() {
  return (int)get();
     }
 
     public long longValue() {
  return (long)get();
     }
 
     public float floatValue() {
  return (float)get();
     }
 
     public double doubleValue() {
  return (double)get();
     }
 
 }

看到正好有个unsafe 私有属性,还是直接实例化的:

code 区域 
private static final Unsafe unsafe = Unsafe.getUnsafe();

然后通过反射又可以获取实例,直接又bypass了...(利用见前例中的PoC,直接替换获取实例部分就好了)

code 区域 
Field field =java.util.concurrent.atomic.AtomicLong.class.getDeclaredField("unsafe");
   field.setAccessible(true);
   sun.misc.Unsafe unsafe = (sun.misc.Unsafe) field.get(null);

测试地址:http://1.unsafe.sinaapp.com/

SAE又允许JVM内存对象直接读写操作

code 区域 
默认jdk沙盒是有限制的,属性访问权限限制(前例是包访问限制),SAE这次又漏掉了...

SAE又允许JVM内存对象直接读写操作

修复方案:

建议SAE沙盒的设计者好好读一下jdk默认沙盒权限控制!(充点云豆吧?就测试了两次SAE,免费的云豆就快没了...)

版权声明:转载请注明来源 Nebula@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-09-29 16:11

厂商回复:

感谢关注新浪安全,我们马上通知相应开发人员处理修复。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2014-09-29 14:08 | 浮萍 ( 普通白帽子 | Rank:1077 漏洞数:217 )

    0

    这个又字用的颇好

  2. 2014-09-29 14:18 | luwikes ( 普通白帽子 | Rank:552 漏洞数:83 | 潜心学习~~~)

    0

    pia pia pia

  3. 2014-09-29 14:55 | he1renyagao ( 普通白帽子 | Rank:235 漏洞数:31 | 是金子总会发光,在还未发光之前,先磨磨)

    0

    高尚大

  4. 2014-10-20 10:10 | wefgod ( 核心白帽子 | Rank:1829 漏洞数:183 | 力不从心)

    0

    好给力。送豆了吗

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin