Apache Click反序列化漏洞挖掘技术分析<\/h1>

一、漏洞背景<\/h2>
Apache Click是一个基于Java的轻量级Web框架，用于构建Java Web应用程序。在2.3.0版本中存在反序列化漏洞，攻击者可以通过构造恶意序列化数据实现远程代码执行。<\/p>

二、依赖环境<\/h2>

框架依赖<\/strong>:

org.apache.click:click-nodeps:2.3.0<\/li>
javax.servlet:javax.servlet-api:3.1.0<\/li> <\/ul> <\/li>
JDK版本<\/strong>: jdk8u201<\/li> <\/ul>
三、分析工具<\/h2>

Tabby工具套件<\/strong>:<\/p>

tabby:2.0<\/li>
tabby-vul-finder.jar<\/li>
neo4j数据库<\/li>
tabby idea插件（可视化分析工具）<\/li> <\/ul> <\/li>

插件使用参考<\/strong>:<\/p>

Tabby插件使用指南<\/a><\/li> <\/ul> <\/li> <\/ol>
四、漏洞分析<\/h2>
1. 现有利用链分析<\/h3>
Chain: <\/span><\/span> java.<\/span>util<\/span>.<\/span>PriorityQueue<\/span>.<\/span>readObject<\/span>()<\/span> <\/span><\/span> java.<\/span>util<\/span>.<\/span>PriorityQueue<\/span>.<\/span>heapify<\/span>()<\/span> <\/span><\/span> java.<\/span>util<\/span>.<\/span>PriorityQueue<\/span>.<\/span>siftDown<\/span>()<\/span> <\/span><\/span> java.<\/span>util<\/span>.<\/span>PriorityQueue<\/span>.<\/span>siftDownUsingComparator<\/span>()<\/span> <\/span><\/span> org.<\/span>apache<\/span>.<\/span>click<\/span>.<\/span>control<\/span>.<\/span>Column$ColumnComparator<\/span>.<\/span>compare<\/span>()<\/span> <\/span><\/span> org.<\/span>apache<\/span>.<\/span>click<\/span>.<\/span>control<\/span>.<\/span>Column<\/span>.<\/span>getProperty<\/span>()<\/span> <\/span><\/span> org.<\/span>apache<\/span>.<\/span>click<\/span>.<\/span>control<\/span>.<\/span>Column<\/span>.<\/span>getProperty<\/span>()<\/span> <\/span><\/span> org.<\/span>apache<\/span>.<\/span>click<\/span>.<\/span>util<\/span>.<\/span>PropertyUtils<\/span>.<\/span>getValue<\/span>()<\/span> <\/span><\/span> org.<\/span>apache<\/span>.<\/span>click<\/span>.<\/span>util<\/span>.<\/span>PropertyUtils<\/span>.<\/span>getObjectPropertyValue<\/span>()<\/span> <\/span><\/span> java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Method<\/span>.<\/span>invoke<\/span>()<\/span> <\/span><\/span> com.<\/span>sun<\/span>.<\/span>org<\/span>.<\/span>apache<\/span>.<\/span>xalan<\/span>.<\/span>internal<\/span>.<\/span>xsltc<\/span>.<\/span>trax<\/span>.<\/span>TemplatesImpl<\/span>.<\/span>getOutputProperties<\/span>()<\/span> <\/span><\/span> ...<\/span> <\/span><\/span><\/code><\/pre>2. 关键点分析<\/h3> 起点方法<\/strong>: readObject()<\/code>，这是Java反序列化的入口点<\/li> 接口实现<\/strong>: 若方法实现了接口，需要显式添加alias关系，否则链路会中断<\/li> 优先级<\/strong>: 找到完整链路的优先级高于判断起点方法是否为readObject方法<\/li> <\/ol> 3. Tabby查询语句<\/h3> MATCH (m1:Method{IS_SERIALIZABLE:true}) WHERE m1.CLASSNAME STARTS WITH 'org.apache.click' MATCH path=((m3:Method)-[:CALL*1..7]->(m2:Method)-[:ALIAS*1]->(m1)-[:CALL*1..5]->(m:Method{IS_SINK:true,NAME:'invoke'})) WHERE m3.NAME='readObject' RETURN path LIMIT 100 <\/code><\/pre> 4. 查询结果分析<\/h3> 查询结果显示了从readObject()<\/code>到invoke()<\/code>的完整调用链，其中关键点包括：<\/p> siftDownUsingComparator<\/code>通过PriorityQueue的成员变量this.comparator<\/code>调用<\/li> 需要添加alias关系才能完整连接调用链<\/li> 最终通过反射调用TemplatesImpl.getOutputProperties()<\/code>实现代码执行<\/li> <\/ol> 五、POC构造要点<\/h2> PriorityQueue构造<\/strong>:<\/p> 设置自定义的ColumnComparator<\/code><\/li> 控制队列元素触发比较操作<\/li> <\/ul> <\/li> ColumnComparator利用<\/strong>:<\/p> 利用PropertyUtils<\/code>的反射机制<\/li> 最终指向TemplatesImpl<\/code>类<\/li> <\/ul> <\/li> TemplatesImpl利用<\/strong>:<\/p> 通过getOutputProperties()<\/code>触发字节码加载<\/li> 构造恶意字节码实现任意代码执行<\/li> <\/ul> <\/li> <\/ol> 六、其他潜在利用链分析<\/h2> 1. javax.management.MBeanInfo路径<\/h3> javax.<\/span>management<\/span>.<\/span>MBeanInfo<\/span>#<\/span>readObject <\/span><\/span> -><\/span> javax.<\/span>management<\/span>.<\/span>ImmutableDescriptor<\/span>#<\/span>ImmutableDescriptor <\/span><\/span> -><\/span> javax.<\/span>management<\/span>.<\/span>ImmutableDescriptor<\/span>#<\/span>makeMap <\/span><\/span> -><\/span> java.<\/span>util<\/span>.<\/span>TreeMap<\/span>#<\/span>put <\/span><\/span> -><\/span> java.<\/span>util<\/span>.<\/span>TreeMap<\/span>#<\/span>compare <\/span><\/span><\/code><\/pre>限制<\/strong>: TreeMap的comparator无法修改为ColumnComparator，无法利用<\/p> 2. com.sun.jndi.ldap.LdapName路径<\/h3> com.<\/span>sun<\/span>.<\/span>jndi<\/span>.<\/span>ldap<\/span>.<\/span>LdapName<\/span>.<\/span>Rdn<\/span>#<\/span>add <\/span><\/span> -><\/span> com.<\/span>sun<\/span>.<\/span>jndi<\/span>.<\/span>ldap<\/span>.<\/span>LdapName<\/span>.<\/span>TypeAndValue<\/span>#<\/span>compareTo <\/span><\/span> -><\/span> java.<\/span>lang<\/span>.<\/span>String<\/span>#<\/span>compareToIgnoreCase <\/span><\/span><\/code><\/pre>限制<\/strong>: 无法控制比较逻辑，无法利用<\/p> 3. java.net.URLPermission路径<\/h3> java.<\/span>net<\/span>.<\/span>URLPermission<\/span>#<\/span>readObject <\/span><\/span> -><\/span> java.<\/span>net<\/span>.<\/span>URLPermission<\/span>#<\/span>init <\/span><\/span><\/code><\/pre>限制<\/strong>: 参数不可控，无法利用<\/p> 七、防御建议<\/h2> 升级Apache Click<\/strong>到最新安全版本<\/li> 限制反序列化<\/strong>操作，使用白名单控制可反序列化的类<\/li> 使用安全框架<\/strong>如SerialKiller或Hibernate Validator进行输入验证<\/li> 启用Java安全管理器<\/strong>限制敏感操作<\/li> <\/ol> 八、总结<\/h2> Apache Click反序列化漏洞展示了Java反序列化漏洞的典型利用模式：<\/p> 从readObject()<\/code>入口点开始<\/li> 通过一系列方法调用和对象属性访问<\/li> 最终到达危险的反射调用或代码执行点<\/li> <\/ol> 这种漏洞挖掘方法可以推广到其他Java框架的反序列化漏洞分析中，关键在于：<\/p> 理解Java反序列化机制<\/li> 掌握静态分析工具的使用<\/li> 熟悉常见的危险调用模式<\/li> 能够构造完整的调用链路<\/li> <\/ol> 通过Tabby等工具可以大大提高反序列化漏洞挖掘的效率，但同时也需要深入理解底层原理才能准确判断利用可行性。<\/p>

Apache Click反序列化漏洞挖掘技术分析<\/h1>

一、漏洞背景<\/h2> Apache Click是一个基于Java的轻量级Web框架，用于构建Java Web应用程序。在2.3.0版本中存在反序列化漏洞，攻击者可以通过构造恶意序列化数据实现远程代码执行。<\/p>

四、漏洞分析<\/h2>

六、其他潜在利用链分析<\/h2>

一、漏洞背景<\/h2>
Apache Click是一个基于Java的轻量级Web框架，用于构建Java Web应用程序。在2.3.0版本中存在反序列化漏洞，攻击者可以通过构造恶意序列化数据实现远程代码执行。<\/p>