In-depth analysis of the Commons Collections Java deserialization vulnerability

Source: Internet
Author: User
Tags: opennms, websphere, application server, cve

0x01 Background

The most influential Java vulnerability of this year so far is the Commons Collections deserialization vulnerability, which has been in the spotlight for some time.

On November 6, 2015, @breenmachine of the FoxGlove Security team published a long blog post presenting real cases of remote command execution built on Java deserialization with Apache Commons Collections as the underlying class library. Major Java web servers fell one after another: the vulnerability swept the latest versions of WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. Nearly ten months earlier, Gabriel Lawrence and Chris Frohoff had already presented the idea of exploiting this in an AppSecCali talk.

The major affected Java application vendors have now released fixed versions for what has been called the "most undervalued" vulnerability of 2015, and the Apache Commons Collections project has also hardened the vulnerable classes.

0x02 Starting with Apache Commons Collections

Apache Commons Collections is a third-party base library that extends the Collection framework of the Java standard library. It provides many powerful data structure types and implements a variety of Collection utility classes. As an important component of the Apache open-source ecosystem, Commons Collections is widely used in the development of all kinds of Java applications.

Commons Collections implements a TransformedMap class, an extension of the standard Java Map interface. When an element is added to the map, the class automatically applies a specific transformation to it. The transformation logic is defined by a Transformer, which is passed as a parameter when the TransformedMap is instantiated.

We can use the TransformedMap.decorate() method to obtain a TransformedMap instance.


When a key or value in a TransformedMap changes, the transform() method of the Transformer is triggered. In addition, an array of Transformers can be used to construct a ChainedTransformer, which, when triggered, calls a series of transformations in sequence. Apache Commons Collections ships several commonly used Transformers, and among them InvokerTransformer is the protagonist of this story.

Its transform method is as follows:


In transform(Object input), Java reflection is used to call a method on the input object. The method name is the iMethodName member variable passed in when the InvokerTransformer is instantiated:



That is to say, both the method name and the Class object used in this reflection code are controllable. Therefore, a malicious Transformer chain can be constructed and InvokerTransformer.transform() used to execute an arbitrary command. The test code is as follows:

In the above code, ConstantTransformer turns whatever object it is asked to transform into a fixed constant. Its transform() method is as follows:

In this way, the malicious code uses reflection to obtain the Runtime and execute a system command; it is functionally equivalent to:

In other words, a specially constructed TransformedMap executes an arbitrary command whenever any of its keys or values is modified, because the modification triggers the transformation.

How can this be turned into remote command execution?

0x03 Implementing RCE with Java deserialization

Java serialization is the process of converting a Java object into a byte sequence, and Java deserialization is the process of restoring a byte sequence to a Java object. Many Java applications use serialization to transmit data: the application receives a byte sequence from the user and deserializes it into a Java object.

If the Java application does not check the safety of the incoming serialized data, the malicious TransformedMap can be serialized and submitted to the application remotely. If the application can then be made to trigger the transformation, remote command execution succeeds. So how can we make the Java application trigger the Transformer?

During deserialization, the readObject() method of the ObjectInputStream class is called. If the class being deserialized overrides readObject(), Java calls that overriding readObject() method instead during deserialization.

Combining this with the Commons Collections behaviour described above: if a serializable class overrides readObject() and modifies a Map-typed member variable inside it, and that Map variable is controllable, our attack target is achieved.

Such a class exists: AnnotationInvocationHandler. Its code is as follows:

Perfect. Its member variable memberValues is of type Map, and the overridden readObject() method contains a memberValue.setValue() operation.

We can instantiate AnnotationInvocationHandler, assign its member variable memberValues a specially crafted malicious TransformedMap, serialize it, and submit it to a Java application that performs no security checks. During deserialization, the application triggers the TransformedMap transformation and runs the preset command.

0x04 Detailed analysis of Jenkins

To exploit this vulnerability against a Java application, you need to find an entry point that receives serialized objects, and the application must use the Commons Collections library.

From traffic analysis: Java serialized data starts with the magic bytes ac ed 00 05, which after Base64 encoding appear as the prefix rO0AB. From code analysis: focus on the places where the readObject() method is used.
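As an added example (not code from the original article), here is a small Python scanner that applies these two indicators to captured data: it recognizes both the raw ac ed 00 05 magic and the rO0AB Base64 form, then heuristically extracts the class names in the stream and flags the gadget classes this article discusses. The fully qualified class names in GADGET_CLASSES and the minimal constructed sample stream are assumptions, not taken from the article.

```python
import base64
import re
# Java serialization header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005;
# its Base64 encoding always begins with "rO0AB" (the article's two indicators).
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72  # tag preceding a 2-byte length and a class name
# Gadget classes the article names; the fully qualified names are assumed here.
GADGET_CLASSES = {
    "sun.reflect.annotation.AnnotationInvocationHandler",
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.map.TransformedMap",
}
CLASS_NAME_RE = re.compile(rb"^\[*[A-Za-z_$][A-Za-z0-9_$.;]*$")

def normalize(data: bytes) -> bytes:
    """Return raw stream bytes, decoding input that arrives in the rO0AB Base64 form."""
    data = data.strip()
    if not data.startswith(b"rO0AB"):
        return data
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:
        return data  # looks like Base64 but is not: treat it as raw bytes

def class_names(stream: bytes) -> list:
    """Heuristic scan for TC_CLASSDESC + length + name; not a full parser (back-references
    are not followed and a 0x72 inside string data can give a false hit, fine for alerting)."""
    names = []
    for i, tag in enumerate(stream):
        if tag != TC_CLASSDESC:
            continue
        n = int.from_bytes(stream[i + 1:i + 3], "big")
        name = stream[i + 3:i + 3 + n]
        if 1 <= n <= 256 and len(name) == n and CLASS_NAME_RE.match(name):
            names.append(name.decode("ascii"))
    return names

def classify(data: bytes) -> dict:
    """Classify one captured payload: Java stream or not, and which gadget classes appear."""
    stream = normalize(data)
    if not stream.startswith(STREAM_MAGIC):
        return {"java_serialized": False, "classes": [], "gadgets": []}
    names = class_names(stream)
    return {"java_serialized": True, "classes": names, "gadgets": sorted(set(names) & GADGET_CLASSES)}

def minimal_stream(class_name: str) -> bytes:
    """Constructed sample stream: magic, TC_OBJECT, TC_CLASSDESC, name, serialVersionUID, flags, 0 fields."""
    n = class_name.encode("ascii")
    return STREAM_MAGIC + b"\x73\x72" + len(n).to_bytes(2, "big") + n + b"\x00" * 8 + b"\x02\x00\x00"
```

Run classify() over each HTTP body or CLI message body in a capture; a hit in "gadgets" on an endpoint that is only supposed to carry plain data is the signal to investigate.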

According to the articles published on foxglovesecurity.com, affected Java applications include WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS.

Take Jenkins as an example. Jenkins is an open source continuous integration server. After Jenkins starts, it opens several ports: besides the web console there is a CLI port, a random high port that the WEB-INF/jenkins-cli.jar program under the Jenkins directory communicates with. Analysis of the communication packets shows the Base64 Java serialization marker rO0AB.

Therefore, the Base64-encoded serialized data in the packet can be replaced with constructed malicious data and sent to the Jenkins server for remote command execution.

When you capture this communication directly with Wireshark, you will find that it is encrypted with SSL.

Analysing the packets shows that before jenkins-cli.jar talks to the CLI port, it first sends an HTTP GET request to the Jenkins web console, parses the CLI port from the response, and only then starts the subsequent communication.

If no X-Jenkins-CLI2-Port header can be parsed, the X-Jenkins-CLI-Port header is parsed instead, and the Jenkins CLI protocol is automatically downgraded to version 1, which has no SSL encryption.

So we can use Burp Suite to tamper with the HTTP response in this exchange and delete the X-Jenkins-CLI2-Port response header, so that Wireshark can capture the plaintext packets.

Set the HTTP proxy for the command-line terminal; generally the http_proxy environment variable is used:

export http_proxy=http://proxyaddress:port

For Java programs, _JAVA_OPTIONS is required instead:

export _JAVA_OPTIONS='-Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=8080'

Then run jenkins-cli.jar, tamper with the response, and Wireshark can capture the plaintext Jenkins CLI communication:

java -jar jenkins-cli.jar -s http://x.x:8888/

@breenmachine's script:

Usage:

./jenkins.py host port /path/to/payload

The script simulates the communication with the Jenkins CLI port. The payload is the serialized byte data of the AnnotationInvocationHandler class, which can be generated with the ysoserial tool on GitHub:

git clone --depth=50 --branch=master https://github.com/frohoff/ysoserial.git frohoff/ysoserial

Build it with

mvn install -DskipTests=true -Dmaven.javadoc.skip=true -B -V

to obtain ysoserial-0.0.2-SNAPSHOT-all.jar. The command for generating the payload is as follows:

java -jar ysoserial-0.0.2-SNAPSHOT-all.jar CommonsCollections1 'echo 123 > /tmp/tmp_test' > tmp_test.ser

0x05 Impact and fixes

Apache Commons Collections

Apache Commons Collections fixed this in version 3.2.2 by adding a switch that controls whether these unsafe Java classes may be serialized; it is disabled by default. The classes involved are CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, and WhileClosure.

For example, the InvokerTransformer class now overrides the serialization-related methods writeObject() and readObject().

If serialization of unsafe classes has not been enabled, an UnsupportedOperationException is thrown:

Jenkins

Jenkins released a security bulletin and fixed the vulnerability in version 1.638.

JBoss

Solutions for JBoss-related products released by Red Hat: https://access.redhat.com/solutions/2045023

Affected JBoss products include:

WebLogic

Oracle has also released a security alert: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

Affected versions include Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0.

WebSphere

IBM WebSphere security announcement: http://www-01.ibm.com/support/docview.wss?uid=swg21970575

Affected WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition versions include:

Version 8.5 and 8.5.5 Full Profile and Liberty Profile

Version 8.0

Version 7.0

0x06 Related CVEs

CVE-2015-7501

CVE-2015-4852 (WebLogic)

CVE-2015-7450 (WebSphere)
