Change source code/fix CVE-2016-1000027 vulnerability analysis in Java

1. Basic knowledge:

Before analyzing the vulnerability you need to know what Spring HTTP Invoker is. HttpInvoker provides RPC over HTTP and uses Java's object serialization mechanism to carry the invocation, which lets systems communicate across firewalls or between multiple services.

The implementation details are complicated and we do not need to go into them deeply. What matters is that HttpInvoker transmits serialized Java objects over HTTP, and wherever serialized data is received and deserialized without proper controls, a deserialization vulnerability can arise.

2. Vulnerability causes:

Vulnerable versions: spring-web < 6.0

The vulnerability lies in HttpInvokerServiceExporter and RemoteInvocationSerializingExporter: the incoming serialized data is not validated, so when malicious serialized data is sent, malicious code is executed during deserialization.

First, locate where the vulnerability is. The execution stack relationship can be seen here:

The call chain is as follows: handleRequest receives the posted data, then readRemoteInvocation and createObjectInputStream are called, and finally deserialization happens in doReadRemoteInvocation through readObject.

httpinvoker.HttpInvokerServiceExporter.handleRequest
	httpinvoker.HttpInvokerServiceExporter.readRemoteInvocation
		RemoteInvocationSerializingExporter.createObjectInputStream
			RemoteInvocationSerializingExporter.doReadRemoteInvocation
				RemoteInvocationSerializingExporter.readObject


3. Solution:

The vulnerability can be fixed directly by upgrading to version 6.0, but the troublesome points are:

spring-web 6.0 changes a great deal; from 6.0 onward JDK 1.8 is no longer supported.

Spring 6 instead requires at least JDK 17.

It also requires Maven 3.6 or later.


The jBPM 6.2.0 and Hibernate 4.2 used in the project are not compatible with Spring Framework 6: Spring Framework 6 requires JPA 2.2 or higher, while Hibernate 4.2 is based on JPA 2.0. In this situation the vulnerability cannot be fixed by upgrading; it can only be fixed manually:

1. The first option is to add execution restrictions, i.e. restrict the serialized data and reject it if a malicious cc (Commons Collections) gadget chain is being invoked. This carries a bypass risk and is not safe.
2. The second option is to disable the HttpInvokerServiceExporter function outright; if the business does not use it, this has no impact.
The second option is adopted here: the handleRequest method is emptied, which disables its callback.

The modified code, shown as a screenshot in the original post, simply leaves the handleRequest method body empty.
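The same mitigation expressed as a compilable class, added here as an example and not taken from the post or from Spring: a subclass of HttpInvokerServiceExporter (spring-web 5.3.x, javax.servlet API) whose handleRequest never reads the request body. The package name and the choice to answer 404 instead of an empty 200 are this example's own; the post's patched class achieves the same by emptying the method in the decompiled source.

```java
package com.example.hardening; // hypothetical package, not part of the project

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

/**
 * Drop-in replacement for HttpInvokerServiceExporter that never deserializes
 * the request body. Either register this class as the exporter bean instead of
 * the original, or apply the same method body when re-compiling the decompiled
 * HttpInvokerServiceExporter.java as described in the post.
 */
public class DisabledHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    /*
     * In the original class this method calls readRemoteInvocation(request),
     * which runs the chain
     *   readRemoteInvocation -> createObjectInputStream
     *     -> doReadRemoteInvocation -> readObject
     * on attacker-supplied bytes. That is the path CVE-2016-1000027 abuses,
     * so the override below simply never enters it.
     */
    @Override
    public void handleRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The request body is deliberately left unread: no ObjectInputStream is
        // ever created for it. Returning 404 gives callers an explicit failure
        // (the post's variant leaves the body empty and returns 200 with no data).
        response.sendError(HttpServletResponse.SC_NOT_FOUND,
                "HTTP Invoker endpoint disabled (mitigation for CVE-2016-1000027)");
    }
}
```

After deploying, confirm in the application log that no bean of the original HttpInvokerServiceExporter type is still mapped to a URL; otherwise the vulnerable path remains reachable.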

4. Modify the source code:

Taking the spring-web package as an example: essentially, create an HttpInvokerServiceExporter.java file with the same content as HttpInvokerServiceExporter.class (obtained with a decompiler), remove the code in handleRequest, compile it into a new HttpInvokerServiceExporter.class, and replace the .class file inside the original spring-web jar with the new one.


1. Put the newly generated HttpInvokerServiceExporter.java file into this directory.
2. Open cmd.
3. javac -cp C:\Users\wonder\Desktop\spring-web漏洞修复\jar\* HttpInvokerServiceExporter.java
4. -cp points to the location of the jar packages that HttpInvokerServiceExporter.java depends on; javac compiles the .java file into a .class file.


5. If running javac -cp C:\Users\wonder\Desktop\spring-web漏洞修复\jar\* HttpInvokerServiceExporter.java reports "not found" errors, check that your dependencies are correct, and repeat until the command runs without errors.


6. After the command succeeds, the .class files are generated in the current directory; replace the corresponding files inside the original jar with them.


7. Copy these two .class files, open spring-web-5.3.29.jar in an archive tool in preview mode (be careful not to extract it), and find the original location of this file inside the jar.


8. Replace them; open IDEA, refresh Maven and verify again. You can see that the modification succeeded.


Decompiler:
jd-gui:https://github.com/java-decompiler/jd-gui/releases

Original post: blog.csdn.net/weixin_45285213/article/details/132076689