Analysis of the XMLDecoder parsing process

Foreword

After looking at a few WebLogic CVEs related to XMLDecoder (CVE-2017-3506, CVE-2017-10352, CVE-2019-2725), I decided to take a proper look at how XMLDecoder parses its input.

This article analyzes the JDK 7 version of XMLDecoder; in JDK 6 the XMLDecoder logic is written inside a single class (com.sun.beans.ObjectHandler).

Only the XMLDecoder parsing process is analyzed here; for the specific WebLogic vulnerabilities see the papers written by several other masters:

WebLogic RCE (CVE-2019-2725) vulnerability journey - Badcode

WebLogic CVE-2019-2725 Analysis Report - Liao Xinxi

If you do not feel like reading the code, you can also read the official XMLDecoder documentation:
Long Term Persistence of JavaBeans Components: XML Schema

Several key classes in XMLDecoder

The overall XMLDecoder parsing process is built on Java's native SAX XML parser.

The following classes are all in the com.sun.beans.decoder package.

DocumentHandler

DocumentHandler extends DefaultHandler, the default handler for SAX XML parsing, so when WebLogic validates the XML it also uses SAX, which keeps the two processes consistent.

DefaultHandler implements four interfaces: EntityResolver, DTDHandler, ContentHandler and ErrorHandler.

DocumentHandler mainly overrides the ContentHandler methods; after all, it is primarily concerned with parsing content, and the other interfaces are left at their defaults.

ElementHandler and its subclasses

Every tag XMLDecoder supports has a corresponding class that extends ElementHandler; the concrete mapping can be seen in the DocumentHandler constructor:

[Screenshot: DocumentHandler constructor registering the ElementHandler class for each tag]

So these are the only tags XMLDecoder can use.

Their inheritance relations and the methods each one overrides (large image; enlarge it yourself, or just glance at it to get the idea):

[Screenshot: ElementHandler inheritance diagram with overridden methods]
This inheritance relation is the reason the object tag can be replaced by the void tag; details later.

ValueObject and its subclasses

ValueObject is the interface of a wrapper class; the wrapped object is the one actually produced during parsing (including null).

Inheritance:

[Screenshot: ValueObject inheritance diagram]
Generally objects are wrapped in a ValueObjectImpl, while null / true / false (from tags other than boolean) are represented directly by their own handlers, which implement the interface themselves.

Key methods in the XMLDecoder process

For details of the XML-parsing methods in DocumentHandler refer to the Java SAX ContentHandler documentation.

For the ElementHandler methods refer to the ElementHandler documentation.

DocumentHandler creates the ElementHandler corresponding to each tag and calls into it.

startElement

Handles a start tag, including adding its attributes.
DocumentHandler: the parameters supplied by the SAX parser are the namespace URI, the local name, the qualified name and the attribute list. It creates the ElementHandler matching the qualified name, adds the relevant attributes, then calls that handler's startElement.

ElementHandler: no operation, except in the handler for the array tag.

endElement

Handles an end tag.
DocumentHandler: calls the endElement of the corresponding ElementHandler and moves the current ElementHandler back to the ElementHandler of the enclosing tag.

ElementHandler: I did not see any override; every tag uses the endElement of the abstract class ElementHandler, which decides whether an argument must be written to the parent and whether the tag's object ID must be registered.

characters

DocumentHandler: handles the text wrapped by a tag; for example the text inside <string>java.lang.ProcessBuilder</string> goes through this method. It ends up calling the addCharacter method of the corresponding ElementHandler.

addCharacter

ElementHandler: the addCharacter in ElementHandler only accepts whitespace characters (space, \n, \t, \r) and throws an exception on anything else; StringElementHandler overrides it and records the complete string value.

addAttribute

ElementHandler: adds an attribute; each tag supports its own set of attributes, and any other attribute raises an error.

getContextBean

ElementHandler: obtains the object to operate on; for example when the method tag executes a method it must fetch the object created by the handler of the enclosing object/void/new tag. This method generally triggers the parent's getValueObject.

getValueObject

ElementHandler: obtains the ValueObject instance corresponding to the object produced by the current tag. For the concrete implementation see each ElementHandler class.

isArgument

ElementHandler: decides whether this tag is an argument to the enclosing tag's handler.

addArgument

ElementHandler: adds an argument to the current tag's handler.

Other XMLDecoder-related members

Two member variables; before the class is instantiated, arguments are added through calls on the parent.

parent

The ElementHandler of the outermost tag has a null parent; every other handler's parent is the ElementHandler of the enclosing tag.

owner

ElementHandler: owner is fixed to the DocumentHandler it belongs to.

DocumentHandler: owner is fixed to the XMLDecoder it belongs to.

Simplified parsing flowchart

Drawn in PowerPoint :-D
[Figure: simplified XMLDecoder parsing flowchart]

Tracing the process along a vulnerability (WebLogic)

Start with a simple piece of code:

import java.beans.XMLDecoder;
import java.io.FileInputStream;
import java.io.FileNotFoundException;

public class Demo {  // wrapper class added so the snippet compiles as-is
    public static void main(String[] args) throws FileNotFoundException {
        String filename = "1.xml";  // the XML document to decode
        XMLDecoder XD = new XMLDecoder(new FileInputStream(filename));
        Object o = XD.readObject();  // parses the document and instantiates the objects it describes
        System.out.println(o);
    }
}

Level1: no filtering at all

<java>
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc</string>
            </void>
        </array>
        <void method="start"/>
    </object>
</java>

First look at DocumentHandler's startElement:
[Screenshot: DocumentHandler.startElement]

  1. Create the corresponding handler and set its owner and parent
  2. Add the attributes to the handler
  3. Call the handler's startElement

(The rest of DocumentHandler is skipped; from here on we start directly from ElementHandler.)
Next, start with ObjectElementHandler, which corresponds to the object tag:
Enter the object tag; it carries a class attribute, so we go into addAttribute:
[Screenshot: ObjectElementHandler.addAttribute]

You can see that class is not in the list of attributes checked here, so the parent class's (NewElementHandler's) addAttribute is called.
[Screenshot: NewElementHandler.addAttribute]
type is set to the Class object for java.lang.ProcessBuilder.

The part in the middle that creates the array argument is skipped; interested readers can trace it themselves.

Enter the void tag and set the method attribute; because of the inheritance relation, the addAttribute screenshot above applies here as well.

Leave the void tag and enter ElementHandler's endElement:
[Screenshot: ElementHandler.endElement]
Because of inheritance, NewElementHandler's getValueObject is called:
[Screenshot: NewElementHandler.getValueObject]
Continue into the ObjectElementHandler getValueObject overload that takes parameters:
[Screenshot: ObjectElementHandler.getValueObject(...)]
Here getContextBean calls the getValueObject of the enclosing tag, i.e. the object tag, to obtain the target object.

Skipping the intermediate steps, we enter ObjectElementHandler's getValueObject again:

Finally the object is created through an Expression:
[Screenshot: ObjectElementHandler.getValueObject creating the object via Expression]

(Note that the first argument of this Expression is the Class object obtained from getContextBean above; remember this, it is used later.)

Back again to the getValueObject for the void tag:
Finally the start method is invoked through an Expression:
[Screenshot: getValueObject for the void tag invoking start via Expression]
If the inheritance relations feel confusing, see the inheritance diagram in the next section.

PS: although ObjectElementHandler extends NewElementHandler, it overrides getValueObject, so the two create class instances in different ways.
PPS: the java tag can actually be omitted, but then multiple objects cannot be included.

Level2: only the object tag is filtered

Just replace the object tag above with void.

The inheritance of VoidElementHandler:

[Screenshot: VoidElementHandler inheritance]
You can see that only isArgument is overridden, which has no effect on the whole trigger path, so here the void tag is completely equivalent to the object tag.

Level3: a pile of filters

The object/new/method tags are filtered, the void tag may only use the index attribute, array's class may only be byte, and its length is limited.

The original PoC for CNVD-2018-2725 (CVE-2019-2725) used the UnitOfWorkChangeSet class, whose constructor is as follows (image borrowed from Badcode's paper):

[Screenshot: UnitOfWorkChangeSet constructor, from Badcode's paper]

The original PoC mainly relies on the fact that the UnitOfWorkChangeSet constructor deserializes the content of the input byte array, which is why it was initially described as a deserialization vulnerability.

In fact this hole exploits the constructor of a problematic class: since methods can no longer be called, this compromise was chosen. (Actually some methods can still be called :-D)

To do this experiment you need to import com.oracle.toplink_1.1.0.0_11-1-1-6-0.jar from the modules directory of WebLogic 10.3.6.

<java>
    <class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>
            <array class="byte" length="2">
                <void index="0">
                    <byte>-84</byte>
                </void>
                <void index="0">
                    <byte>-19</byte>
                </void>
            </array>
        </void>
    </class>
</java>

Because the class tag inherits the addCharacter of the string tag, the whitespace characters wrapped inside the tag (space, \r, \n, \t) are appended to the class name as well, so the class lookup fails; therefore at least the whitespace between <class> and <void> must be removed.

PS: the string tag can actually be omitted here too.

As said in Level1:

The first argument of the Expression is the Class object obtained from getContextBean above

That is, if we can find a replacement for the object/void + class attribute combination above that lets getContextBean obtain a Class object, we can also call the constructor to create the object.

Let's look at where getContextBean is called:
[Screenshot: getContextBean]
In Level1/2, because the object (void) tag set the class attribute, type has a value, so type is returned directly.

The getContextBean of the parent class calls the parent's getValueObject to obtain the target object, so in this case we need the object obtained from the parent to be a Class; that is why the class tag is used here, so that the object the void tag obtains is a Class object.

Because the void tag only allows the index attribute, the method attribute cannot be used to call a specific method, so we can only count on the constructor; hence the technique above of using the UnitOfWorkChangeSet constructor to exploit deserialization.

Classes that can be exploited the same way include the FileSystemXmlApplicationContext class used in the earlier Jackson RCE.
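The Level3 rules above (object/new/method rejected, void restricted to index, array restricted to byte with a capped length) can be expressed as a SAX policy check, in the same spirit as the SAX-based validation the post attributes to WebLogic. This is an added example, not code from the post or from WebLogic; the length cap, the optional class-tag rule and the sample documents are my assumptions. It shows the Level1 document being rejected, the Level3 document passing the stated rules (the gap the post explains), and the same document being rejected once the class tag, which yields a Class object, is denied as well.

```python
import xml.sax
from xml.sax.handler import ContentHandler

# Rules as the post summarises the Level3 filter. The length cap is a
# placeholder: the post says the length is limited but not by how much.
DENIED_TAGS = {"object", "new", "method"}
MAX_ARRAY_LENGTH = 64  # placeholder, not the real WebLogic limit


class XmlDecoderPolicy(ContentHandler):
    """SAX handler that records rule violations instead of building objects."""

    def __init__(self, deny_class_tag=False):
        super().__init__()
        self.deny_class_tag = deny_class_tag  # extra rule, see lead-in
        self.violations = []

    def startElement(self, name, attrs):
        names = set(attrs.getNames())
        if name in DENIED_TAGS:
            self.violations.append(f"<{name}> is denied")
        elif name == "class" and self.deny_class_tag:
            self.violations.append("<class> is denied (it yields a Class object)")
        elif name == "void" and names - {"index"}:
            self.violations.append("<void> attributes " + str(sorted(names - {"index"})))
        elif name == "array":
            if attrs.get("class") != "byte":
                self.violations.append(f"<array class={attrs.get('class')!r}>")
            if int(attrs.get("length", "0")) > MAX_ARRAY_LENGTH:
                self.violations.append("<array> length exceeds cap")


def check(document, deny_class_tag=False):
    """Return the violations for one XMLDecoder document (empty list = accepted)."""
    handler = XmlDecoderPolicy(deny_class_tag)
    xml.sax.parseString(document.encode(), handler)
    return handler.violations


# Constructed samples in the shape of the post's Level1 and Level3 documents.
LEVEL1 = ('<java><object class="java.lang.ProcessBuilder">'
          '<array class="java.lang.String" length="1"><void index="0">'
          '<string>calc</string></void></array><void method="start"/></object></java>')
LEVEL3 = ('<java><class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet'
          '</string><void><array class="byte" length="2"><void index="0"><byte>-84</byte>'
          '</void><void index="1"><byte>-19</byte></void></array></void></class></java>')

if __name__ == "__main__":
    print(check(LEVEL1))        # three violations: object tag, array class, void method
    print(check(LEVEL3))        # [] : passes the Level3 rules, the gap the post describes
    print(check(LEVEL3, True))  # rejected once the class tag is denied
```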

Summary

The XMLDecoder process is quite interesting; the specific function of each tag and the detailed analysis of the process are still things you have to look at yourself.

By the way, important things are said three times:
You must look at it yourself!
Be sure to look at it yourself!
Be sure to look at it yourself!


Source: blog.csdn.net/fnmsd/article/details/89889144