JackSon DriverAdapterCPDS gadget CVE-2020-36179分析

Day1发现有分析 jackson 的DriverAdapterCPDS 这个gadget

背景知识

其实是参考【1】大佬上报的CVE-2020-36179

Gadget:

1
2
3
4
DriverAdapterCPDS
    ->seturl
        ->getPooledConnection
            ->DirverManager.getConnection(this.url,username,pass)

漏洞复现

gadget流程很简单,但是在复现的时候发现卡在getParentLogger这里,不会执行到getPooledConnection

1
2
3
4
@Override
public Logger getParentLogger() throws SQLFeatureNotSupportedException {
    throw new SQLFeatureNotSupportedException();
}

可见getParentLogger简单粗暴直接throw Exception,直接GG

多次测试发现getParentLogger,getPooledConnection执行顺序并不是有序的,如下:

失败
upload successful

成功
upload successful

原理分析

背景知识:jackson反序列化会执行部分getter

getter的产生流程跟踪:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
_addMemberMethods:110, AnnotatedMethodCollector (com.fasterxml.jackson.databind.introspect)
collect:42, AnnotatedMethodCollector (com.fasterxml.jackson.databind.introspect)
collectMethods:33, AnnotatedMethodCollector (com.fasterxml.jackson.databind.introspect)
_methods:365, AnnotatedClass (com.fasterxml.jackson.databind.introspect)
memberMethods:305, AnnotatedClass (com.fasterxml.jackson.databind.introspect)
_addMethods:525, POJOPropertiesCollector (com.fasterxml.jackson.databind.introspect)
collectAll:309, POJOPropertiesCollector (com.fasterxml.jackson.databind.introspect)
getPropertyMap:287, POJOPropertiesCollector (com.fasterxml.jackson.databind.introspect)
getProperties:170, POJOPropertiesCollector (com.fasterxml.jackson.databind.introspect)
_properties:164, BasicBeanDescription (com.fasterxml.jackson.databind.introspect)
findProperties:239, BasicBeanDescription (com.fasterxml.jackson.databind.introspect)
_findCreatorsFromProperties:361, BasicDeserializerFactory (com.fasterxml.jackson.databind.deser)
_constructDefaultValueInstantiator:345, BasicDeserializerFactory (com.fasterxml.jackson.databind.deser)
findValueInstantiator:269, BasicDeserializerFactory (com.fasterxml.jackson.databind.deser)
buildBeanDeserializer:214, BeanDeserializerFactory (com.fasterxml.jackson.databind.deser)
createBeanDeserializer:137, BeanDeserializerFactory (com.fasterxml.jackson.databind.deser)
_createDeserializer2:411, DeserializerCache (com.fasterxml.jackson.databind.deser)
_createDeserializer:349, DeserializerCache (com.fasterxml.jackson.databind.deser)
_createAndCache2:264, DeserializerCache (com.fasterxml.jackson.databind.deser)
_createAndCacheValueDeserializer:244, DeserializerCache (com.fasterxml.jackson.databind.deser)
findValueDeserializer:142, DeserializerCache (com.fasterxml.jackson.databind.deser)
findContextualValueDeserializer:444, DeserializationContext (com.fasterxml.jackson.databind)
_findDeserializer:194, TypeDeserializerBase (com.fasterxml.jackson.databind.jsontype.impl)
_deserialize:97, AsArrayTypeDeserializer (com.fasterxml.jackson.databind.jsontype.impl)
deserializeTypedFromAny:71, AsArrayTypeDeserializer (com.fasterxml.jackson.databind.jsontype.impl)
deserializeWithType:712, UntypedObjectDeserializer$Vanilla (com.fasterxml.jackson.databind.deser.std)
deserialize:68, TypeWrappedDeserializer (com.fasterxml.jackson.databind.deser.impl)
_readMapAndClose:4014, ObjectMapper (com.fasterxml.jackson.databind)
readValue:3005, ObjectMapper (com.fasterxml.jackson.databind)

最终观察发现jackson通过 ClassUtil.getClassMethods(cls)获取所有的函数,最终调用的是getDeclaredMethods(),而getDeclaredMethods()返回数组中的元素没有排序,也没有任何特定的顺序,从而导致随机触发。

小结

简单跟踪分析了CVE-2020-36179 这个链,发现2处有意思的点

  1. jdbc url 可控情况下,利用H2 sql可攻击h2 server()
  2. getDeclaredMethods 随机特性

拓展思考

  1. jdbc url可控是个通用问题
  2. getDeclaredMethods 随机特性有绕过方法吗?

参考

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true