One Article Review

Home - The article:
Source: Code White
Identifier: 459502
Publication date: 2018-01-23 10:30:55 (seen: 2018-01-23 10:30:55)
Title: Handcrafted Gadgets
Introduction

In Q4 2017 I was pentesting a customer. Shortly before, I had been studying JSON attacks when I stumbled over an internet-facing B2B-portal-type product written in Java that they were using (I cannot disclose more details due to responsible disclosure). After a while I found that one of the server responses contained a serialized Java object, so I downloaded the source code and found a way to make the server deserialize untrusted input. Unfortunately, no appropriate gadget was available. However, they were using groovy-2.4.5, so when I saw [1] on Twitter at the end of December, I knew I could pwn the target if I succeeded in writing a gadget for groovy-2.4.5. This led to this blog post, which is based on work by Sam Thomas [2], Wouter Coekaerts [3] and Alvaro Muñoz (pwntester) [4].

Be careful when you fix your readObject() implementation...

We'll start by exploring a popular mistake some developers made during the first mitigation attempts, after the first custom gadgets surfaced following the initial discovery of a vulnerability. Let's check out an example, the Jdk7u21 gadget. A brief recap of what it does: it makes use of a hashCode collision that occurs when a specially crafted instance of java.util.LinkedHashSet is deserialized (you need a string with hashCode 0 for this). It uses a java.lang.reflect.Proxy to create a proxied instance of the interface javax.xml.transform.Templates, with sun.reflect.annotation.AnnotationInvocationHandler as the InvocationHandler. The collision comes from AnnotationInvocationHandler.hashCodeImpl(), which computes the proxy's hash as the sum over its memberValues map of (127 * name.hashCode()) ^ value.hashCode(); with a single entry whose name hashes to 0, the proxy's hash equals the hash of the TemplatesImpl stored as the value, so the HashMap backing the set sees a collision and calls equals(). Ultimately, in an attempt to determine equality of the two objects, the invocation handler calls all argument-less methods of the provided TemplatesImpl instance, which yields code execution through the malicious bytecode inside that TemplatesImpl instance. For further details, check out what the methods AnnotationInvocationHandler.equalsImpl() and TemplatesImpl.newTransletInstance() do (and check out the links related to this gadget).
The following diagram, taken from [5], depicts a graphical overview of the architecture of the gadget. So far, so well known. In recent Java runtimes there are in total three fixes inside AnnotationInvocationHandler which break this gadget (see epilogue), but let's start with the first and most obvious bug. The code below is from AnnotationInvocationHandler in Java version 1.7.0_21:

There is a try/catch around an attempt to get the proxied annotation type. But the proxied interface javax.xml.transform.Templates is not an annotation. This constitutes a clear case of potentially dangerous input that would need to be dealt with. However, instead of throwing an exception, there is only a return statement inside the catch branch. Fortunately for the attacker, the instance of the class is already fit for purpose at that point (defaultReadObject() has populated its fields before the check runs) and does not need the rest of the readObject() method in order to do its malicious work. So the "return" is problematic and would have to be replaced by throwing an exception of some sort. Let's check how this method looks in Java runtime 1.7.0_80:

Ok, so problem fixed? Well, yes and no. On the one hand, the exception in the catch clause breaks the gadget which currently ships with ysoserial. On the other hand, this fix is a perfect example of the popular mistake I'm talking about. Wouter Coekaerts (see [3]) came up with an idea of how to bypass such "fixes", and Alvaro Muñoz (see [4]) provided a gadget for JRE8u20 which utilizes this technique (in ca
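An added illustration of the return-versus-throw difference (example code written for this edit, not the JDK source): two minimal Serializable classes stand in for AnnotationInvocationHandler, with Class.isAnnotation() replacing the AnnotationType.getInstance() lookup that fails for a non-annotation type. The class names LenientHandler and StrictHandler and the fields type and memberName are invented for the example; the shape of the two readObject() methods follows what the text describes for 1.7.0_21 and 1.7.0_80.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.annotation.Retention;

public class ReadObjectReturnVsThrow {

    /** The 1.7.0_21 shape: the check fails, readObject() returns, the object survives intact. */
    static class LenientHandler implements Serializable {
        private static final long serialVersionUID = 1L;
        final Class<?> type;        // supposed to be an annotation type
        final String memberName;    // stand-in for the state the gadget actually relies on

        LenientHandler(Class<?> type, String memberName) {
            this.type = type;
            this.memberName = memberName;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();          // all fields are populated before any check runs
            if (!type.isAnnotation()) {      // stand-in for AnnotationType.getInstance(type) failing
                return;                      // the bug: bad input is noticed and then ignored
            }
            // remaining validation would follow here; for bad input it is simply skipped
        }
    }

    /** The 1.7.0_80 shape: the same check, but the stream is rejected. */
    static class StrictHandler implements Serializable {
        private static final long serialVersionUID = 1L;
        final Class<?> type;
        final String memberName;

        StrictHandler(Class<?> type, String memberName) {
            this.type = type;
            this.memberName = memberName;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (!type.isAnnotation()) {
                throw new InvalidObjectException("Non-annotation type in serial stream: " + type.getName());
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Attacker-shaped input: the "annotation type" is an ordinary interface.
        byte[] bad = serialize(new LenientHandler(Runnable.class, "f5a5a608"));
        LenientHandler lenient = (LenientHandler) deserialize(bad);
        System.out.println("lenient: deserialized anyway, memberName=" + lenient.memberName
                + ", type=" + lenient.type.getName());

        try {
            deserialize(serialize(new StrictHandler(Runnable.class, "f5a5a608")));
            System.out.println("strict: accepted (unexpected)");
        } catch (InvalidObjectException e) {
            System.out.println("strict: rejected, " + e.getMessage());
        }

        // Legitimate input still passes the strict version.
        StrictHandler ok = (StrictHandler) deserialize(serialize(new StrictHandler(Retention.class, "value")));
        System.out.println("strict: annotation type accepted, type=" + ok.type.getName());
    }
}
```

The lenient version hands the caller a fully populated object whose only defect is that nobody acted on the failed check; the strict version aborts the stream, which is the fix 1.7.0_80 applied. As the rest of the post argues, throwing from readObject() stops this particular stream but does not by itself protect against the bypass technique that follows.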