One Article Review

Home - The article:
Source: Code White
Identifier: 7831
Publication date: 2016-05-08 11:15:23 (viewed: 2016-05-08 11:15:23)
Title: Return of the Rhino: An old gadget revisited
Text: [Update 08/05/2015: Added reference to CVE-2012-3213 of James Forshaw. Thanks for the heads up]

As already mentioned in our Infiltrate '16 and RuhrSec '16 talks, Code White spent some research time looking for serialization gadgets. Apart from the Javassist/Weld gadget we also found an old but interesting gadget that uses only classes from the Java Runtime Environment (a so-called JRE gadget). We called the gadget Return of the Rhino, since the relevant gadget classes are part of the JavaScript engine Rhino, bundled with Oracle JRE6 and JRE7.

As you may already know, the Rhino script engine has already been abused in JVM sandbox escapes in the past (e.g. CVE-2011-3544 of Michael Schierl and CVE-2012-3213 of James Forshaw).

We stumbled over the gadget by accident when we realized that there is a huge difference between the official Oracle JRE and the JREs bundled with common Linux distros. Most may not know that the Rhino script engine is actively developed by the Mozilla Project and distributed as a standalone package/jar (packages under org.mozilla.*). Oracle JRE6/7, on the other hand, bundles an old fork of Rhino (packages under sun.org.mozilla.*). Surprisingly, Oracle applied some hardening to the Rhino core classes with JRE7u1513, so that they are no longer serializable. The changes were made to fix a sandbox escape (CVE-2012-3213) of James Forshaw (see James' blog post). But those hardening changes were not incorporated into Mozilla's Rhino mainline, which happens once in a while. So the gadget still works if you are using the OpenJDK bundled with Ubuntu or Debian.

Let's take a look at the static view of some Rhino core classes:

In the Rhino JavaScript domain almost every JavaScript language object is represented as a ScriptableObject in the Java domain. Functions, types, regexes and several other JavaScript objects are implemented in Java classes extending ScriptableObject. A ScriptableObject has two interesting members: a reference to its prototype object and an array of Slot objects. The slots store the properties of a JavaScript object. A slot can be either a Slot, a GetterSlot or a RelinkedSlot. For our gadget we only focus on the GetterSlot inner class. Every Slot class has a getValue() method used to retrieve the value of the property. In the case of a GetterSlot the value is taken from a call to either a MemberBox or a Function instance. And both MemberBox and Function instances do dynamic method calls using Java's Reflection API. That's already the essence of the story :-). But let's go into the details.

The class NativeError is a successor of IdScriptableObject, which inherits from ScriptableObject. ScriptableObject implements the tagging interface Serializable, hence all successors like NativeError are serializable. The class NativeError has an interesting way of how toString() is performed:
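As a defender's counterpart to the gadget walk-through above, here is an added example (not part of Code White's post) of look-ahead deserialization on JRE6/7-era Java: an ObjectInputStream subclass that inspects every class descriptor in resolveClass() before the class is loaded or any instance is created, rejecting the bundled Rhino packages (sun.org.mozilla.* and org.mozilla.*) and anything not on an application-specific allow-list. The class RhinoGadgetFilterDemo, the Order type and the allow-list contents are assumptions made for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RhinoGadgetFilterDemo {

    // Package prefixes of the Rhino engine as bundled in Oracle JRE6/7 (sun.org.mozilla.*)
    // and as shipped by Mozilla / OpenJDK (org.mozilla.*). Block policy chosen for this demo.
    static final List<String> BLOCKED_PREFIXES = Arrays.asList(
            "sun.org.mozilla.javascript.",
            "org.mozilla.javascript.");

    // Allow-list of class descriptors this application expects in its streams
    // (hypothetical; a real list is derived from the application's own data model).
    static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "RhinoGadgetFilterDemo$Order",
            "java.util.HashMap",
            "java.lang.Integer",
            "java.lang.Number"));

    /** The only application type we intend to deserialize in this demo (constructed). */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final Map<String, Integer> items = new HashMap<String, Integer>();

        Order(String id) { this.id = id; }
    }

    /**
     * Look-ahead ObjectInputStream: resolveClass() runs for every class descriptor
     * in the stream before any object is instantiated, so a gadget chain is stopped
     * before ScriptableObject.readObject() or any slot getter could ever run.
     */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : BLOCKED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    throw new InvalidClassException(name, "Rhino class rejected by deserialization filter");
                }
            }
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data));
        try {
            return ois.readObject();
        } finally {
            ois.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: an Order holding a HashMap<String, Integer> passes the filter.
        Order order = new Order("A-1001");
        order.items.put("widget", 3);
        Order roundTrip = (Order) deserializeFiltered(serialize(order));
        System.out.println("accepted: " + roundTrip.id + " " + roundTrip.items);

        // Unexpected input: java.util.Date is harmless but not on the allow-list, so the
        // stream is rejected at its first class descriptor. A stream carrying any class
        // under sun.org.mozilla.* is rejected the same way, before it is loaded.
        try {
            deserializeFiltered(serialize(new Date()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list does the real work: a block-list alone would need updating for every newly published JRE gadget, while an allow-list fails closed on anything the application did not intend to read. On Java 9 and later the same policy can be expressed with java.io.ObjectInputFilter or the jdk.serialFilter system property instead of subclassing ObjectInputStream.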
Sent: Yes


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.