This is the sixth day of my participation in the August Text Challenge.

Contents

1. Foreword
2. Introduction to serialization and deserialization
3. How can deserialization be exploited?
   1. Description
   2. Key class description: Transformer
   3. Key class description: TransformedMap
   4. Key class description: AnnotationInvocationHandler
   5. Attack principle
   6. Introduction to the attack code
4. Dubbo deserialization vulnerability analysis
   1. Introduction to the Dubbo vulnerability
   2. Steps to reproduce the vulnerability
   3. How to fix the vulnerability
5. More deserialization vulnerabilities
6. Practices

1. Foreword

The Dubbo deserialization vulnerability has been widely discussed recently, and every influential account has no doubt pushed an article about it. Those articles first describe the Dubbo deserialization vulnerability (almost all of it copied from the official announcement) and then explain how to fix it (upgrade the version). So I suspect many of you still do not know what the Dubbo deserialization vulnerability actually is, or how an attacker can exploit such a vulnerability.

If you are interested in the above, this article walks you step by step through what a deserialization vulnerability really is and how attackers typically exploit it.

If you are already an expert, please bear with me, haha.

2. Introduction to serialization and deserialization

Let's talk a little about serialization before we get into the main body. In Java, if a class needs to be serialized, it generally has to implement the Serializable interface; it can then be serialized and deserialized.

There are two ways to serialize and deserialize. One is to use an open-source component such as Hessian. The other is to do the serialization yourself, converting object instances to and from input and output streams.

Doing it yourself is simple: use the writeObject method of ObjectOutputStream and the readObject method of ObjectInputStream.

If the object is complex and needs some processing during serialization or deserialization, the class being serialized can simply implement its own private writeObject and readObject methods:

    private void writeObject(java.io.ObjectOutputStream out)
         throws IOException;
    private void readObject(java.io.ObjectInputStream in)
         throws IOException, ClassNotFoundException;

3. How can deserialization be exploited?

1. Description

A deserialization vulnerability works like this: an attacker serializes an instance that carries malicious code (usually a Runtime.exec call that runs a command in the background) and obtains the object's byte data. Those bytes are then sent through an interface to the target server. When the server deserializes the object (in its readObject method), the malicious code is executed and the attack succeeds.

Can the deserialization of every object be exploited? Of course not. Take the Person object mentioned above: it does nothing during deserialization (readObject), so an attacker gets nowhere by having a Person deserialized.

So what kind of object is exploitable during deserialization? Typically an object that overrides readObject and whose logic in that method can be abused. Let's look at how deserialization can be exploited using the deserialization vulnerability in Commons-Collections 3.1 on JDK 7.

2. Key class description: Transformer

In Commons-Collections there is an interface called Transformer that transforms one object into another. Multiple Transformers can be combined into a single Transformer execution chain, called a ChainedTransformer.

Transformer has a notable implementation class, InvokerTransformer, which invokes a method on the input object by reflection and returns the result. The execution chain shown below, composed of InvokerTransformers, is built so that calling transform on the chain triggers Runtime.getRuntime().exec("open ."), which opens the file manager on a Mac.

3. Key class description: TransformedMap

TransformedMap is a Map decorated with a Transformer. Any Map can be decorated with a Transformer to become a TransformedMap. When entry.setValue is called on the decorated TransformedMap, the Transformer is invoked to transform the new value, and the transformed result is then stored in the underlying (decorated) map.

4. Key class description: AnnotationInvocationHandler

This class ships with the JDK; it is the InvocationHandler (proxy execution class) used for annotation proxies. We are not concerned with its function here, but with the fact that it has a member named memberValues that is a Map (see below). When an AnnotationInvocationHandler object is deserialized, it calls setValue on every entry of memberValues.

5. Attack principle

After reading about the classes above you are probably dizzy and still cannot see what they have to do with an attack. Now let's string their functions together.

A. A ChainedTransformer can construct a chain that calls Runtime.getRuntime().exec (the execution chain is where the malicious code runs). But to execute it, its transform method must be called.

B. TransformedMap can decorate an ordinary Map with a Transformer (here, of course, the ChainedTransformer). The decorated TransformedMap triggers the Transformer's transform method simply by having entry.setValue called on it.

C. AnnotationInvocationHandler has a Map member, and deserializing this class triggers entry.setValue on the entries of that Map.

To summarize, if you have got the sense of it, this is a chain of links. We only need to build the instance relationships shown below to carry out the attack.

Step 1: build a Transformer chain containing the malicious instruction using ChainedTransformer.

Step 2: wrap the ChainedTransformer and an ordinary Map into the decorator class TransformedMap.

Step 3: set the TransformedMap as the memberValues member of an AnnotationInvocationHandler.

After these three steps, serializing the AnnotationInvocationHandler instance yields binary data that carries the attack. Now let's see how the attack actually plays out during deserialization.

If the server takes the binary data and deserializes it, the following execution sequence is triggered:

  1. Deserializing AnnotationInvocationHandler first runs its readObject, which calls setValue on each entry of its memberValues member, i.e. entry.setValue of the TransformedMap.
  2. entry.setValue in TransformedMap then invokes the Transformer inside it, which runs the ChainedTransformer chain.
  3. The malicious instruction is executed; in this example, the file manager is opened on the Mac.

Here is a question to ponder: why go to all this trouble to get the malicious code executed? Why not define a class locally whose readObject runs the malicious code directly, serialize an instance of it, and send that to the server to deserialize?

6. Introduction to the attack code

The AnnotationInvocationHandler object has to be constructed by reflection, because its constructor is not public.

4. Dubbo deserialization vulnerability analysis

1. Introduction to the Dubbo vulnerability

With the above in mind, Dubbo's deserialization vulnerability is easy to understand. In the HTTP protocol scenario, Dubbo deserializes the bytes it receives directly, without any checks. Using the method above, an attack is easily carried out.

Below is the Dubbo code that directly deserializes the object the client sends over HTTP.

The call chain looks roughly like this:

The HTTP protocol sends data
  -> HttpProtocol.handle
  -> HttpInvokerServiceExporter.handleRequest
  -> HttpInvokerServiceExporter.readRemoteInvocation
  -> RemoteInvocationSerializingExporter.doReadRemoteInvocation

2. Steps to reproduce the vulnerability

Experts online have already done this, so I will not show off; you can refer to their write-ups directly (no link here, search for them yourselves).

3. How to fix the vulnerability

If you want to fix it yourself, you can validate the input stream before deserializing it.

Rather than deserializing directly, the latest version of Dubbo deserializes the data through the Google-provided jsonrpc4j component.
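One way to do the input-stream check mentioned above, as an added example that is not Dubbo's own code: a subclass of ObjectInputStream that inspects every class name in the stream before the class is loaded, refusing the gadget classes from the chain described earlier and anything outside an allowlist (the allowlist contents are an assumption for the demo).

```java
import java.io.*;
import java.util.*;

// Added example (not Dubbo's own code): a look-ahead ObjectInputStream that
// checks every class name before the class is loaded, so a gadget class is
// refused before any of its readObject logic can run.
public class SafeObjectInputStream extends ObjectInputStream {
    // Assumed allowlist for the demo: a real service lists exactly the types
    // its interface expects to receive (including serializable superclasses).
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));
    // The gadget classes of the chain described above, refused explicitly.
    private static final String[] DENIED_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "sun.reflect.annotation.AnnotationInvocationHandler"};
    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : DENIED_PREFIXES) {
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(name, "gadget class refused");
            }
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on allowlist");
        }
        return super.resolveClass(desc);
    }
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Demo: a HashMap of expected types passes; an ArrayList is not on the
    // allowlist and is rejected as soon as its class descriptor is read.
    public static void main(String[] args) throws Exception {
        Map<String, Integer> ok = new HashMap<>();
        ok.put("answer", 42);
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(ok)))) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(new ArrayList<>())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later (and the 8u121 backport), the built-in ObjectInputFilter and the jdk.serialFilter property give the same class-level check without subclassing ObjectInputStream.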

5. More deserialization vulnerabilities

You can refer to the open-source ysoserial project, which lists many deserialization attack examples worth a look. The Dubbo vulnerability reproduction mentioned above was also done using this tool.

6. Practices

If you have any questions or comments about this article, please add the official account to discuss them. (Add the official account to get 10GB of "Java Advanced Architecture" video and graphic materials.)