"JavaWeb Vulnerability Reproduction" CVE-2022-33980: Apache Commons Configuration Read File RCE

Ho1aAs 2022-08-06 12:33:39


Affected versions

Apache Commons Configuration 2.4 through 2.7

Vulnerability principle (translated from the CVE page)

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script": executes expressions using the JVM script execution engine (javax.script)
- "dns": resolves DNS records
- "url": loads values from URLs, including from remote servers

Applications that use the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are advised to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

Vulnerability reproduction

Environment setup

JDK version

java version "11" 2018-09-25

pom.xml

    <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2 -->
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-configuration2</artifactId>
        <version>2.7</version>
    </dependency>

Basic usage demo

    import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
    import org.apache.commons.configuration2.interpol.InterpolatorSpecification;

    public class Main {

        public static void main(String[] args) {
            // Register the library's default prefix lookups (script, dns, url included in 2.4-2.7)
            // both as prefixed lookups and as fallback lookups for prefix-less variables.
            InterpolatorSpecification specification = new InterpolatorSpecification.Builder()
                    .withPrefixLookups(ConfigurationInterpolator.getDefaultPrefixLookups())
                    .withDefaultLookups(ConfigurationInterpolator.getDefaultPrefixLookups().values())
                    .create();
            ConfigurationInterpolator interpolator = ConfigurationInterpolator.fromSpecification(specification);
            // Resolve a "${prefix:name}" expression; here the env lookup reads the Path variable.
            System.out.printf("%s", interpolator.interpolate("${env:Path}"));
        }
    }

Run it: the expression is resolved to its value through the ConfigurationInterpolator.interpolate() method.

PoC

Resolve the expression ${script:javascript:java.lang.Runtime.getRuntime().exec('calc')} and the calculator is launched.
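The defensive counterpart of the demo above, written as an added example rather than code from the article or from the Commons Configuration project: build the interpolator from the library's default prefix lookups but drop the three prefixes named in the advisory, so that the script expression used as the PoC is handed back unresolved instead of being evaluated. The class and method names (RestrictedInterpolatorDemo, buildRestricted) are my own; the library calls (getDefaultPrefixLookups, InterpolatorSpecification.Builder, fromSpecification, interpolate) are the ones the article already uses.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.InterpolatorSpecification;
import org.apache.commons.configuration2.interpol.Lookup;

public class RestrictedInterpolatorDemo {

    // The three default prefixes the advisory names: script engine, DNS, URL fetch.
    static final Set<String> DANGEROUS_PREFIXES = Set.of("script", "dns", "url");

    /**
     * Builds a ConfigurationInterpolator from the library's default prefix
     * lookups minus the dangerous ones. Only explicitly prefixed variables
     * resolve; no prefix-less fallback lookups are registered, so an
     * unknown prefix cannot fall through to another lookup.
     */
    static ConfigurationInterpolator buildRestricted() {
        // getDefaultPrefixLookups() returns an unmodifiable map, so copy it first.
        Map<String, Lookup> lookups =
                new HashMap<>(ConfigurationInterpolator.getDefaultPrefixLookups());
        lookups.keySet().removeAll(DANGEROUS_PREFIXES);

        InterpolatorSpecification spec = new InterpolatorSpecification.Builder()
                .withPrefixLookups(lookups)
                .create();
        return ConfigurationInterpolator.fromSpecification(spec);
    }

    public static void main(String[] args) {
        ConfigurationInterpolator safe = buildRestricted();

        // Harmless lookups still resolve as before.
        System.out.println(safe.interpolate("${sys:java.version}"));

        // With no Lookup registered under "script", resolve() finds nothing and
        // the substitutor leaves the variable as-is: the input string comes back
        // unchanged and no script engine is ever loaded.
        System.out.println(safe.interpolate("${script:javascript:1+1}"));

        // Same for "dns" and "url": returned unresolved, no network contact.
        System.out.println(safe.interpolate("${dns:localhost}"));
    }
}
```

This is the same effect that 2.8.0 achieves by shrinking the default set; on a 2.4-2.7 dependency that cannot be upgraded yet, constructing the interpolator this way (or calling deregisterLookup for each prefix on an existing interpolator) is the equivalent mitigation.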

Code audit

Enter ConfigurationInterpolator.interpolate(): when the incoming string is a single variable, it is passed to this.resolveSingleVariable() to resolve the variable.

Before resolving, the extractVariableName() method is called.

This method strips the ${} wrapper from the expression and passes the inner value to the outer this.resolve() for resolution.

resolve() first splits the variable into prefix:name, then calls this.fetchLookupForPrefix("script").lookup("javascript:java.lang..."), that is, it invokes the lookup method of the interpolator registered for prefix to look up the value for name.

fetchLookupForPrefix("script") fetches the StringLookupAdapter object registered under the key script.

What it actually wraps is a ScriptStringLookup object, whose lookup method is then called.

First, the engineName and the script are split out of the incoming name.

Then the script engine is loaded and the engine's eval method is called to execute the script contained in name.

Here the javascript engine is loaded, the old familiar trick: eval can execute Java code directly.

Impact on production environments

Apache Commons Configuration is used in production for handling configuration files, so the more realistic path is RCE by reading a configuration file. Preconditions: the ability to write a file + knowledge of the configuration file path; ConfigurationInterpolator.interpolate(payload) is then called to trigger it.
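Because the realistic trigger is a configuration file whose values reach interpolate(), a loader can audit values before interpolating them. The following is an added example, not code from the article or the Commons Configuration project: it scans every value of a java.util.Properties file for a ${script:, ${dns: or ${url: variable (including nested forms such as ${env:${dns:...}}) and reports the offending keys so the loader can refuse the file. The class name ConfigValueAudit, the regex and the sample properties are my own constructions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ConfigValueAudit {

    // "${", optional whitespace, one of the three dangerous prefixes, ":".
    // Not anchored, so it also catches nested variables such as ${env:${dns:...}}.
    // The library matches prefixes case-sensitively; matching case-insensitively
    // here is deliberately conservative.
    static final Pattern DANGEROUS_VAR =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    /** Returns the dangerous prefixes found in one value (empty list if none). */
    static List<String> dangerousPrefixesIn(String value) {
        List<String> hits = new ArrayList<>();
        Matcher m = DANGEROUS_VAR.matcher(value);
        while (m.find()) {
            hits.add(m.group(1).toLowerCase());
        }
        return hits;
    }

    /** Scans every value in a Properties object; returns "key -> ${prefix:...}" findings. */
    static List<String> audit(Properties props) {
        List<String> findings = new ArrayList<>();
        for (String key : props.stringPropertyNames()) {
            for (String prefix : dangerousPrefixesIn(props.getProperty(key))) {
                findings.add(key + " -> ${" + prefix + ":...}");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configuration; not taken from the article.
        String sample = String.join("\n",
                "app.name=demo",
                "app.home=${sys:user.home}/demo",
                "app.greeting=${script:javascript:'hi'}",
                "app.upstream=${url:http://config.example.invalid/x}",
                "app.nested=${env:${dns:example.invalid}}");
        Properties props = new Properties();
        props.load(new StringReader(sample));

        List<String> findings = audit(props);
        if (findings.isEmpty()) {
            System.out.println("no dangerous interpolation prefixes found");
        } else {
            // Three keys are reported: app.greeting, app.upstream, app.nested.
            findings.forEach(f -> System.out.println("REJECT " + f));
            // A loader would stop here instead of calling
            // ConfigurationInterpolator.interpolate() on these values.
        }
    }
}
```

The check is a stop-gap for the 2.4-2.7 defaults: it does not make the interpolator safe by itself, so it belongs alongside removing the prefixes from the interpolator or upgrading to 2.8.0, and it is also a useful audit to run over existing configuration files when assessing exposure.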

Fix

The official 2.8.0 release fixes the bug.

The three dangerous interpolators were removed from the default lookups.

References

Commons Configuration – Basic Features (apache.org)

The variable placeholder (Variable Interpolation) feature provided by commons-configuration2 - Tencent Cloud Developer Community (tencent.com)

CVE - CVE-2022-33980 (mitre.org)

CVE-2022-33980: Apache Commons Configuration insecure interpolation defaults-Apache Mail Archives

oss-security - CVE-2022-33980: Apache Commons Configuration insecure interpolation defaults (openwall.com)

Commons Configuration – Apache Commons Configuration Release Notes

Copyright: Ho1aAs
Original link: https://blog.csdn.net/Xxy605/article/details/126114740
Copyright notice: this article is original; reprints must cite the source and include this notice.
