
CVE-2021-39141 PoC — XStream code issue vulnerability

Associated Vulnerability
Title: XStream code issue vulnerability (CVE-2021-39141)
Description: XStream is a lightweight, easy-to-use open-source Java library from the XStream team, used mainly to serialize objects to XML (or JSON) and to deserialize them back into objects. XStream 1.4.17 and earlier contain a code issue vulnerability: a remote attacker who can manipulate the processed input stream can load and execute arbitrary code from a remote host.
Description
XStream <=1.4.17 vulnerability reproduction (CVE-2021-39141, CVE-2021-39144, CVE-2021-39150)
Readme
# Xstream-1.4.17

(The XStream demo environment above was built by me; the exploitation environment is based on JDK 1.8_u131, and it now supports both local testing and sending HTTP requests remotely.)

XStream <=1.4.17 vulnerability reproduction (CVE-2021-39141, CVE-2021-39144, CVE-2021-39150, CVE-2021-39152)

The PoC used in this experiment is not provided; only the reproduced exploitation effect is shown. To avoid abuse by malicious actors, only the official PoC is referenced: http://x-stream.github.io/changes.html


### CVE-2021-39141(RCE)
On the attacking machine, start an HTTP server that serves Exploit.class, then start an LDAP listener with the marshalsec tool, as shown below:

![1](https://user-images.githubusercontent.com/50495555/130566157-959b7c90-58a6-41a9-a920-2648ea1b9345.png)
Sending the request triggers the exploit.

![2](https://user-images.githubusercontent.com/50495555/130566165-345a27c7-ea75-4d3a-8011-02b779e9f5f4.png)

### CVE-2021-39144(RCE)
Sending the request triggers the exploit.

![3](https://user-images.githubusercontent.com/50495555/130566170-333f18e9-60bb-4f86-b1ca-4f18fe7c00fc.png)

### CVE-2021-39150(SSRF)
A Server-Side Request Forgery can be triggered when unmarshalling with XStream, causing it to access data streams from an arbitrary URL that references a resource on an intranet or the local host.
Sending the request triggers the exploit.

![4](https://user-images.githubusercontent.com/50495555/130566177-2cbc2fa2-f437-4ac7-8834-d3bd9a63d16e.png)

### CVE-2021-39152(SSRF)
All versions up to and including 1.4.17 are affected if the library is used out of the box with Java runtime version 14 to 8.
Sending the request triggers the exploit.

![5](https://user-images.githubusercontent.com/50495555/130576671-dcdaa3db-81d1-4623-a1cc-7e520ef33edb.png)

Testing shows that a given internal or external IP address or domain name can be resolved/probed only once.

![1](https://user-images.githubusercontent.com/50495555/130576798-ac0c21e3-c049-4bdd-b5d9-22a6a800d25e.png)
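All four issues above are reached through XStream instantiating a class named in attacker-controlled XML. As an added defensive example (not code from this repository or from the XStream project), the following Java snippet shows the explicit type allowlist that XStream's security documentation recommends for 1.4.17 and earlier, where the out-of-the-box security framework only denies a list of known gadget classes. The `Invoice` class, the `com.example.model` package name and the two sample XML documents are assumptions constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

public class HardenedXStreamDemo {

    // Hypothetical application type that the service legitimately deserializes.
    public static class Invoice {
        public String id;
        public int amount;
    }

    // Build an XStream instance that accepts only explicitly allowed types.
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Clear every permission granted by default (a denylist in 1.4.17 and
        // earlier), so that no type is accepted until it is allowed below.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit the basics every document needs: null, primitives/boxed
        // types, String, and the standard collection hierarchy.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Invoice.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Allow the application's own model package (assumed name).
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("invoice", Invoice.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed document of an allowed type: parses normally.
        String good = "<invoice><id>INV-1</id><amount>42</amount></invoice>";
        Invoice inv = (Invoice) xstream.fromXML(good);
        System.out.println("parsed invoice " + inv.id + " amount=" + inv.amount);

        // Constructed document naming a JDK class outside the allowlist. The
        // default denylist would instantiate it; the allowlist rejects the
        // element before any object is created, which is what closes the
        // class-selection path the CVEs above depend on.
        String bad = "<java.util.Random/>";
        try {
            xstream.fromXML(bad);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

XStream 1.4.18 switched the default to an allowlist, but an explicit configuration like this one remains the recommended setup on any version, since it documents exactly which types the application expects from untrusted input. Upgrading past 1.4.17 is still required for the SSRF and RCE fixes listed on the official changes page.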



File Snapshot

```
[4.0K] /data/pocs/738720abebf8e8368dc82e530eb6a1664459867b
├── [4.0K] Demo
│   ├── [1.7K] pom.xml
│   ├── [4.0K] src
│   │   ├── [4.0K] lib
│   │   │   └── [1.0M] javax.swing-1.0.5.jar
│   │   └── [4.0K] main
│   │       └── [4.0K] java
│   │           ├── [4.9K] HttpStarter.java
│   │           ├── [6.1K] test.xml
│   │           └── [3.2K] XstreamDemo.java
│   └── [4.0K] target
│       └── [4.0K] classes
│           ├── [4.8K] HttpStarter$MyHttpHandler.class
│           ├── [1.1K] HttpStarter.class
│           └── [ 689] XstreamDemo.class
└── [1.7K] README.md

7 directories, 9 files
```