记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

shiro550反序列化分析

2021-01-27 21:31



漏洞概述



    Apache Shiro <= 1.2.4 版本中,加密的用户信息序列化后存储在Cookie的rememberMe字段中,攻击者可以使用Shiro的AES加密算法的默认密钥来构造恶意的Cookie rememberMe值,发送到Shiro服务端之后会先后进行Base64解码、AES解密、readObject()反序列化,从而触发Java原生反序列化漏洞,进而实现RCE.


    该漏洞的根源在于硬编码Key.





漏洞复现



    使用shiroattack工具.



    Dnslog接收到请求.



    执行命令.





漏洞分析



远程调试


    用idea连vulhub的docker环境来进行调试.

    首先进入容器.


docker exec -it 34db756dfcfc /bin/bash


    可以看到是用jar包起的环境,把文件拷贝出来(也可以docker-compose up -d之后使用docker ps --no-trunc来查看容器默认的启动命令).



docker cp 34db756dfcfc:/shirodemo-1.0-SNAPSHOT.jar ~/


    然后把jar包解压了之后用idea打开.



    libraries里导入.



    在module中添加BOOT_INF这个目录.



    另外还需要改一下dockerfile.

    idea远程调试docker.

    需要增加一组端口供调试用,这里我们用idea默认的5005.


    vulhub的shiro环境是java -jar xxx.jar的形式运行的,那么添加对jar程序启动的调试命令即可,在启动docker时用自定义的COMMAND替换默认的COMMAND.


version: '2'services:web:image: vulhub/shiro:1.2.4ports:- "8080:8080"- "5005:5005"command: java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar /shirodemo-1.0-SNAPSHOT.jar


然后配置好remote.



    下好断点,输入登录账户密码测试,看到以下界面说明成功了.





原理分析




    从官方的 issue 上来看,存在几个重要的点:




rememberMe cookie

CookieRememberMeManager.java

Base64

AES

加密密钥硬编码

Java serialization




    首先正常登录.



    返回的cookie值中的rememberme值如下:


o5NA+QAjgJpe6uKkIJ1li/WLqOAR2KfLIY3BzwfAUFbbkBSEfs3/259i4Qc2jq6lxUpLabYK2c0oR4faB3l8m0GDhzMvVYjFOR2TPKRtQmqlUAdaiJT06biAC56EMu6UbBJAujAgP1msHuJYkV1fDuhdLN5wGK+IlEpr1Xf+aa6oNkPqBkRG7+B/3bXQNTqmLFlarZUWxB6TwZyshplhx0ckyIfc0qJuf/f5Tt60gK/D28JUI93Gp3vGi/P7UUiwv2Qyzpz4hXZSUocGlC73qE+62ZvQ1ryzVRjpfTkG4Hat6sst04wbpFwdUSJxh6t4FLJ2i9bs5eIm/1UJpVHP9Eia5WaAShQa45qr5yIMA+q1rYxtz0WufvOi67fpqY3qi8LQ/ZnGwXUY+o6dLu2qmqHwTXbRTRKP4G5d3e5SA9FNvXUhYWRhcwo2zJ2lS2JK/D6S0u3HAak04+3wpbZm0UCJxafXlaFPUDhmiXBtIULcEELqBOaqLr1n7LV+F1Cl7kYNU6GozLVPvNlqW5UtLA==


    跟一下登录生成cookie的过程.



生成cookie


    shiro会提供rememberme功能,可以通过cookie记录登录用户从而记录登录用户的身份认证信息,即下次无需登录即可访问.而其中对rememberme的cookie做了加密处理,漏洞主要原因是加密的AES密钥是硬编码在文件中的,那么对于AES加密算法我们已知密钥,并且IV为cookie进行base64解码后的前16个字节,因此我们可以构造任意的可控序列化payload.


    处理rememberme的cookie的类为.


org.apache.shiro.web.mgt.CookieRememberMeManager



    它继承自


org.apache.shiro.mgt.AbstractRememberMeManager

  

    其中在


AbstractRememberMeManager


    中定义了加密cookie所需要使用的密钥,当我们成功登录时,如果勾选了rememberme选项,那么此时将进入onSuccessfulLogin方法.



    之后进入serialize,对登录认证信息进行序列化.



    然后进行加密.



    org.apache.shiro.mgt.AbstractRememberMeManager中的encrypt方法如下:


protected byte[] encrypt(byte[] serialized) {byte[] value = serialized;CipherService cipherService = getCipherService();if (cipherService != null) {ByteSource byteSource = cipherService.encrypt(serialized, getEncryptionCipherKey());value = byteSource.getBytes();}return value;}


ByteSource byteSource = cipherService.encrypt(serialized, getEncryptionCipherKey())


    调用的即为AES算法.



    可以看到使用CBC模式的AES加密算法,其中Padding规则是PKCS5.具体实现在org/apache/shiro/crypto/JcaCipherService.java中


private ByteSource encrypt(byte[] plaintext, byte[] key, byte[] iv, boolean prependIv) throws CryptoException {

final int MODE = javax.crypto.Cipher.ENCRYPT_MODE;

byte[] output;

if (prependIv && iv != null && iv.length > 0) {

byte[] encrypted = crypt(plaintext, key, iv, MODE);

output = new byte[iv.length + encrypted.length];

//now copy the iv bytes + encrypted bytes into one output array:

// iv bytes:System.arraycopy(iv, 0, output, 0, iv.length);

// + encrypted bytes:System.arraycopy(encrypted, 0, output, iv.length, encrypted.length);} else {output = crypt(plaintext, key, iv, MODE);}

if (log.isTraceEnabled()) {log.trace("Incoming plaintext of size " + (plaintext != null ? plaintext.length : 0) + ". Ciphertext " +"byte array is size " + (output != null ? output.length : 0));}

return ByteSource.Util.bytes(output);}


    IV(初始化向量)是随机生成的,将IV放在crtpt()加密的数据之前然后返回


    加密结束后,在

org/apache/shiro/web/mgt/CookieRememberMeManager.java


    的rememberSerializedIdentity方法中进行base64编码,并通过response返回.



    这里的byte是前16位随机的IV+AES密文,然后经过base64编码.




解析cookie


    org/apache/shiro/web/mgt/CookieRememberMeManager.java中会将传递的base64字符串进行解码后放到字节数组中,因为java的序列化字符串即为字节数组.


byte[] decoded = Base64.decode(base64);


    然后进入解密流程



    先解密后进行反序列化




    AES是对称加密,加解密密钥都是相同的,并且shiro都是将密钥硬编码.


public void setCipherKey(byte[] cipherKey) {//Since this method should only be used in symmetric ciphers//(where the enc and dec keys are the same), set it on both:setEncryptionCipherKey(cipherKey);setDecryptionCipherKey(cipherKey);}

public AbstractRememberMeManager() {this.serializer = new DefaultSerializer<PrincipalCollection>();this.cipherService = new AesCipherService();setCipherKey(DEFAULT_CIPHER_KEY_BYTES);}


    再此方法中进行解密从cookie中取出iv与加密的序列化数据.


org/apache/shiro/crypto/JcaCipherService.java的decrypt()



    调用crypt方法利用密文,key,iv进行解密.



   解密完成后进入反序列化,看上面的public AbstractRememberMeManager()这里用的是默认反序列化类.


public T deserialize(byte[] serialized) throws SerializationException {if (serialized == null) {String msg = "argument cannot be null.";throw new IllegalArgumentException(msg);}ByteArrayInputStream bais = new ByteArrayInputStream(serialized);BufferedInputStream bis = new BufferedInputStream(bais);try {ObjectInputStream ois = new ClassResolvingObjectInputStream(bis);@SuppressWarnings({"unchecked"})T deserialized = (T) ois.readObject();ois.close();return deserialized;} catch (Exception e) {String msg = "Unable to deserialze argument byte array.";throw new SerializationException(msg, e);}}



    readobject()触发反序列化.  


    至此,Shiro对Cookie的rememberMe的处理流程已整体调试分析结束.    




漏洞修复



    Apache Shiro 1.2.5版本的源码,修复方法就是将使用默认Key加密改为生成随机的Key加密:


https://github.com/apache/shiro/commit/4d5bb000a7f3c02d8960b32e694a565c95976848





参考




https://ares-x.com/2020/04/20/IDEA远程调试Docker中程序的方法/

https://paper.seebug.org/shiro-rememberme-1-2-4/

https://xz.aliyun.com/t/6493?accounttraceid=052d6170a05a4736a42c47de607a2766sdut#toc-6

https://www.mi1k7ea.com/2020/10/03/浅析Shiro-rememberMe反序列化漏洞(Shiro550)/



end





知识来源: https://mp.weixin.qq.com/s?__biz=MzI5MDE0MjQ1NQ==&mid=2247510906&idx=1&sn=1c4fcc9b96a4c4d623c0dca83fa738f8

阅读:378264 | 评论:0 | 标签:序列化

想收藏或者和大家分享这篇好文章→复制链接地址

“shiro550反序列化分析”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

黑帝公告 📢

十年经营持续更新精选优质黑客技术文章Hackdig,帮你成为掌握黑客技术的英雄

🙇🧎¥由自富财,长成起一↓

标签云 ☁