Urldns chain for Java Security

0x00 Preface

When learning Java's deserialization vulnerability, you have to learn one of its utilization chains. Many newcomers may be unfamiliar with the word "use chain". So here's a look at the generation of Java deserialization and deserialization vulnerabilities.

Article first: urldns chain of Java Security

0x01 Java deserialization

Java provides a mechanism for object serialization. An object is represented by a byte sequence, which contains object data, object type and object storage properties. After the byte sequence is written out to the file, it is equivalent to persistently reporting an object information error. This process is called serialization. Serializing an object writes an object to a file through the writeobject method of objectoutputstream.

Deserialization uses the readObject method to read and restore it to a class before serialization.

There is no security problem in this step, but if the deserialized data is controllable, we can enter malicious code from an input point, and then find the point at which our input will be brought to our trigger point layer by layer. This step is called the step of finding and utilizing the chain.

0x02 dynamic debugging ysoserial

As for ysoserial, I don't have much to say. Baidu itself.

Ysoserial project address: ysoserial

Pull the project source code and import it into idea.

See POM XML knows that the project is a maven project, click POM Refresh the XML and download the missing dependencies

After the download is completed, you can start debugging ysoserial until it is not popular.

First, find the entry point of the program and click POM XML search mainclass to find the class of the entry point

CTRL + left click to track in and run the test.

Some errors were found in the run, because we didn't pass in the value.

Click Edit configurations to set parameters

Run again and you can see the successful execution.

In this way, we get a serialized data.

Our ysoserial can run in idea.

0x03 urldns chain analysis

Urldns is a simple utilization chain in ysoserial, but the utilization effect of urldns is that it can only trigger DNS requests once and cannot execute commands. It is more applicable to vulnerability verification, and the utilization chain of urldns does not depend on third-party classes, but some classes and methods built in JDK.

When some exploits are not echoed, we can also use this chain to verify whether the vulnerability exists. For example, Shiro deserialization uses dnslog to verify whether the vulnerability exists (blind guess, no analysis has been made, so we can analyze it later).

Let's use ysoserial's urldns first

 java -jar .\ysoserial.jar URLDNS "http://2mdw9p.dnslog.cn"

Get the serialized data. If it needs to be executed, we need to deserialize it. Don't execute it here first. Let's take a look at how the data is obtained in ysoserial.

Open ysoserial / payloads / urldns Java source code

The above note also explains his call chain

We have to go to debug to see how to execute it.

The trigger point is in the put method of HashMap. We make a breakpoint in the put place

Go to the readObject of HashMap and see

Here, the hash method is used to process the value of the key. Let's track the hash method to see its specific implementation

The key here is Java net. The instance object of the URL called the hashcode of the key. Follow up his hashcode method.

The handler's hashcode is also called in the hashcode method. Let's track hanler first

Call the hashcode of urlstreamhandler. Track urlstreamhandler hashcode。

Follow up on the getprotocol method

It is written in the API document of JDK that this method is used to obtain the name of the protocol

Go back to where you just left off

Let's trace gethostaddress again

After coming here, you can find that gethost and getbyname will be called.

View InetAddress. Jdkapi documentation Getbyname method

This method will use the remote request to obtain the IP address of the host, and then a request will be triggered. Here, our dnslog platform can receive the response. This is a trigger point of the urldns chain.

Call chain:

HashMap.readObject() ->  HashMap.putVal() -> HashMap.hash() 
-> URL.hashCode()->URLStreamHandler.hashCode().getHostAddress
->URLStreamHandler.hashCode().getHostAddress
->URLStreamHandler.hashCode().getHostAddress.InetAddress.getByName

Let's test it

import java.io.*;

public class main {
    public static void main(String[] args) throws IOException,ClassNotFoundException {
        FileInputStream fis = new FileInputStream("out.bin");
        ObjectInputStream bit = new ObjectInputStream(fis);
        bit.readObject();
    }
}

Look at our dnslog platform after execution

Reference articles

https://www.cnblogs.com/kuaile1314/p/13690210.html
https://www.cnblogs.com/ph4nt0mer/p/11994384.html
https://www.cnblogs.com/v1ntlyn/p/13549991.html
https://zhuanlan.zhihu.com/p/30045174
https://www.cnblogs.com/litlife/p/12596286.html

0x04 end

In fact, the chain of debugging urldns is relatively simple, although it took a lot of time to explore and refer to a large number of articles. However, after understanding, it is found that the urldns chain is relatively simple.