Jolokia JNDI Injection & XXE Vulnerability Analysis and Reproduction
0x01 JNDI Injection CVE-2018-1000130
1.1 What is JNDI injection
Reference: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
1.2 Vulnerability reproduction
Jolokia's JNDI injection issue lies in the jsr160 module; the injection point is easy to find from the official documentation:
6.6. Proxy requests

For proxy requests, POST must be used as HTTP method so that the given JSON request can contain an extra section for the target which should be finally reached via this proxy request. A typical proxy request looks like

    {
      "type" : "read",
      "mbean" : "java.lang:type=Memory",
      "attribute" : "HeapMemoryUsage",
      "target" : {
        "url" : "service:jmx:rmi:///jndi/rmi://targethost:9999/jmxrmi",
        "user" : "jolokia",
        "password" : "s!cr!t"
      }
    }

url within the target section is a JSR-160 service URL for the target server reachable from within the proxy agent. user and password are optional credentials used for the JSR-160 communication.

The vulnerable location is easy to pin down from the patch:
1.3 Exploitation
1.4 Impact
1.5 Patch bypass
From the patch, one can see that a blacklist for the ldap provider was added: service:jmx:rmi:///jndi/ldap:.*
https://github.com/rhuss/jolokia/commit/2f180cd0774b66d6605b85c54b0eb3974e16f034
However, JNDI injection supports three protocols, LDAP, RMI and CORBA, so the problem still exists after the patch.
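To make the gap concrete, here is an added Python illustration (not Jolokia's code) that applies the patch's blacklist pattern and an allowlist check to the target url of constructed proxy request bodies; the allowlisted host name is an assumption made for the illustration.

```python
import json
import re

# Blacklist pattern quoted above from the patch: it matches only the ldap JNDI provider.
PATCH_BLACKLIST = re.compile(r"service:jmx:rmi:///jndi/ldap:.*")

# Hardened alternative: the exact JSR-160 URL shape from the Jolokia docs, with the
# JNDI provider fixed to rmi and the host limited to a constructed set of known JMX
# targets (an assumption made for this illustration).
ALLOWED_HOSTS = {"jmx-target.internal"}
RMI_JMXRMI_URL = re.compile(r"^service:jmx:rmi:///jndi/rmi://([A-Za-z0-9.-]+):(\d{1,5})/jmxrmi$")


def blacklist_allows(url: str) -> bool:
    """Mimic the patched check: reject only what the ldap blacklist matches."""
    return PATCH_BLACKLIST.match(url) is None


def allowlist_allows(url: str) -> bool:
    """Reject everything except an rmi URL of the documented shape to an allowlisted host."""
    m = RMI_JMXRMI_URL.match(url)
    if m is None:
        return False
    host, port = m.group(1), int(m.group(2))
    return host in ALLOWED_HOSTS and 0 < port < 65536


def check_proxy_request(body: str, checker) -> bool:
    """Apply a URL checker to the target.url of a Jolokia proxy request body (POST JSON)."""
    target = json.loads(body).get("target")
    if not isinstance(target, dict) or not isinstance(target.get("url"), str):
        return False  # no target url: nothing may be proxied
    return checker(target["url"])


# Constructed sample bodies: one in-network target and two pointing at an untrusted host.
SAMPLE_REQUESTS = {
    "internal_rmi": '{"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage",'
                    '"target":{"url":"service:jmx:rmi:///jndi/rmi://jmx-target.internal:9999/jmxrmi"}}',
    "untrusted_ldap": '{"type":"read","mbean":"java.lang:type=Memory",'
                      '"target":{"url":"service:jmx:rmi:///jndi/ldap://untrusted.example:1389/obj"}}',
    "untrusted_rmi": '{"type":"read","mbean":"java.lang:type=Memory",'
                     '"target":{"url":"service:jmx:rmi:///jndi/rmi://untrusted.example:1099/obj"}}',
}


def evaluate_all() -> dict:
    """Return {name: (blacklist verdict, allowlist verdict)} for every sample body."""
    return {name: (check_proxy_request(body, blacklist_allows),
                   check_proxy_request(body, allowlist_allows))
            for name, body in SAMPLE_REQUESTS.items()}
```

Calling evaluate_all() shows the untrusted rmi target passing the blacklist but not the allowlist, which is the gap the text describes.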
0x02 XXE Vulnerability In PolicyDescriptor Class
2.1 Vulnerability reproduction
2.2 Exploitation
Being unfamiliar with Jolokia, I have not yet found a user-controllable input point.
0x03 References
- https://jolokia.org/agent.html
- https://jolokia.org/reference/html/proxy.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000130
- http://outofmemory.cn/code-snippet/35023/Jolokia-single-customer-example-JMX
- https://github.com/rhuss/jolokia/commit/2f180cd0774b66d6605b85c54b0eb3974e16f034
- https://stackoverflow.com/questions/27707190/activemq-jolokia-api-how-can-i-get-the-full-message-body