java urldns unserialize

forwaded

​ The impact caused by java deserialization is huge, now let’s analyze the remote dns access caused by java’s own chain;

​ In this blog post, I will try to clear up some doubts about deserialization vulnerability, and hope to reduce the condition of vulnerability exploitation by using existing tools. And I will focus on Java deserialization vulnerability research, but the same concept also applies to other languages. I will also focus on command execution vulnerabilities to keep the use simple.

text

​ Serialization is actually the state of the object at a certain time, that is, the state of the persistent object at that time; deserialization is to unfreeze the state of the object.If an attacker can affect variables and program objects in memory, they can affect the code flow that uses them.This is similar to the PHP deserialization;In Java, a serializable class can define a method called ‘readObject’ to perform special processing during deserialization (such as backward compatibility). This method can also be used for events that respond to the deserialization of objects of this class.

ok!First,we can see the getObject class in the URLDNS.java;So we will see that;

1
URLStreamHandler handler = new URLDNS.SilentURLStreamHandler();
1
HashMap ht = new HashMap();
1
URL u = new URL((URL)null, url, handler);
1
ht.put(u, url);

we can see that the handler is the URLStreamHandler and the ht is the HashMap;So we can see that;It uses the put function in the HashMap class .So we can see that;

1
2
3
public V put(K key, V value) {
    return putVal(hash(key), key, value, false, true);
}

We can see the put function;It uses the putVal function;So we can see that;The hash function is the flow;

1
2
3
4
static final int hash(Object key) {
    int h;
    return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}

it return the int;We can see that it use the function of key.hashCode;So we can see;The key is the :

1
URL u = new URL((URL)null, url, handler);

so we can see the hashCode function in the URL class;

1
2
3
4
5
6
7
public synchronized int hashCode() {
    if (hashCode != -1)
        return hashCode;

    hashCode = handler.hashCode(this);
    return hashCode;
}

We can see that if the hashCode is not -1;we can use the function of hashCode in URLStreamHandler class; 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
protected int hashCode(URL u) {
        int h = 0;

        // Generate the protocol part.
        String protocol = u.getProtocol();  //返回协议;
        if (protocol != null)
            h += protocol.hashCode();

        // Generate the host part.
        InetAddress addr = getHostAddress(u);
        if (addr != null) {
            h += addr.hashCode();
        } else {
            String host = u.getHost();
            if (host != null)
                h += host.toLowerCase().hashCode();
        }

        // Generate the file part.
        String file = u.getFile();
        if (file != null)
            h += file.hashCode();

        // Generate the port part.
        if (u.getPort() == -1)
            h += getDefaultPort();
        else
            h += u.getPort();

        // Generate the ref part.
        String ref = u.getRef();
        if (ref != null)
            h += ref.hashCode();

        return h;
    }

6IUJht.png

We can see that the function of the corresponding function is to return the corresponding protocol; then we enter the getHostAddress method;

1
2
3
4
5
6
7
8
9
10
11
protected synchronized InetAddress getHostAddress(URL u) {
    if (u.hostAddress != null)
        return u.hostAddress;

    String host = u.getHost();
    if (host == null || host.isEmpty()) {
        return null;
    } else {
        try {
            u.hostAddress = InetAddress.getByName(host);

Enter the corresponding method here to trace; obviously we can pass judgments such as if; find that the getByName method is finally called, and check it;

6IUXuD.png

This is equivalent to a dns request to confirm the ip address of the host;

The result is;

6IUt9P.png

This vulnerability has no major harm, but it is mostly used to verify the existence of deserialization vulnerabilities; because this vulnerability does not use external references, it is the jdk itself, so it can often be used to verify the existence of deserialization; for follow-up Attack pavement;

ending

This is a relatively simple chain. Let’s analyze it hand in hand first, and I will continue to analyze the complex chain later