Apache Commons Configuration远程代码执行漏洞 CVE-2022-33980 漏洞分析

首先可以看一下官方的漏洞描述:

https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

– “script” – execute expressions using the JVM script execution engine (javax.script)

– “dns” – resolve dns records

– “url” – load values from urls,

including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

翻译一下就是Apache Commons Configuration允许动态的插值,标准格式是${prefix:name},会根据prefix的值去寻找对应的lookup方法,支持script,dns,url等方法。

首先下载一下有漏洞的代码,版本2.4-2.7的都在范围。

然后看到src/main/java/org/apache/commons/configuration2/interpol/DefaultLookups.java 枚举类支持的lookup方法,可以看到支持:

SCRIPT:

URL:

DNS:

去跟进一下加载配置的整个流程,然后看一下如何触发命令执行的代码:

pom.xml:

        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-configuration2</artifactId>
            <version>2.7</version>
        </dependency>

TestRead.java

public class TestRead {

    public static void main(String[] args) throws ConfigurationException {
        Configurations configs = new Configurations();
        Configuration config = configs.properties(new File("/Users/admin/Downloads/vulndemo/src/main/resources/test.properties"));
        String dbHost = config.getString("java.home");

    }


}

config.getString->org.apache.commons.configuration2.ImmutableConfiguration#getString(java.lang.String)

->org.apache.commons.configuration2.AbstractConfiguration#getString(java.lang.String)

->org.apache.commons.configuration2.AbstractConfiguration#convert

->org.apache.commons.configuration2.AbstractConfiguration#getAndConvertProperty

首先调用getProperty获取key和value:

然后调用getConversionHandler.to方法,getConversionHandler返回的是conversionHandler:

构造函数对conversionHandler进行了初始化操作:

跟进一下初始化的代码:
org.apache.commons.configuration2.AbstractConfiguration#installDefaultInterpolator

->org.apache.commons.configuration2.interpol.ConfigurationInterpolator#getDefaultPrefixLookups

发表评论