CVE-2019-17564 PoC — Apache Dubbo Security Vulnerability

Associated Vulnerability
Title: Apache Dubbo security vulnerability (CVE-2019-17564)
Description: Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Description
Basic code for creating the Alibaba FastJson + Spring gadget chain, as used to exploit Apache Dubbo in CVE-2019-17564 - more information available at https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability
Readme
# CVE-2019-17564 FastJson + SpringFramework Gadget for Dubbo 2.7.3
Our full write-up is available at https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability

Note that *this is not an exploit*; it is a POC gadget chain, used within an exploit, that demonstrates deserialization in scopes containing certain dependencies.

# Overview
Basic code for creating the Alibaba FastJson + Spring gadget chain, as used to exploit Apache Dubbo in CVE-2019-17564. This code will print, and locally deserialize, a gadget based on dependencies available in the scope of Dubbo 2.7.3, Dubbo Common 2.7.3, and Spring Framework 

# Gadget Chain Structure
1. HashMap.putVal(h,k,v)
    a. The result of hashCode(), h, is identical for HotSwappableTargetSource objects, triggering a deeper equals() call on HashMap keys when a second value is inserted
2. HotSwappableTargetSource.equals()
3. XString.equals()
4. com.alibaba.fastjson.JSON.toString()
5. com.alibaba.fastjson.JSON.toJSONString()
6. com.alibaba.fastjson.serializer.MapSerializer.write()
7. TemplatesImpl.getOutputProperties()
8. TemplatesImpl.newTransformer()
9. TemplatesImpl.getTransletInstance()
10. TemplatesImpl.defineTransletClasses()
11. ClassLoader.defineClass()
12. Class.newInstance()
13. MaliciousClass.<clinit>()
14. Runtime.exec()
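A defensive counterpart to the chain above, added here as an example and not code from this repository: a JDK 9+ `java.io.ObjectInputFilter` that rejects the chain's entry classes and allows only the types a provider expects, so the stream is refused before step 1 (HashMap.putVal) ever runs. The deny-listed class names are the ones named in the chain; the allow list, the `maxdepth` value and the `NotOnAllowList` stand-in class are assumptions constructed for this demo.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class DubboGadgetFilterDemo {
    // Pattern-based filter (JDK 9+ syntax). Patterns are matched in order and the
    // first match wins: deny the chain's classes, allow a narrow set of expected
    // types, then reject everything else. Limits such as maxdepth apply globally.
    static final String FILTER_PATTERN = String.join(";",
        "!org.springframework.aop.target.HotSwappableTargetSource",
        "!com.sun.org.apache.xpath.internal.objects.XString",
        "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "maxdepth=8",                                   // assumed bound for plain DTO graphs
        "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Number",
        "!*");

    // The filter is consulted for every class descriptor before the object is
    // instantiated or its fields populated, so a rejected class never reaches
    // HashMap.putVal()/equals() in step 1 of the chain.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(FILTER_PATTERN));
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Constructed stand-in for an unexpected class arriving in the stream; it is
    // not a gadget, it only shows the allow-list refusing an unknown type.
    static class NotOnAllowList implements Serializable { private static final long serialVersionUID = 1L; }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> benign = new HashMap<>();
        benign.put("orderId", 42);
        System.out.println("benign map accepted: " + readFiltered(serialize(benign)));

        Map<String, Object> suspicious = new HashMap<>();
        suspicious.put("k", new NotOnAllowList());
        try {
            readFiltered(serialize(suspicious));
            System.out.println("unexpected: stream accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the `jdk.serialFilter` system property instead of per stream, which also covers deserialization paths the application does not control directly.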

# Credits
Credits are in order to Chris Frohoff and Moritz Bechler for their research and tools (ysoserial and marshalsec), as some of their code was used in the gadget chain, and their research laid the foundation for this exploit.

Credits are also in order to Checkmarx, who enable this type of research, and our fantastic research group for pitching ideas, reviewing, and bearing the fact that I won't shut up about this type of stuff.