Using Tabby to Analyze the Cobalt Strike (CS) RCE CVE-2022-39197

Swing tag parsing

https://docs.oracle.com/javase/tutorial/uiswing/components/html.html

The root cause is that the CS user interface is built with Swing, and Swing parses certain HTML tags in component text.

A demo that exercises this parsing:

import javax.swing.*;

public class test {

    private static void createAndShowGUI() {
        JFrame.setDefaultLookAndFeelDecorated(true);
        JFrame frame = new JFrame("test");
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);

        // Any label text that starts with <html> is handed to Swing's HTML renderer
        JLabel label = new JLabel("<html><img src=xxxxx><h1>hhhhhhhhhhhh</h1>");
        frame.getContentPane().add(label);
        frame.pack();
        frame.setVisible(true);
    }

    public static void main(String[] args) {
        javax.swing.SwingUtilities.invokeLater(new Runnable() {
            public void run() {
                createAndShowGUI();
            }
        });
    }
}


IMG parsing triggers a request

javax.swing.text.html.HTML.Tag#allTags defines the tags that Swing knows how to parse.


Each tag has a corresponding View class that parses and handles it. Taking img as the example, an img tag triggers an HTTP request: rendering eventually reaches javax.swing.text.html.ImageView#loadImage, which starts a new thread to make the socket request. The main-thread call stack is as follows:

wait:-1, Object (java.lang)
waitForID:677, MediaTracker (java.awt)
loadImage:314, ImageIcon (javax.swing)
setImage:381, ImageIcon (javax.swing)
loadImage:704, ImageView (javax.swing.text.html)
refreshImage:673, ImageView (javax.swing.text.html)
sync:645, ImageView (javax.swing.text.html)
getPreferredSpan:443, ImageView (javax.swing.text.html)
getPreferredSpan:732, FlowView$LogicalView (javax.swing.text)
calculateMinorAxisRequirements:233, FlowView (javax.swing.text)
calculateMinorAxisRequirements:717, ParagraphView (javax.swing.text)
calculateMinorAxisRequirements:157, ParagraphView (javax.swing.text.html)
checkRequests:935, BoxView (javax.swing.text)
getMinimumSpan:568, BoxView (javax.swing.text)
getMinimumSpan:270, ParagraphView (javax.swing.text.html)
calculateMinorAxisRequirements:903, BoxView (javax.swing.text)
calculateMinorAxisRequirements:146, BlockView (javax.swing.text.html)
checkRequests:935, BoxView (javax.swing.text)
getMinimumSpan:568, BoxView (javax.swing.text)
getMinimumSpan:378, BlockView (javax.swing.text.html)
calculateMinorAxisRequirements:903, BoxView (javax.swing.text)
calculateMinorAxisRequirements:146, BlockView (javax.swing.text.html)
checkRequests:935, BoxView (javax.swing.text)
getPreferredSpan:545, BoxView (javax.swing.text)
getPreferredSpan:362, BlockView (javax.swing.text.html)
<init>:383, BasicHTML$Renderer (javax.swing.plaf.basic)
createHTMLView:67, BasicHTML (javax.swing.plaf.basic)
updateRenderer:207, BasicHTML (javax.swing.plaf.basic)
installComponents:381, BasicLabelUI (javax.swing.plaf.basic)
installUI:343, BasicLabelUI (javax.swing.plaf.basic)
setUI:666, JComponent (javax.swing)
setUI:261, JLabel (javax.swing)
updateUI:275, JLabel (javax.swing)
<init>:164, JLabel (javax.swing)
<init>:194, JLabel (javax.swing)
createAndShowGUI:10, Main

The image-request thread is as follows.

Object tag parsing

With a rough understanding of tag parsing, the next step would be to go through each tag and see what dangerous logic its parsing can produce. Since there are already plenty of analysis articles, we shamelessly skip that and go straight to ObjectView.

javax.swing.text.html.ObjectView#createComponent

protected Component createComponent() {
    AttributeSet attr = getElement().getAttributes();
    String classname = (String) attr.getAttribute(HTML.Attribute.CLASSID);
    try {
        ReflectUtil.checkPackageAccess(classname);
        Class c = Class.forName(classname, true, Thread.currentThread().getContextClassLoader());
        Object o = c.newInstance();
        if (o instanceof Component) {
            Component comp = (Component) o;
            setParameters(comp, attr);
            return comp;
        }
    } catch (Throwable e) {
        // couldn't create a component... fall through to the
        // couldn't load representation.
    }

    return getUnloadableRepresentation();
}

So it can instantiate a subclass of Component, provided that:

The class has a no-argument constructor.

The class has a property XXX with a corresponding setXXX method.

The setXXX method takes exactly one parameter, and that parameter is of type String.
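As an added defensive check that is not part of the original post: the whole rendering path above only starts when a label's text begins with <html> and the component's html.disable client property is unset, so an application that displays attacker-controlled strings in Swing labels can keep them out of BasicHTML, ImageView and ObjectView entirely by setting that property before any untrusted text is assigned. The class name HtmlDisableDemo and the sample string are constructed for this example.

```java
import javax.swing.JLabel;
import javax.swing.plaf.basic.BasicHTML;

// Added example (not from the original post): shows that Swing's HTML renderer is
// engaged for any JLabel text starting with "<html>", and how the documented
// "html.disable" client property keeps untrusted strings away from BasicHTML.
public class HtmlDisableDemo {

    // Constructed sample: harmless markup standing in for untrusted input.
    static final String UNTRUSTED = "<html><b>untrusted</b>";

    // True if BasicHTML installed a View for this label, i.e. the text is parsed as HTML.
    static boolean rendersAsHtml(JLabel label) {
        return label.getClientProperty(BasicHTML.propertyKey) != null;
    }

    // Unsafe pattern: the constructor runs updateUI, which builds the HTML view
    // immediately, before the caller gets a chance to set any client property.
    static JLabel naiveLabel(String text) {
        return new JLabel(text);
    }

    // Safe pattern: disable HTML interpretation BEFORE any untrusted text is set.
    // BasicHTML.updateRenderer checks this property and skips createHTMLView.
    static JLabel plainTextLabel(String text) {
        JLabel label = new JLabel();
        label.putClientProperty("html.disable", Boolean.TRUE);
        label.setText(text); // stored and painted as literal text
        return label;
    }

    public static void main(String[] args) {
        System.setProperty("java.awt.headless", "true"); // JLabel needs no display
        JLabel naive = naiveLabel(UNTRUSTED);
        JLabel safe = plainTextLabel(UNTRUSTED);
        System.out.println("naive label parsed as HTML: " + rendersAsHtml(naive));
        System.out.println("hardened label parsed as HTML: " + rendersAsHtml(safe));
        if (!rendersAsHtml(naive) || rendersAsHtml(safe)) {
            throw new AssertionError("unexpected renderer state");
        }
    }
}
```

Setting html.disable after the text has already been assigned does not remove an existing HTML view, so the property must be set on the empty component first.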

Finding matching classes with Tabby

OK, let's open Tabby. The conditions above translate into Tabby's query syntax as follows (I ran into a small problem here; thanks to wh1t3Pig for the pointers):

match path=(source:Method)<-[:HAS]-(c:Class)-[:EXTENDS*]-(ec:Class{NAME:"java.awt.Component"})
where source.NAME starts with "set" and source.PARAMETER_SIZE=1
return c limit 100


<html><object classid='org.apache.batik.swing.JSVGCanvas'><param name='URI' value='payload'></param></object>

What follows is the SVG exploitation chain. It's quitting time, so for the details see https://todis21.github.io/2022/10/30/CVE-2022-39197%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/

References

https://mp.weixin.qq.com/s?__biz=MzIxNDAyNjQwNg==&mid=2456098978&idx=1&sn=d511d5a674d84eeaf262c8e389ae0403&chksm=803c696bb74be07d8ef8e473b11ffe4dce57b58ccf82e8615ab15d9ba6bba9263360c01276a8&mpshare=1&scene=23&srcid=1012cGc5X3pyXr5VpF2LMf7Y&sharer_sharetime=1665577816700&sharer_shareid=685f4dccaa04150832e24b9e6499e6cf#rd

https://todis21.github.io/2022/10/30/CVE-2022-39197%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/

Originally published on the WeChat public account 赛博少女: 使用Tabby 分析CS RCE CVE-2022-39197

Copyright notice: published by admin on 15 December 2023, 10:29 PM.
