作者：Longofo@知道创宇404实验室
时间：2020年2月20日 
英文版本：https://paper.seebug.org/1137/

前不久有一个关于Apache Dubbo Http反序列化的漏洞，本来是一个正常功能（通过正常调用抓包即可验证确实是正常功能而不是非预期的Post），通过Post传输序列化数据进行远程调用，但是如果Post传递恶意的序列化数据就能进行恶意利用。Apache Dubbo还支持很多协议，例如Dubbo（Dubbo Hessian2）、Hessian（包括Hessian与Hessian2，这里的Hessian2与Dubbo Hessian2不是同一个）、Rmi、Http等。Apache Dubbo是远程调用框架，既然Http方式的远程调用传输了序列化的数据，那么其他协议也可能存在类似问题，例如Rmi、Hessian等。@pyn3rd师傅之前在twiter发了关于Apache Dubbo Hessian协议的反序列化利用，Apache Dubbo Hessian反序列化问题之前也被提到过，这篇文章里面讲到了Apache Dubbo Hessian存在反序列化被利用的问题，类似的还有Apache Dubbo Rmi反序列化问题。之前也没比较完整的去分析过一个反序列化组件处理流程，刚好趁这个机会看看Hessian序列化、反序列化过程，以及marshalsec工具中对于Hessian的几条利用链。

关于序列化/反序列化机制

序列化/反序列化机制（或者可以叫编组/解组机制，编组/解组比序列化/反序列化含义要广），参考marshalsec.pdf，可以将序列化/反序列化机制分大体分为两类：

1. 基于Bean属性访问机制
2. 基于Field机制

基于Bean属性访问机制

• SnakeYAML
• jYAML
• YamlBeans
• Apache Flex BlazeDS
• Red5 IO AMF
• Jackson
• Castor
• Java XMLDecoder
• ...

它们最基本的区别是如何在对象上设置属性值，它们有共同点，也有自己独有的不同处理方式。有的通过反射自动调用getter(xxx)和setter(xxx)访问对象属性，有的还需要调用默认Constructor，有的处理器（指的上面列出来的那些）在反序列化对象时，如果类对象的某些方法还满足自己设定的某些要求，也会被自动调用。还有XMLDecoder这种能调用对象任意方法的处理器。有的处理器在支持多态特性时，例如某个对象的某个属性是Object、Interface、abstruct等类型，为了在反序列化时能完整恢复，需要写入具体的类型信息，这时候可以指定更多的类，在反序列化时也会自动调用具体类对象的某些方法来设置这些对象的属性值。这种机制的攻击面比基于Field机制的攻击面大，因为它们自动调用的方法以及在支持多态特性时自动调用方法比基于Field机制要多。

基于Field机制

基于Field机制是通过特殊的native（native方法不是java代码实现的，所以不会像Bean机制那样调用getter、setter等更多的java方法）方法或反射（最后也是使用了native方式）直接对Field进行赋值操作的机制，不是通过getter、setter方式对属性赋值（下面某些处理器如果进行了特殊指定或配置也可支持Bean机制方式）。在ysoserial中的payload是基于原生Java Serialization，marshalsec支持多种，包括上面列出的和下面列出的。

• Java Serialization
• Kryo
• Hessian
• json-io
• XStream
• ...

就对象进行的方法调用而言，基于字段的机制通常通常不构成攻击面。另外，许多集合、Map等类型无法使用它们运行时表示形式进行传输/存储（例如Map，在运行时存储是通过计算了对象的hashcode等信息，但是存储时是没有保存这些信息的），这意味着所有基于字段的编组器都会为某些类型捆绑定制转换器（例如Hessian中有专门的MapSerializer转换器）。这些转换器或其各自的目标类型通常必须调用攻击者提供的对象上的方法，例如Hessian中如果是反序列化map类型，会调用MapDeserializer处理map，期间map的put方法被调用，map的put方法又会计算被恢复对象的hash造成hashcode调用（这里对hashcode方法的调用就是前面说的必须调用攻击者提供的对象上的方法），根据实际情况，可能hashcode方法中还会触发后续的其他方法调用。

Hessian简介

Hessian是二进制的web service协议，官方对Java、Flash/Flex、Python、C++、.NET C#等多种语言都进行了实现。Hessian和Axis、XFire都能实现web service方式的远程方法调用，区别是Hessian是二进制协议，Axis、XFire则是SOAP协议，所以从性能上说Hessian远优于后两者，并且Hessian的JAVA使用方法非常简单。它使用Java语言接口定义了远程对象，集合了序列化/反序列化和RMI功能。本文主要讲解Hessian的序列化/反序列化。

下面做个简单测试下Hessian Serialization与Java Serialization：

结果如下：

通过这个测试可以简单看出Hessian反序列化占用的空间比JDK反序列化结果小，Hessian序列化时间比JDK序列化耗时长，但Hessian反序列化很快。并且两者都是基于Field机制，没有调用getter、setter方法，同时反序列化时构造方法也没有被调用。

Hessian概念图

下面的是网络上对Hessian分析时常用的概念图，在新版中是整体也是这些结构，就直接拿来用了：

• Serializer：序列化的接口
• Deserializer ：反序列化的接口
• AbstractHessianInput ：hessian自定义的输入流，提供对应的read各种类型的方法
• AbstractHessianOutput ：hessian自定义的输出流，提供对应的write各种类型的方法
• AbstractSerializerFactory
• SerializerFactory ：Hessian序列化工厂的标准实现
• ExtSerializerFactory：可以设置自定义的序列化机制，通过该Factory可以进行扩展
• BeanSerializerFactory：对SerializerFactory的默认object的序列化机制进行强制指定，指定为使用BeanSerializer对object进行处理

Hessian Serializer/Derializer默认情况下实现了以下序列化/反序列化器，用户也可通过接口/抽象类自定义序列化/反序列化器：

序列化时会根据对象、属性不同类型选择对应的序列化其进行序列化；反序列化时也会根据对象、属性不同类型选择不同的反序列化器；每个类型序列化器中还有具体的FieldSerializer。这里注意下JavaSerializer/JavaDeserializer与BeanSerializer/BeanDeserializer，它们不是类型序列化/反序列化器，而是属于机制序列化/反序列化器：

1. JavaSerializer：通过反射获取所有bean的属性进行序列化，排除static和transient属性，对其他所有的属性进行递归序列化处理(比如属性本身是个对象)
2. BeanSerializer是遵循pojo bean的约定，扫描bean的所有方法，发现存在get和set方法的属性进行序列化，它并不直接直接操作所有的属性，比较温柔

Hessian反序列化过程

这里使用一个demo进行调试，在Student属性包含了String、int、List、Map、Object类型的属性，添加了各属性setter、getter方法，还有readResovle、finalize、toString、hashCode方法，并在每个方法中进行了输出，方便观察。虽然不会覆盖Hessian所有逻辑，不过能大概看到它的面貌：

下面是对上面这个demo进行调试后画出的Hessian在反序列化时处理的大致面貌（图片看不清，可以点这个链接查看）：

下面通过在调试到某些关键位置具体说明。

获取目标类型反序列化器

首先进入HessianInput.readObject()，读取tag类型标识符，由于Hessian序列化时将结果处理成了Map，所以第一个tag总是M(ascii 77)：

在case 77这个处理中，读取了要反序列化的类型，接着调用this._serializerFactory.readMap(in,type)进行处理，默认情况下serializerFactory使用的Hessian标准实现SerializerFactory：

先获取该类型对应的Deserializer，接着调用对应Deserializer.readMap(in)进行处理，看下如何获取对应的Derserializer：

第一个红框中主要是判断在_cacheTypeDeserializerMap中是否缓存了该类型的反序列化器；第二个红框中主要是判断是否在_staticTypeMap中缓存了该类型反序列化器，_staticTypeMap主要存储的是基本类型与对应的反序列化器；第三个红框中判断是否是数组类型，如果是的话则进入数组类型处理；第四个获取该类型对应的Class，进入this.getDeserializer(Class)再获取该类对应的Deserializer，本例进入的是第四个：

这里再次判断了是否在缓存中，不过这次是使用的_cacheDeserializerMap，它的类型是ConcurrentHashMap，之前是_cacheTypeDeserializerMap，类型是HashMap，这里可能是为了解决多线程中获取的问题。本例进入的是第二个this.loadDeserializer(Class)：

第一个红框中是遍历用户自己设置的SerializerFactory，并尝试从每一个工厂中获取该类型对应的Deserializer；第二个红框中尝试从上下文工厂获取该类型对应的Deserializer；第三个红框尝试创建上下文工厂，并尝试获取该类型自定义Deserializer，并且该类型对应的Deserializer需要是类似xxxHessianDeserializer，xxx表示该类型类名；第四个红框依次判断，如果匹配不上，则使用getDefaultDeserializer(Class)，本例进入的是第四个：

_isEnableUnsafeSerializer默认是为true的，这个值的确定首先是根据sun.misc.Unsafe的theUnsafe字段是否为空决定，而sun.misc.Unsafe的theUnsafe字段默认在静态代码块中初始化了并且不为空，所以为true；接着还会根据系统属性com.caucho.hessian.unsafe是否为false，如果为false则忽略由sun.misc.Unsafe确定的值，但是系统属性com.caucho.hessian.unsafe默认为null，所以不会替换刚才的ture结果。因此，_isEnableUnsafeSerializer的值默认为true，所以上图默认就是使用的UnsafeDeserializer，进入它的构造方法。

获取目标类型各属性反序列化器

在这里获取了该类型所有属性并确定了对应得FieldDeserializer，还判断了该类型的类中是否存在ReadResolve()方法，先看类型属性与FieldDeserializer如何确定：

获取该类型以及所有父类的属性，依次确定对应属性的FIeldDeserializer，并且属性不能是transient、static修饰的属性。下面就是依次确定对应属性的FieldDeserializer了，在UnsafeDeserializer中自定义了一些FieldDeserializer。

判断目标类型是否定义了readResolve()方法

接着上面的UnsafeDeserializer构造器中，还会判断该类型的类中是否有readResolve()方法：

通过遍历该类中所有方法，判断是否存在readResolve()方法。

好了，后面基本都是原路返回获取到的Deserializer，本例中该类使用的是UnsafeDeserializer，然后回到SerializerFactory.readMap(in,type)中，调用UnsafeDeserializer.readMap(in)：

至此，获取到了本例中com.longofo.deserialize.Student类的反序列化器UnsafeDeserializer，以各字段对应的FieldSerializer，同时在Student类中定义了readResolve()方法，所以获取到了该类的readResolve()方法。

为目标类型分配对象

接下来为目标类型分配了一个对象：

通过_unsafe.allocateInstance(classType)分配该类的一个实例，该方法是一个sun.misc.Unsafe中的native方法，为该类分配一个实例对象不会触发构造器的调用，这个对象的各属性现在也只是赋予了JDK默认值。

目标类型对象属性值的恢复

接下来就是恢复目标类型对象的属性值：

进入循环，先调用in.readObject()从输入流中获取属性名称，接着从之前确定好的this._fieldMap中匹配该属性对应的FieldDeserizlizer，然后调用匹配上的FieldDeserializer进行处理。本例中进行了序列化的属性有innerMap（Map类型）、name（String类型）、id（int类型）、friends（List类型），这里以innerMap这个属性恢复为例。

以InnerMap属性恢复为例

innerMap对应的FieldDeserializer为UnsafeDeserializer$ObjectFieldDeserializer：

首先调用in.readObject(fieldClassType)从输入流中获取该属性值，接着调用了_unsafe.putObject这个位于sun.misc.Unsafe中的native方法，并且不会触发getter、setter方法的调用。这里看下in.readObject(fieldClassType)具体如何处理的：

这里Map类型使用的是MapDeserializer，对应的调用MapDeserializer.readMap(in)方法来恢复一个Map对象：

注意这里的几个判断，如果是Map接口类型则使用HashMap，如果是SortedMap类型则使用TreeMap，其他Map则会调用对应的默认构造器，本例中由于是Map接口类型，使用的是HashMap。接下来经典的场景就来了，先使用in.readObject()（这个过程和之前的类似，就不重复了）恢复了序列化数据中Map的key，value对象，接着调用了map.put(key,value)，这里是HashMap，在HashMap的put方法会调用hash(key)触发key对象的key.hashCode()方法，在put方法中还会调用putVal，putVal又会调用key对象的key.equals(obj)方法。处理完所有key，value后，返回到UnsafeDeserializer$ObjectFieldDeserializer中：

使用native方法_unsafe.putObject完成对象的innerMap属性赋值。

Hessian的几条利用链分析

在marshalsec工具中，提供了对于Hessian反序列化可利用的几条链：

• Rome
• XBean
• Resin
• SpringPartiallyComparableAdvisorHolder
• SpringAbstractBeanFactoryPointcutAdvisor

下面分析其中的两条Rome和SpringPartiallyComparableAdvisorHolder，Rome是通过HashMap.put->key.hashCode触发，SpringPartiallyComparableAdvisorHolder是通过HashMap.put->key.equals触发。其他几个也是类似的，要么利用hashCode、要么利用equals。

SpringPartiallyComparableAdvisorHolder

在marshalsec中有所有对应的Gadget Test，很方便：

这里将Hessian对SpringPartiallyComparableAdvisorHolder这条利用链提取出来看得比较清晰些：

看以下触发流程：

经过HessianInput.readObject()，到了MapDeserializer.readMap(in)进行处理Map类型属性，这里触发了HashMap.put(key,value)：

HashMap.put有调用了HashMap.putVal方法，第二次put时会触发key.equals(k)方法：

此时key与k分别如下，都是HotSwappableTargetSource对象：

进入HotSwappableTargetSource.equals：

在HotSwappableTargetSource.equals中又触发了各自target.equals方法，也就是XString.equals(PartiallyComparableAdvisorHolder)：

在这里触发了PartiallyComparableAdvisorHolder.toString：

发了AspectJPointcutAdvisor.getOrder：

触发了AspectJAroundAdvice.getOrder：

这里又触发了BeanFactoryAspectInstanceFactory.getOrder：

又触发了SimpleJndiBeanFactory.getTYpe->SimpleJndiBeanFactory.doGetType->SimpleJndiBeanFactory.doGetSingleton->SimpleJndiBeanFactory.lookup->JndiTemplate.lookup->Context.lookup：

Rome

Rome相对来说触发过程简单些：

同样将利用链提取出来：

看下触发过程：

经过HessianInput.readObject()，到了MapDeserializer.readMap(in)进行处理Map类型属性，这里触发了HashMap.put(key,value)：

接着调用了hash方法，其中调用了key.hashCode方法：

接着触发了EqualsBean.hashCode->EqualsBean.beanHashCode：

触发了ToStringBean.toString：

这里调用了JdbcRowSetImpl.getDatabaseMetadata，其中又触发了JdbcRowSetImpl.connect->context.lookup：

小结

通过以上两条链可以看出，在Hessian反序列化中基本都是利用了反序列化处理Map类型时，会触发调用Map.put->Map.putVal->key.hashCode/key.equals->...，后面的一系列出发过程，也都与多态特性有关，有的类属性是Object类型，可以设置为任意类，而在hashCode、equals方法又恰好调用了属性的某些方法进行后续的一系列触发。所以要挖掘这样的利用链，可以直接找有hashCode、equals以及readResolve方法的类，然后人进行判断与构造，不过这个工作量应该很大；或者使用一些利用链挖掘工具，根据需要编写规则进行扫描。

Apache Dubbo反序列化简单分析

Apache Dubbo Http反序列化

先简单看下之前说到的HTTP问题吧，直接用官方提供的samples，其中有一个dubbo-samples-http可以直接拿来用，直接在DemoServiceImpl.sayHello方法中打上断点，在RemoteInvocationSerializingExporter.doReadRemoteInvocation中反序列化了数据，使用的是Java Serialization方式：

抓包看下，很明显的ac ed标志：

Apache Dubbo Dubbo反序列化

同样使用官方提供的dubbo-samples-basic，默认Dubbo hessian2协议，Dubbo对hessian2进行了魔改，不过大体结构还是差不多，在MapDeserializer.readMap是依然与Hessian类似：

参考

1. https://docs.ioin.in/writeup/blog.csdn.net/_u011721501_article_details_79443598/index.html
2. https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
3. https://www.mi1k7ea.com/2020/01/25/Java-Hessian%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/
4. https://zhuanlan.zhihu.com/p/44787200

---

本文由 Seebug Paper 发布，如需转载请注明来源。本文地址：https://paper.seebug.org/1131/

Author：Longofo@Knownsec 404 Team 
Time: February 20, 2020 
Chinese version: https://paper.seebug.org/1131/

Not long ago, there was a vulnerability about Apache Dubbo Http deserialization. It was originally a normal function (it can be verified that it is indeed a normal function instead of an unexpected Post by calling the packet capture normally),the serialized data is transmitted via Post for remote calls,but if Post passes malicious serialized data, it can be used maliciously. Apache Dubbo also supports many protocols, such as Dubbo (Dubbo Hessian2), Hessian (including Hessian and Hessian2, where Hessian2 and Dubbo Hessian2 are not same), Rmi, Http, etc. Apache Dubbo is a remote call framework. Since the remote call of Http mode transmits serialized data, other protocols may also have similar problems, such as Rmi, Hessian, etc. I haven't analyzed a deserialization component processing flow completely before, just take this opportunity to look at the Hessian serialization, deserialization process, and marshalsec Several gadget chains for Hessian in the tool.

About serialization/deserialization mechanism

Serialization/deserialization mechanism(also called marshalling/unmarshalling mechanism, marshalling/unmarshalling has a wider meaning than serialization/deserialization), refer to marshalsec.pdf, the serialization/deserialization mechanism can be roughly divided into two categories:

• Based on Bean attribute access mechanism
• Based on Field mechanism

Based on Bean attribute access mechanism

• SnakeYAML
• jYAML
• YamlBeans
• Apache Flex BlazeDS
• Red5 IO AMF
• Jackson
• Castor
• Java XMLDecoder
• ...

The most basic difference between them is how to set the property value on the object. They have common points and also have their own unique processing methods. Some automatically call getter (xxx) and setter (xxx) to access object properties through reflection, and some need to call the default Constructor, and some processors (referring to those listed above) deserialized objects If some methods of the class object also meet certain requirements set by themselves, they will be automatically called. There also have a XML Decoder processor that can call any method of an object. When some processors support polymorphism, for example, a certain property of an object is of type Object, Interface, abstract, etc. In order to be completely restored during deserialization, specific type information needs to be written. At this time, you can specify For more classes, certain methods of concrete class objects are automatically called when deserializing to set the property values of these objects. The attack surface of this mechanism is larger than the attack surface based on the Field mechanism because they automatically call more methods and automatically call methods when they support polymorphic features than the Field mechanism.

Based on Field mechanism

The field-based mechanism is implemented by special native methods (native methods are not implemented in java code, so it won't call more java methods such as getter and setter like Bean mechanism.) are invoked like the Bean mechanism. The mechanism of the assignment operation is not to assign attributes to the property through getters and setters (some processors below can also support the Bean mechanism if they are specially specified or configured). The payload in ysoserial is based on Java Serialization. Marshalsec supports multiple types, including the ones listed above and the ones listed below：

• Java Serialization
• Kryo
• Hessian
• json-io
• X Stream
• ...

As far as method made by objects are concerned, field-based mechanisms often do not constitute an attack surface. In addition, many collections, Maps, and other types cannot be transmitted/stored using their runtime representation(for example, Map, which stores information such as the hashcode of the object at runtime, but does not save this information when storing), which means All field-based marshallers bundle custom converters for certain types (for example, there is a dedicated MapSerializer converter in Hessian). These converters or their respective target types must usually call methods on the object provided by the attacker. For example, in Hessian, if the map type is deserialized, MapDeserializer is called to process the map. During this time, the map put method is called, it will calculate the hash of the recovered object and cause a hashcode call (here the call to the hashcode method is to say that the method on the object provided by the attacker must be called). According to the actual situation, the hashcode method may trigger subsequent other method calls .

Hessian Introduction

Hessian is a binary web service protocol. It has officially implemented multiple languages such as Java, Flash / Flex, Python, C ++, .NET C #, etc. Hessian, Axis, and XFire can implement remote method invocation of web services. The difference is that Hessian is a binary protocol and Axis and X Fire are SOAP protocols. Therefore, Hessian is far superior to the latter two in terms of performance, and Hessian JAVA is very simple to use. It uses the Java language interface to define remote objects and integrates serialization/deserialization and RMI functions. This article mainly explains serialization/deserialization of Hessian.

Here is a simple test of Hessian Serialization and Java Serialization:

The results are as follows:

Through this test, it can be easily seen that Hessian deserialization takes less space than JDK deserialization results. Hessian serialization takes longer than JDK serialization, but Hessian deserialization is fast. And both are based on the Field mechanism, no getter and setter methods are called, and the constructor is not called during deserialization.

Hessian concept map

The following are the conceptual diagrams commonly used in the analysis of Hessian on the Internet. In the new version, these are the overall structures, and I Just use it directly:

• Serializer: Serialized interface
• Deserializer: deserializer interface
• Abstract Hessian Input: Hessian custom input stream, providing corresponding read various types of methods
• Abstract Hessian Output: Hessian custom output stream, providing corresponding write various types of methods
• Abstract Serializer Factory
• Serializer Factory: Standard implementation of Hessian serialization factory
• ExtSerializer Factory: You can set a custom serialization mechanism, which can be extended through this Factory
• Bean Serializer Factory: Force the serialization mechanism of the Serializer Factory's default object to be specified, and specify to use the Bean Serializer to process the object

Hessian Serializer/Derializer implements the following serializers/deserializers by default. Users can also customize serializers/deserializers through interfaces/abstract classes:

When serializing, it will select the corresponding serialization according to different types of objects and attributes for serialization; when deserializing, it will also select different deserializers according to different types of objects and attributes; each type of serializer also has specific Field Serializer. Note here that Java Serializer/Java Deserializer and Bean Serializer/Bean Deserializer are not type serializers/deserializers, but belong to mechanism serializers/deserializers:

• Java Serializer: Get all bean properties for serialization by reflection, exclude static and transient properties, and perform recursive serialization on all other properties (such as the property itself is an object)
• Bean Serializer follows the conventions of pojo beans, scans all the methods of the bean, and finds that the properties of the get and set methods are serialized. It does not directly manipulate all the properties, which is gentle.

Hessian deserialization process

Here a demo is used for debugging. The Student property contains String, int, List, Map, Object type properties, and the property setter and getter methods are added, as well as the read Resovle, finalize, to String, hash Code methods, and The output was carried out for easy observation. Although it will not cover all the logic of Hessian, we can roughly see its appearance:

The following is the general appearance of Hessian's processing during deserialization drawn after debugging the above demo. (The picture is not clear, you can click this link):

The following details are explained by debugging to some key positions.

Get target type deserializer

First enter Hessian Input,read Object () to read the tag type identifier. Since Hessian serializes the result into a Map, the first tag is always M (ascii 77):

In the processing of case 77, the type to be deserialized is read, then this._serializerFactory.readMap (in, type)is called for processing. By default, Hessian standard used by _serializer Factory implements Serializer Factory:

First get the corresponding Deserializer of this type, then call the corresponding Deserializer.readMap (in) for processing, and see how to get the corresponding Derserializer:

The first red box mainly determines whether a deserializer of this type is cached in _cacheTypeDeserializerMap; the second red box mainly determines whether a deserializer of this type is cached in_staticTypeMap, _staticTypeMap mainly stores the basic type and the corresponding deserializer; the third red box determines whether it is an array type, and if so, enters the array type processing; the fourth obtains the Class corresponding to the type, and enters this .getDeserializer(Class) gets the Deserializer corresponding to this class, this example enters the fourth:

Here it again judged whether it is in the cache, but this time it used _cacheDeserializerMap, whose type is ConcurrentHashMap, and before that it was _cacheTypeDeserializerMap, and the type was HashMap. This may be to solve the problem of obtaining in multithread . This example enters the second this.loadDeserializer(Class):

The first red box is to traverse the Serializer Factory set by the user and try to get the Serializer corresponding to the type from each factory; the second red box tries to get the Serializer corresponding to the type from the context factory; the third red box Try to create a context factory and try to get a custom deserializer of this type, and the deserializer corresponding to this type needs to be similar to xxxHessianDeserializer, where xxx indicates the class name of the type; the fourth red box is judged in turn, If not match, then use getDefaultDeserializer (Class),. This example is the fourth:

_isEnableUnsafeSerializer is true by default. The determination of this value is first determined based on whether the the unsafe field of sun.misc.Unsafe is empty, and the unsafe field ofsun.misc.Unsafe is initialized in the static code block by default and Not empty, so it is true; then it will also be based on whether the system property com.caucho.hessian.unsafe is false. If it is false, the value determined by sun.misc.Unsafe is ignored, but the system property com. caucho.hessian.unsafe is null by default, so it won't replace the result of ture. Therefore, the value of _isEnableUnsafeSerializer is true by default, so the above figure defaults to the UnsafeDeserializer used, and enters its constructor.

Get deserializer of each attribute of target type

Here all the properties of the type are obtained and the corresponding FieldDeserializer is determined. It is also determined whether there is a ReadResolve () method in the class of the type. Let's first see how the type property and FieldDeserializer determine:

Get the properties of this type and all parent classes, determine the FIeld Deserializer of the corresponding properties in turn, and the properties cannot be transient or static modified properties. The following is the Field Deserializer that determines the corresponding properties in turn. Some Field Deserializers are customized in Unsafe Deserializer.

Determine if the target type has a read Resolve() method defined

Then in the above Unsafe Deserializer constructor, it will also determine whether there is a readResolve() method in a class of this type:

Iterate through all the methods in this class to determine if there is a readResolve() method.

Okay, after that the acquired Deserializer are returned in the original way. In this example, the class uses Unsafe Deserializer, and then returns to SerializerFactory.readMap (in, type) and calls UnsafeDeserializer.readMap (in):

So far, the deserializer UnsafeDeserializer of thecom.longofo.deserialize.Student class in this example is obtained, and the Field Serializer corresponding to each field is defined. At the same time, the readResolve() method is defined in the Student class, so got the readResolve()method of this class.

Assigning object to target type

Next, an object is assigned to the target type:

An instance of this class is allocated via _unsafe.allocateInstance (classType). This method is a native method in sun.misc.Unsafe. Assigning an instance object to this class does not trigger a constructor call. The attributes are now just given the JDK default values.

Recovery of target type object attribute values

The next step is to restore the attribute values of the target type object:

Into the loop, first call in.readObject () to get the attribute name from the input stream, then match the Field Deserizlizer corresponding to the attribute from the previously determined this._fieldMap, and then call Field Deserializer on the match to process. The serialized attributes in this example are inner Map (Map type), name (String type), id (int type), and friends (List type). Here we take the inner Map attribute recovery as an example.

Take Inner Map attribute recovery as an example

The Field Deserializer corresponding to the inner Map is UnsafeDeserializer$ ObjectFieldDeserializer:

First call in.readObject (fieldClassType) to get the property value from the input stream, and then call _unsafe.putObject, the native method insun.misc.Unsafe, and will not trigger the getter and setter methods. Here's how to deal with in.readObject (fieldClassType):

Here Map type uses Map Deserializer, correspondingly calling MapDeserializer.readMap (in)method to restore a Map object:

Note the several judgments here. If it is a Map interface type, Hash Map is used. If it is a Sorted Map type, Tree Map is used. Other Maps will call the corresponding default constructor. In this example, because it is a Map interface type, Hash Map is used. Next comes the classic scenario. First use in.readObject() (this process is similar to the previous one and will not be repeated). The map's key and value objects in the serialized data are restored, and then call map.put (key, value), here is Hash Map, the put method of Hash Map will call hash(key) to trigger thekey.hashCode() method of key object, and put Val will be called in put method, and put Val will Call the key.equals (obj) method of the key object. After processing all keys and values, return to UnsafeDeserializer$ObjectFieldDeserializer:

Use the native method _unsafe.putObject to complete the inner Map property assignment of the object.

Analysis of several Hessian gadget chains

In the marshalsec tool, there are several chains available for Hessian deserialization:

• Rome
• X Bean
• Resin
• Spring Partially Comparable Advisor Holder
• Spring Abstract Bean Factory Pointcu tAdvisor

Let‘s analyze two of them, Rome and Spring Partially Comparable Advisor Holder. Rome is triggered by HashMap.put->key.hashCode, and Spring Partially Comparable Advisor Holder is triggered by HashMap.put->key.equals. Several others are similar, either using hash Code or equals.

SpringPartiallyComparableAdvisorHolder

There are all corresponding Gadget Tests in marshalsec, which is very convenient:

To make it clearer, I extracted SpringPartiallyComparableAdvisorHolder gadget chain from marshalsec:

Look at the following trigger process:

After HessianInput.readObject(), it comes to MapDeserializer.readMap (in) to process Map type attributes, which triggers HashMap.put (key, value):

HashMap.put has called theHashMap.putVal method, and the key.equals(k) method will be triggered on the second put:

At this time, key and k are as follows, both are Hot Swappable Target Source objects:

Enter HotSwappableTargetSource.equals:

In HotSwappableTargetSource.equals, the respective target.equals method is triggered, that is, XString.equals(PartiallyComparableAdvisorHolder):

PartiallyComparableAdvisorHolder.toString is triggered here:

Triggered AspectJPointcutAdvisor.getOrder:

触发了AspectJAroundAdvice.getOrder：

Here trigger BeanFactoryAspectInstanceFactory.getOrder:

This triggered SimpleJndiBeanFactory.getTYpe->SimpleJndiBeanFactory.doGetType-> SimpleJndiBeanFactory.doGetSingleton->SimpleJndiBeanFactory.lookup-> JndiTemplate.lookup->Context.lookup:

Rome

Rome is relatively simple to trigger:

Like above, I extracted the gadget chain:

Take a look at the trigger process:

Then called the hash method, which called the key.hashCode method:

Then EqualsBean.hashCode-> EqualsBean.beanHashCode is triggered:

Triggered ToStringBean.toString:

This calls JdbcRowSetImpl.getDatabaseMetadata, which triggersJdbcRowSetImpl.connect-> context.lookup:

summary

As can be seen from the above two chains, when Hessian deserialization basically uses deserialization to process the Map type, the call Map.put->Map.putVal-> key.hashCode / key.equals-> ... will be triggered, the subsequent series of starting processes are also related to polymorphic characteristics. Some class attributes are of type Object, which can be set to any class, and the hash Code and equals methods just call Certain methods of properties carry out a subsequent series of triggers. So to find such a gadget chain, we can directly find the classes with hash Code, equals, and read Resolve methods, and then people judge and construct, but this workload should be heavy; or use some chain mining tools, write rules to scan as needed.

Simple analysis of Apache Dubbo deserialization

Apache Dubbo Http deserialization

Let's take a brief look at the HTTP problem mentioned earlier, and directly use the official samples, there is a dubbo-samples-http which can be used directly, put a breakpoint directly in the DemoServiceImpl.sayHello method, and deserialize the data in RemoteInvocationSerializingExporter.doReadRemoteInvocation, using Java Serialization:

Looking at the packet, the obvious ac ed flag:

Apache Dubbo Dubbo deserialization

Also use the official Dubbo-samples-basic, the default Dubbo hessian2 protocol, Dubbo has magically modified the hessian2, but the general structure is still similar, in MapDeserializer.readMap is still similar to Hessian:

Reference

1. https://docs.ioin.in/writeup/blog.csdn.net/_u011721501_article_details_79443598/index.html
2. https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
3. https://www.mi1k7ea.com/2020/01/25/Java-Hessian%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/
4. https://zhuanlan.zhihu.com/p/44787200

---

本文由 Seebug Paper 发布，如需转载请注明来源。本文地址：https://paper.seebug.org/1137/