古老的馈赠之CORBA漏洞分析

搞安全的总是要赛博考古，找找被遗忘的角落。这两年的漏洞偶尔会出现CORBA这个东西，这玩意好像比RMI还老，得有二十多年历史了，但很多框架还支持它，简单分析一下。
CORBA也是用于RPC的，可以理解为和RMI差不多，但不像RMI是Java特有的，CORBA是一种跨语言的分布式调用结构，先写个demo。

Java CORBA Demo实现

首先，CORBA是跨语言的结构，所以先要用它自己的格式创建出对应文件，再编译成Java。CORBA自己的语言文件叫IDL，长这样：

module HelloApp
{
  interface Hello
  {
    string sayHello();
  };
};

其实就是package为HelloApp的Hello接口，里面有sayHello方法。然后用jdk自带的idlj工具编译：

idlj -fall hello.idl

编译后多出来一个HelloApp包，里面有六个文件。如果参数改成-fclient/-fserver可以单独生成客户端和服务端的文件。这里列举一下。
客户端服务端都有：
HelloOperations

public interface HelloOperations 
{
  String sayHello ();
} // interface HelloOperations

一个接口，定义了idl里定义的方法
Hello

public interface Hello extends HelloOperations, org.omg.CORBA.Object, org.omg.CORBA.portable.IDLEntity 
{
} // interface Hello

其实就像RMI，需要两边都有远程接口的定义
服务端：
一个接口，名称是idl定义的接口，继承了几个接口。
HelloPOA

public abstract class HelloPOA extends org.omg.PortableServer.Servant
 implements HelloApp.HelloOperations, org.omg.CORBA.portable.InvokeHandler
{

  // Constructors

  private static java.util.Hashtable _methods = new java.util.Hashtable ();
  static
  {
    _methods.put ("sayHello", new java.lang.Integer (0));
  }

  public org.omg.CORBA.portable.OutputStream _invoke (String $method,
                                org.omg.CORBA.portable.InputStream in,
                                org.omg.CORBA.portable.ResponseHandler $rh)
  {
    org.omg.CORBA.portable.OutputStream out = null;
    java.lang.Integer __method = (java.lang.Integer)_methods.get ($method);
    if (__method == null)
      throw new org.omg.CORBA.BAD_OPERATION (0, org.omg.CORBA.CompletionStatus.COMPLETED_MAYBE);

    switch (__method.intValue ())
    {
       case 0:  // HelloApp/Hello/sayHello
       {
         String $result = null;
         $result = this.sayHello ();
         out = $rh.createReply();
         out.write_string ($result);
         break;
       }

       default:
         throw new org.omg.CORBA.BAD_OPERATION (0, org.omg.CORBA.CompletionStatus.COMPLETED_MAYBE);
    }

    return out;
  } // _invoke

  // Type-specific CORBA::Object operations
  private static String[] __ids = {
    "IDL:HelloApp/Hello:1.0"};

  public String[] _all_interfaces (org.omg.PortableServer.POA poa, byte[] objectId)
  {
    return (String[])__ids.clone ();
  }

  public Hello _this() 
  {
    return HelloHelper.narrow(
    super._this_object());
  }

  public Hello _this(org.omg.CORBA.ORB orb) 
  {
    return HelloHelper.narrow(
    super._this_object(orb));
  }


} // class HelloPOA

一个抽象类，叫做POA，实际是负责服务端处理调用请求的，可以类比为RMI里面的Skel。
客户端：
HelloHelper

abstract public class HelloHelper
{
  private static String  _id = "IDL:HelloApp/Hello:1.0";

  public static void insert (org.omg.CORBA.Any a, HelloApp.Hello that)
  {
    org.omg.CORBA.portable.OutputStream out = a.create_output_stream ();
    a.type (type ());
    write (out, that);
    a.read_value (out.create_input_stream (), type ());
  }

  public static HelloApp.Hello extract (org.omg.CORBA.Any a)
  {
    return read (a.create_input_stream ());
  }

  private static org.omg.CORBA.TypeCode __typeCode = null;
  synchronized public static org.omg.CORBA.TypeCode type ()
  {
    if (__typeCode == null)
    {
      __typeCode = org.omg.CORBA.ORB.init ().create_interface_tc (HelloApp.HelloHelper.id (), "Hello");
    }
    return __typeCode;
  }

  public static String id ()
  {
    return _id;
  }

  public static HelloApp.Hello read (org.omg.CORBA.portable.InputStream istream)
  {
    return narrow (istream.read_Object (_HelloStub.class));
  }

  public static void write (org.omg.CORBA.portable.OutputStream ostream, HelloApp.Hello value)
  {
    ostream.write_Object ((org.omg.CORBA.Object) value);
  }

  public static HelloApp.Hello narrow (org.omg.CORBA.Object obj)
  {
    if (obj == null)
      return null;
    else if (obj instanceof HelloApp.Hello)
      return (HelloApp.Hello)obj;
    else if (!obj._is_a (id ()))
      throw new org.omg.CORBA.BAD_PARAM ();
    else
    {
      org.omg.CORBA.portable.Delegate delegate = ((org.omg.CORBA.portable.ObjectImpl)obj)._get_delegate ();
      HelloApp._HelloStub stub = new HelloApp._HelloStub ();
      stub._set_delegate(delegate);
      return stub;
    }
  }

  public static HelloApp.Hello unchecked_narrow (org.omg.CORBA.Object obj)
  {
    if (obj == null)
      return null;
    else if (obj instanceof HelloApp.Hello)
      return (HelloApp.Hello)obj;
    else
    {
      org.omg.CORBA.portable.Delegate delegate = ((org.omg.CORBA.portable.ObjectImpl)obj)._get_delegate ();
      HelloApp._HelloStub stub = new HelloApp._HelloStub ();
      stub._set_delegate(delegate);
      return stub;
    }
  }

}

辅助类，处理编码解码。
HelloHolder

public final class HelloHolder implements org.omg.CORBA.portable.Streamable
{
  public HelloApp.Hello value = null;

  public HelloHolder ()
  {
  }

  public HelloHolder (HelloApp.Hello initialValue)
  {
    value = initialValue;
  }

  public void _read (org.omg.CORBA.portable.InputStream i)
  {
    value = HelloApp.HelloHelper.read (i);
  }

  public void _write (org.omg.CORBA.portable.OutputStream o)
  {
    HelloApp.HelloHelper.write (o, value);
  }

  public org.omg.CORBA.TypeCode _type ()
  {
    return HelloApp.HelloHelper.type ();
  }

}

也是一个辅助类，处理参数的。
_HelloStub

public class _HelloStub extends org.omg.CORBA.portable.ObjectImpl implements HelloApp.Hello
{

  public String sayHello ()
  {
            org.omg.CORBA.portable.InputStream $in = null;
            try {
                org.omg.CORBA.portable.OutputStream $out = _request ("sayHello", true);
                $in = _invoke ($out);
                String $result = $in.read_string ();
                return $result;
            } catch (org.omg.CORBA.portable.ApplicationException $ex) {
                $in = $ex.getInputStream ();
                String _id = $ex.getId ();
                throw new org.omg.CORBA.MARSHAL (_id);
            } catch (org.omg.CORBA.portable.RemarshalException $rm) {
                return sayHello (        );
            } finally {
                _releaseReply ($in);
            }
  } // sayHello

  // Type-specific CORBA::Object operations
  private static String[] __ids = {
    "IDL:HelloApp/Hello:1.0"};

  public String[] _ids ()
  {
    return (String[])__ids.clone ();
  }

  private void readObject (java.io.ObjectInputStream s) throws java.io.IOException
  {
     String str = s.readUTF ();
     String[] args = null;
     java.util.Properties props = null;
     org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init (args, props);
   try {
     org.omg.CORBA.Object obj = orb.string_to_object (str);
     org.omg.CORBA.portable.Delegate delegate = ((org.omg.CORBA.portable.ObjectImpl) obj)._get_delegate ();
     _set_delegate (delegate);
   } finally {
     orb.destroy() ;
   }
  }

  private void writeObject (java.io.ObjectOutputStream s) throws java.io.IOException
  {
     String[] args = null;
     java.util.Properties props = null;
     org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init (args, props);
   try {
     String str = orb.object_to_string (this);
     s.writeUTF (str);
   } finally {
     orb.destroy() ;
   }
  }
} // class _HelloStub

看名字也知道了，客户端处理远程调用的代理，类比RMI中的stub。
有了这些自动生成的类以后，当然还要写自己的逻辑。和RMI类似CORBA也分为三部分：客户端、服务端、Naming Service。Naming Service和注册中心差不多，服务端把对象绑定上去，客户端去查询。因为CORBA是跨语言的，所以Naming Service不是用Java代码开启的，也是一个内置工具：

orbd -ORBInitialPort 1050 -ORBInitialHost localhost

然后创建服务端，做两件事：实例化Hello接口，绑定到Naming Service
CORBAServer，来自官网示例https://docs.oracle.com/javase/8/docs/technotes/guides/idl/jidlExample.html

class HelloImpl extends HelloPOA {
    private ORB orb;

    public void setORB(ORB orb_val) {
        orb = orb_val;
    }

    // implement sayHello() method
    public String sayHello() {
        return "\nHello world !!\n";
    }
}

public class CORBAServer {

    public static void main(String args[]) {
        try{
            Properties properties = new Properties();
            properties.put("org.omg.CORBA.ORBInitialHost","127.0.0.1");
            properties.put("org.omg.CORBA.ORBInitialPort","1050");
            // create and initialize the ORB
            ORB orb = ORB.init(args, properties);

            // get reference to rootpoa & activate the POAManager
            POA rootpoa = POAHelper.narrow(orb.resolve_initial_references("RootPOA"));
            rootpoa.the_POAManager().activate();

            // create servant and register it with the ORB
            HelloImpl helloImpl = new HelloImpl();
            helloImpl.setORB(orb);

            // get object reference from the servant
            org.omg.CORBA.Object ref = rootpoa.servant_to_reference(helloImpl);
            Hello href = HelloHelper.narrow(ref);

            // get the root naming context
            // NameService invokes the name service
            org.omg.CORBA.Object objRef =
                    orb.resolve_initial_references("NameService");
            // Use NamingContextExt which is part of the Interoperable
            // Naming Service (INS) specification.
            NamingContextExt ncRef = NamingContextExtHelper.narrow(objRef);

            // bind the Object Reference in Naming
            String name = "Hello";
            NameComponent path[] = ncRef.to_name( name );
            ncRef.rebind(path, href);

            System.out.println("HelloServer ready and waiting ...");

            // wait for invocations from clients
            orb.run();
        }

        catch (Exception e) {
            System.err.println("ERROR: " + e);
            e.printStackTrace(System.out);
        }

        System.out.println("HelloServer Exiting ...");

    }
}

然后是客户端，获取stub，对stub调用远程方法，就照着RMI理解就行了

public class CORBAClient {
    static Hello helloImpl;

    public static void main(String args[])
    {
        try{
            Properties properties = new Properties();
            properties.put("org.omg.CORBA.ORBInitialHost","127.0.0.1");
            properties.put("org.omg.CORBA.ORBInitialPort","1050");
            // create and initialize the ORB
            ORB orb = ORB.init(args, properties);

            // get the root naming context
            org.omg.CORBA.Object objRef =
                    orb.resolve_initial_references("NameService");
            // Use NamingContextExt instead of NamingContext. This is
            // part of the Interoperable naming Service.
            NamingContextExt ncRef = NamingContextExtHelper.narrow(objRef);

            // resolve the Object Reference in Naming
            String name = "Hello";
            helloImpl = HelloHelper.narrow(ncRef.resolve_str(name));

            System.out.println("Obtained a handle on server object: " + helloImpl);
            System.out.println(helloImpl.sayHello());

        } catch (Exception e) {
            System.out.println("ERROR : " + e) ;
            e.printStackTrace(System.out);
        }
    }
}

运行后客户端成功打印出Hello World。实际上服务端也调用了，可以自己sout一下。
总体来说和RMI很像，但是多了一步ORB的操作。RMI是getRegistry直接获创建注册中心Stub的，CORBA是创建一个ORB，用ORB获取Naming Service，再在Naming Service上面操作。
直觉上这个过程和RMI一样可能出现两种漏洞：
1、反序列化
2、动态类加载
分析一下调用流程，看看有没有存在风险的地方。由于代码实在很乱，所以直接在com.sun.corba.se包里所有调用readObject的点下断点了，省的遗漏。
先看服务端，大概做了几件事：
1、用ORB从Naming Service获取RootPOA。
2、用RootPOA将远程对象转化为stub
3、用ORB从Naming Service获取命名上下文NameService
4、绑定stub到NameService
5、开启监听
可以看到中间和Naming Service是有多次交互的，有可能有反序列化的问题。调试跟一下：

服务端调用流程

在ORB从Naming Service解析引用名时会调用ORBImpl#resolve_initial_references

public org.omg.CORBA.Object resolve_initial_references(
    String identifier) throws InvalidName
{
    Resolver res ;

    synchronized( this ) {
        checkShutdownState();
        res = resolver ;
    }

    synchronized (resolverLock) {
        org.omg.CORBA.Object result = res.resolve( identifier ) ;

        if (result == null)
            throw new InvalidName() ;
        else
            return result ;
    }
}

到CompositeResolverImpl#resolve

public org.omg.CORBA.Object resolve( String name )
{
    org.omg.CORBA.Object result = first.resolve( name ) ;
    if (result == null)
        result = second.resolve( name ) ;
    return result ;
}

具体不分析了，第二次请求NamingService时会到BootstrapResolverImpl#resolve

public org.omg.CORBA.Object resolve( String identifier )
{
    InputStream inStream = null ;
    org.omg.CORBA.Object result = null ;

    try {
        inStream = invoke( "get", identifier ) ;

        result = inStream.read_Object();

        // NOTE: do note trap and ignore errors.
        // Let them flow out.
    } finally {
        bootstrapDelegate.releaseReply( null, inStream ) ;
    }

    return result ;
}

对输入流调用read_Object，这里有好几层，最后到CDRInputStream_1_0#read_Object

// ------------ RMI related methods --------------------------

// IDL to Java ptc-00-01-08 1.21.4.1
//
// The clz argument to read_Object can be either a stub
// Class or the "Class object for the RMI/IDL interface type
// that is statically expected."
// This functions as follows:
// 1. If clz==null, just use the repository ID from the stub
// 2. If clz is a stub class, just use it as a static factory.
//    clz is a stub class iff StubAdapter.isStubClass( clz ).
//    In addition, clz is a IDL stub class iff
//    IDLEntity.class.isAssignableFrom( clz ).
// 3. If clz is an interface, use it to create the appropriate
//    stub factory.
public org.omg.CORBA.Object read_Object(Class clz)
{
    // In any case, we must first read the IOR.
    IOR ior = IORFactories.makeIOR(parent) ;
    if (ior.isNil())
        return null ;

    PresentationManager.StubFactoryFactory sff = ORB.getStubFactoryFactory() ;
    String codeBase = ior.getProfile().getCodebase() ;
    PresentationManager.StubFactory stubFactory = null ;

    if (clz == null) {
        RepositoryId rid = RepositoryId.cache.getId( ior.getTypeId() ) ;
        String className = rid.getClassName() ;
        boolean isIDLInterface = rid.isIDLType() ;

        if (className == null || className.equals( "" ))
            stubFactory = null ;
        else
            try {
                stubFactory = sff.createStubFactory( className,
                    isIDLInterface, codeBase, (Class)null,
                    (ClassLoader)null );
            } catch (Exception exc) {
                // Could not create stubFactory, so use null.
                // XXX stubFactory handling is still too complex:
                // Can we resolve the stubFactory question once in
                // a single place?
                stubFactory = null ;
            }
    } else if (StubAdapter.isStubClass( clz )) {
        stubFactory = PresentationDefaults.makeStaticStubFactory(
            clz ) ;
    } else {
        // clz is an interface class
        boolean isIDL = IDLEntity.class.isAssignableFrom( clz ) ;

        stubFactory = sff.createStubFactory( clz.getName(),
            isIDL, codeBase, clz, clz.getClassLoader() ) ;
    }

    return internalIORToObject( ior, stubFactory, orb ) ;
}

默认进clz==null的分支，注意到获取了codebase，那就看看有没有远程加载。来到StubFactoryFactoryStaticImpl#createStubFactory

public PresentationManager.StubFactory createStubFactory(
    String className, boolean isIDLStub, String remoteCodeBase, Class
    expectedClass, ClassLoader classLoader)
{
    String stubName = null ;

    if (isIDLStub)
        stubName = Utility.idlStubName( className ) ;
    else
        stubName = Utility.stubNameForCompiler( className ) ;

    ClassLoader expectedTypeClassLoader =
        (expectedClass == null ? classLoader :
        expectedClass.getClassLoader());

    // The old code was optimized to try to guess which way to load classes
    // first.  The real stub class name could either be className or
    // "org.omg.stub." + className.  We will compute this as follows:
    // If stubName starts with a "forbidden" package, try the prefixed
    // version first, otherwise try the non-prefixed version first.
    // In any case, try both forms if necessary.

    String firstStubName = stubName ;
    String secondStubName = stubName ;

    if (PackagePrefixChecker.hasOffendingPrefix(stubName))
        firstStubName = PackagePrefixChecker.packagePrefix() + stubName ;
    else
        secondStubName = PackagePrefixChecker.packagePrefix() + stubName ;

    Class clz = null;

    try {
        clz = Util.loadClass( firstStubName, remoteCodeBase,
            expectedTypeClassLoader ) ;
    } catch (ClassNotFoundException e1) {
        // log only at FINE level
        wrapper.classNotFound1( CompletionStatus.COMPLETED_MAYBE,
            e1, firstStubName ) ;
        try {
            clz = Util.loadClass( secondStubName, remoteCodeBase,
                expectedTypeClassLoader ) ;
        } catch (ClassNotFoundException e2) {
            throw wrapper.classNotFound2(
                CompletionStatus.COMPLETED_MAYBE, e2, secondStubName ) ;
        }
    }

    // XXX Is this step necessary, or should the Util.loadClass
    // algorithm always produce a valid class if the setup is correct?
    // Does the OMG standard algorithm need to be changed to include
    // this step?
    if ((clz == null) ||
        ((expectedClass != null) && !expectedClass.isAssignableFrom(clz))) {
        try {
            ClassLoader cl = Thread.currentThread().getContextClassLoader();
            if (cl == null)
                cl = ClassLoader.getSystemClassLoader();

            clz = cl.loadClass(className);
        } catch (Exception exc) {
            // XXX make this a system exception
            IllegalStateException ise = new IllegalStateException(
                "Could not load class " + stubName ) ;
            ise.initCause( exc ) ;
            throw ise ;
        }
    }

    return new StubFactoryStaticImpl( clz ) ;
}

全是函数，这代码看着真累。来到javax.rmi.CORBA.Util#loadClass

/**
 * Returns a class instance for the specified class.
 * <P>The spec for this method is the "Java to IDL language
 * mapping", ptc/00-01-06.
 * <P>In Java SE Platform, this method works as follows:
 * <UL><LI>Find the first non-null <tt>ClassLoader</tt> on the
 * call stack and attempt to load the class using this
 * <tt>ClassLoader</tt>.
 * <LI>If the first step fails, and if <tt>remoteCodebase</tt>
 * is non-null and
 * <tt>useCodebaseOnly</tt> is false, then call
 * <tt>java.rmi.server.RMIClassLoader.loadClass(remoteCodebase, className)</tt>.
 * <LI>If <tt>remoteCodebase</tt> is null or <tt>useCodebaseOnly</tt>
 * is true, then call <tt>java.rmi.server.RMIClassLoader.loadClass(className)</tt>.
 * <LI>If a class was not successfully loaded by step 1, 2, or 3,
 * and <tt>loader</tt> is non-null, then call <tt>loader.loadClass(className)</tt>.
 * <LI>If a class was successfully loaded by step 1, 2, 3, or 4, then
 *  return the loaded class, else throw <tt>ClassNotFoundException</tt>.
 * @param className the name of the class.
 * @param remoteCodebase a space-separated list of URLs at which
 * the class might be found. May be null.
 * @param loader a <tt>ClassLoader</tt> that may be used to
 * load the class if all other methods fail.
 * @return the <code>Class</code> object representing the loaded class.
 * @exception ClassNotFoundException if class cannot be loaded.
 */
public static Class loadClass(String className,
                              String remoteCodebase,
                              ClassLoader loader)
    throws ClassNotFoundException {
    if (utilDelegate != null) {
        return utilDelegate.loadClass(className,remoteCodebase,loader);
    }
    return null ;
}

从注释里看到实际上是支持远程加载的，但是需要useCodebaseOnly为false。
最后到JDKBridge#loadClassM

private static Class loadClassM (String className,
                        String remoteCodebase,
                        boolean useCodebaseOnly)
    throws ClassNotFoundException {

    try {
        return JDKClassLoader.loadClass(null,className);
    } catch (ClassNotFoundException e) {}
    try {
        if (!useCodebaseOnly && remoteCodebase != null) {
            return RMIClassLoader.loadClass(remoteCodebase,
                                            className);
        } else {
            return RMIClassLoader.loadClass(className);
        }
    } catch (MalformedURLException e) {
        className = className + ": " + e.toString();
    }

    throw new ClassNotFoundException(className);
}

如果useCodebaseOnly为false并且codebase不是空，会调用RMIClassLoader.loadClass。但实际上即使满足这两个条件，真正想用RMI进行远程类加载还需要允许配置SecurityManager。如果能本地加载最后就是调JDKClassLoader.loadClass，最后用Class.forName加载，后面进行了实例化，但实际上forName会触发初始化，不管是否实例化都已经能执行代码了。
当前就是本地加载了org.omg.CosNaming._NamingContextStub类，这个类其实相当于RMI中的RegistryImpl_Stub，获取到这个stub后调用了两次，先看第一处
_NamingContextStub#to_name

 /**
* This operation  converts a Stringified Name into an  equivalent array
* of Name Components. 
* 
* @param sn Stringified Name of the object <p>
* 
* @exception org.omg.CosNaming.NamingContextExtPackage.InvalidName
* Indicates the name does not identify a binding.<p>
* 
*/
 public org.omg.CosNaming.NameComponent[] to_name (String sn) throws org.omg.CosNaming.NamingContextPackage.InvalidName
 {
           org.omg.CORBA.portable.InputStream $in = null;
           try {
               org.omg.CORBA.portable.OutputStream $out = _request ("to_name", true);
               org.omg.CosNaming.NamingContextExtPackage.StringNameHelper.write ($out, sn);
               $in = _invoke ($out);
               org.omg.CosNaming.NameComponent $result[] = org.omg.CosNaming.NameHelper.read ($in);
               return $result;
           } catch (org.omg.CORBA.portable.ApplicationException $ex) {
               $in = $ex.getInputStream ();
               String _id = $ex.getId ();
               if (_id.equals ("IDL:omg.org/CosNaming/NamingContext/InvalidName:1.0"))
                   throw org.omg.CosNaming.NamingContextPackage.InvalidNameHelper.read ($in);
               else
                   throw new org.omg.CORBA.MARSHAL (_id);
           } catch (org.omg.CORBA.portable.RemarshalException $rm) {
               return to_name (sn        );
           } finally {
               _releaseReply ($in);
           }
 } // to_name

大致是创建输出流，写一个字符串，调用连接，然后接收了返回值。这不就是RMI里的newCall+invoke+反序列化吗。
和RMI不同，这个_invoke里没看到反序列化的地方。看看接收返回值的函数
NameHelper#read

public static org.omg.CosNaming.NameComponent[] read (org.omg.CORBA.portable.InputStream istream)
{
  org.omg.CosNaming.NameComponent value[] = null;
  int _len0 = istream.read_long ();
  value = new org.omg.CosNaming.NameComponent[_len0];
  for (int _o1 = 0;_o1 < value.length; ++_o1)
    value[_o1] = org.omg.CosNaming.NameComponentHelper.read (istream);
  return value;
}

NameComponentHelper#read

public static org.omg.CosNaming.NameComponent read (org.omg.CORBA.portable.InputStream istream)
{
  org.omg.CosNaming.NameComponent value = new org.omg.CosNaming.NameComponent ();
  value.id = istream.read_string ();
  value.kind = istream.read_string ();
  return value;
}

跟进去发现这两个read_string不是用反序列化实现的，而是创建了字符串，直接赋值网络流里读取的字符。catch块里的InvalidNameHelper.read也是一样的。意外的比RMI安全。
那么看下一处交互，绑定的地方
_NamingContextExtStub#rebind

public void rebind (org.omg.CosNaming.NameComponent[] n, org.omg.CORBA.Object obj) throws org.omg.CosNaming.NamingContextPackage.NotFound, org.omg.CosNaming.NamingContextPackage.CannotProceed, org.omg.CosNaming.NamingContextPackage.InvalidName
{
          org.omg.CORBA.portable.InputStream $in = null;
          try {
              org.omg.CORBA.portable.OutputStream $out = _request ("rebind", true);
              org.omg.CosNaming.NameHelper.write ($out, n);
              org.omg.CORBA.ObjectHelper.write ($out, obj);
              $in = _invoke ($out);
              return;
          } catch (org.omg.CORBA.portable.ApplicationException $ex) {
              $in = $ex.getInputStream ();
              String _id = $ex.getId ();
              if (_id.equals ("IDL:omg.org/CosNaming/NamingContext/NotFound:1.0"))
                  throw org.omg.CosNaming.NamingContextPackage.NotFoundHelper.read ($in);
              else if (_id.equals ("IDL:omg.org/CosNaming/NamingContext/CannotProceed:1.0"))
                  throw org.omg.CosNaming.NamingContextPackage.CannotProceedHelper.read ($in);
              else if (_id.equals ("IDL:omg.org/CosNaming/NamingContext/InvalidName:1.0"))
                  throw org.omg.CosNaming.NamingContextPackage.InvalidNameHelper.read ($in);
              else
                  throw new org.omg.CORBA.MARSHAL (_id);
          } catch (org.omg.CORBA.portable.RemarshalException $rm) {
              rebind (n, obj        );
          } finally {
              _releaseReply ($in);
          }
} // rebind

简单跟了下，没发现可控的反序列化点，catch里有一处调用了read_object但是参数不可控。
那么服务端绑定过程没有触发反序列化的点，有触发远程类加载的点。

客户端调用流程(客户端)

接下来看客户端调用的过程
前面和Naming Service交互的部分和服务端是一样的，看获取远程对象stub的部分：
_NamingContextExtStub#resolve_str

public org.omg.CORBA.Object resolve_str (String sn) throws org.omg.CosNaming.NamingContextPackage.NotFound, org.omg.CosNaming.NamingContextPackage.CannotProceed, org.omg.CosNaming.NamingContextPackage.InvalidName
{
          org.omg.CORBA.portable.InputStream $in = null;
          try {
              org.omg.CORBA.portable.OutputStream $out = _request ("resolve_str", true);
              org.omg.CosNaming.NamingContextExtPackage.StringNameHelper.write ($out, sn);
              $in = _invoke ($out);
              org.omg.CORBA.Object $result = org.omg.CORBA.ObjectHelper.read ($in);
              return $result;
          } catch (org.omg.CORBA.portable.ApplicationException $ex) {
              $in = $ex.getInputStream ();
              String _id = $ex.getId ();
              if (_id.equals ("IDL:omg.org/CosNaming/NamingContext/NotFound:1.0"))
                  throw org.omg.CosNaming.NamingContextPackage.NotFoundHelper.read ($in);
              else if (_id.equals ("IDL:omg.org/CosNaming/NamingContext/CannotProceed:1.0"))
                  throw org.omg.CosNaming.NamingContextPackage.CannotProceedHelper.read ($in);
              else if (_id.equals ("IDL:omg.org/CosNaming/NamingContext/InvalidName:1.0"))
                  throw org.omg.CosNaming.NamingContextPackage.InvalidNameHelper.read ($in);
              else
                  throw new org.omg.CORBA.MARSHAL (_id);
          } catch (org.omg.CORBA.portable.RemarshalException $rm) {
              return resolve_str (sn        );
          } finally {
              _releaseReply ($in);
          }
} // resolve_str

和前面不同的是调用了ObjectHelper#read

public static org.omg.CORBA.Object read (org.omg.CORBA.portable.InputStream istream)
{
    return istream.read_Object ();
}

和前面的类似，最后也是来到CDRInputStream_1_0#read_object，那么这里也是一个动态类加载点。
获取到的是远程对象代理_HelloStub，和RMI用反序列化的方式获取stub不同，CORBA是直接进行类加载，客户端本来是有这个类的定义的，同时也支持远程类加载。
看客户端调用远程方法的部分，也就是helloImpl.sayHello这里，调用到_HelloStub#sayHello

public String sayHello ()
{
          org.omg.CORBA.portable.InputStream $in = null;
          try {
              org.omg.CORBA.portable.OutputStream $out = _request ("sayHello", true);
              $in = _invoke ($out);
              String $result = $in.read_string ();
              return $result;
          } catch (org.omg.CORBA.portable.ApplicationException $ex) {
              $in = $ex.getInputStream ();
              String _id = $ex.getId ();
              throw new org.omg.CORBA.MARSHAL (_id);
          } catch (org.omg.CORBA.portable.RemarshalException $rm) {
              return sayHello (        );
          } finally {
              _releaseReply ($in);
          }
} // sayHello

这里接收调用结果时使用的read_string是安全的方法，但这时会想到如果返回值是Object的呢？或者如果有参数，又是怎么进行传递的呢？
CORBA的idl里，参数类型不是Java的类型，而是in、out、inout这三种，比如这样：

module HelloApp2
{
  interface Hello
  {
    Object sayHello(in Object obj,in wstring str2);
  };
};

在ibm的文档里的IDL数据类型里没看到支持Object类型，但是好像也能正常用。
重新看一下这个Hello接口的调用流程，_HelloStub#sayHello

public org.omg.CORBA.Object sayHello (org.omg.CORBA.Object obj, String str2)
{
          org.omg.CORBA.portable.InputStream $in = null;
          try {
              org.omg.CORBA.portable.OutputStream $out = _request ("sayHello", true);
              org.omg.CORBA.ObjectHelper.write ($out, obj);
              $out.write_wstring (str2);
              $in = _invoke ($out);
              org.omg.CORBA.Object $result = org.omg.CORBA.ObjectHelper.read ($in);
              return $result;
          } catch (org.omg.CORBA.portable.ApplicationException $ex) {
              $in = $ex.getInputStream ();
              String _id = $ex.getId ();
              throw new org.omg.CORBA.MARSHAL (_id);
          } catch (org.omg.CORBA.portable.RemarshalException $rm) {
              return sayHello (obj, str2        );
          } finally {
              _releaseReply ($in);
          }
} // sayHello

此时的$result已经变成用ObjectHelper.read来获取了，这个函数前面分析过是存在动态类加载问题的。也就是说CORBA的客户端调用时，如果返回值是Object就会产生风险。别的类型是否有危险可能需要针对的去看，这里重载的方法太多了。
分析完了对返回值的处理，最后看看服务端对参数的处理。

客户端调用流程(服务端)

断点下在HelloPOA里，相当于RMI中的Skel

public org.omg.CORBA.portable.OutputStream _invoke (String $method,
                              org.omg.CORBA.portable.InputStream in,
                              org.omg.CORBA.portable.ResponseHandler $rh)
{
  org.omg.CORBA.portable.OutputStream out = null;
  java.lang.Integer __method = (java.lang.Integer)_methods.get ($method);
  if (__method == null)
    throw new org.omg.CORBA.BAD_OPERATION (0, org.omg.CORBA.CompletionStatus.COMPLETED_MAYBE);

  switch (__method.intValue ())
  {
     case 0:  // HelloApp2/Hello/sayHello
     {
       org.omg.CORBA.Object obj = org.omg.CORBA.ObjectHelper.read (in);
       String str2 = in.read_wstring ();
       org.omg.CORBA.Object $result = null;
       $result = this.sayHello (obj, str2);
       out = $rh.createReply();
       org.omg.CORBA.ObjectHelper.write (out, $result);
       break;
     }

     default:
       throw new org.omg.CORBA.BAD_OPERATION (0, org.omg.CORBA.CompletionStatus.COMPLETED_MAYBE);
  }

  return out;
} // _invoke

可以看到有两个读取参数的操作，第一个已经见过好几回了，看下read_wstring这个函数，最后走到CDRInputStream_1_2#read_wstring

public String read_wstring() {
    // In GIOP 1.2, wstrings are not terminated by a null.  The
    // length is the number of octets in the converted format.
    // A zero length string is represented with the 4 byte length
    // value of 0.

    int len = read_long();

    //
    // IMPORTANT: Do not replace 'new String("")' with "", it may result
    // in a Serialization bug (See serialization.zerolengthstring) and
    // bug id: 4728756 for details
    if (len == 0)
        return new String("");

    checkForNegativeLength(len);

    return new String(getConvertedChars(len, getWCharConverter()),
                      0,
                      getWCharConverter().getNumChars());
}

是没有问题的。这里实际上是根据不同的参数类型来调用不同的read_*方法，那干脆搜索一下到底有没有哪中参数类型是会调用反序列化处理的。最后找到了两处，都在IDLJavaSerializationInputStream里面：

public String read_wstring() {
    if (!markOn && !(markedItemQ.isEmpty())) { // dequeue
        return (String) markedItemQ.removeFirst();
    }
    if (markOn && !(markedItemQ.isEmpty()) &&
            (peekIndex < peekCount)) { // peek
        return (String) markedItemQ.get(peekIndex++);
    }
    try {
        String value = (String) is.readObject();
        if (markOn) { // enqueue
            markedItemQ.addLast(value);
        }
        return value;
    } catch (Exception e) {
        throw wrapper.javaSerializationException(e, "read_wstring");
    }
}

public java.io.Serializable read_value() {
    if (!markOn && !(markedItemQ.isEmpty())) { // dequeue
        return (Serializable) markedItemQ.removeFirst();
    }
    if (markOn && !(markedItemQ.isEmpty()) &&
            (peekIndex < peekCount)) { // peek
        return (Serializable) markedItemQ.get(peekIndex++);
    }
    try {
        Serializable value = (java.io.Serializable) is.readObject();
        if (markOn) { // enqueue
            markedItemQ.addLast(value);
        }
        return value;
    } catch (Exception e) {
        throw wrapper.javaSerializationException(e, "read_value");
    }
}

这是另一个InputStream，前面一直用的都是CDRInputStream。那么如果能想办法把调用流程切换到这个IDLJavaSerializationInputStream里面，在读取特定数据类型时就有机会触发反序列化漏洞。这个输入流实际上是根据服务端返回的标记为来决定的，也就是恶意CORBA服务端可以攻击CORBA客户端。
但实际上，这种原生CORBA实在是太少见了，基本不会有这个攻击场景。Java中使用CORBA更常用的是RMI+IIOP的方式，具体的实现是结合JNDI，在JNDI那篇文章详细介绍。

参考链接

https://docs.oracle.com/javase/8/docs/technotes/guides/idl/jidlExample.html
https://docs.oracle.com/javase/7/docs/technotes/guides/rmi-iiop/rmi_iiop_pg.html