[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

Eric Sheridan eric.sheridan at owasp.org
Tue Aug 6 14:08:26 UTC 2013


Wow... I was honestly not aware of this 'capability' and think this is a
pretty bad situation. I'm not sure there is any fix other than "do not
use XMLDecoder" (or at least only use it on streams that you trust
100%). I wouldn't depend on the security manager... still waiting for it
to gain real world traction after 10+ years.

The idea of building Java objects this way is kind of interesting, but
it totally falls apart the second method invocations can be triggered. I
think raising the awareness and flagging this API as 'banned' in our
respective tool sets is the best we can do. There are plenty of other
XML APIs/libraries that do less silly stuff.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 8/6/13 8:38 AM, Dinis Cruz wrote:
> Hi, were you aware that XmlDecoder could be used this
> way: http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html (see
> examples at the end)
> 
> Abe and I presented that last week at DefCon and the awareness was very
> low.
> 
> I'm also sure that there are other dangerous/exploitable uses of
> XmlDecoder on other REST or web apis.
> 
> Finally what about fixing/mitigating this? It looks like Java Sandboxing
> using the Security manager is one option, but even that will not be
> safe, since the attacker will be able to attack the application assets.
> 
> Any other ideas?
> 
> Dinis Cruz
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
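The point both messages make, that XMLDecoder stops being a data format the moment a document can invoke methods, and that the fix is to not hand it untrusted streams, is illustrated by the following added example. It is not code from the thread, from Dinis's blog post, or from Restlet; the class name `XmlDecoderDemo`, the helper `parseUser`, the `xmldecoder.demo` system property and both sample XML documents are constructed for this illustration. The payload uses only documented XMLDecoder element syntax (`<object class=... method=...>` calls a static method with the nested elements as arguments) and deliberately invokes a harmless method so the side effect is observable; the same document shape aimed at a class with real side effects is what makes the pattern remote code execution. The second half shows the alternative Eric alludes to: a plain DOM parse of a fixed, expected shape, with DTDs disabled, which rejects the payload before anything executes.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XmlDecoderDemo {

    // Constructed payload (assumption: not taken from the thread or the blog post).
    // <object class="X" method="m"> is documented XMLDecoder syntax meaning
    // "call static method X.m(...)" with the nested <string> elements as arguments.
    // Here it merely sets a system property; any other static method or
    // constructor reachable by name can be triggered the same way.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n" +
        "  <object class=\"java.lang.System\" method=\"setProperty\">\n" +
        "    <string>xmldecoder.demo</string>\n" +
        "    <string>method invoked during decode</string>\n" +
        "  </object>\n" +
        "</java>\n";

    // The only document shape the application actually expects (constructed).
    static final String EXPECTED =
        "<user><name>alice</name><role>viewer</role></user>";

    static final class User {
        final String name, role;
        User(String name, String role) { this.name = name; this.role = role; }
    }

    // Vulnerable pattern: decoding bytes the caller does not fully trust.
    // XMLDecoder executes whatever the document describes while it parses.
    static Object decodeUntrusted(byte[] xml) {
        try (XMLDecoder dec = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return dec.readObject();
        }
    }

    // Hardened alternative: a DOM parse that maps a fixed element set to a
    // plain object. No class names or method names come from the input, so
    // there is nothing for an attacker to invoke. DTDs and entity expansion
    // are disabled so the replacement does not trade RCE for XXE.
    static User parseUser(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature name; the JDK's bundled parser honours it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml));
        Element root = d.getDocumentElement();
        if (!"user".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element <" + root.getTagName() + ">");
        }
        return new User(text(root, "name"), text(root, "role"));
    }

    private static String text(Element root, String tag) {
        NodeList n = root.getElementsByTagName(tag);
        if (n.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <" + tag + ">");
        }
        return n.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        byte[] hostile = PAYLOAD.getBytes(StandardCharsets.UTF_8);

        // 1. XMLDecoder: the method call runs as a side effect of parsing.
        decodeUntrusted(hostile);
        System.out.println("after XMLDecoder: xmldecoder.demo = "
            + System.getProperty("xmldecoder.demo"));

        // 2. Strict parser: the same bytes are rejected before any code runs.
        try {
            parseUser(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("strict parser rejected payload: " + e.getMessage());
        }

        // 3. Strict parser on the expected shape: plain data, nothing executed.
        User u = parseUser(EXPECTED.getBytes(StandardCharsets.UTF_8));
        System.out.println("parsed user " + u.name + " with role " + u.role);
    }
}
```

Run with `javac XmlDecoderDemo.java && java XmlDecoderDemo`; the first line of output shows the property set purely by decoding the document. Note that the DOM-based replacement is the mitigation, not an allow-list wrapped around XMLDecoder: the decoder resolves class names through several loaders and the JDK's own classes are always reachable, so filtering is not a substitute for keeping untrusted bytes away from it, which is exactly the "do not use XMLDecoder" position in the message above.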

