[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Owasp eoin.keary at owasp.org
Tue Aug 6 19:25:32 UTC 2013


Policy file runtime permissions may help in restricting execution of rogue code. Most containers have them.
Nice work btw

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:

> You normally want to do structural validation of untrusted XML before
> you accept it (using XML schema or the like). Such defenses if
> implemented right should protect you from this kind of vulnerability.
> 
> But wow, very interesting work.
> 
> Cheers,
> Jim
> 
> 
>> I wasn't aware that this was possible. Nice work!
>> 
>> I'd be very interested in seeing how a Security Manager can be used to
>> sandbox a class like this.
>> 
>> If you restrict it to elementary Objects such as String, Integer,
>> Boolean, Float, etc, and Collection classes such as Map and List, I
>> suspect that you should not be able to do too much damage. How would you
>> get a reference to the application code, anyway, to attack the
>> application assets?
>> 
>> Rogan
>> 
>> 
>> On 06/08/2013 14:38, Dinis Cruz wrote:
>>> Hi, were you aware that XmlDecoder could be used this way:
>>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
>>> (see examples at the end)
>>> 
>>> Abe and I presented that last week at DefCon and the awareness was very
>>> low.
>>> 
>>> I'm also sure that there are other dangerous/exploitable uses of
>>> XmlDecoder on other REST or web apis.
>>> 
>>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
>>> using the Security manager is one option, but even that will not be
>>> safe, since the attacker will be able to attack the application assets.
>>> 
>>> Any other ideas?
>>> 
>>> Dinis Cruz
>>> 
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
> 
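The two halves of the thread, the XMLDecoder primitive Dinis describes and the structural validation Jim proposes, side by side as an added example; this is not code from the original posts, from Dinis's blog, or from Restlet. `PAYLOAD` is a constructed attacker document: XMLDecoder reads the XML as a script of method calls, so the `<object class=... method=...>` element invokes `java.lang.System.setProperty` with the two string arguments, and the same element with `java.lang.ProcessBuilder` and `start` runs a process. The hardened path parses the body with a plain DOM parser under an XML Schema and never hands it to XMLDecoder. The class name `XmlDecoderDemo`, the `user`/`name`/`email` document shape and the `xmldecoder.demo` property name are assumptions for the illustration.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class XmlDecoderDemo {

    // Constructed attacker payload (assumption, not taken from the thread). XMLDecoder
    // evaluates each element as a Java expression: this one calls the static method
    // java.lang.System.setProperty("xmldecoder.demo", "executed"). Any public class and
    // method can be named here, e.g. java.lang.ProcessBuilder / start.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n" +
        "  <object class=\"java.lang.System\" method=\"setProperty\">\n" +
        "    <string>xmldecoder.demo</string>\n" +
        "    <string>executed</string>\n" +
        "  </object>\n" +
        "</java>\n";

    // Vulnerable pattern: the untrusted request body goes straight into XMLDecoder.
    static Object decodeWithXmlDecoder(String body) {
        try (XMLDecoder d = new XMLDecoder(
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)))) {
            return d.readObject(); // the method calls in the document run here
        }
    }

    // Schema describing the only document shape the endpoint is willing to accept
    // (assumed shape for the example).
    static final String SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n" +
        "  <xs:element name=\"user\">\n" +
        "    <xs:complexType>\n" +
        "      <xs:sequence>\n" +
        "        <xs:element name=\"name\" type=\"xs:string\"/>\n" +
        "        <xs:element name=\"email\" type=\"xs:string\"/>\n" +
        "      </xs:sequence>\n" +
        "    </xs:complexType>\n" +
        "  </xs:element>\n" +
        "</xs:schema>\n";

    // The JDK's default handler only logs schema violations; make them fatal.
    static final class StrictErrorHandler implements ErrorHandler {
        public void warning(SAXParseException e) throws SAXException { throw e; }
        public void error(SAXParseException e) throws SAXException { throw e; }
        public void fatalError(SAXParseException e) throws SAXException { throw e; }
    }

    // Hardened pattern: structural validation with a plain parser, DTDs disabled,
    // and no XMLDecoder anywhere on the path.
    static Document parseValidatedUser(String body) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(new StreamSource(new StringReader(SCHEMA)));
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setSchema(schema);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(new StrictErrorHandler());
        return db.parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        // 1. The payload is well-formed XML, and XMLDecoder executes it.
        System.getProperties().remove("xmldecoder.demo");
        decodeWithXmlDecoder(PAYLOAD);
        System.out.println("after XMLDecoder: xmldecoder.demo="
                + System.getProperty("xmldecoder.demo"));

        // 2. The validated parser accepts the expected shape ...
        Document ok = parseValidatedUser(
                "<user><name>alice</name><email>alice@example.org</email></user>");
        System.out.println("validated user: "
                + ok.getElementsByTagName("name").item(0).getTextContent());

        // ... and rejects the payload before anything in it can run.
        System.getProperties().remove("xmldecoder.demo");
        try {
            parseValidatedUser(PAYLOAD);
            System.out.println("payload unexpectedly accepted");
        } catch (SAXException e) {
            System.out.println("payload rejected by schema: " + e.getMessage());
        }
        System.out.println("after validated parse: xmldecoder.demo="
                + System.getProperty("xmldecoder.demo"));
    }
}
```

On the sandboxing question raised in the thread: a SecurityManager policy can deny the permissions `ProcessBuilder.start` needs, which stops that particular payload, but XMLDecoder runs in the application's own protection domain, so every public method the application itself is allowed to call remains callable from the document. Schema validation (or simply not decoding untrusted input with XMLDecoder) removes the primitive; the policy file only narrows what it can reach.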

