[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Jim Manico jim.manico at owasp.org
Tue Aug 6 19:31:04 UTC 2013


The Java security manager runtime permissions have no management
software available and often break functionality that these libraries
depend on to run. I still think schema validation is in order. I'll dig
a little deeper into this (from a defense perspective) and get back to
you on this.

Cheers,
Jim


> Policy file runtime permissions may help in restricting execution of rogue code. Most containers have them.
> Nice work btw
> 
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> You normally want to do structural validation of untrusted XML before
>> you accept it (using XML schema or the like). Such defenses if
>> implemented right should protect you from this kind of vulnerability.
>>
>> But wow, very interesting work.
>>
>> Cheers,
>> Jim
>>
>>
>>> I wasn't aware that this was possible. Nice work!
>>>
>>> I'd be very interested in seeing how a Security Manager can be used to
>>> sandbox a class like this.
>>>
>>> If you restrict it to elementary Objects such as String, Integer,
>>> Boolean, Float, etc, and Collection classes such as Map and List, I
>>> suspect that you should not be able to do too much damage. How would you
>>> get a reference to the application code, anyway, to attack the
>>> application assets?
>>>
>>> Rogan
>>>
>>>
>>> On 06/08/2013 14:38, Dinis Cruz wrote:
>>>> Hi, were you aware that XmlDecoder could be used this way:
>>>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
>>>> (see examples at the end)
>>>>
>>>> Me and Abe presented that last week at DefCon and the awareness was very
>>>> low.
>>>>
>>>> I'm also sure that there are other dangerous/exploitable uses of
>>>> XmlDecoder on other REST or web apis.
>>>>
>>>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
>>>> using the Security manager is one option, but even that will not be
>>>> safe, since the attacker will be able to attack the application assets.
>>>>
>>>> Any other ideas?
>>>>
>>>> Dinis Cruz
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
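The defence Jim describes above (structural validation of untrusted XML against a schema before the application accepts it) looks like the following in Java. This is an added example written for this page, not code from the thread or from any of its participants. It uses the standard javax.xml.validation API; the StrictXmlGate class, the schema, and the sample documents are constructed for illustration and assume the application only ever expects a small, fixed document shape.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

/**
 * Schema gate for untrusted XML (constructed example).
 * Only a document matching the strict schema below passes; anything else,
 * including a java.beans.XMLDecoder-format document with a <java> root,
 * is rejected before any application parser sees it.
 */
public class StrictXmlGate {

    // Constructed schema: a <person> element holding exactly a string <name>
    // and a non-negative integer <age>. No other elements or attributes are allowed.
    private static final String SCHEMA =
        "<?xml version=\"1.0\"?>"
      + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"person\">"
      + "    <xs:complexType><xs:sequence>"
      + "      <xs:element name=\"name\" type=\"xs:string\"/>"
      + "      <xs:element name=\"age\" type=\"xs:nonNegativeInteger\"/>"
      + "    </xs:sequence></xs:complexType>"
      + "  </xs:element>"
      + "</xs:schema>";

    private static final Schema SCHEMA_OBJ;

    static {
        try {
            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // Hardened factory: secure processing on, no external DTD or schema fetches.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            SCHEMA_OBJ = factory.newSchema(new StreamSource(new StringReader(SCHEMA)));
        } catch (SAXException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * Returns true only if the untrusted document conforms to the strict schema.
     * Any validation error, including an unexpected root element, yields false.
     */
    public static boolean isAcceptablePerson(String untrustedXml) {
        try {
            Validator validator = SCHEMA_OBJ.newValidator();
            // The validator parses the input too, so lock it down the same way.
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(untrustedXml)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input that matches the expected shape.
        String expected = "<person><name>Alice</name><age>30</age></person>";
        // Constructed sample in XMLEncoder/XMLDecoder document format: its root is
        // <java>, not <person>, so the schema gate rejects it outright.
        String decoderFormat =
            "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">"
          + "<object class=\"java.lang.String\">hello</object></java>";

        System.out.println("expected document accepted:       " + isAcceptablePerson(expected));
        System.out.println("XMLDecoder-format document accepted: " + isAcceptablePerson(decoderFormat));
    }
}
```

Once a document has passed the gate, hand it to a plain XML parser or a data-binding layer that maps elements to application fields; do not pass it to java.beans.XMLDecoder, because that class treats the document itself as a sequence of object constructions and method calls, which is exactly the behaviour the thread is about. The schema validation step is only a filter on document shape, so it must be applied before, not after, any such deserialisation.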
