[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Owasp eoin.keary at owasp.org
Tue Aug 6 19:47:10 UTC 2013


Policy file and schema are not mutually exclusive. There is no one right way here. It's a combination of controls.

Policy tool??



Eoin Keary
Owasp Global Board
+353 87 977 2988


On 6 Aug 2013, at 20:31, Jim Manico <jim.manico at owasp.org> wrote:

> The Java security manager runtime permissions have no management
> software available and often break functionality that these libraries
> depend on to run. I still think schema validation is in order. I'll dig
> a little deeper into this (from a defense perspective) and get back to
> you on this.
> 
> Cheers,
> Jim
> 
> 
>> Policy file runtime permissions may help in restricting execution of rogue code. Most containers have them.
>> Nice work btw
>> 
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> You normally want to do structural validation of untrusted XML before
>>> you accept it (using XML schema or the like). Such defenses if
>>> implemented right should protect you from this kind of vulnerability.
>>> 
>>> But wow, very interesting work.
>>> 
>>> Cheers,
>>> Jim
>>> 
>>> 
>>>> I wasn't aware that this was possible. Nice work!
>>>> 
>>>> I'd be very interested in seeing how a Security Manager can be used to
>>>> sandbox a class like this.
>>>> 
>>>> If you restrict it to elementary Objects such as String, Integer,
>>>> Boolean, Float, etc, and Collection classes such as Map and List, I
>>>> suspect that you should not be able to do too much damage. How would you
>>>> get a reference to the application code, anyway, to attack the
>>>> application assets?
>>>> 
>>>> Rogan
>>>> 
>>>> 
>>>> On 06/08/2013 14:38, Dinis Cruz wrote:
>>>>> Hi, were you aware that XmlDecoder could be used this way:
>>>>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
>>>>> (see examples at the end)
>>>>> 
>>>>> Me and Abe presented that last week at DefCon and the awareness was very
>>>>> low.
>>>>> 
>>>>> I'm also sure that there are other dangerous/exploitable uses of
>>>>> XmlDecoder on other REST or web APIs.
>>>>> 
>>>>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
>>>>> using the Security manager is one option, but even that will not be
>>>>> safe, since the attacker will be able to attack the application assets.
>>>>> 
>>>>> Any other ideas?
>>>>> 
>>>>> Dinis Cruz
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> 
>>> 
> 
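The mitigation Jim and Rogan sketch above (structurally validate untrusted java.beans XML and confine it to elementary and collection classes before XMLDecoder ever sees it), written out as an added Java example. This is not code from the thread, from Restlet or from the JDK; the class name RestrictedXmlDecoder, the three allowlists and the two sample documents are assumptions chosen for illustration. The pre-parse rejects DOCTYPE declarations, then every element name, `class` attribute and `method` attribute is checked against an allowlist. Allowlisting classes alone is not enough, because XMLDecoder invokes whatever method the document names on the objects it has already built, so method names are restricted to collection mutators as well. Only after the walk succeeds are the same bytes handed to XMLDecoder.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Hypothetical gate in front of XMLDecoder: plain data in, anything else rejected.
public final class RestrictedXmlDecoder {

    // Elements java.beans XML may use when the payload is data only (assumed policy).
    private static final Set<String> ALLOWED_ELEMENTS = new HashSet<>(Arrays.asList(
            "java", "object", "void", "string", "int", "long", "boolean", "double", "null"));

    // Only value-like classes and two collection classes may be instantiated.
    private static final Set<String> ALLOWED_CLASSES = new HashSet<>(Arrays.asList(
            "java.lang.String", "java.lang.Integer", "java.lang.Long", "java.lang.Boolean",
            "java.lang.Double", "java.util.HashMap", "java.util.ArrayList"));

    // Only collection mutators may be invoked on the objects the document builds.
    private static final Set<String> ALLOWED_METHODS = new HashSet<>(Arrays.asList("put", "add"));

    public static Object decode(byte[] untrustedXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DTD at all: rules out external entities and entity expansion before the walk.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(untrustedXml));
        check(doc.getDocumentElement());
        // Same bytes that passed the walk are decoded; no second, unchecked source.
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(untrustedXml))) {
            return d.readObject();
        }
    }

    private static void check(Element e) {
        String name = e.getTagName();
        if (!ALLOWED_ELEMENTS.contains(name)) reject("element <" + name + ">");
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Node a = attrs.item(i);
            String an = a.getNodeName();
            String av = a.getNodeValue();
            switch (an) {
                case "class":
                    // The root <java> element names the decoder itself, not an object to build.
                    if (name.equals("java") && av.equals("java.beans.XMLDecoder")) break;
                    if (!ALLOWED_CLASSES.contains(av)) reject("class " + av);
                    break;
                case "method":
                    if (!ALLOWED_METHODS.contains(av)) reject("method " + av);
                    break;
                case "version": case "index": case "id": case "idref":
                    break; // bookkeeping attributes, no code reachable through them
                default:
                    reject("attribute " + an); // property, field and anything else
            }
        }
        NodeList kids = e.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node k = kids.item(i);
            if (k.getNodeType() == Node.ELEMENT_NODE) check((Element) k);
        }
    }

    private static void reject(String what) {
        throw new SecurityException("untrusted java.beans XML rejected: " + what);
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign document: a map with one string entry.
        String ok = "<java version=\"1.7\" class=\"java.beans.XMLDecoder\">"
                + "<object class=\"java.util.HashMap\">"
                + "<void method=\"put\"><string>user</string><string>alice</string></void>"
                + "</object></java>";
        System.out.println(decode(ok.getBytes(StandardCharsets.UTF_8)));

        // Constructed document naming a class outside the allowlist (placeholder name):
        // it is rejected during the walk and never reaches XMLDecoder.
        String bad = "<java version=\"1.7\" class=\"java.beans.XMLDecoder\">"
                + "<object class=\"com.example.NotOnAllowlist\"/></java>";
        try {
            decode(bad.getBytes(StandardCharsets.UTF_8));
        } catch (SecurityException ex) {
            System.out.println(ex.getMessage());
        }
    }
}
```

Compile and run with `javac RestrictedXmlDecoder.java && java RestrictedXmlDecoder`. The walk is deliberately a denylist of nothing and an allowlist of everything: an element, class or method the policy does not name is rejected, which is what makes it a structural check rather than a signature for one known payload. An XML Schema expressing the same constraints works equally well as the first step; the element walk is used here only because it keeps the allowlists visible in one place.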

