[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

Jim Manico jim.manico at owasp.org
Tue Aug 6 20:38:20 UTC 2013


I noticed Denis' blog post said "We are not sure how to fix this". :) I
don't blame you, this is a tough problem. I would like to fix the
underlying problem, but that would "kill the entire mechanism". And I do
not think a Java security manager rule is a good long term fix.

Really good finding folks.  Lots to think about.

Thanks,
- Jim


> Remember that you can insert the exploit code even after the valid xml.
> 
> Also want to clarify that Dennis, Alvaro and I worked very hard over the
> past year researching, reading and testing REST APIs to find these types of
> vulnerabilities.
> 
> Regards,
> Abe
> 
> 
> On Tue, Aug 6, 2013 at 12:31 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> The Java security manager runtime permissions have no management
>> software available and often break functionality that these libraries
>> depend on to run. I still think schema validation is in order. I'll dig
>> a little deeper into this (from a defense perspective) and get back to
>> you on this.
>>
>> Cheers,
>> Jim
>>
>>
>>> Policy file runtime permissions may help in restricting execution of
>> rogue code. Most containers have them.
>>> Nice work btw
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> You normally want to do structural validation of untrusted XML before
>>>> you accept it (using XML schema or the like). Such defenses if
>>>> implemented right should protect you from this kind of vulnerability.
>>>>
>>>> But wow, very interesting work.
>>>>
>>>> Cheers,
>>>> Jim
>>>>
>>>>
>>>>> I wasn't aware that this was possible. Nice work!
>>>>>
>>>>> I'd be very interested in seeing how a Security Manager can be used to
>>>>> sandbox a class like this.
>>>>>
>>>>> If you restrict it to elementary Objects such as String, Integer,
>>>>> Boolean, Float, etc, and Collection classes such as Map and List, I
>>>>> suspect that you should not be able to do too much damage. How would
>> you
>>>>> get a reference to the application code, anyway, to attack the
>>>>> application assets?
>>>>>
>>>>> Rogan
>>>>>
>>>>>
>>>>> On 06/08/2013 14:38, Dinis Cruz wrote:
>>>>>> Hi, where you aware that XmlDecoder could be used this way:
>>>>>>
>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
>>>>>> (see
>>>>>> examples at the end)
>>>>>>
>>>>>> Me and Abe presented that last week at DefCon and the awareness was
>> very
>>>>>> low.
>>>>>>
>>>>>> I'm also sure that there are other dangerous/exploitable uses of
>>>>>> XmlDecoder on other REST or web apis.
>>>>>>
>>>>>> Finally what about fixing/mitigating this? It looks like Java
>> Sandboxing
>>>>>> using the Security manager is one option, but even that will not be
>>>>>> safe, since the attacker will be able to attack the application
>> assets.
>>>>>>
>>>>>> Any other ideas?
>>>>>>
>>>>>> Dinis Cruz
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
> 



More information about the OWASP-Leaders mailing list