[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

Rogers, John M. John.Rogers at lfg.com
Tue Aug 6 21:04:01 UTC 2013


Abe/Dinis/Alvaro,

 

I attended the DefCon presentation and I thought your presentation went very well.  Actually, it scared the hell out of me. :)

 

I was the attendee that raised a hand and said, "Damn Vulnerable REST API?".  Abe nods and agrees that they are vulnerable and then gets ready to answer the next question.  I think my question mark got lost in the room noise, so I asked it again with some additional clarification.  Then the light goes on and the initial response seemed to indicate that the idea might have some merit.

 

I need to start working to educate our application architect/development teams and while I'm pretty sure I don't have the time to lead such an effort, I would be interested in participating if someone thought this was a worthwhile effort.

 

jr

 
John M. Rogers, CISSP
Senior Application Security Engineer
Lincoln Financial Group, 8801 Indian Hills Drive 8972, Omaha, NE 68114
Phone: Work: 402-361-7343, Cell: 402-536-0722
Email: John.Rogers at lfg.com
Web: www.lfg.com 


 

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Abraham Kang
Sent: Tuesday, August 06, 2013 3:11 PM
To: Jim Manico
Cc: java-project at lists.owasp.org; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

 

Remember that you can insert the exploit code even after the valid xml.

Also want to clarify that Dennis, Alvaro and I worked very hard over the past year researching, reading and testing REST APIs to find these types of vulnerabilities.

Regards,
Abe

 

On Tue, Aug 6, 2013 at 12:31 PM, Jim Manico <jim.manico at owasp.org> wrote:

The Java security manager runtime permissions have no management
software available and often break functionality that these libraries
depend on to run. I still think schema validation is in order. I'll dig
a little deeper into this (from a defense perspective) and get back to
you on this.

Cheers,
Jim



> Policy file runtime permissions may help in restricting execution of rogue code. Most containers have them.
> Nice work btw
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
>
>> You normally want to do structural validation of untrusted XML before
>> you accept it (using XML schema or the like). Such defenses if
>> implemented right should protect you from this kind of vulnerability.
>>
>> But wow, very interesting work.
>>
>> Cheers,
>> Jim
>>
>>
>>> I wasn't aware that this was possible. Nice work!
>>>
>>> I'd be very interested in seeing how a Security Manager can be used to
>>> sandbox a class like this.
>>>
>>> If you restrict it to elementary Objects such as String, Integer,
>>> Boolean, Float, etc, and Collection classes such as Map and List, I
>>> suspect that you should not be able to do too much damage. How would you
>>> get a reference to the application code, anyway, to attack the
>>> application assets?
>>>
>>> Rogan
>>>
>>>
>>> On 06/08/2013 14:38, Dinis Cruz wrote:
>>>> Hi, were you aware that XmlDecoder could be used this way:
>>>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
>>>> (see examples at the end)
>>>>
>>>> Abe and I presented that last week at DefCon and the awareness was very
>>>> low.
>>>>
>>>> I'm also sure that there are other dangerous/exploitable uses of
>>>> XmlDecoder on other REST or web APIs.
>>>>
>>>> Finally, what about fixing/mitigating this? It looks like Java sandboxing
>>>> using the Security Manager is one option, but even that will not be
>>>> safe, since the attacker will be able to attack the application assets.
>>>>
>>>> Any other ideas?
>>>>
>>>> Dinis Cruz
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

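Jim's suggestion in the thread above (structurally validate untrusted XML against a schema before any deserializer sees it) as an added Java example; this is not code from the thread or from any of its participants. The `order` schema, the `SchemaGate` class and the three sample documents are constructed for illustration, and the JAXP 1.5 access-control properties assume JDK 7u40 or later.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class SchemaGate {
    // Constructed schema for the one document shape this (hypothetical) endpoint expects.
    private static final String ORDER_XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
      + "<xs:element name='order'><xs:complexType><xs:sequence>"
      + "<xs:element name='id' type='xs:positiveInteger'/>"
      + "<xs:element name='note' type='xs:string'/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";
    private static final Schema SCHEMA = compile(ORDER_XSD);

    private static Schema compile(String xsd) {
        try {
            SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            return f.newSchema(new StreamSource(new StringReader(xsd)));
        } catch (SAXException e) {
            throw new IllegalStateException("schema does not compile", e);
        }
    }

    // True only if the untrusted document conforms to ORDER_XSD; everything else is rejected.
    public static boolean accept(String untrustedXml) {
        try {
            Validator v = SCHEMA.newValidator();
            // JAXP 1.5 properties: never fetch external DTDs or schemas while parsing input.
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            v.validate(new StreamSource(new StringReader(untrustedXml)));
            return true;   // now safe to bind with a plain XML binding, never XMLDecoder
        } catch (SAXException | IOException e) {
            return false;  // wrong root, unknown elements, bad types, or content after the root
        }
    }

    public static void main(String[] args) {
        String good = "<order><id>42</id><note>ok</note></order>";
        // XMLDecoder documents have a <java> root, which the order schema does not define.
        String javaRoot = "<java version='1.7.0'><object class='java.lang.String'/></java>";
        // Markup appended after a valid document is not well-formed XML (single root only).
        String trailing = good + "<java version='1.7.0'/>";
        System.out.println(accept(good) + " " + accept(javaRoot) + " " + accept(trailing));
    }
}
```

The third sample covers Abe's note that payloads can be appended after the valid XML: the parser rejects content following the root element before validation even starts.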