[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Abraham Kang abraham.kang at owasp.org
Tue Aug 6 22:19:24 UTC 2013


I totally agree that a DVRA (Darn Vulnerable REST API) is needed to
highlight the issues for developers.

I am busy as well but wouldn't mind supporting an effort.  When things
settle down, I can pitch in more.

Any takers...

Regards,
Abe


On Tue, Aug 6, 2013 at 2:04 PM, Rogers, John M. <John.Rogers at lfg.com> wrote:

> Abe/Dinis/Alvaro,
>
> I attended the DefCon presentation and I thought your presentation went
> very well.  Actually, it scared the hell out of me.
>
> I was the attendee that raised a hand and said, “Damn Vulnerable REST
> API?”.  Abe nods and agrees that they are vulnerable and then gets ready to
> answer the next question.  I think my question mark got lost in the room
> noise, so I asked it again with some additional clarification.  Then the
> light goes on and the initial response seemed to indicate that the idea
> might have some merit.
>
> I need to start working to educate our application architect/development
> teams and while I’m pretty sure I don’t have the time to lead such an
> effort, I would be interested in participating if someone thought this was
> a worthwhile effort.
>
> jr
>
> John M. Rogers, CISSP
> Senior Application Security Engineer
> Lincoln Financial Group, 8801 Indian Hills Drive 8972, Omaha, NE 68114
> Phone: Work: 402-361-7343, Cell: 402-536-0722
> Email: John.Rogers at lfg.com
> Web: www.lfg.com
>
> You’re In Charge (sm)
>
> WearYellow, LIVESTRONG! <http://www.livestrong.org>
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Abraham Kang
> Sent: Tuesday, August 06, 2013 3:11 PM
> To: Jim Manico
> Cc: java-project at lists.owasp.org; owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Using XMLDecoder to execute server-side
> Java Code on a Restlet application (i.e. Remote Command Execution)
>
> Remember that you can insert the exploit code even after the valid XML.
>
> Also want to clarify that Dinis, Alvaro and I worked very hard over the
> past year researching, reading and testing REST APIs to find these types of
> vulnerabilities.
>
> Regards,
> Abe
>
> On Tue, Aug 6, 2013 at 12:31 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> The Java security manager runtime permissions have no management
> software available and often break functionality that these libraries
> depend on to run. I still think schema validation is in order. I'll dig
> a little deeper into this (from a defense perspective) and get back to
> you on this.
>
> Cheers,
> Jim
>
> > Policy file runtime permissions may help in restricting execution of
> > rogue code. Most containers have them.
> > Nice work btw
> >
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> You normally want to do structural validation of untrusted XML before
> >> you accept it (using XML schema or the like). Such defenses if
> >> implemented right should protect you from this kind of vulnerability.
> >>
> >> But wow, very interesting work.
> >>
> >> Cheers,
> >> Jim
> >>
> >>
> >>> I wasn't aware that this was possible. Nice work!
> >>>
> >>> I'd be very interested in seeing how a Security Manager can be used to
> >>> sandbox a class like this.
> >>>
> >>> If you restrict it to elementary Objects such as String, Integer,
> >>> Boolean, Float, etc, and Collection classes such as Map and List, I
> >>> suspect that you should not be able to do too much damage. How would you
> >>> get a reference to the application code, anyway, to attack the
> >>> application assets?
> >>>
> >>> Rogan
> >>>
> >>>
> >>> On 06/08/2013 14:38, Dinis Cruz wrote:
> >>>> Hi, were you aware that XmlDecoder could be used this way:
> >>>>
> >>>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
> >>>> (see examples at the end)
> >>>>
> >>>> Me and Abe presented that last week at DefCon and the awareness was very
> >>>> low.
> >>>>
> >>>> I'm also sure that there are other dangerous/exploitable uses of
> >>>> XmlDecoder on other REST or web apis.
> >>>>
> >>>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
> >>>> using the Security manager is one option, but even that will not be
> >>>> safe, since the attacker will be able to attack the application assets.
> >>>>
> >>>> Any other ideas?
> >>>>
> >>>> Dinis Cruz
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> OWASP-Leaders mailing list
> >>>> OWASP-Leaders at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
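As an added, defensive illustration of the two mitigations discussed in this thread (Jim's structural validation of untrusted XML before it is accepted, and Rogan's idea of restricting the document to elementary objects and basic collections), the following Java class was written for this page and is not code from any of the posters or from any project. It walks an entire XMLDecoder document before the bytes reach java.beans.XMLDecoder and rejects anything that names an element, attribute, class or method outside a short allowlist. Because the whole document is walked, a fragment appended after an otherwise valid map (Abe's point above) is rejected as well. The class name XmlDecoderGate, the allowlists, the method names and the sample documents (including the placeholder class com.example.NotOnTheList) are assumptions constructed for the example; it assumes Java 11 or later for Set.of.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Hypothetical gate placed in front of java.beans.XMLDecoder: the whole
 * document is walked first, and every element, attribute, class name and
 * method name must be on a short allowlist, or the bytes are never decoded.
 */
public class XmlDecoderGate {

    // Allowlists are assumptions for this example; trim them to what an API really needs.
    private static final Set<String> ALLOWED_ELEMENTS = Set.of(
            "java", "object", "void", "string", "int", "long", "boolean", "double", "null");
    private static final Set<String> ALLOWED_ATTRIBUTES = Set.of("version", "class", "method", "id", "idref");
    private static final Set<String> ALLOWED_CLASSES = Set.of("java.util.HashMap", "java.util.ArrayList");
    private static final Set<String> ALLOWED_METHODS = Set.of("put", "add");

    /** True only if every node of the document, first to last, is on the allowlists. */
    public static boolean isAcceptable(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE: no entity expansion, and fewer ways for the two parsers to disagree
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Element root = doc.getDocumentElement();
        return "java".equals(root.getTagName()) && check(root, true);
    }

    private static boolean check(Element e, boolean isRoot) {
        if (!ALLOWED_ELEMENTS.contains(e.getTagName())) return false;
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Node a = attrs.item(i);
            String name = a.getNodeName();
            String value = a.getNodeValue();
            // property/field/index and anything else are call sites too: not listed, so rejected
            if (!ALLOWED_ATTRIBUTES.contains(name)) return false;
            if (name.equals("class")) {
                // The root carries only the decoder marker; everywhere else the class must be listed
                boolean ok = isRoot ? value.equals("java.beans.XMLDecoder") : ALLOWED_CLASSES.contains(value);
                if (!ok) return false;
            }
            if (name.equals("method") && !ALLOWED_METHODS.contains(value)) return false;
        }
        NodeList kids = e.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE && !check((Element) n, false)) return false;
        }
        return true;
    }

    /** Decodes only after the gate passes; otherwise the request is refused. */
    public static Object decodeOrReject(byte[] xml) throws Exception {
        if (!isAcceptable(xml)) {
            throw new IllegalArgumentException(
                    "rejected: document names elements, classes or methods outside the allowlist");
        }
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return d.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a map built from elementary types only
        String benign = "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">"
                + "<object class=\"java.util.HashMap\"><void method=\"put\">"
                + "<string>name</string><string>value</string></void></object></java>";
        // Constructed sample: the same valid map followed by an <object> naming a class not on the list
        String trailing = benign.replace("</java>",
                "<object class=\"com.example.NotOnTheList\"/></java>");
        System.out.println(decodeOrReject(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println(isAcceptable(trailing.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The gate is a second line of defence, not a substitute for keeping XMLDecoder away from untrusted input altogether, which is where the thread's own discussion of Security Manager limits ends up. The DOM parser and XMLDecoder each parse the same byte array independently, so the DOCTYPE is refused before either sees it; that closes the largest opening for the two parsers to read the document differently.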