[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

Dinis Cruz dinis.cruz at owasp.org
Tue Aug 6 23:55:50 UTC 2013

Although the security manager should (depending on configuration and
policy) protect against certain exploit vectors (like starting
processes,saving files or loading new classes), I don't think it will be
able to protect the actual application.

As far as I know and saw, we can create and invoke any class or method that
exists inside the JVM (i.e. I don't think you can restrict the object
creation to simple types). So to have access to the the application code,
all that is needed is a static reference or a factory class.
*On my blog post<http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html>
a look at the 5 - create item (and calc).xml example (which calls the
Runtime.getRuntime() static method) or the **8c - HttpResponse - return
JavaProperties.xml *example (which calls the *org.restlet.Response.getCurrent()

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

On 6 August 2013 15:29, Rogan Dawes <rogan at dawes.za.net> wrote:

> I wasn't aware that this was possible. Nice work!
> I'd be very interested in seeing how a Security Manager can be used to
> sandbox a class like this.
> If you restrict it to elementary Objects such as String, Integer, Boolean,
> Float, etc, and Collection classes such as Map and List, I suspect that you
> should not be able to do too much damage. How would you get a reference to
> the application code, anyway, to attack the application assets?
> Rogan
> On 06/08/2013 14:38, Dinis Cruz wrote:
>> Hi, where you aware that XmlDecoder could be used this way:
>> http://blog.diniscruz.com/**2013/08/using-xmldecoder-to-**
>> execute-server-side.html<http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html>(see
>> examples at the end)
>> Me and Abe presented that last week at DefCon and the awareness was very
>> low.
>> I'm also sure that there are other dangerous/exploitable uses of
>> XmlDecoder on other REST or web apis.
>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
>> using the Security manager is one option, but even that will not be
>> safe, since the attacker will be able to attack the application assets.
>> Any other ideas?
>> Dinis Cruz
>> ______________________________**_________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/**mailman/listinfo/owasp-leaders<https://lists.owasp.org/mailman/listinfo/owasp-leaders>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130807/5cf38902/attachment.html>

More information about the OWASP-Leaders mailing list