[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
dinis.cruz at owasp.org
Tue Aug 6 23:55:50 UTC 2013
Although the security manager should (depending on configuration and
policy) protect against certain exploit vectors (like starting
processes, saving files or loading new classes), I don't think it will be
able to protect the actual application.
As far as I know and have seen, we can create and invoke any class or method that
exists inside the JVM (i.e. I don't think you can restrict the object
creation to simple types). So to have access to the application code,
all that is needed is a static reference or a factory class.
On my blog post <http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html>
take a look at the "5 - create item (and calc).xml" example (which calls the
Runtime.getRuntime() static method) or the "8c - HttpResponse - return
JavaProperties.xml" example (which calls the org.restlet.Response.getCurrent()
On 6 August 2013 15:29, Rogan Dawes <rogan at dawes.za.net> wrote:
> I wasn't aware that this was possible. Nice work!
> I'd be very interested in seeing how a Security Manager can be used to
> sandbox a class like this.
> If you restrict it to elementary Objects such as String, Integer, Boolean,
> Float, etc, and Collection classes such as Map and List, I suspect that you
> should not be able to do too much damage. How would you get a reference to
> the application code, anyway, to attack the application assets?
> On 06/08/2013 14:38, Dinis Cruz wrote:
>> Hi, were you aware that XmlDecoder could be used this way:
>> examples at the end)
>> Me and Abe presented that last week at DefCon and the awareness was very
>> I'm also sure that there are other dangerous/exploitable uses of
>> XmlDecoder on other REST or web apis.
>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
>> using the Security manager is one option, but even that will not be
>> safe, since the attacker will be able to attack the application assets.
>> Any other ideas?
>> Dinis Cruz
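An added illustration of the point made in the reply above (example code written for this page, not from the original post, the blog, or Restlet): XMLDecoder resolves the class named in an <object> element against the application's class loader and calls whatever public static method the "method" attribute names, so a payload only needs a static accessor to reach application state. AppSecrets is a hypothetical stand-in for a real singleton such as org.restlet.Response.getCurrent(); the payload XML, the "s3cret" value and the <item> document are constructed for the demo. The second method shows the plain-DOM alternative for an endpoint that only ever expects a fixed <item> document, so that nothing is instantiated from a client-supplied class name.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Added example for this page; not code from the original post or from Restlet.
public class XmlDecoderDemo {

    // Hypothetical application singleton, standing in for a real static
    // accessor such as org.restlet.Response.getCurrent().
    public static final class AppSecrets {
        private static final AppSecrets INSTANCE = new AppSecrets();
        private String dbPassword = "s3cret"; // constructed sample value

        public static AppSecrets getInstance() { return INSTANCE; }
        public String getDbPassword() { return dbPassword; }
        public void setDbPassword(String value) { dbPassword = value; }
    }

    // Vulnerable pattern: the request body is handed straight to XMLDecoder,
    // which instantiates whatever class the document names and invokes the
    // methods it lists.
    static Object decodeUntrusted(String body) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)))) {
            return decoder.readObject();
        }
    }

    // Hardened alternative for an endpoint that only expects <item name="..."/>:
    // a plain DOM parse with DOCTYPE (and therefore external entities) disallowed,
    // followed by an explicit check of the root element. No class is resolved
    // from a name supplied by the client.
    static String parseItemName(String body) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        if (!"item".equals(doc.getDocumentElement().getTagName())) {
            throw new IllegalArgumentException("unexpected root element");
        }
        return doc.getDocumentElement().getAttribute("name");
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: the <object> element names a class and a static
        // factory method; the nested <void> then calls a method on the result.
        // Same shape as the blog's Runtime.getRuntime() example, aimed at
        // application state instead of at starting a process.
        String payload =
                "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n"
              + "  <object class=\"XmlDecoderDemo$AppSecrets\" method=\"getInstance\">\n"
              + "    <void method=\"setDbPassword\"><string>pwned</string></void>\n"
              + "  </object>\n"
              + "</java>";

        System.out.println("before: " + AppSecrets.getInstance().getDbPassword());
        Object returned = decodeUntrusted(payload);
        System.out.println("decoder returned: " + returned.getClass().getName());
        System.out.println("after:  " + AppSecrets.getInstance().getDbPassword());

        // The hardened parser accepts the legitimate document and rejects the payload.
        System.out.println("item name: " + parseItemName("<item name=\"widget\"/>"));
        try {
            parseItemName(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac XmlDecoderDemo.java && java XmlDecoderDemo; the singleton's field changes between the "before" and "after" lines even though the payload never names a JDK class, which is the reason a SecurityManager policy aimed at process creation or file writes does not cover this case.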