[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Dinis Cruz dinis.cruz at owasp.org
Wed Aug 7 00:08:48 UTC 2013


I don't think that in this case it is realistic to create a valid XML
validation schema, since the XMLDecoder is designed to create objects from
quite a feature-rich XML Schema (btw I think the schema is this one
http://www.javarants.com/schemas/javabeans.dtd , but can't be sure since
the correct link from the bottom of
http://www.oracle.com/technetwork/java/persistence3-139471.html is broken).

I.e. if you look at how it is supposed to be used, it is part of its design
that objects will be created and methods will be invoked.

In a way, you would need to implement an XML parser to parse or transform
the incoming XML based on a number of rules (ideally white listing), and
take into account the type of objects that should be created (and by then
you might as well use an XML parser that behaves safely).

Note that
http://docs.oracle.com/javase/7/docs/api/java/beans/XMLDecoder.html#readObject()
returns an Object, so by design this API doesn't know which object it is
supposed to create.

Dinis


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 6 August 2013 19:39, Jim Manico <jim.manico at owasp.org> wrote:

> You normally want to do structural validation of untrusted XML before
> you accept it (using XML schema or the like). Such defenses if
> implemented right should protect you from this kind of vulnerability.
>
> But wow, very interesting work.
>
> Cheers,
> Jim
>
>
> > I wasn't aware that this was possible. Nice work!
> >
> > I'd be very interested in seeing how a Security Manager can be used to
> > sandbox a class like this.
> >
> > If you restrict it to elementary Objects such as String, Integer,
> > Boolean, Float, etc, and Collection classes such as Map and List, I
> > suspect that you should not be able to do too much damage. How would you
> > get a reference to the application code, anyway, to attack the
> > application assets?
> >
> > Rogan
> >
> >
> > On 06/08/2013 14:38, Dinis Cruz wrote:
> >> Hi, were you aware that XmlDecoder could be used this way:
> >>
> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
> >> (see
> >> examples at the end)
> >>
> >> Abe and I presented that last week at DefCon and the awareness was very
> >> low.
> >>
> >> I'm also sure that there are other dangerous/exploitable uses of
> >> XmlDecoder on other REST or web apis.
> >>
> >> Finally what about fixing/mitigating this? It looks like Java Sandboxing
> >> using the Security manager is one option, but even that will not be
> >> safe, since the attacker will be able to attack the application assets.
> >>
> >> Any other ideas?
> >>
> >> Dinis Cruz
> >>
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >
>
>
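The point made at the top of the thread, that a schema cannot help because XMLDecoder is built to instantiate classes and invoke methods and that readObject() hands back a bare Object, suggests the shape of the whitelisting transform Dinis sketches. The following is an added example, not code from this thread, from Restlet or from the JDK: a deny-by-default pre-filter that parses the incoming bytes with a hardened DOM parser and rejects any element, class, method or attribute outside a small allowlist, and only then passes the same bytes to XMLDecoder and checks the returned type. The allowlists, the class name XmlDecoderAllowlist and the two constructed sample documents (one benign map, one of the ProcessBuilder shape the blog post describes) are assumptions made for the illustration.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Added example (assumed names and allowlists): a whitelisting pre-filter in front of XMLDecoder.
public class XmlDecoderAllowlist {

    // XMLDecoder element names we are willing to accept; everything else (<array>, <class>, ...) is rejected.
    private static final Set<String> ALLOWED_ELEMENTS = new HashSet<>(Arrays.asList(
            "java", "object", "void", "string", "int", "long", "boolean", "double", "null"));
    // Classes that may appear in a class="..." attribute: plain value types and two collections.
    private static final Set<String> ALLOWED_CLASSES = new HashSet<>(Arrays.asList(
            "java.lang.String", "java.lang.Integer", "java.lang.Long", "java.lang.Boolean",
            "java.lang.Double", "java.util.ArrayList", "java.util.HashMap"));
    // Methods that may appear in a method="..." attribute: only what is needed to fill the collections.
    private static final Set<String> ALLOWED_METHODS = new HashSet<>(Arrays.asList("add", "put"));
    // Attributes that reach other XMLDecoder features (setters, fields, object references, arrays).
    private static final String[] FORBIDDEN_ATTRS = {"property", "field", "id", "idref", "index", "length"};

    /** Parses the bytes with a hardened DOM parser and throws if anything is outside the allowlist. */
    static void checkAllowed(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Element root = doc.getDocumentElement();
        if (!"java".equals(root.getTagName())) throw new IllegalArgumentException("root must be <java>");
        walk(root, true);
    }

    private static void walk(Element e, boolean isRoot) {
        String name = e.getTagName();
        if (!ALLOWED_ELEMENTS.contains(name))
            throw new IllegalArgumentException("element not allowed: <" + name + ">");
        String cls = e.getAttribute("class");
        // XMLEncoder writes class="java.beans.XMLDecoder" on the root element; any other class must be listed.
        if (!cls.isEmpty() && !(isRoot && "java.beans.XMLDecoder".equals(cls)) && !ALLOWED_CLASSES.contains(cls))
            throw new IllegalArgumentException("class not allowed: " + cls);
        String method = e.getAttribute("method");
        if (!method.isEmpty() && !ALLOWED_METHODS.contains(method))
            throw new IllegalArgumentException("method not allowed: " + method);
        for (String attr : FORBIDDEN_ATTRS)
            if (e.hasAttribute(attr)) throw new IllegalArgumentException("attribute not allowed: " + attr);
        NodeList kids = e.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++)
            if (kids.item(i).getNodeType() == Node.ELEMENT_NODE) walk((Element) kids.item(i), false);
    }

    /** Runs XMLDecoder only after the filter passes; readObject() returns Object, so the type is checked too. */
    static Map<?, ?> decodeMap(byte[] xml) throws Exception {
        checkAllowed(xml);
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) {
            Object o = d.readObject();
            if (!(o instanceof Map))
                throw new IllegalArgumentException("expected a Map, got " + o.getClass().getName());
            return (Map<?, ?>) o;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: what a legitimate client might send (a String -> String map).
        byte[] benign = ("<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n"
                + " <object class=\"java.util.HashMap\">\n"
                + "  <void method=\"put\"><string>name</string><string>alice</string></void>\n"
                + " </object>\n</java>").getBytes(StandardCharsets.UTF_8);
        // Constructed sample of the shape the blog post describes: an <object> whose class is not a value
        // type and whose method invocation would run server-side code. It must never reach XMLDecoder.
        byte[] hostile = ("<java>\n <object class=\"java.lang.ProcessBuilder\">\n"
                + "  <array class=\"java.lang.String\" length=\"1\"><void index=\"0\"><string>id</string></void></array>\n"
                + "  <void method=\"start\"/>\n </object>\n</java>").getBytes(StandardCharsets.UTF_8);

        System.out.println("benign -> " + decodeMap(benign));
        try {
            decodeMap(hostile);
        } catch (IllegalArgumentException ex) {
            System.out.println("hostile rejected: " + ex.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the filter and XMLDecoder are two different parsers reading the same bytes, and any place they disagree (entity handling, encoding declarations, namespace prefixes) is a potential bypass, which is exactly why the message above concludes that you might as well parse the document yourself with a safe parser and build the value types directly. Second, the filter has to be deny-by-default because every XMLDecoder feature it does not explicitly reject (static factory calls via method="..." on an <object>, property setters, id/idref object references, <class> elements) is a route back to arbitrary code; that is also why a Security Manager is of limited help, since the classes it would need to allow are the application's own.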