[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
dinis.cruz at owasp.org
Wed Aug 7 00:09:54 UTC 2013
Yes but as far I am aware, most of the time the Security Manager is
disabled (that was the status quo a couple years ago, and I don't think
much has changed)
On 6 August 2013 20:25, Owasp <eoin.keary at owasp.org> wrote:
> Policy file runtime permissions may help in restricting execution of rogue
> code. Most containers have them.
> Nice work btw
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
> > You normally want to do structural validation of untrusted XML before
> > you accept it (using XML schema or the like). Such defenses if
> > implemented right should protect you from this kind of vulnerability.
> > But wow, very interesting work.
> > Cheers,
> > Jim
> >> I wasn't aware that this was possible. Nice work!
> >> I'd be very interested in seeing how a Security Manager can be used to
> >> sandbox a class like this.
> >> If you restrict it to elementary Objects such as String, Integer,
> >> Boolean, Float, etc, and Collection classes such as Map and List, I
> >> suspect that you should not be able to do too much damage. How would you
> >> get a reference to the application code, anyway, to attack the
> >> application assets?
> >> Rogan
> >> On 06/08/2013 14:38, Dinis Cruz wrote:
> >>> Hi, where you aware that XmlDecoder could be used this way:
> >>> (see
> >>> examples at the end)
> >>> Me and Abe presented that last week at DefCon and the awareness was
> >>> low.
> >>> I'm also sure that there are other dangerous/exploitable uses of
> >>> XmlDecoder on other REST or web apis.
> >>> Finally what about fixing/mitigating this? It looks like Java
> >>> using the Security manager is one option, but even that will not be
> >>> safe, since the attacker will be able to attack the application assets.
> >>> Any other ideas?
> >>> Dinis Cruz
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders