[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Dinis Cruz dinis.cruz at owasp.org
Wed Aug 7 00:09:54 UTC 2013


Yes, but as far as I am aware, most of the time the Security Manager is
disabled (that was the status quo a couple of years ago, and I don't think
much has changed).


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 6 August 2013 20:25, Owasp <eoin.keary at owasp.org> wrote:

> Policy file runtime permissions may help in restricting execution of rogue
> code. Most containers have them.
> Nice work, by the way.
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
>
> > You normally want to do structural validation of untrusted XML before
> > you accept it (using XML schema or the like). Such defenses, if
> > implemented right, should protect you from this kind of vulnerability.
> >
> > But wow, very interesting work.
> >
> > Cheers,
> > Jim
> >
> >
> >> I wasn't aware that this was possible. Nice work!
> >>
> >> I'd be very interested in seeing how a Security Manager can be used to
> >> sandbox a class like this.
> >>
> >> If you restrict it to elementary Objects such as String, Integer,
> >> Boolean, Float, etc, and Collection classes such as Map and List, I
> >> suspect that you should not be able to do too much damage. How would you
> >> get a reference to the application code, anyway, to attack the
> >> application assets?
> >>
> >> Rogan
> >>
> >>
> >> On 06/08/2013 14:38, Dinis Cruz wrote:
> >>> Hi, were you aware that XMLDecoder could be used this way:
> >>>
> >>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
> >>> (see examples at the end)
> >>>
> >>> Abe and I presented that last week at DefCon, and the awareness was
> >>> very low.
> >>>
> >>> I'm also sure that there are other dangerous/exploitable uses of
> >>> XmlDecoder on other REST or web apis.
> >>>
> >>> Finally, what about fixing/mitigating this? It looks like Java sandboxing
> >>> using the Security Manager is one option, but even that will not be
> >>> safe, since the attacker will be able to attack the application assets.
> >>>
> >>> Any other ideas?
> >>>
> >>> Dinis Cruz
> >>>
> >>>
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
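As an added illustration of the exposure this thread is about, here is the "untrusted XML straight into XMLDecoder" pattern next to the allow-list pre-check that Rogan's reply sketches (decode only value types and plain collections). This is example code written for this page; it is not Dinis's Restlet finding, not Restlet's code and not from the blog post. The two sample documents, the allow-list contents and the class and method names (XmlDecoderGuard, decodeUnchecked, decodeChecked, checkAgainstAllowList) are constructed for the demonstration. It needs only the JDK (Java 9 or later, for Set.of).

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Vulnerable XMLDecoder use beside a deny-by-default allow-list pre-scan (example code for this page). */
public class XmlDecoderGuard {

    // Classes the decoder may instantiate (assumption: what a simple key/value API needs).
    private static final Set<String> ALLOWED_CLASSES = Set.of(
        "java.beans.XMLDecoder",            // value of the class attribute on the <java> root element
        "java.lang.String", "java.lang.Integer", "java.lang.Boolean", "java.lang.Float",
        "java.util.HashMap", "java.util.ArrayList");

    // Methods the decoder may invoke through <void method="...">: enough to fill a Map or a List.
    private static final Set<String> ALLOWED_METHODS = Set.of("put", "add");

    // Elements of the XMLDecoder grammar we accept; <array>, <class>, <new> and friends are rejected.
    private static final Set<String> ALLOWED_ELEMENTS = Set.of(
        "java", "object", "void", "string", "int", "boolean", "float", "null");

    /** VULNERABLE: attacker-controlled XML handed directly to XMLDecoder. readObject() runs the payload. */
    static Object decodeUnchecked(String xml) {
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
            return d.readObject();
        }
    }

    /** Stream the document once and throw before XMLDecoder ever sees a disallowed construct. */
    static void checkAgainstAllowList(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // The pre-check must not become an XXE vector itself: no DTDs, no external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        while (r.hasNext()) {
            if (r.next() != XMLStreamConstants.START_ELEMENT) continue;
            String el = r.getLocalName();
            if (!ALLOWED_ELEMENTS.contains(el)) throw new SecurityException("element not allowed: <" + el + ">");
            for (int i = 0; i < r.getAttributeCount(); i++) {
                String name = r.getAttributeLocalName(i);
                String value = r.getAttributeValue(i);
                switch (name) {
                    case "class":
                        if (!ALLOWED_CLASSES.contains(value)) throw new SecurityException("class not allowed: " + value);
                        break;
                    case "method":
                        if (!ALLOWED_METHODS.contains(value)) throw new SecurityException("method not allowed: " + value);
                        break;
                    case "version":   // bookkeeping on the <java> root element
                        break;
                    default:          // property, field, index, id, idref: all refused
                        throw new SecurityException("attribute not allowed: " + name);
                }
            }
        }
        r.close();
    }

    /** HARDENED: identical decoding, reachable only once the allow-list scan has passed. */
    static Object decodeChecked(String xml) throws XMLStreamException {
        checkAgainstAllowList(xml);
        return decodeUnchecked(xml);
    }

    // Constructed sample documents (not taken from the thread).
    static final String BENIGN = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n"
        + " <object class=\"java.util.HashMap\">\n"
        + "  <void method=\"put\"><string>user</string><string>alice</string></void>\n"
        + " </object>\n</java>";

    // Constructor call plus a method call: ProcessBuilder(String[]).start() executes during readObject().
    static final String MALICIOUS = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n"
        + " <object class=\"java.lang.ProcessBuilder\">\n"
        + "  <array class=\"java.lang.String\" length=\"2\">\n"
        + "   <void index=\"0\"><string>echo</string></void>\n"
        + "   <void index=\"1\"><string>decoded-and-executed</string></void>\n"
        + "  </array>\n"
        + "  <void method=\"start\"/>\n"
        + " </object>\n</java>";

    public static void main(String[] args) throws Exception {
        System.out.println("checked benign  : " + decodeChecked(BENIGN));
        try {
            decodeChecked(MALICIOUS);
        } catch (SecurityException e) {
            System.out.println("checked payload : rejected, " + e.getMessage());
        }
        // decodeUnchecked(MALICIOUS) would spawn the process: that is the exposure the thread describes.
    }
}
```

Running it decodes the benign map and rejects the ProcessBuilder document at its first `class` attribute, before XMLDecoder is constructed; swapping in decodeUnchecked for the second document runs `echo` as a side effect of readObject(). The scan is deny-by-default over the XMLDecoder grammar (unknown elements and any attribute other than class, method and version are refused), which is what keeps reflection chains through property, field or idref out. It is defence in depth in the sense of Jim's structural-validation point, not a replacement for the simpler fix of never giving XMLDecoder attacker-controlled input, and it does not depend on the Security Manager, which, as Dinis notes above, is usually not enabled.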