[Owasp-leaders] [Java-project] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Dinis Cruz dinis.cruz at owasp.org
Wed Aug 7 00:14:24 UTC 2013


I think that the solution is not to use it at all. The scenarios where this
API can be used safely are very small, and even then, that application's
security would be entirely dependent on the integrity of the XML files used.

What we really need now is Static Analysis rules to quickly identify the
uses of this API and help the developers understand its risk (and ideally
to replace it with a safer API).

It would be good if we also could find a way to fingerprint this issue from
a BlackBox point of view, so that PenTesters could look for it.


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 6 August 2013 20:31, Jim Manico <jim.manico at owasp.org> wrote:

> The Java security manager runtime permissions have no management
> software available and often break functionality that these libraries
> depend on to run. I still think schema validation is in order. I'll dig
> a little deeper into this (from a defense perspective) and get back to
> you on this.
>
> Cheers,
> Jim
>
>
> > Policy file runtime permissions may help in restricting execution of
> rogue code. Most containers have them.
> > Nice work btw
> >
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> You normally want to do structural validation of untrusted XML before
> >> you accept it (using XML schema or the like). Such defenses if
> >> implemented right should protect you from this kind of vulnerability.
> >>
> >> But wow, very interesting work.
> >>
> >> Cheers,
> >> Jim
> >>
> >>
> >>> I wasn't aware that this was possible. Nice work!
> >>>
> >>> I'd be very interested in seeing how a Security Manager can be used to
> >>> sandbox a class like this.
> >>>
> >>> If you restrict it to elementary Objects such as String, Integer,
> >>> Boolean, Float, etc, and Collection classes such as Map and List, I
> >>> suspect that you should not be able to do too much damage. How would you
> >>> get a reference to the application code, anyway, to attack the
> >>> application assets?
> >>>
> >>> Rogan
> >>>
> >>>
> >>> On 06/08/2013 14:38, Dinis Cruz wrote:
> >>>> Hi, were you aware that XmlDecoder could be used this way:
> >>>>
> >>>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
> >>>> (see examples at the end)
> >>>>
> >>>> Me and Abe presented that last week at DefCon and the awareness was
> >>>> very low.
> >>>>
> >>>> I'm also sure that there are other dangerous/exploitable uses of
> >>>> XmlDecoder on other REST or web apis.
> >>>>
> >>>> Finally what about fixing/mitigating this? It looks like Java
> >>>> Sandboxing using the Security manager is one option, but even that
> >>>> will not be safe, since the attacker will be able to attack the
> >>>> application assets.
> >>>>
> >>>> Any other ideas?
> >>>>
> >>>> Dinis Cruz
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> OWASP-Leaders mailing list
> >>>> OWASP-Leaders at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>
>
> _______________________________________________
> Java-project mailing list
> Java-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/java-project
>
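The static-analysis rule asked for above, as an added example that is not part of the original thread: a small scanner that flags every `XMLDecoder` construction in Java source and rates each by whether its input looks client-supplied (request/entity stream) or packaged with the application. The Java source it scans is constructed for the demo, and the "untrusted" keyword list is a heuristic, not a taint analysis.

```python
import re
from typing import List

# Constructed Java source for the demo (not from the thread): one XMLDecoder fed
# from a Restlet request entity, one fed from a file packaged with the application.
SAMPLE_JAVA = """\
package demo;
import java.beans.XMLDecoder;
import org.restlet.resource.ServerResource;

public class ConfigResource extends ServerResource {
    public Object fromRequest(Representation entity) throws Exception {
        XMLDecoder d = new XMLDecoder(entity.getStream());
        return d.readObject();
    }
    public Object fromBundledFile() throws Exception {
        return new XMLDecoder(getClass().getResourceAsStream("/defaults.xml")).readObject();
    }
}
"""

IMPORT_RE = re.compile(r"^\s*import\s+java\.beans\.XMLDecoder\s*;", re.M)
NEW_RE = re.compile(r"new\s+(?:java\.beans\.)?XMLDecoder\s*\(")
# Argument text that usually means the XML came from a client, not a packaged file (heuristic).
UNTRUSTED_HINTS = ("request", "entity", "getStream", "getInputStream", "getReader", "body")

def balanced_argument(src: str, open_paren: int) -> str:
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i].strip()
    return src[open_paren + 1:].strip()  # unbalanced source: report the rest

def scan_java_source(src: str, path: str = "<memory>") -> List[dict]:
    """Report every XMLDecoder construction and rate it by where its input comes from."""
    findings: List[dict] = []
    # Without the import, only a fully-qualified name can refer to java.beans.XMLDecoder.
    if not IMPORT_RE.search(src) and "java.beans.XMLDecoder" not in src:
        return findings
    for m in NEW_RE.finditer(src):
        arg = balanced_argument(src, m.end() - 1)
        severity = "high" if any(h in arg for h in UNTRUSTED_HINTS) else "review"
        findings.append({"path": path, "line": src.count("\n", 0, m.start()) + 1,
                         "argument": arg, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in scan_java_source(SAMPLE_JAVA, "ConfigResource.java"):
        print(f"{f['path']}:{f['line']} [{f['severity']}] new XMLDecoder({f['argument']})")
```

Even the "review" finding deserves a look, since, as noted above, a decoder fed from a packaged file is only as safe as the integrity of that file.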