From: James Carman
Date: Sun, 08 Nov 2015 19:17:04 +0000
To: Commons Developers List <dev@commons.apache.org>
Subject: Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
In-Reply-To: <563F9F7B.8060400@apache.org>
References: <20151106222553.00002c57.ecki@zusammenkunft.net> <563D3E10.9010906@gmail.com> <20151107042531.00007385.ecki@zusammenkunft.net> <563DCED8.5030302@gmail.com> <563DD02D.1040501@apache.org> <563F2188.3090905@gmail.com> <563F40D3.5060503@apache.org> <563F585C.6000600@gmail.com> <563F988F.8070003@apache.org> <563F9E27.6060604@gmail.com> <563F9F7B.8060400@apache.org>

Yes, I guess it should be prevented. Duh!

On Sun, Nov 8, 2015 at 2:16 PM Mark Thomas wrote:
> On 08/11/2015 19:13, James Carman wrote:
> > If they can execute Runtime.exec then they can execute System.setProperty
>
> Yes. But the point you seem to be missing is that if the system
> property is set such that this attack is blocked, they can't use the
> attack to change the system property and unblock it.
>
> Mark
>
> > On Sun, Nov 8, 2015 at 2:11 PM James Carman wrote:
> >
> >> System.setProperty()
> >>
> >> On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <thomas.neidhart@gmail.com> wrote:
> >>
> >>> On 11/08/2015 07:51 PM, James Carman wrote:
> >>>> Couldn't they use the same attack vector to set a system property also? I
> >>>> do believe that would be possible
> >>>
> >>> for this you need a way to execute code via a de-serialized class.
> >>> Right now, the simplest way to do so is via the InvokerTransformer.
> >>>
> >>> There are surely other ways to do so, but if the only available way is
> >>> blocked (i.e. InvokerTransformer can not be deserialized), a remote
> >>> attacker cannot set a system property via this attack vector.
> >>>
> >>> btw. setting a system property can also be restricted by a
> >>> SecurityManager.
> >>>
> >>> I am -1 on a programmatic interface, and for the 4.X branch I propose to
> >>> remove the serialization support completely.
> >>>
> >>> Thomas
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >>> For additional commands, e-mail: dev-help@commons.apache.org
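The thread's argument is that the gate has to close before any deserialized code runs: if InvokerTransformer cannot be deserialized at all, the payload never reaches Runtime.exec or System.setProperty, so it cannot flip the switch that blocked it. The following is an added example, not Commons Collections code and not the library's own fix, showing the consumer-side form of that idea for Java 8: an ObjectInputStream whose resolveClass() rejects the class before the JVM allocates an instance or invokes its readObject(). The package names on the deny list and the FakeGadget stand-in (used so the demo runs without commons-collections on the classpath) are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Commons Collections code): a look-ahead ObjectInputStream
 * that refuses to resolve gadget-bearing classes. The check happens in
 * resolveClass(), i.e. before the object is allocated and before its
 * readObject() runs, so a rejected payload executes nothing at all.
 */
public final class LookAheadDeserializer {

    /** Assumed deny list: the functor named in the thread, in both package lines. */
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
            "org.apache.commons.collections.functors.InvokerTransformer",
            "org.apache.commons.collections4.functors.InvokerTransformer",
            // Hypothetical stand-in so the demo can show a rejection offline.
            "LookAheadDeserializer$FakeGadget"));

    /** Assumed allow list: package prefixes this application expects in its streams. */
    private static final Set<String> ALLOWED_PREFIXES = new HashSet<>(Arrays.asList(
            "java.lang.", "java.util."));

    static final class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (DENIED.contains(name)) {
                throw new InvalidClassException(name, "denied by deserialization filter");
            }
            for (String prefix : ALLOWED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return super.resolveClass(desc);
                }
            }
            throw new InvalidClassException(name, "not on deserialization allow list");
        }
    }

    /** Hypothetical gadget stand-in: its readObject() would run attacker-chosen logic. */
    static final class FakeGadget implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Mark's point: this line is unreachable once the class is filtered out.
            System.setProperty("demo.unblocked", "true");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: java.util.HashMap with java.lang.Integer values passes.
        Map<String, Integer> benign = new HashMap<>();
        benign.put("answer", 42);
        System.out.println("benign: " + deserializeFiltered(serialize(benign)));

        // Constructed hostile input: the stand-in gadget is rejected in resolveClass().
        try {
            deserializeFiltered(serialize(new FakeGadget()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Still null: the filtered readObject() never ran, so the property was never set.
        System.out.println("demo.unblocked=" + System.getProperty("demo.unblocked"));
    }
}
```

The deny list alone reproduces what the thread proposes (InvokerTransformer cannot be deserialized); the allow-list fallback is the stricter posture a consumer can afford when it knows which classes it expects, and it also covers gadgets the deny list has not heard of. On Java 9 and later the same policy can be expressed without subclassing, via ObjectInputFilter and ObjectInputStream.setObjectInputFilter (JEP 290), which evaluates before allocation in the same way.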