From: James Carman
Date: Sun, 08 Nov 2015 19:11:53 +0000
To: Commons Developers List <dev@commons.apache.org>
Subject: Re: [collection][security] InvokerTransformer misused in java object serialisation exploits
In-Reply-To: <563F9E27.6060604@gmail.com>
References: <20151106222553.00002c57.ecki@zusammenkunft.net> <563D3E10.9010906@gmail.com> <20151107042531.00007385.ecki@zusammenkunft.net> <563DCED8.5030302@gmail.com> <563DD02D.1040501@apache.org> <563F2188.3090905@gmail.com> <563F40D3.5060503@apache.org> <563F585C.6000600@gmail.com> <563F988F.8070003@apache.org> <563F9E27.6060604@gmail.com>

System.setProperty()

On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart wrote:
> On 11/08/2015 07:51 PM, James Carman wrote:
> > Couldn't they use the same attack vector to set a system property also? I
> > do believe that would be possible
>
> For this you need a way to execute code via a de-serialized class.
> Right now, the simplest way to do so is via the InvokerTransformer.
>
> There are surely other ways to do so, but if the only available way is
> blocked (i.e. InvokerTransformer can not be deserialized), a remote
> attacker cannot set a system property via this attack vector.
>
> BTW, setting a system property can also be restricted by a SecurityManager.
>
> I am -1 on a programmatic interface, and for the 4.X branch I propose to
> remove the serialization support completely.
>
> Thomas
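The thread turns on one property: if InvokerTransformer (and the other functors chained with it) can not be deserialized, the gadget never runs, so nothing downstream of it, System.setProperty() included, is reachable through this vector. The example below is an added illustration of the consumer-side form of that check and is not code from the thread or from Commons Collections. It overrides ObjectInputStream.resolveClass(), which the JDK calls for each class descriptor before the object is instantiated, so a rejection there happens before any readObject() or readResolve() of the denied class executes. The class DenyListObjectInputStream, the helper readFiltered(), and the StandInGadget class (a constructed stand-in, used only because the real functor classes are not assumed to be on the classpath) are all assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Commons Collections code: an ObjectInputStream that refuses
 * to resolve classes on a deny list. resolveClass() runs before the JDK
 * instantiates the object, so a denied class never reaches readObject().
 */
public class DenyListObjectInputStream extends ObjectInputStream {

    /** Packages holding InvokerTransformer and the other functors chained in the exploit. */
    public static final List<String> COMMONS_FUNCTOR_PREFIXES = Arrays.asList(
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors.");

    private final List<String> deniedPrefixes;

    public DenyListObjectInputStream(InputStream in, List<String> deniedPrefixes) throws IOException {
        super(in);
        this.deniedPrefixes = new ArrayList<>(deniedPrefixes);
    }

    /** Called for every class descriptor in the stream; throwing here aborts the read early. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : deniedPrefixes) {
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(name, "deserialization of this class is blocked");
            }
        }
        return super.resolveClass(desc);
    }

    /** Deserialize untrusted bytes under the given deny list (hypothetical helper name). */
    public static Object readFiltered(byte[] bytes, List<String> deniedPrefixes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new DenyListObjectInputStream(new ByteArrayInputStream(bytes), deniedPrefixes)) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Constructed stand-in for a gadget class; records whether its readObject() ever ran. */
    static final class StandInGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean readObjectRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // in a real gadget, attacker-chosen behaviour would start here
        }
    }

    public static void main(String[] args) throws Exception {
        // A benign payload passes the Commons deny list unchanged.
        byte[] benign = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("benign payload: " + readFiltered(benign, COMMONS_FUNCTOR_PREFIXES));

        // Deny the stand-in as well and confirm its readObject() never executes.
        List<String> denyList = new ArrayList<>(COMMONS_FUNCTOR_PREFIXES);
        denyList.add(StandInGadget.class.getName());
        byte[] gadget = serialize(new StandInGadget());
        try {
            readFiltered(gadget, denyList);
            System.out.println("stand-in gadget was NOT blocked");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage()
                    + "; readObject ran = " + StandInGadget.readObjectRan);
        }
    }
}
```

A deny list of this kind blocks only the chain named in the thread; as Thomas notes, other ways to execute code from a deserialized class exist, so an allowlist of the classes an endpoint actually expects is the sturdier control. On Java 9 and later (and 8u121 and later) the same hook is available without subclassing through java.io.ObjectInputFilter and ObjectInputStream.setObjectInputFilter(), which also lets you cap stream depth and array sizes.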