On 11/06/2015 10:25 PM, Bernd Eckenfels wrote:
> Hello,
> 
> I came across this article:
> 
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> 
> It describes attacks against common Java applications with
> pre-authentication requests using malicious Java Object serialisation.
> It builds upon the work of Gabriel Lawrence (@gebl) and Chris Frohoff
> (@frohoff) (presented on January 28th, 2015, “Marshalling Pickles”
> given at AppSecCali)
> 
> http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
> 
> The ysoserial tool has some sample payloads; two use the
> commons-collections class oac.collections.functors.InvokerTransformer.
> 
> https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
> 
> The class itself is rather handy to break out of the readObject()
> chains to execute arbitrary methods.
> 
> I don't recall any discussion here about this
> class. Is this currently handled/reported? Of course the more general
> problem is using serialisation with untrusted peers, and if
> commons-collections fixes this, there might still be other vectors, but
> still I think it would be good to do something against that "bad press"?

I was not aware of this yet, thanks for the pointers.

If we removed the problematic classes and released a new collections
version (for the 3.x or 4.x branch), we would break source and binary
compatibility.

It might be acceptable/doable to release a collections version with an
additional maven classifier (e.g. -hardened) that removes the relevant
classes and explain the compatibility issues in detail in the release
notes. What do others think about something like that?

Btw., with Java 8 you can do similar things by using serialized method
references. I created a very simple example to illustrate the issue:

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Imports assume commons-collections 4.x (the varargs ChainedTransformer
// constructor used below); for 3.x the package is org.apache.commons.collections
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.list.TransformedList;

public class MyTest {

    public static void main(String[] args) throws Exception {
        // Serializable method references: the intersection cast makes the
        // generated lambda objects implement Serializable
        final SAM1 m1 = (SAM1 & Serializable) Runtime::getRuntime;
        final SAM2 m2 = (SAM2 & Serializable) Runtime::exec;

        // t1 ignores its input and returns the Runtime; t2 runs "ls" on it
        Transformer t1 = (Transformer & Serializable) (input) -> m1.action();
        Transformer t2 = (Transformer & Serializable) (input) -> {
            try {
                Process p = m2.action((Runtime) input, "ls");

                String line;
                StringBuilder output = new StringBuilder();
                BufferedReader reader = new BufferedReader(
                        new InputStreamReader(p.getInputStream()));
                while ((line = reader.readLine()) != null) {
                    output.append(line);
                    output.append("\n");
                }
                reader.close();
                return output.toString();
            } catch (IOException e) {
                return null;
            }
        };

        // Every element added to the list is passed through t1, then t2
        ChainedTransformer chain = new ChainedTransformer(t1, t2);
        TransformedList list = TransformedList.transformedList(new ArrayList(), chain);

        FileOutputStream fos = new FileOutputStream("test.ser");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        os.writeObject(list);
        os.close();

        // Deserialization restores the lambdas through MyTest.$deserializeLambda$,
        // so MyTest has to be on the classpath of the reading side
        FileInputStream fis = new FileInputStream("test.ser");
        ObjectInputStream ois = new ObjectInputStream(fis);

        List l2 = (List) ois.readObject();

        // The add triggers the chain: "ls" runs and its output becomes the element
        l2.add(1);

        // Print the result
        System.out.println(l2);
        ois.close();
    }

    interface SAM1 {
        Runtime action();
    }

    interface SAM2 {
        Process action(Runtime r, String s) throws IOException;
    }

}


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org