Denis Magda created IGNITE-6645:
-----------------------------------

             Summary: Security issues in Ignite that allow users with write 
access to the data grid to execute arbitrary code
                 Key: IGNITE-6645
                 URL: https://issues.apache.org/jira/browse/IGNITE-6645
             Project: Ignite
          Issue Type: Bug
      Security Level: Public (Viewable by anyone)
    Affects Versions: 1.0
            Reporter: Denis Magda
            Assignee: Yakov Zhdanov
            Priority: Critical
             Fix For: 2.4


The vulnerability was reported by an end user:
https://mail-search.apache.org/pmc/private-arch/ignite-private/201710.mbox/%3c7099cd44-92a7-4254-89c5-d8270b5a6...@apache.org%3e

Details shared by the user:
I would like to report some security issues that we found using the query 
language QL from lgtm.com. These are unsafe deserialization issues that allow 
users, possibly remote, who have rights to put entities on the data grid to 
execute arbitrary code on an Ignite server node.

As there are more than one of these issues, I will send them to you in separate 
emails.

The first issue affects the socket streaming server. The PoC code is included 
and is a modification of the `wordcount.socket` example in the examples 
package. 

A bit of set up is needed to see the full effect of code execution, so I will 
not include the details here, but if you want to try it out yourself, then 
please let me know and I can include the full PoC.

First add commons-beanutils to the dependencies; any version will work. Then 
download the file `obj`, which contains the serialized data of a malicious 
object. Change line 44 in `SocketStreamClient` so that it opens this file.

First start a server node using the example config `config/example-ignite.xml`, 
then start up the streaming server `SocketStreamerServer`. Now when you run 
`SocketStreamClient`, you will get an error, but somewhere in the stack trace in 
the log of `SocketStreamerServer`, you will see this:

Caused by: java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
    at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)
    at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
    at java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
    at java.util.PriorityQueue.heapify(PriorityQueue.java:736)
    at java.util.PriorityQueue.readObject(PriorityQueue.java:795)

This shows that the node running the `SocketStreamerServer` is deserializing 
the payload object that I send it.

When properly set up, an attacker will have a remote LDAP server that contains 
a second malicious Java object. Then when the above deserialization happens, an 
LDAP lookup will cause the second malicious object to be instantiated, which 
can then be used to execute arbitrary code. Also, although this exploit relies 
on commons-beanutils being on the classpath, there are other exploits 
that will work for different third-party libraries, so it is not so much a 
problem in commons-beanutils, but an issue in the handling of deserialization 
in Ignite.

These results are from a slightly newer version of the QL library which we 
haven't made available on lgtm yet, but it should be in a few days; if you are 
interested, I can share a link to the query and results with you when it is 
ready. Thanks.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

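The report above shows the chain PriorityQueue.readObject() -> heapify() -> BeanComparator.compare() and concludes that the root problem is Ignite deserializing caller-supplied objects without restriction. The Java program below is an added example, not code from the original report, from Ignite, or from commons-beanutils. It reproduces the shape of the chain with a constructed stand-in comparator (no LDAP, no commons-beanutils) so the side effect during readObject() is visible, and then shows the check a practitioner would want: a look-ahead ObjectInputStream that allowlists class names in resolveClass(), so the comparator class is rejected before any instance exists and compare() never runs. The SideEffectComparator class and the allowlist contents are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example (not Ignite or commons-beanutils code).
 * 1. PriorityQueue.readObject() calls heapify(), which invokes the queue's
 *    Comparator.compare() on attacker-controlled elements during
 *    deserialization. BeanComparator would reflectively call a getter there;
 *    the constructed stand-in below only records that it ran.
 * 2. AllowlistObjectInputStream checks every class descriptor against an
 *    allowlist in resolveClass(), before the class is instantiated.
 */
public class DeserializationDemo {

    /** Constructed stand-in for a gadget comparator: counts compare() calls. */
    static final class SideEffectComparator implements Comparator<Object>, Serializable {
        private static final long serialVersionUID = 1L;
        static final AtomicInteger compareCalls = new AtomicInteger();

        @Override
        public int compare(Object a, Object b) {
            // BeanComparator would do PropertyUtils.getProperty(a, property) here.
            compareCalls.incrementAndGet();
            return 0;
        }
    }

    /** Serializes a PriorityQueue whose comparator runs inside readObject(). */
    static byte[] buildPayload() throws IOException {
        PriorityQueue<Object> queue = new PriorityQueue<>(2, new SideEffectComparator());
        queue.add("first");   // two elements so heapify() has something to compare
        queue.add("second");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(queue);
        }
        return bos.toByteArray();
    }

    /** Plain ObjectInputStream: returns how often compare() ran during readObject(). */
    static int deserializeUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        SideEffectComparator.compareCalls.set(0);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.readObject();
        }
        return SideEffectComparator.compareCalls.get(); // >= 1: code ran before the caller saw the object
    }

    /** Look-ahead stream: rejects any class not on the allowlist before instantiating it. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Returns true if the payload was rejected and the comparator never executed. */
    static boolean deserializeFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        SideEffectComparator.compareCalls.set(0);
        // Hypothetical allowlist for a consumer that only expects strings and boxed numbers.
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "java.lang.String", "java.lang.Integer", "java.lang.Long", "java.lang.Number"));
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(payload), allowed)) {
            ois.readObject();
            return false; // payload was accepted; should not happen here
        } catch (InvalidClassException rejected) {
            // java.util.PriorityQueue is the first descriptor in the stream, so
            // the rejection happens before the comparator is even resolved.
            return SideEffectComparator.compareCalls.get() == 0;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = buildPayload();
        System.out.println("compare() calls during unfiltered readObject(): " + deserializeUnfiltered(payload));
        System.out.println("allowlist rejected payload before compare() ran: " + deserializeFiltered(payload));
    }
}
```

Run it with `java DeserializationDemo.java` (JDK 11+ source-file mode) or compile and run normally. The unfiltered path reports at least one compare() call even though the caller only asked for the object back, which is exactly what the BeanComparator frames in the stack trace above show. On Java 9+ (and 8u121+), the same check is available without a subclass through ObjectInputStream.setObjectInputFilter() with a pattern such as `java.lang.*;!*`, which the JDK consults before class resolution; a network-facing consumer like the socket streamer should apply one or the other to every stream it reads.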