You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.
There are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through ObjectInputStream/ObjectOutputStream.
POC
The following calls readObject directly on an ObjectInputStream that is constructed from untrusted data, and is therefore inherently unsafe.
publicMyObject{publicintfield;MyObject(intfield){this.field=field;}}publicMyObjectdeserialize(Socketsock){try(ObjectInputStreamin=newObjectInputStream(sock.getInputStream())){return(MyObject)in.readObject();// BAD: in is from untrusted source}}
Rewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.
publicMyObjectdeserialize(Socketsock){try(DataInputStreamin=newDataInputStream(sock.getInputStream())){returnnewMyObject(in.readInt());// GOOD: read only an int}}
logstash/logstash-core/src/main/java/org/logstash/plugins/AliasRegistry.java
Line 105 in 3115c78
Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.
There are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through
ObjectInputStream/ObjectOutputStream.POC
The following calls
readObjectdirectly on anObjectInputStreamthat is constructed from untrusted data, and is therefore inherently unsafe.Rewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.
References
Deserialization of untrusted data.
AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day, OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization.
Serial Killer: Silently Pwning Your Java Endpoints.
SnakeYaml deserialization.
Hessian deserialization.
Castor and Hessian deserialization.
JYaml deserialization.
JsonIO deserialization.
Java Unmarshaller Security - Turning your data into code execution
On Jackson CVEs: Don’t Panic — Here is what you need to know Jackson 2.10: Safe Default Typing
Jabsorb JSON Serializer.
JoddJson Parser.
Flexjson deserialization.
Android Intent deserialization vulnerabilities with GSON parser: Insecure use of JSON parsers.
Pwning Your Java Messaging With Deserialization Vulnerabilities.
CWE-502.
The text was updated successfully, but these errors were encountered: