Lead to RCE when unmarshal xml data with XStream #454

Open
idealzh opened this Issue Sep 28, 2018 · 4 comments

idealzh commented Sep 28, 2018

The XstreamEngine unmarshals XML data based on XStream, but it doesn't check the data;
when the data contains malicious types, it may lead to remote code execution.
The Struts2 framework once had the same issue (https://cwiki.apache.org/confluence/display/WW/S2-052).
Use the following code snippet to convert the malicious XML data:

```java
// Route handler showing the reported usage: the raw request body goes straight
// into XStream with no restriction on which types it may instantiate.
POST("/xml", routeContext -> {
    String xmlData = routeContext.getRequest().getBody();
    XstreamEngine engine = new XstreamEngine();
    engine.fromString(xmlData, String.class);
});
```

The malicious XML data is as follows:
payload.txt
The tool marshalsec can help to generate more kinds of payload, including the one above.
To mitigate the vulnerability, since version 1.4.7 XStream provides developers with some APIs (such as addPermission, denyPermission, allowTypes, denyTypes) to restrict the types that can be unmarshalled.
Here we could fix the issue by referring to the patch of Struts2.
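The allow-list approach the issue refers to, as an added example that is not code from this issue or from Pippo: a plain XStream instance configured with the 1.4.7+ permission API so that it starts from "deny everything" and admits only the types the endpoint needs. The Contact class and the two XML inputs are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXstreamExample {

    // Hypothetical request DTO standing in for whatever the route expects.
    public static class Contact {
        public String name;
        public int age;
    }

    // Build an XStream instance that denies all types first, then allows only
    // nulls, primitives and the two classes this endpoint actually accepts.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);             // deny everything
        xstream.addPermission(NullPermission.NULL);               // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Contact.class });
        xstream.alias("contact", Contact.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input: the only shape the endpoint is meant to accept.
        String ok = "<contact><name>alice</name><age>30</age></contact>";
        Contact c = (Contact) xstream.fromXML(ok);
        System.out.println("parsed " + c.name + ", " + c.age);

        // Constructed input naming a type outside the allow-list. An unrestricted
        // XStream would instantiate it; with the permissions above the security
        // mapper refuses the class name before any object is created.
        String rejected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(rejected);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```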

decebals commented Sep 28, 2018

@idealzh
Thanks! I understand the problem. Do you have a solution, or a recommendation for other users that use pippo-xstream? Do you think that we can add protection in Pippo? If yes, please submit a PR.

idealzh commented Sep 29, 2018

@decebals
Hi, decebals!
Please give me some time to get to know the mechanism of Pippo better and implement the protection code; I will submit a PR later.

decebals commented Sep 29, 2018

@idealzh
If you have questions about Pippo, we are here to respond to you.

mhagnumdw commented Sep 30, 2018

This issue may have a point in common with issue #458.
