SECURITY: remote code execution due to XML deserialization in Restlet #774

Closed
dfj opened this Issue Aug 8, 2013 · 2 comments


dfj commented Aug 8, 2013

Dinis Cruz has published information on remote code execution due to XML deserialization in Restlet:

http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
https://github.com/o2platform/DefCon_RESTing

I have tested his reproducer and confirmed it works against Restlet 2.0 and 2.2.

Owner

thboileau commented Aug 14, 2013

Hello,
many thanks to David, Dinis, Abe and Alvaro.

It has been decided to remove the default support of XML-serialized JavaBeans using the ObjectRepresentation inside the default converter provided by the framework (NB: binary representations are still supported). This support is activated using a system property (org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED).
In addition, the comment of the ObjectRepresentation class will be updated, in order to specify the classes it leverages, and in order to add a security warning.

Here is the comment added:
It supports binary representations of JavaBeans using the {@link ObjectInputStream} and {@link ObjectOutputStream} classes. In this case, it handles representations having the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT} ("application/x-java-serialized-object").
It also supports textual representations of JavaBeans using the {@link XMLEncoder} and {@link XMLDecoder} classes. In this case, it handles representations having the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT_XML} ("application/x-java-serialized-object+xml").

SECURITY WARNING: The usage of {@link XMLDecoder} when deserializing XML representations from untrusted sources can lead to malicious attacks. As pointed out here, the {@link XMLDecoder} is able to force the JVM to execute unwanted Java code described inside the XML file. Thus, support for such a format has been deactivated by default inside the default converter. You can activate this support by turning on the following system property: org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED.
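The gate described in the comment above, written out as an added stand-alone example (hypothetical code, not Restlet's own converter): the binary media type is accepted, the XML media type is accepted only when the system property named in the thread is turned on, and XMLDecoder is never constructed otherwise. It assumes the property is enabled by setting it to "true" (-D...=true); the XML document in main is a constructed, harmless String bean used only to exercise the path.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.nio.charset.StandardCharsets;

/** Hypothetical stand-in for the converter's object-reading path; not Restlet code. */
public final class GatedObjectReader {
    // Property name taken from the issue thread; a value of "true" is assumed to enable XML support.
    static final String XML_PROP =
        "org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED";
    static final String BINARY_TYPE = "application/x-java-serialized-object";
    static final String XML_TYPE = "application/x-java-serialized-object+xml";

    /** The gate: binary stays accepted (as the thread states), XML only when the property is on. */
    static boolean accepts(String mediaType) {
        if (BINARY_TYPE.equals(mediaType)) return true;
        if (XML_TYPE.equals(mediaType)) return Boolean.getBoolean(XML_PROP);
        return false;
    }

    /** Reads an object only after the gate passes; refused input never reaches a decoder. */
    static Object read(String mediaType, InputStream body) throws IOException, ClassNotFoundException {
        if (!accepts(mediaType)) {
            throw new IOException("refusing to deserialize media type " + mediaType);
        }
        if (XML_TYPE.equals(mediaType)) {
            try (XMLDecoder dec = new XMLDecoder(body)) { return dec.readObject(); }
        }
        try (ObjectInputStream in = new ObjectInputStream(body)) { return in.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, harmless java.beans XML document holding a single String bean.
        byte[] xml = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<java version=\"1.8\" class=\"java.beans.XMLDecoder\"><string>hello</string></java>")
            .getBytes(StandardCharsets.UTF_8);
        try {
            Object o = read(XML_TYPE, new ByteArrayInputStream(xml));
            System.out.println("XML object support is ON; decoded: " + o);
        } catch (IOException e) {
            System.out.println("default behaviour: " + e.getMessage());
        }
    }
}
```

Run it once without the property and once with -Dorg.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED=true to see the two branches.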

@thboileau added a commit that referenced this issue Aug 14, 2013
Fixed issue #774 - Removed default support of JavaBeans XML-serialization. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz. (b85c2ef)

@thboileau added a commit that referenced this issue Aug 14, 2013
Fixed issue #774 - Removed default support of JavaBeans XML-serialization. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz. (552464c)

@thboileau added a commit that referenced this issue Aug 14, 2013
Fixed issue #774 - Removed default support of JavaBeans XML-serialization. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz. (998de12)

@thboileau added a commit that referenced this issue Aug 14, 2013
Fixed issue #774 - Removed default support of JavaBeans XML-serialization. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz. (c3015e4)

dfj commented Aug 15, 2013

Thanks Thierry. Given that this issue has a serious security impact, and a working exploit is publicly available, I think it would be a good idea to release a new minor version of Restlet that includes this patch. Please note that CVE-2013-4221 has been assigned to this issue:

http://www.openwall.com/lists/oss-security/2013/08/08/13

@thboileau added a commit that referenced this issue Aug 22, 2013
Fixed issue #774 - Removed default support of JavaBeans XML-serialization. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz. (12cc79b)

@thboileau added a commit that referenced this issue Sep 6, 2013
Fixed issues #774, #778 - Removed default support of JavaBeans XML-deserialization, binary-deserialization on ObjectRepresentation class. Reported by David Jorm. (ae3ef64)

@thboileau added a commit that referenced this issue Sep 6, 2013
Fixed issues #774, #778 - Removed default support of JavaBeans XML-deserialization, binary-deserialization on ObjectRepresentation class. Reported by David Jorm. (b1b11fe)

thboileau closed this Nov 15, 2013
