/
server-dangerous-object-deserialization.yaml
71 lines (71 loc) · 2.44 KB
/
server-dangerous-object-deserialization.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
rules:
- id: server-dangerous-object-deserialization
severity: ERROR
metadata:
cwe:
- 'CWE-502: Deserialization of Untrusted Data'
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
references:
- https://frohoff.github.io/appseccali-marshalling-pickles/
- https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi
- https://youtu.be/t_aw1mDNhzI
- https://github.com/qtc-de/remote-method-guesser
- https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331
category: security
technology:
- rmi
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
message: >-
Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization
vulnerability. This object can be manipulated by a malicious actor allowing them to execute
code on your system. Instead, use an integer ID to look up your object, or consider alternative
serialization schemes such as JSON.
languages:
- java
patterns:
- pattern: |
interface $INTERFACE extends Remote {
$RETURNTYPE $METHOD($PARAMTYPE $PARAM) throws RemoteException;
}
- metavariable-pattern:
metavariable: $PARAMTYPE
# Needed because we unfortunately cannot parse primitive types as
# standalone patterns in Java
language: generic
patterns:
# Not actually a primitive but handled specially in deserialization
# code, so not vulnerable.
- pattern-not: String
- pattern-not: java.lang.String
- pattern-not: boolean
- pattern-not: Boolean
- pattern-not: java.lang.Boolean
- pattern-not: byte
- pattern-not: Byte
- pattern-not: java.lang.Byte
- pattern-not: char
- pattern-not: Character
- pattern-not: java.lang.Character
- pattern-not: double
- pattern-not: Double
- pattern-not: java.lang.Double
- pattern-not: float
- pattern-not: Float
- pattern-not: java.lang.Float
- pattern-not: int
- pattern-not: Integer
- pattern-not: java.lang.Integer
- pattern-not: long
- pattern-not: Long
- pattern-not: java.lang.Long
- pattern-not: short
- pattern-not: Short
- pattern-not: java.lang.Short