lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 9 Sep 2011 01:40:50 -0700
From: s2-security <s2-security@...are.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: CVE-2011-2894: Spring Framework and Spring
 Security serialization-based remoting vulnerabilities

CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities

Severity: Critical

Versions Affected:

Spring Framework:
    3.0.0 to 3.0.5

Spring Security:
    2.0.0 to 2.0.6
    3.0.0 to 3.0.5

Earlier versions may also be affected

Description:

Several issues have been reported which may affect applications which de-serialize objects from an untrusted source such as a remote client. It is possible for a malicious client to inject undesirable behaviour into the server by serializing proxies rather than specific class instances, or by taking advantage of internal AOP interfaces which were being exposed through the remote service, in addition to the service interface.


Example:

It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.

Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.


Mitigation:

Applications which use serialization-based remoting are likely to be vulnerable. In the long-term, we would recommend users migrate away from serialization-based remoting in cases where the client cannot be trusted, as it is a potential source of vulnerabilities in both Spring and non-Spring applications.

All users may mitigate this issue by upgrading to Spring Framework 3.0.6 and Spring Security 3.0.6. Spring Framework users should make use of the additional features introduced to prevent deserialization of malicious proxies. These are described below.

Users of Spring Security 2.0.x may upgrade to 2.0.7


Fix:

RemoteInvocationSerializingExporter (the base class for HttpInvokerServiceExporter) now has an "acceptProxyClasses" flag which should be set to false if using Spring remoting. This will prevent any deserialization of proxies through Spring remoting, thus providing additional protection against future attacks of this kind which may use other serializable classes.

DefaultListableBeanFactory instances can no longer be deserialized other than through a SerializedBeanFactoryReference, which resolves to an existing bean factory instance on the server side. In addition, the serialization ID can be customized, to prevent a client from guessing it, by setting a value for "contextId" in the web.xml file as a context-param and as an init-param for instances of FrameworkServlet (such as Spring's DispatcherServlet).

RemoteExporter now uses an "opaque" proxy to limit exported methods to those of the service interface. This prevent access to interfaces such as org.springframework.aop.framework.Advised.

Spring Security remoting has been changed to prevent the submission of an Authentication instance by a remote client. It now only supports username/password authentication. This removes any possibility of an untrusted Authentication object being created on the server and prevents any of the associated attack vectors.

Credit:

The issue was discovered by Wouter Coekaerts (http://wouter.coekaerts.be/).

History:
2011-09-09: Original advisory

References:
[1] http://www.springsource.com/security/cve-2011-2731
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ