irsl/jackson-rce-via-spel

Stars
121
Rank 293,924 (Top 6 %)
Language
Java
Created almost 7 years ago
Updated almost 7 years ago

irsl/jackson-rce-via-spel

irsl

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

An example project that exploits the default typing issue in Jackson-databind via Spring application contexts and expressions

jackson-rce-via-spel

An example project that exploits the default typing issue in Jackson-databind (https://github.com/FasterXML/jackson-databind) via Spring application contexts and expressions

Context

The Jackson-databind project has a feature called default-typing (not enabled by default). When the target class has some polymorph fields inside (such as interfaces, abstract classes or the Object base class), the library can include type info into the JSON structure and use that info at unmarshalling. This can be dangerous when the input is controlled by an attacker and the target class contains a field of type Object or something general (like Comparable).

How likely is this? I'm naive, so I hope Java developers don't degrade a type-safe language to the level of an interpreted type-unsafe language by (ab)using Objects as base classes... But I wouldn't be surprised if one day some huge enterprise software would be exploited one day via this vulnerability.

After the original discoveries (CVE-2017-7525) had been reported, the author patched this attack surface with a blacklist, which was incomplete (as by nature of blacklists). This proof-of-concept project is a follow-up to demonstrate one more way of exploitation; by abusing Spring classes via Jackson, this could lead to remote code execution. Note: FileSystemXmlApplicationContext is happy to fetch the specified Spring context from anywhere, even from remote location via http.

MITRE assigned CVE-2017-17485 to this vulnerability.

Affected versions

The following ones (inclusive) and older: 2.9.3, 2.7.9.1, 2.8.10

Mitigation

The fixed versions 2.7.9.2, 2.8.11 and 2.9.3.1 (which is to be released at time of writing these lines) expanded the blacklist once again so that Spring application contexts cannot be instantiated anymore.

The new major version (3.x) of Jackson-databind will address this topic via a new API layer that provides a way to achieve whitelisting-based serialization for these polymorph classes.

References

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

gcp-dhcp-takeover-code-exec

Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent

curlshell

reverse shell using curl

ADB-Backup-APK-Injection

Android ADB backup APK Injection POC

dfwfw

Docker Firewall Framework

CVE-2020-1313

Proof of concept exploit of Windows Update Orchestrator Service Elevation of Privilege Vulnerability

Huawei-Hisuite-KobackupCipherTool

Tool to encrypt/decrypt backup packages created by Huawei Hisuite.

CVE-2020-0728

Proof of Concept code for CVE-2020-0728

apache-openoffice-rce-via-uno-links

php-bypass-disable-functions

Demo project how to bypass the disable_functions security control of PHP on Linux

microsoft-diagcab-rce-poc

Proof of concept about a path traversal vulnerability in Microsoft's Diagcab technology that could lead to remote code execution

CVE-2020-1967

Proof of concept exploit about OpenSSL signature_algorithms_cert DoS flaw (CVE-2020-1967)

lgosp-poc

LG On Screen Phone authentication bypass PoC (CVE-2014-8757)

struts-any-results

Demonstrating why Dynamic Method Invocation with unrestricted method names (the old default of Struts) is dangerous.

golang-insecureskipverify-patch

Simple patcher tool to turn off TLS handshake validation in golang binaries

google-osconfig-privesc

Proof of concept about the privilege escalation flaw identified in Google's Osconfig

CVE-2022-20128

Android Debug Bridge (adb) was vulnerable to directory traversal attacks that could have been mounted by rogue/compromised adb daemons during an adb pull operation.

microsoft-diaghub-case-sensitivity-eop-cve

Proof of concept code about the Microsoft Diaghub case sensitivity Elevation of Privileges vulnerability

tcp-http-proxy

A potential solution for OpenWRT + Mitmproxy

gnu-patch-vulnerabilities

The GNU patch utility was prone vulnerable to multiple attacks through version 2.7.6. You can find my related PoC files here.

mysql-load-data-local-abuse

Abusing MySQL's LOAD DATA LOCAL feature

golang-http2debug-onthefly

Tool to activate http2debug feature of golang on the fly.

go-reproto

An experimental tool to reconstruct proto definitions based on golang binaries

cloud-sql-auth-proxy-iam-mitm

PoC tool to demonstrate an MitM attack against Google's Cloud SQL authentication proxy product.

pcap-proxy

A simple userland TCP proxy application that captures the network flow into a .pcap file

CVE-2022-3168-adb-unexpected-reverse-forwards

Proof of concept code to exploit flaw in adb that allowed opening network connections on the host to arbitrary destinations

icedtea-web-vulnerabilities

Hosting proof of concept exploit code of the remote code execution vulnerabilities in the IcedTea-Web Java webstart implementation.

postgres-proxy-cloudsql-iam-vuln

A PoC proxy script that allowed me to extract access tokens from the Postgres wire messages in Google Cloud SQL.

cloud-shell-ssrf

Google Cloud Shell SSRF feature PoC tool

grpcurl-for-android

gRPCurl precompiled binaries for Android

rdiff-backup

Simple docker image around rdiff-backup

raiffeisen-direktnet

Transaction parser for the Raiffeisen Direktnet banking website

hikvision-motion

SMTP server to receive HikVision camera/NVR notifications in order to post process the stream/images with GCP Vision AI (object tagging). Push notification to your device.

p1x1

Open-source web application for cataloging and archiving private photos in S3 compatible stores, protecting content via a full-browser, client-side encryption logic.

proftpd-mysql-password

Support for MySQL PASSWORD() in Proftpd's SQLAuthTypes