
Regarding CVE-2017-9805, I’m genuinely in awe over how remote code execution in Java is even possible. Why should it even be possible to deserialize data on the wire into executable code?

Also, can someone shed light on the technical side of this? E.g., how does the JVM compile Java code it receives on the wire into Java byte code? Does the JVM runtime have a built-in Java compiler that outputs Java byte code that it itself can execute?

https://lgtm.com/blog/apache_struts_CVE-2017-9805



I had shock and awe when I learnt how to exploit PHP's unserialize() vulnerabilities, shock when I learnt Python had the same thing with unpickle, and then somewhat lost the plot reading about a previous Rails vulnerability which looks very much like this struts vulnerability.

It's unsurprising someone, somehow, built the same thing for Java, but I wish we'd move from "don't unserialize unless it's safe" to "this language should not have this feature".


I am not sure what you mean with Python and pickle. You get a binary blob with data (dict, list, ...) as an input and bring this data into memory.

This is the same as reading a file in, getting data through an HTTP call, through user input...

Of course you must marshal what you get before using it further - but that does not depend on the source once it is not secure/trusted.
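On the Python pickle point raised in the thread, an added example (not from any commenter) showing that a pickle stream can carry a reference to a callable that `pickle.loads()` resolves and invokes, and how an allowlisting `Unpickler` blocks that class of input. The callable used is deliberately harmless (`os.getcwd`); the sample pickles are constructed inline.

```python
import io
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve global (module, name) references on an explicit allowlist."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode in the stream.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global reference {module}.{name}")


class CallOnLoad:
    """Its pickle form instructs the loader to CALL a function on load.

    The function here is harmless (os.getcwd); the point is that the default
    loader resolves and invokes it, so a pickle is not merely inert data.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def safe_loads(data: bytes):
    """Deserialize with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    plain = pickle.dumps({"user": "alice", "roles": ["admin"]})  # constructed sample
    tricky = pickle.dumps(CallOnLoad())  # constructed sample with a global reference

    results = {}
    results["plain_default"] = pickle.loads(plain)
    results["plain_safe"] = safe_loads(plain)
    # Default loader: the result is the return value of os.getcwd(), a str.
    results["tricky_default_is_str"] = isinstance(pickle.loads(tricky), str)
    try:
        safe_loads(tricky)
        results["tricky_safe_blocked"] = False
    except pickle.UnpicklingError:
        results["tricky_safe_blocked"] = True
    return results
```

The allowlist approach is the mitigation the Python documentation itself recommends when untrusted pickles cannot be avoided; the stronger fix is a data-only format such as JSON.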


Well, the intended goal of the plugin in question is to enable Rails-like functionality [1]. So if they took inspiration from there it's not that surprising if they end up with the same vulnerabilities.

[1] http://struts.apache.org/docs/rest-plugin.html


In my humble opinion, when a remote code execution vulnerability appears in an application written in a memory safe language, you know you’ve chosen the wrong way to model a problem.

The art of writing code is defining the problem space, which is avoided completely when you allow the consumer of your interface to execute arbitrary code. The whole point of interfaces is to restrict the possible actions of a consumer of it — i.e. the inverse of arbitrary remote code execution — which is the hard part of software design.


It can deserialise into arbitrary classes. You could deserialise a process builder to execute an arbitrary shell command [0].

[0] https://github.com/mazen160/struts-pwn_CVE-2017-9805/blob/ma...


I am not sure about this exploit but what can be done is you can send a Class type over the wire.

It contains Java bytecode and when de-serialized it will use some ClassLoader to construct the Class instance. While doing that the static initializer of that class will be executed.

This probably is not what is going on here but is a possibility.


The JVM lets you modify stuff at runtime with reflection.



