The POC is a simple Eclipse Java project. UnsafeReceiver will open a ServerSocketReceiver on port 1111 and wait forever.
Injector will then open a client Socket to the ServerSocketReceiver and serialize a Calculator instance through the wire.
Calculator implements ILoggingEvent to prevent a ClassCastException on deserialization, but Logback won't check any further and getLoggerName() is called.
In this case, the gnome calculator is executed.

Regards,
Fabrice

On 31/03/2017 at 14:10, Markus Koschany wrote:
> You could also attach the POC to this bug report. The vulnerability is publicly known by now anyway.
>
> Markus
Attachment: poc_logback.tar.gz (GNU Zip compressed data)
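The defensive counterpart to the behaviour described in the report, as an added example (not the attached POC and not Logback's own code): an ObjectInputStream that admits only an explicit allow-list of classes, so a receiver never instantiates an unexpected type just because it claims to implement the expected interface. The SafeEvent and Calculator classes are constructed stand-ins for the legitimate event type and the attacker-supplied class.

```java
import java.io.*;
import java.util.Set;
// Added example, not the POC from this report and not Logback's own code:
// an ObjectInputStream that admits only an explicit allow-list of classes.
// resolveClass() runs while the class descriptor is read, before any instance
// exists, so a rejected class never gets its readObject()/readResolve() run.
public class HardenedDeserialization {

    // Stand-in for the event type a receiver legitimately accepts.
    static class SafeEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        String loggerName = "demo"; // written as TC_STRING, no class descriptor
        long timestamp = 1L;        // primitive, no class descriptor either
    }

    // Stand-in for the attacker's class: any Serializable not on the list.
    static class Calculator implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Constructed allow-list. Serializable superclasses of an allowed type are
    // resolved too, so they must be listed as well (e.g. java.lang.Number for Long).
    static final Set<String> ALLOWED = Set.of(SafeEvent.class.getName());

    static class HardenedObjectInputStream extends ObjectInputStream {
        HardenedObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns the object for an allowed class; throws InvalidClassException for
    // anything else, e.g. readHardened(serialize(new Calculator())).
    static Object readHardened(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new HardenedObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }
}
```

On Java 9 and later the same allow-listing can be expressed with ObjectInputStream.setObjectInputFilter instead of overriding resolveClass.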