Oh nasty! I must admit, this is quite a fascinating exploit. I'm going to do some digging later today when I am at my computer.
On Sun, Nov 8, 2015 at 3:34 PM Thomas Neidhart <thomas.neidh...@gmail.com> wrote:

> On 11/08/2015 09:11 PM, James Carman wrote:
> > How did we get to the point where someone could invoke arbitrary bytecode?
>
> Take a look at class TemplatesImpl in
> com.sun.org.apache.xalan.internal.xsltc.trax which is part of the oracle
> and openjdk jre.
>
> It is serializable and can load so called Translets which are stored as
> byte[] and will be loaded once the newTransformer method is invoked.
>
> So an attacker can store byte code in the array of a serialized
> TemplatesImpl object and force its execution via the InvokerTransformer.
>
> Thomas