On 06-01-16 13:38, Peter wrote:
Your security analysis is too narrow, you're thinking like a user, not an
attacker.
An attacker is not going to send you a proxy to load into a standalone
Classloader. She has the choice of the entire classpath, not you and not
River, that's right, it's the sender's choice, not the receiver's.
She's looking for vulnerable classes on your classpath. ObjectInputStream will
load the attacker's instructions. There's no protection domain on the stack
representing the attacker; the attacker is looking to deserialize into
privileged context, the attacker wants AllPermission. This all occurs before
your remote method call even returns. Once the attacker has privileges,
she can create her own URLClassLoader, grant AllPermission to her downloaded
code, install her own security manager.
https://cwe.mitre.org/data/definitions/502.html
--
QCG, Software development, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397
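The mechanism described above (ObjectInputStream resolving whatever class name the sender puts in the stream, from the whole receiver classpath) is what a receiver-side allow-list closes. The following is an added example, not code from this thread or from River: a subclass that rejects any class not explicitly expected before `Class.forName` runs, plus the Java 9+ `ObjectInputFilter` form of the same rule. The allow-list contents and the sample payloads are constructed for illustration.

```java
import java.io.*;
import java.util.Set;

/**
 * Added example (not from the thread or from River): deserialization allow-list.
 * The sender controls the class names in the stream; this stream refuses every
 * name the receiver has not explicitly listed, so no unexpected class is ever
 * loaded, and none of its readObject/readResolve code runs.
 */
public final class AllowListObjectInputStream extends ObjectInputStream {

    // Hypothetical allow-list for illustration; a real one names only the
    // receiver's own message types. Everything not listed is refused.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "java.lang.Integer",
        "java.lang.Number",
        "java.util.ArrayList"
    );

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Refuse before the class is looked up: no static initializer and
            // no deserialization hook of an unexpected class ever executes.
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Java 9+ alternative expressing the same policy as a pattern filter.
    // "!*" at the end rejects anything not matched earlier; maxdepth bounds
    // how deeply nested an accepted object graph may be.
    public static ObjectInputStream withFilter(InputStream in) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
            "maxdepth=8;java.lang.String;java.lang.Integer;java.lang.Number;java.util.ArrayList;!*"));
        return ois;
    }

    // Demo with constructed payloads: an expected type is accepted, an
    // unexpected one (HashMap stands in for any class the receiver never asked
    // for) is refused at resolveClass, before its own readObject can run.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new java.util.ArrayList<>(java.util.List.of("hello", "river")));
        }
        try (ObjectInputStream ois =
                 new AllowListObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("accepted: " + ois.readObject());
        }

        buf.reset();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new java.util.HashMap<String, String>());
        }
        try (ObjectInputStream ois =
                 new AllowListObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of checking in `resolveClass` (or in the filter, which runs at the same stage) is timing: the decision is made on the class name in the stream, before any object of that class exists, which is exactly the window the quoted message describes as occurring "before your remote method call even returns".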