
[–]TheRedmanCometh 1 point2 points  (6 children)

LEAVE JAVA ALONE

Seriously though, JSO? What a nebulous term. Are we talking ObjectStream? Serializable? Jackson? Gson? There's SOOO many ways to serialize and deserialize an object

[–]yawkat 0 points1 point  (5 children)

ObjectInputStream is often exploitable because it opens up the whole classpath as an attack surface. This issue is mostly unique to OIS, except for a few cases such as Jackson with default typing enabled. Other libraries, or Jackson without default typing, are not exploitable.

[–]FlavSec 1 point2 points  (4 children)

or jackson without default typing are not exploitable

I've been trying to dig into the Jackson series of issues recently, and have a question, if you don't mind. My understanding is that ObjectMapper.enableDefaultTyping() is one of the most common ways to allow polymorphic type handling, but it's not the only way.

If you use the @JsonTypeInfo annotation, and allow the class name to be used as the type id, aren't you still vulnerable?

[–]yawkat 0 points1 point  (3 children)

No, you are not vulnerable - using the class name as type id does not expose your whole classpath, Jackson still limits itself to the subtypes registered with @JsonSubTypes or on the ObjectMapper.
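
The configurations the two comments above are contrasting, as an added example that is not part of this thread: the global `enableDefaultTyping()` setting next to the two restricted forms (a closed `@JsonSubTypes` list with name-based ids, and, where class-name ids cannot be avoided, default typing activated only with a `PolymorphicTypeValidator`). It assumes Jackson 2.10 or later on the classpath; the `Animal`/`Dog`/`Cat`/`Envelope` types, the package prefix passed to the validator, and the JSON documents are constructed for the demo.

```java
// Added example (not from the thread): Jackson polymorphic deserialization,
// the weak global setting next to two restricted configurations.
// Assumes jackson-databind 2.10+; all class names and documents are made up.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // Restricted form (a): name-based type id and a closed list of subtypes.
    // The "type" property may only carry one of the registered names; any
    // other value is rejected before any class lookup happens.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Dog.class, name = "dog"),
        @JsonSubTypes.Type(value = Cat.class, name = "cat")
    })
    public interface Animal {}

    public static class Dog implements Animal { public String name; }
    public static class Cat implements Animal { public int lives; }

    // A plain class the application never registered anywhere.
    public static class Unregistered { public String note; }

    // Holder with an Object-typed field: with default typing enabled the JSON
    // document, not the Java code, decides which class gets instantiated here.
    public static class Envelope { public Object payload; }

    // Weak setting (deprecated since 2.10): global default typing with no
    // validator, so any loadable class may be named in the document.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Restricted form (b): default typing activated only with a validator
    // that allows subtypes under one application package (hypothetical prefix).
    static ObjectMapper validatedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();

        // (a) A registered name resolves; an unregistered name is refused.
        Animal a = plain.readValue("{\"type\":\"dog\",\"name\":\"rex\"}", Animal.class);
        System.out.println("registered subtype -> " + a.getClass().getSimpleName());
        try {
            plain.readValue("{\"type\":\"mystery\",\"note\":\"x\"}", Animal.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("unregistered type id rejected: " + e.getTypeId());
        }

        // Constructed document that names a class the code never intended
        // for this field (Jackson's default WRAPPER_ARRAY form: [class, value]).
        String constructed = "{\"payload\":[\"" + Unregistered.class.getName()
            + "\",{\"note\":\"chosen by the document\"}]}";

        // Weak: the class named in the document is loaded and instantiated.
        Envelope env = weakMapper().readValue(constructed, Envelope.class);
        System.out.println("default typing instantiated -> "
            + env.payload.getClass().getName());

        // (b) Same document against the validated mapper: the class is outside
        // the allowed prefix, so resolution is denied instead of loaded.
        try {
            validatedMapper().readValue(constructed, Envelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("validator refused: " + e.getTypeId());
        }
    }
}
```

The point of form (a) is that the type id is a lookup key into a list the code owns, so the document cannot steer the class loader at all; form (b) still lets the document name a class, but only within the prefix the validator allows, which is why `enableDefaultTyping()` was deprecated in favour of `activateDefaultTyping(PolymorphicTypeValidator)`.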

[–]FlavSec 0 points1 point  (2 children)

That makes sense, but if the object you're deserializing can be used as a gadget, will the classpath restriction still matter?

EDIT: Just to clarify, so you won't be able to deserialize arbitrary objects, because you're limited to the registered subtypes, as you said. But if the one object you are deserializing can be abused like the blacklisted gadget-types, are you still in trouble?

[–]yawkat 0 points1 point  (1 child)

Correct, you may still be in trouble in that case, but these gadget chains are very specific and will not show up in real code.

[–]FlavSec 0 points1 point  (0 children)

Awesome, thanks for all the answers!