Unrestricted deserializing from a privileged context allows an attacker to supply crafted input whichthat, upon deserialization, can yield objects that the attacker would otherwise lack permissions to construct. One example is the construction of a sensitive object such as a custom class loader. Consequently, avoid deserializing from a privileged context. When deserializing requires privileges, programs must strip all permissions other than the minimum set required for the intended usage.
Noncompliant Code Example (CVE-2008-5353: ZoneInfo
)
[CVE-2008-5353 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353] describes a Java vulnerability discovered in August 2008 by Sami Koivu \[ [CVE 2008|AA. References#CVE 08]\]. Julien Tinnes subsequently wrote an exploit that allowed arbitrary code execution on multiple platforms running vulnerable versions of Java. The problem resulted from deserializing untrusted input from within a privileged context. The vulnerability involves the {{ Wiki Markup sun.util.Calendar.ZoneInfo
}} class, which, being serializable , is deserialized by the {{readObject()
}} method of the {{ObjectInputStream
}} class.
The default security model of an applet does not allow access to sun.util.calendar.ZoneInfo
because applets cannot be permitted to invoke any method from any class within the sun
package. As a result, prior to JDK 1.6 u11, the acceptable method for an unsigned applet to deserialize a ZoneInfo
object was to execute the call from a privileged context, such as a doPrivileged()
block. This constitutes a A vulnerability results because there is no guaranteed method of knowing whether the serialized stream contains a bona fide ZoneInfo
object rather than a malicious serializable class. The vulnerable code casts the malicious object to the ZoneInfo
type, which typically causes a ClassCastException
if the actual deserialized class is not a ZoneInfo
object. This exception, however, is of little consequence because it is possible to store a reference to the newly created object in a static context so that the garbage collector cannot act upon it.
A nonserializable class can be extended and its subclass can be made serializable. Also, a subclass automatically becomes serializable if it derives from a serializable class. During deserialization of the subclass, the Java Virtual Machine (JVM) calls the no-argument constructor of the most derived superclass that does not implement java.io.Serializable
either directly or indirectly. This Calling the no-argument constructor allows it to fix the state of this superclass.
In the following code snippet, class A
's no-argument constructor is called when C
is deserialized because A
does not implement Serializable
. Subsequently, Object
's constructor is invoked. This procedure cannot be carried out programmatically, so the JVM generates the equivalent bytecode at runtime. Typically, when the superclass's constructor is called by a subclass, the subclass remains on the stack. However, in deserialization this does not happen. Only the unvalidated bytecode is present. This , which allows any security checks within the superclass's constructor to be bypassed in that because the complete execution chain is not scrutinized.
Code Block |
---|
class A { // hasHas Object as superclass A(int x) { } A() { } } class B extends A implements Serializable { B(int x) { super(x); } } class C extends class B { C(int x) { super(x); } } |
...
A custom class loader can be used to exploit this vulnerability. Instantiating a class loader object requires special permissions that are made available by the security policy that is enforced by the SecurityManager
. An unsigned applet cannot carry out this step by default. However, if an unsigned applet can execute a custom class loader's constructor, it can effectively bypass all the security checks (it has the requisite privileges as a direct consequence of the vulnerability). A custom class loader can be designed to extend the system classlLoaderclass loader, undermine security, and carry out prohibited actions such as reading or deleting files on the user's file system. Moreover, legitimate security checks in the constructor are meaningless because the code is granted all privileges. The following noncompliant code example illustrates the vulnerability.:
Code Block | ||
---|---|---|
| ||
try { ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged( new PrivilegedExceptionAction() { public Object run() throws Exception { return input.readObject(); } }); if (zi != null) { zone = zi; } } catch (Exception e) { // handleHandle error } |
Compliant Solution (CVE-2008-5353: Zoneinfo
)
This vulnerability was fixed in JDK v1.6 u11 by defining a new AccessControlContext
INSTANCE
, with a new ProtectionDomain
. The ProtectionDomain
encapsulated a RuntimePermission
called accessClassInPackage.sun.util.calendar
. Consequently, the code was granted the minimal set of permissions required to access the sun.util.calendar
class. This whitelisting approach guaranteed that a security exception would be thrown in all other cases of invalid access. The code also uses the two-argument form of doPrivileged()
, which strip strips all permissions other than the ones specified in the ProtectionDomain
.
Code Block | ||
---|---|---|
| ||
private static class CalendarAccessControlContext {
private static final AccessControlContext INSTANCE;
static {
RuntimePermission perm =
new RuntimePermission("accessClassInPackage.sun.util.calendar");
PermissionCollection perms = perm.newPermissionCollection();
perms.add(perm);
INSTANCE = new AccessControlContext(new ProtectionDomain[] {
new ProtectionDomain(null, perms)
});
}
}
// ...
try {
zi = AccessController.doPrivileged(
new PrivilegedExceptionAction<ZoneInfo>() {
public ZoneInfo run() throws Exception {
return (ZoneInfo) input.readObject();
}
}, CalendarAccessControlContext.INSTANCE);
} catch (PrivilegedActionException pae) { /* ... */ }
if (zi != null) {
zone = zi;
}
|
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER08-J | high High | likely Likely | medium Medium | P18 | L1 |
Related Guidelines
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="480406ed-fcad-4795-bb32-bf6a2a559c6b"><ac:plain-text-body><![CDATA[ | [[API 2006AA. References#API 06]API 2014] | ]]></ac:plain-text-body></ac:structured-macro> | <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="91b1c619-8abb-4801-961e-a4d9e1a86087"><ac:plain-text-body><![CDATA[ |
[[CVE 2011AA. References#CVE 08]] | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353] | ]]></ac:plain-text-body></ac:structured-macro> |
...
SER07-J. Do not use the default serialized form for implementation-defined invariants 13. Serialization (SER)