Serialized objects can be altered unless they are protected using mechanisms, such as sealing and signing. (See guideline VOID SEC16-J. Sign and seal sensitive objects before transit.) If an attacker can alter the serialized form of the object, it becomes possible to modify the system resource that the serialized handle refers to. For example, an attacker may modify a serialized file handle to refer to an arbitrary file on the system. In the absence of a security manager, any operations that use the file handle will be carried out using the attacker supplied file path and file name.
Noncompliant Code Example
This noncompliant code example declares a serializable File
object in the class BadSer
. The serialized form of the object exposes the file path, which can be altered. When the object is deserialized, the operations will be performed using the altered path.
final class BadSer implements Serializable { File f; public BadSer() throws FileNotFoundException { f = new File("c:\\filepath\\filename"); } }
Compliant Solution (Not Implementing Serializable)
This compliant solution shows a final
class Ser
that does not implement java.io.Serializable
. Consequently, the File
object cannot be serialized.
final class Ser { File f; public Ser() throws FileNotFoundException { f = new File("c:\\filepath\\filename"); } }
Compliant Solution (Object Marked Transient)
This compliant solution declares the File
object transient
. Consequently, the file path is not exposed.
final class Ser implements Serializable { transient File f; public Ser() throws FileNotFoundException { f = new File("c:\\filepath\\filename"); } }
Risk Assessment
Deserializing direct handles to system resources can allow the modification of the resources being referred to.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SER10-J |
high |
probable |
low |
P18 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[Sun 2006]] "Serialization specification"
VOID 16. Serialization (SER) SER11-J. Do not invoke overridable methods from the readObject method