SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 64 Next »

Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which, upon deserialization, can yield objects that the attacker lacks permissions to construct. One example of this is the construction of a sensitive object, such as a custom class loader. Consequently, avoid deserializing from a privileged context. When deserializing requires privileges, programs must strip all permissions other than the minimum set required for the intended usage. See rules void SEC12-J. Do not grant untrusted code access to classes in inaccessible packages and void SEC13-J. Do not allow unauthorized construction of classes in inaccessible packages for additional information.

Noncompliant Code Example (CVE-2008-5353: Zoneinfo)

[[CVE]] CVE-2008-5353 describes a Java vulnerability, discovered in August 2008 by Sami Koivu. Julien Tinnes subsequently wrote an exploit that allowed arbitrary code execution on multiple platforms that ran vulnerable versions of Java. The problem resulted from deserializing untrusted input from within a privileged context. The vulnerability involves the (sun.util.Calendar.Zoneinfo) object, which being a serializable class, is deserialized by the readObject() method of the ObjectInputStream class.

Consider the default security model of an applet that does not allow access to sun.util.calendar.ZoneInfo because all classes within the "sun" package are treated as untrusted. As a result, prior to JDK 1.6 u11, the acceptable method for an unsigned applet to deserialize a Zoneinfo object was to execute the call from a privileged context, such as a doPrivileged block. This constitutes a vulnerability because there is no guaranteed method of knowing whether the serialized stream contains a Zoneinfo object and not a malicious serializable class. The vulnerable code casts the malicious object to the ZoneInfo type which typically causes a ClassCastException if the actual deserialized class is not a ZoneInfo. This exception however, is of little consequence as it is possible to store a reference to the newly created object in some static context so that the garbage collector does not act upon it.

A non-serializable class can be extended and its subclass can be made serializable. Also a subclass automaticall becomes serializable if it derives from a serializable class. During deserialization of the subclass, the JVM calls the no-argument constructor of the most derived superclass that does not implement java.io.Serializable either directly or indirectly. This allows it to fix the state of this superclass. In the following code snippet, class A's no-argument constructor is called when C is deserialized because A does not implement Serializable. Subsequently, Object's constructor is invoked. This procedure cannot be carried out programmatically, consequently the JVM generates the equivalent bytecode at runtime. Typically, when the superclass's constructor is called by a subclass, the subclass remains on the stack. However, in deserialization this does not happen. Only the unvalidated bytecode is present. This allows any security checks within the superclass's constructor to be bypassed in that the complete execution chain is not brought into scrutiny.

class A { // has Object as superclass
  A(int x) { }
  A() { }
}

class B extends A implements Serializable {
  B(int x) { super(x); }
}
 
class C extends class B {
  C(int x) { super(x); }
}

At this point, there is no subclass code on the stack and the superclass's constructor is executed with no restrictions as doPrivileged() allows the immediate caller to exert its full privileges. Because the immediate caller java.util.Calendar is trusted, it exhibits full system privileges.

For exploiting this condition, often, a custom class loader is desirable. Instantiating a class loader object requires special permissions that are made available by the security policy that is enforced by the SecurityManager. An unsigned applet cannot carry out this step by default. If an unsigned applet can execute a custom class loader's constructor, it can effectively bypass all the security checks (it has the requisite privileges as a direct consequence of the vulnerability). A custom class loader can be designed to extend the System Class Loader, undermine security and carry out forbidden actions such as reading or deleting files on the user's file system. Moreover, any legitimate security checks in the constructor are meaningless as the code is granted all privileges.

try {
  ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged(
    new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        return input.readObject();
      }
  });
  if (zi != null) {
    zone = zi;
  }
} catch (Exception e) {
}

Compliant Solution (CVE-2008-5353: Zoneinfo)

This vulnerability was fixed in JDK v1.6 u11 by defining a new AccessControlContext INSTANCE, with a new ProtectionDomain. The ProtectionDomain encapsulated a RuntimePermission called accessClassInPackage.sun.util.calendar. Consequently, the code was granted the minimal set of permissions required to access the sun.util.calendar class. This whitelisting approach guaranteed that a security exception would be thrown in all other cases of invalid access. Refer to rule void SEC12-J. Do not grant untrusted code access to classes in inaccessible packages for more details on allowing or disallowing access to packages. Finally, the two-argument form of doPrivileged() allows stripping all permissions other than the ones specified in the ProtectionDomain. 

private static class CalendarAccessControlContext {
  private static final AccessControlContext INSTANCE;
    static {
      RuntimePermission perm = new RuntimePermission("accessClassInPackage.sun.util.calendar");
      PermissionCollection perms = perm.newPermissionCollection();
      perms.add(perm);
      INSTANCE = new AccessControlContext(new ProtectionDomain[] {
        new ProtectionDomain(null, perms)
      });
    }
  }

// ...
try {
  zi = AccessController.doPrivileged(
       new PrivilegedExceptionAction<ZoneInfo>() {
         public ZoneInfo run() throws Exception {
           return (ZoneInfo) input.readObject();
         }
       }, CalendarAccessControlContext.INSTANCE);
} catch (PrivilegedActionException pae) { /* ... */ }
if (zi != null) {
  zone = zi;
}

Risk Assessment

Deserializing objects from an unrestricted privileged context can result in arbitrary code execution.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER09-J

high

likely

medium

P18

L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f67ff3d5-c591-45db-8f6e-7cfb5bde3702"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="337de828-a4f6-4897-a647-07d34ca47114"><ac:plain-text-body><![CDATA[

[[CVE

AA. Bibliography#CVE]]

[CVE-2008-5353

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353]

]]></ac:plain-text-body></ac:structured-macro>

SER07-J. Do not use the default serialized form for implementation-defined invariants      16. Serialization (SER)      SER09-J. Do not invoke overridable methods from the readObject method

  • No labels