eclipse-archived/ceylon

Security problem: Ceylon allows building a deserialization gadget


Hello, the class org.eclipse.ceylon.compiler.java.language.SerializationProxy allows building a very simple deserialization gadget.
I'm about to submit a merge request to ysoserial (https://github.com/frohoff/ysoserial), see here: supersache/ysoserial@a65671e.
If someone does java.io.ObjectInputStream.readObject() on untrusted data and ceylon-language-1.3.3 is in the class path, an attacker can achieve Remote Code Execution (or execute arbitrary Java code on behalf of the server). I have no clue how and where Ceylon is used, or whether there is a realistic threat of exploitation.

I wanted to give you the opportunity to address this before the exploit code becomes public.
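The report's precondition is an application calling `ObjectInputStream.readObject()` on untrusted bytes with the Ceylon runtime on the class path. The standard mitigation on the consuming side, independent of any fix in Ceylon, is a deserialization filter (JEP 290, Java 9+) that allows only the types the endpoint expects and rejects everything else. The following is an added example written for this issue page; it is not code from the report or from the Ceylon project. It assumes Java 9 or later; the explicit `!org.eclipse.ceylon.**` term uses the package named in the report, while the allowed types, the limits, and the `Unexpected` class are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class FilteredDeserialization {

    // Allowlist filter: permit only the types this endpoint legitimately
    // expects, explicitly reject the Ceylon runtime package named in the
    // report, and reject everything else with a trailing "!*".
    // maxdepth/maxarray cap graph depth and array sizes against
    // resource-exhaustion payloads. Allowed types are constructed for the demo.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.eclipse.ceylon.**;"                 // package from the report
            + "java.util.ArrayList;java.lang.String;" // expected payload types
            + "maxdepth=8;maxarray=10000;"            // structural limits
            + "!*");                                  // deny by default

    // Serialize any object to bytes (stands in for data received from a peer).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream. The filter is
    // consulted for every class descriptor before the class is resolved, so a
    // rejected type never has its readObject/readResolve logic executed.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // Constructed stand-in for "a class the endpoint does not expect".
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "not on the allowlist";
    }

    public static void main(String[] args) throws Exception {
        // Expected payload shape: passes the filter and round-trips.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        Object back = deserializeFiltered(serialize(expected));
        System.out.println("allowed: " + back);

        // Anything outside the allowlist is rejected before instantiation.
        try {
            deserializeFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FilteredDeserialization.java && java FilteredDeserialization`. The same pattern string can be applied process-wide without touching application code via the `jdk.serialFilter` system property (or the `java.security` file), which is the practical way to cover third-party code that creates its own `ObjectInputStream` instances; an explicit deny entry for a known gadget package is useful as defence in depth, but the trailing `!*` is what actually closes the class of problem the report describes, since any future gadget class is rejected by default.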