Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Nov 2015 08:06:42 -0800
From: Tim <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Subject: Re: Assign CVE for common-collections remote code
 execution on deserialisation flaw


Hi Moritz,

> The problem here is that the amount of potential "sinks" is incredibly
> large - everything on your classpath. No objection here to hardening the
> specific instance, but thinking one will be safe afterwards is a
> misconception. Like someone else put it, it's a game of whack-a-mole.

Does every class in your classpath implement Serializable?  If your
library is implemented that way, it is broken.  Web architectures used
to be implemented such that you had to encode HTML in hundreds of
separate places, one by one.  Did we stop receiving and displaying
user input because of it?  No, we changed our archtectures to
accommodate a better understanding of XSS.

I don't think fixing one instance of a broken Serializable class will
make us safe, but playing whack-a-mole with every application that
uses serialization to transfer data isn't attractive either.  Note
that eliminating the use of serialization is harder because that
requires a *functional* design change, rather than a change in
implementation details.


> Sure, as long as nobody does any funny stuff in their default
> constructors, setters or getters. But the difference there is that these
> unmarshallers (at least the ones I know of) only act on a very specific
> set of classes you mostly control.
> Looking at the flawed deserialization design at hand...

I'm not saying Java's serialization architecture is good.  Oracle
definitely needs to do something.  But passing the buck up to all
applications and asking them to eliminate serialization is impractical
and *dangerous*.  The higher up you go in the software stack, the less
developers understand security.  Very few developers will get the
message that they can't use it to process untrusted data and that will
lead to a continued series of vulnerabilities.


> And that's the assumption you are making. There is no such statement in
> the Serializable definition, neither is anywhere defined what is
> acceptable behavior for a readObject method and neither forbids the
> collection API to do something dangerous in a getter (which in OpenJDK
> seems to generally be an acceptable call).

I agree that there's no statement about serialization security there.
That's not surprising at all, because Oracle really sucks about
security, always giving us a "not my problem" attitude.  That's why I
mentioned XMLDecoder.  Even something as blatantly vulnerable as that
interface doesn't receive any documentation that it shouldn't be used
with untrusted data.  So how can you expect them to rise to the
occasion and document something slightly more nuanced?

However, my assumption is the only one that makes sense, given the
design of Java's serialization.  Clearly, the lack of documentation
has confused everyone, though, which is why we're having this
discussion.


> Maybe forcing them to take a position on the RMI implementation will be
> of some use. They clearly assume deserialization is safe there and fun
> fact, even use it for the authentication crendentials.

Anything to nudge them into taking responsibility *for something,
ever* would be a good start.  However, last time I tried to convince
them of something like this, they just told me "use a security
manager".  lulz.  So good luck.

Thanks much,
tim

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ