Tuesday, 6 August 2013

Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

At the DefCon REST Presentation we did last week (see slides here), after the Neo4J CSRF payload to start processes (calc and nc) on the server demo, we also showed how dangerous the Java’s XmlDecoder can be.

(tldr: scroll to the end of the article to see how to create an XML file that will trigger an reverse-shell from an REST server into an attacker's box)

I have to say that I was quite surprised that it was possible to execute Java code (and start processes) from XML files!

Abraham and Alvaro deserve all the credit for connecting the dots between XMLDecoder and REST.

Basically what happens is that the Java’s JDK has a feature called Long Term Persistence which can be used like this:


As you can see by the example shown above, the Xml provided to XMLDecoder API is able to create an instance of javax.swing.JButton and invoke its methods.

I can see why this is useful and why it was added to the JDK (since it allows for much better ‘Long Term Object Persistence’), BUT, in practice, what this means is that java payloads can be inserted in XML files/messages.

This is already dangerous in most situations (i.e. when was the last time that you actually thought that an XML file was able to trigger code execution on a server), BUT when you add REST to the mix, we basically have a ‘Remote Code/Command Execution’ vulnerability.

Awareness for this issue

Although there is some awareness out there of the dangers of XMLDecode, I don’t think there is enough understanding of what is possible to do with the XML provided to the XMLDecoder .

For example Is it safe to use XMLDecoder to read document files? asks:


... with the answer being spot on:


Unfortunately, one really has to look for those ‘alerts’, since the main XMLDecoder info/documentation doesn’t mention them.

For example the main links you get by searching for XMLDecoder:


... encourage its use:


...and provide no info on the ‘remote code execution’ feature of XMLDecoder.


Connecting the Dots: Using XmlDecoder on an REST API

There are two key scenarios where this ‘feature’ becomes a spectacular vulnerability:
  1. Server-side backend system that process attacker-controlled XML files using XMLDecoder
  2. REST APIs that uses XMLDecoder to create strongly type objects from the HTTP Request data
And the 2nd case is is exactly what happens with Restlet REST API , which wraps XMLDecode in its org.restlet.representation.ObjectRepresentation<T> feature/class.

Note how the documentation page:


... makes no reference to the dangerous use of XMLDecoder (ironically, it doesn’t even mention XMLDecoder, just that it can parse data created by XMLEncoder)

How XMLDecoder is used in Restlet

In Restlet the ObjectRepresentation<T> class can be used on REST methods to create objects from the HTTP request body (which is an XML string) .

For example, on the PoC that we created for the DefCon presentation (based on one of RestLet source code example apps)

... I changed the code at Line 68 (which manually retrieved data from the HTTP Request data)


... into the code you can see below at  line 72


... which uses ObjectRepresentation<T> to map the HTTP Request data into an object of type Item:


Note that this is exactly the capability that are provided by MVC Frameworks that automagically bind HTTP post data into Model objects. This 'feature' is the one that creates the the Model Binding Vulnerabilities which I have been talking about here, here, here, here, here, here, here and here. In fact, the XMLDecoder is is a ModelBinding Vulnerability (also called Over Posting, Mass Assignment or Auto Binding vulns) on steroids, since not only we can put data on that object, we can create completely new ones and invoke methods in them.

Before you read the exploits, remember that the change I made to the code (see below)


… is one that any developer could do if tasked with automatically casting the received REST XML data into Objects.

In order to develop the exploits and create PoCs, I quickly wrote an O2 Platform based tool, which you can get from here:


This tool:


… provided a gui where these XML exploits:


…could be easy sent to a running instance of the test RestLet app.

Multiple examples of what can be done using the XMLDecode meta-language

1 - create item (Simple).xml - normal object creation


2 - create item (using properties).xml - object creation and calling setters


3 - create item (from var).xml  - creating and using an variable


4 - create item (and more).xml - creating/invoking a complete different class


5 - create item (and calc).xml - starting cacl.exe using Java's Runtime.getRuntime() . Note that this example is VERY STEALTH since there will be no casting error thrown by the XMLDecoder conversion (the first object created in the XML execution is the one returned, which in this case is the expected one (firstResource.Item))


6 - Process Builder - Start a Calc.xml - Create a complete different object (ProcessBuilder) which will throw an casting error ... after the process execution starts :)


7a - Creating a File.xml - in the target app we were using there was no webroot available with ability to render JSPs (it was a pure REST server with only REST routes). But if it there was one, and we could write to it, we could use the technique shown below to upload an JSPShell (like this one), and exploit the server from there.


7b - Creating a Class File.xml - since we can upload files, we can compile a class file locally and 'upload' it to the server


7d - execution class file - anotherExecute- calcl.xml  - in this case the class file we uploaded had a method that could be used to start processes


8a - HttpResponse - return variable.xml  - this is a cool technique where I found the Restlet equivalent of HttpServletresponse, so I was able to write content directly to the current browser


8b - HttpResponse - return variables.xml - which can be used to return data assigned to XMLDecoder created variables


8c - HttpResponse - return JavaProperties.xml - In this case the java.lang.getProperties values (but if this was a real app, we could use this to extract data from the database or in memory objects)


8d - Exploit - Create XSS.xml - another option is to trigger XSS on the current user (usefully if the first payload was delivered over CSRF to the victim)


8e - HttpResponse - execute process - read two lines.xml - here is a way to execute a process and get its output shown in the browser


9a - download NetCat.xml - here is how to trigger a http connection from the server into the attacker's box and download the NetCat tool


9b - Start NetCat reverse shell.xml - once NetCat is available on the server, we can use it to send a reverse-shell an external IP:Port


This is when I run out of time for writing more PoCs....

... but as you can see by the end, I was just about writing Java code, only thing I didn’t figure out how to do create loops and anonymous methods/classes (need to look at the Command Pattern).

I also hope that by now you see how dangerous the XMLDecoder capabilities are, and how its use must be VERY VERY carefully analysed and protected.

How to use XMLDecoder be safely?

I’m not entirely sure at the moment.

The Secure Coding Guidelines for the Java Programming Language, Version 4.0 have a note on 'Long Term Persistence of JavaBeans':


But the Long Term Persistence of JavaBeans Components: XML Schema article (which btw is the best resource out there on how to use the XmlDecoder), has no mention of Security.


Hopefully the presentation that we did at DefCon and blog posts like this, will raise the awareness of this issue and good solutions will emerge

Note that I’m not as good in Java as I am in .NET, so I’m sure there is something in Java or JDK that I’m missing.

Let me know what you think of this issue, if there are safe ways to use XmlDecoder and if you spot other dangerous uses of XmlDecoder.

UPDATE: Presentation slides

See this page for the presentation slides (hosted by SlideShare)


janakikrishnan said...

It is going in a good way. Well done.
Java Training in Bangalore
Java Institutes in Bangalore
Java Training in Madurai
Java Course in Madurai
Java Training in Coimbatore
Best Java Training in Coimbatore

Aruna Ram said...

Actually, recently see this blog! This is very great and very impressed. Thank you for giving the different post.
Oracle DBA Training in Chennai
Oracle DBA Course in Chennai
Excel Training in Chennai
Oracle Training in Chennai
Spark Training in Chennai
Tableau Training in Chennai
Embedded System Course Chennai
Oracle DBA Training in Chennai
Oracle DBA Training in OMR

nikitha josh said...

I have gone through your blog, it was very much useful for me and because of your blog, and also I gained many unknown information, the way you have clearly explained is really fantastic. Kindly post more like this, Thank You.
best aviation academy in Chennai
best air hostess training institute in Chennai
airline management courses in Chennai
airport ground staff training in Chennai
Aviation Academy in Chennai
air hostess training in Chennai
airport management courses in Chennai
ground staff training in Chennai

anvianu said...

emails with the same comment. Is there any way you can remove people from that service? Thanks.
nebosh course in chennai
offshore safety course in chennai

sheela rajesh said...

Thanks for your interesting ideas.the information's in this blog is very much useful
for me to improve my knowledge.
Python Training in Chennai
Python Training Institute in Chennai
JAVA Training in Chennai
Hadoop Training in Chennai
Selenium Training in Chennai
Python Training in Chennai
Python Training in Tambaram

Ramya Krishnan said...

This is the exact information I am been searching for, Thanks for sharing the required infos with the clear update and required points. To appreciate this I like to share some useful information regarding Microsoft Azure which is latest and newest,


Azure Training in Chennai
Azure Training Center in Chennai
Best Azure Training in Chennai
Azure Devops Training in Chenna
Azure Training Institute in Chennai
Azure Training in Chennai OMR
Azure Training in Chennai Velachery
Azure Online Training
Azure Training in Chennai Credo Systemz
DevOps Training in Chennai Credo Systemz
Best Cloud Computing Service Providers

IT Tutorials said...

Really useful information. Thank you so much for sharing.It will help everyone.Keep Post. RPA training in chennai | RPA training in Chennai with placement | UiPath training in Chennai | UiPath certification in Chennai with cost

Traveler said...

we are expert in Digital Marketing and web designing. We are registered company in Agra city, we providing our service all over india.

jenifer irene said...

Thank you so much for providing information on this. It was very useful.
Aviation Courses in Chennai
air hostess course in Chennai
airport courses in Chennai
Ground staff training in Chennai
Aviation Academy in Chennai
air hostess training in Chennai
airport management courses in Chennai
ground staff training in Chennai

kavithasathish said...

Great content and it is really innovative to everyone.
spanish language in chennai
spanish courses in chennai
TOEFL Coaching Centres in Chennai
french classes
pearson vue
German Courses in Chennai
French Classes in T Nagar
French Classes in Anna Nagar

Aman CSE said...

Thanks for sharing such a wonderful blog on Machine learning.This blog contains so much data about Machine learning ,like if anyone who is searching for the Machine learning data will easily grab the knowledge of Machine learning from this .Requested you to please keep sharing these type of useful content so that other can get benefit from your shared content.
Thanks and Regards,
Top institutes for machine learning in chennai
best machine learning institute in chennai
artificial intelligence and machine learning course in chennai

Service Center Acer said...


mani said...

Comfortabl y, the post is really the freshest on that deserving topic. I harmonise with your conclusions and definitely will thirstily look forward to your next updates.

website builder for reseller

mani said...

Thank you for the link building list.I am going jot down this because it will help me a lot.Great blog! Please keep on posting such blog.

private label website builder

mani said...

Comfortabl y, the post is really the freshest on that deserving topic. I harmonise with your conclusions and definitely will thirstily look forward to your next updates.

white label website builder

Prachi Kalra said...

Thanks for sharing the link building list on this topic. Very helpful blog.
Web Design Company in India

Service Center iPhone said...


lampungservice.com said...


Sadhana Rathore said...

Thanks for the well-written post and I will follow your updates regularly and this is really helpful. Keep posting more like this.
RPA Training in Chennai
RPA course in Chennai
RPA Training Institute in Chennai
Blue Prism Training in Chennai
Blue Prism Training Institute in Chennai
UiPath Training in Chennai
RPA Training in Tambaram
RPA Training in Anna Nagar

manisha said...

This is one awesome blog article. .
Python Training in Gurgaon
Python Course in Gurgaon
Python Training institute in Gurgaon

htop said...

thanks for sharing this useful message
aws training center in chennai
aws training in chennai
aws training institute in chennai
best angularjs training in chennai
angular js training in sholinganallur
angularjs training in chennai
azure training in chennai
best devops training in chennai

cynthiawilliams said...

I am very happy to visit your blog. This is definitely helpful to me, eagerly waiting for more updates.
Machine Learning course in Chennai
Machine Learning Training in Chennai
Data Science Course in Chennai
Data Science Certification in Chennai
R Training in Chennai
R Programming Training in Chennai
Machine Learning Training in Velachery
Data Science Course in Anna Nagar

Kerrthika K said...

It's a magnificent blog!thanks for sharing this information
film making courses in chennai
film courses in chennai
best film school in chennai
acting course in chennai
film editing course fees in chennai
film institute in chennai
part time film direction course in chennai

naveen said...

This is very interesting article thanx for your knowledge sharing.this is my website is mechanical Engineering related and one of best site .i hope you are like my website .one vista and plzz checkout my site thank you, sir.
mechanical engineering

htop said...

thanks for sharing this informations
aws training center in chennai
aws training in chennai
aws training institute in chennai
best angularjs training in chennai
angular js training in sholinganallur
angularjs training in chennai
azure training in chennai
best devops training in chennai

Deva Dev said...

Great post! it's a valuable and useful information...
RPA courses in bangalore
RPA classes in bangalore
AWS courses in bangalore
AWS classes in bangalore