
Java: CodeQL query for unsafe RMI deserialization #358

Closed
1 task done
artem-smotrakov opened this issue May 1, 2021 · 7 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@artem-smotrakov

artem-smotrakov commented May 1, 2021

Query

github/codeql#5818

CVE ID(s)

Report

RMI uses the default Java serialization mechanism (in other words, ObjectInputStream) to pass parameters in remote method invocations. If a remote method accepts complex parameters, then a remote attacker can send a malicious serialized object as one of the parameters. The malicious object gets deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely.

You can find more details about this attack in the following articles:

I'd like to propose a new experimental query that looks for deserialization vulnerabilities in remote objects registered in an RMI registry.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I am planning to write a blog post about detecting such issues.

I wrote a short blog post about the query.

Result(s)

@artem-smotrakov artem-smotrakov added the All For One Submissions to the All for One, One for All bounty label May 1, 2021
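The remote-method pattern the report describes, next to the JDK-level mitigation, as an added example that is not part of this issue or of the CodeQL pull request. Interface, class and method names (`RiskyService`, `SafeService`, `Unexpected`, `readFiltered`) are hypothetical; the filter APIs (`ObjectInputFilter.Config.createFilter`, `ObjectInputStream.setObjectInputFilter`, `UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)`) are the JEP 290 additions available since Java 9.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;

// Added example (hypothetical names): the risky RMI contract the query looks for,
// a safer contract, and a serialization filter applied both to a plain
// ObjectInputStream and to an exported remote object.
public class RmiDeserializationExample {

    // Pattern the query targets: a remote method taking a non-primitive parameter.
    // RMI unmarshals the argument with ObjectInputStream before greet() is ever
    // invoked, so any serializable class on the server classpath is reachable by a client.
    public interface RiskyService extends Remote {
        String greet(Object who) throws RemoteException;
    }

    // Hardened contract: only String and primitives cross the wire.
    public interface SafeService extends Remote {
        String greet(String who) throws RemoteException;
    }

    public static class SafeServiceImpl implements SafeService {
        @Override
        public String greet(String who) {
            return "Hello, " + who;
        }
    }

    // Constructed stand-in for a class the server never expects from clients.
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list filter: a few known classes, everything else rejected ("!*"),
    // plus a depth limit against deeply nested payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;java.lang.String;java.lang.Integer;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allow-list filter; a rejected class surfaces as
    // InvalidClassException before its constructor or readObject() runs.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER); // per-stream filter (Java 9+)
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed class passes through.
        System.out.println(readFiltered(serialize("alice")));

        // Unexpected class is rejected by the filter.
        try {
            readFiltered(serialize(new Unexpected()));
        } catch (InvalidClassException rejected) {
            System.out.println("rejected by filter: " + rejected.getMessage());
        }

        // Per-object RMI hook: the same filter is applied when RMI unmarshals
        // call arguments for this exported object. Port 0 picks an anonymous port;
        // the call below goes through the RMI transport on loopback.
        SafeServiceImpl impl = new SafeServiceImpl();
        SafeService stub = (SafeService) UnicastRemoteObject.exportObject(impl, 0, FILTER);
        System.out.println(stub.greet("bob"));
        UnicastRemoteObject.unexportObject(impl, true);
    }
}
```

Narrowing the parameter types removes the attacker-chosen class at the application level; the filter is defense in depth for the marshaling layer itself. The same allow-list can be set process-wide with the `jdk.serialFilter` system property, in which case it must also admit the classes RMI itself marshals (stubs, `ObjID`, lease objects), so test it against real traffic before deploying.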
@ghsecuritylab
Collaborator

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@artem-smotrakov
Author

FYI I wrote a short blog post about the query.

@ghsecuritylab
Collaborator

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
SecLab review > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@xcorail
Contributor

xcorail commented Jun 22, 2021

Created Hackerone report 1241579 for bounty 313175 : [358] Java: CodeQL query for unsafe RMI deserialization

@xcorail xcorail closed this as completed Jun 22, 2021
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed
