Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/artem-smotrakov/cve-2016-1000027-poc

PoC for CVE-2016-1000027
https://github.com/artem-smotrakov/cve-2016-1000027-poc

cve-2016-1000027 deserialization java poc security serialization spring-boot spring-framework vulnerability vulnerable-server

Last synced: about 1 month ago
JSON representation

PoC for CVE-2016-1000027

Host: GitHub
URL: https://github.com/artem-smotrakov/cve-2016-1000027-poc
Owner: artem-smotrakov
License: mit
Created: 2021-02-01T19:46:51.000Z (almost 4 years ago)
Default Branch: main
Last Pushed: 2021-03-05T21:52:06.000Z (over 3 years ago)
Last Synced: 2024-09-29T00:05:51.001Z (about 2 months ago)
Topics: cve-2016-1000027, deserialization, java, poc, security, serialization, spring-boot, spring-framework, vulnerability, vulnerable-server
Language: Java
Homepage:
Size: 18.6 KB
Stars: 11
Watchers: 1
Forks: 6
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# PoC for CVE-2016-1000027

This is a demo Spring Boolt application that is affected by [CVE-2016-1000027](https://nvd.nist.gov/vuln/detail/CVE-2016-1000027).

# Steps to reproduce the vulnerability

1. Start a vulnerable server `com.gypsyengineer.server.Server`.
2. Run `com.gypsyengineer.client.Exploit`.

The [`Exploit`](client/src/main/java/com/gypsyengineer/client/Exploit.java) class reads `payload.bin` and sends it to the vulnerable server.
`payload.bin` contains a payload generated by [ysoserial](https://github.com/frohoff/ysoserial).
The current `payload.bin` is `CommonsCollections5` that runs `gedit`:

```
java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 gedit > payload.bin
```

# How to fix an application that is affected by CVE-2016-1000027

The issue has not been fixed in Spring Framework. See https://github.com/spring-projects/spring-framework/issues/24434

Here is what can be done on application side.

1. The best way is to stop using `HttpInvokerServiceExporter` and `RemoteInvocationSerializingExporter` classes.
They are already deprecated and will likely be remove in next versions of Spring Framework.
2. Do not accept untrusted data in the endpoints that are based on these vulnerable classes.
3. Use serialization filters that were introduced by JEP 290.

# Links

1. [[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization](https://www.tenable.com/security/research/tra-2016-20)
1. [OWASP: Deserialization of untrusted data](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data)
1. The application is based on [this](https://github.com/eugenp/tutorials/tree/master/spring-remoting/remoting-http).