Entity provider selection confusion attacks in JAX-RS applications
Mikhail Egorov
About me
• Security researcher, bug hunter
• Application security engineer at Odin [ Ingram Micro Cloud ]
• @0ang3el
• http://0ang3el.blogspot.com
• http://www.slideshare.net/0ang3el
What is JAX-RS?
• Java API for creating RESTful web services
• Part of Java EE since Java EE 6
• JAX-RS 2.0 [ https://jcp.org/aboutJava/communityprocess/final/jsr339/index.html ]
• RESTEasy [ Red Hat ] , Jersey [ Oracle ]
What are RESTful web services?
• RESTful web services are based on the REST architectural style
• Some features
• Resource identification through URIs
• Uniform interface
• Self-descriptive messages
• Stateful interactions through hyperlinks (application state lives in the exchanged representations and links, not in server-side sessions)
Simple RESTful web service built w/ JAX-RS
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("helloworld")
public class HelloWorldResource {
    public static final String CLICHED_MESSAGE = "Hello World!";

    @GET
    @Produces("text/plain")
    public String getHello() {
        return CLICHED_MESSAGE;
    }
}
Passing parameters to resource method
• Annotated parameters
• @PathParam
• @QueryParam
• @FormParam
• @HeaderParam
• @CookieParam
• @MatrixParam
• Entity parameter – the single parameter without a parameter annotation; it receives the unmarshalled request body
Passing parameters to resource method
• @QueryParam example
@GET
@Path("/order")
public String getOrder(@QueryParam("id") String id) {
    ...
}
• Entity parameter example (the request body is unmarshalled into an Order)
@PUT
@Path("/order")
public void putOrder(Order order) {
    ...
}
Entity parameters
• Unmarshalling – the process of converting the message body into the Java
object that is passed as the entity parameter of the resource method
• Entity providers are used for marshalling/unmarshalling
Entity providers
• Entity providers – special Java classes
• Annotated with @Provider
• Implement javax.ws.rs.ext.MessageBodyReader [ isReadable(), readFrom() ]
• The runtime asks each candidate provider isReadable(); an entity provider is selected based on
• Content type(s) declared with the @Consumes annotation on the resource or resource method
• Content-Type HTTP header of the request (attacker-controlled)
• Java class of the entity parameter
• There are interesting built-in entity providers
Automated scanning for entity providers
• Jersey scans WEB-INF/lib for entity providers
• RESTEasy by default scans WEB-INF/lib for entity providers; the
resteasy.scan.providers parameter does not switch this off
[ https://issues.jboss.org/browse/RESTEASY-1504 ]
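Because providers are picked up by scanning, the set of MessageBodyReaders that can be reached from a request is not obvious from the application code. The following diagnostic resource is an added example, not code from the talk or from RESTEasy/Jersey: it uses the standard javax.ws.rs.ext.Providers API to ask the running JAX-RS container which reader would be selected for a Serializable entity parameter under a handful of media types. The resource path, the SampleEntity class and the list of media types are assumptions; application/x-kryo is the media type used by the jersey-media-kryo module, application/x-java-serialized-object the one used by RESTEasy's SerializableProvider. Deploy it only in a test environment.

```java
import java.io.Serializable;
import java.lang.annotation.Annotation;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Providers;

// Hypothetical diagnostic resource (test deployments only).
@Path("/_audit/readers")
public class ReaderAuditResource {

    // Stand-in for a real entity class such as the talk's Pair.
    public static class SampleEntity implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Media types worth checking (assumed list). The first two are the ones
    // that select a deserializing provider if it is on the classpath.
    static final String[] MEDIA_TYPES = {
        "application/x-java-serialized-object", // RESTEasy SerializableProvider
        "application/x-kryo",                   // jersey-media-kryo
        "application/xml",
        "application/json"
    };

    @Context
    private Providers providers;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String audit() {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String> e : resolve(providers).entrySet()) {
            out.append(e.getKey()).append(" -> ").append(e.getValue()).append('\n');
        }
        return out.toString();
    }

    // For each media type, perform the same isReadable()-based lookup the
    // container performs for a real request whose Content-Type is that value
    // and whose entity parameter type is SampleEntity.
    static Map<String, String> resolve(Providers providers) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String mt : MEDIA_TYPES) {
            MessageBodyReader<SampleEntity> reader = providers.getMessageBodyReader(
                SampleEntity.class, SampleEntity.class, new Annotation[0], MediaType.valueOf(mt));
            result.put(mt, reader == null ? "(no reader)" : reader.getClass().getName());
        }
        return result;
    }
}
```

Any line in the output that names a serialization or Kryo provider for a class you did not intend to deserialize is a reader an attacker can reach by setting Content-Type, unless every resource method taking that class is constrained with @Consumes.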
Entity provider selection confusion attack
• The attacker selects an entity provider that was never intended for
unmarshalling the request, simply by manipulating the Content-Type header of
the HTTP request
Entity provider selection confusion attack
• Occurs when the resource or resource method does not specify the expected
content type via the @Consumes annotation
• Or specifies it too permissively
• */*
• application/*
• And in some cases when the declared content type is
• multipart/*
• multipart/form-data
• etc. (the parts of a multipart body are unmarshalled through the same provider selection)
Entity provider selection confusion attack
• Impact of attack
• RCE
• DoS
• CSRF
• XXE
• etc
Attack for RESTEasy [ CVE-2016-7050 ]
• RESTEasy by default registers the SerializableProvider entity provider
• Vulnerable resource method doConcat(): no @Consumes, and the entity class is Serializable
@POST
@Path("/concat")
@Produces(MediaType.APPLICATION_JSON)
public Map doConcat(Pair pair) {
    HashMap result = new HashMap();
    result.put("Result", pair.getP1() + pair.getP2());
    return result;
}

public class Pair implements Serializable {
    ...
}
Attack for RESTEasy [ CVE-2016-7050 ]
• isReadable() method of SerializableProvider
public boolean isReadable(Class type, Type genericType, Annotation[] annotations,
                          MediaType mediaType) {
    return (Serializable.class.isAssignableFrom(type)) &&
           (APPLICATION_SERIALIZABLE_TYPE.getType().equals(mediaType.getType())) &&
           (APPLICATION_SERIALIZABLE_TYPE.getSubtype().equals(mediaType.getSubtype()));
}
• SerializableProvider is selected when Content-Type is application/x-java-serialized-object and the Java class of the entity parameter is Serializable
Attack for RESTEasy [ CVE-2016-7050 ]
• readFrom() method of SerializableProvider: the request body goes straight into ObjectInputStream.readObject()
public Serializable readFrom(Class type, Type genericType, Annotation[] annotations,
                             MediaType mediaType, MultivaluedMap httpHeaders,
                             InputStream entityStream)
        throws IOException, WebApplicationException {
    BufferedInputStream bis = new BufferedInputStream(entityStream);
    ObjectInputStream ois = new ObjectInputStream(bis);
    try {
        return (Serializable) Serializable.class.cast(ois.readObject());
    } catch (ClassNotFoundException e) {
        throw new WebApplicationException(e);
    }
}
Attack for Jersey
• Jersey ships the jersey-media-kryo entity provider, which deserializes Kryo-encoded bodies
• Vulnerable resource method doShowSize(): again no @Consumes
@POST
@Path("/size")
@Produces(MediaType.APPLICATION_JSON)
public Map<String, String> doShowSize(ArrayList<Pair> pairs) {
    HashMap<String, String> result = new HashMap<String, String>();
    result.put("Count", String.valueOf(pairs.size()));
    return result;
}
Attack for Jersey
• DoS payload - https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Takeaways
• Narrow the accepted content types of each resource or resource method with the
@Consumes annotation
• Use multipart/*, multipart/form-data, etc. content types with caution
• Java deserialization bugs exist not only in RMI/JMX/JMS
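A hardened version of the doConcat() resource, as an added example that is not part of the talk: @Consumes(MediaType.APPLICATION_JSON) limits provider selection to a JSON reader, so a request carrying Content-Type: application/x-java-serialized-object is rejected with 415 Unsupported Media Type during request matching and never reaches SerializableProvider. The second class is a defence-in-depth @PreMatching filter that refuses the two deserializing media types for the whole application, which covers resource methods someone forgets to annotate. The class names, the Pair fields and the blocked-type list are assumptions; the two classes belong in separate source files; a JSON provider (for example Jackson) must be on the classpath for the JSON reader to exist.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// File 1: ConcatResource.java (hypothetical hardened resource)
@Path("/concat")
public class ConcatResource {

    // Still Serializable, as in the talk; the fix is in provider selection,
    // not in the entity class.
    public static class Pair implements Serializable {
        private static final long serialVersionUID = 1L;
        public String p1;
        public String p2;
        public String getP1() { return p1; }
        public String getP2() { return p2; }
    }

    // @Consumes restricts which MessageBodyReader can match this method:
    // only readers for application/json are considered, so the attacker's
    // Content-Type no longer chooses the provider.
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, String> doConcat(Pair pair) {
        Map<String, String> result = new HashMap<>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }
}

// File 2: DeserializationMediaTypeFilter.java (hypothetical global filter)
@Provider
@PreMatching
class DeserializationMediaTypeFilter implements ContainerRequestFilter {

    // Assumed block list: media types that select deserializing providers.
    static final Set<String> BLOCKED = new HashSet<>(Arrays.asList(
        "application/x-java-serialized-object", // RESTEasy SerializableProvider
        "application/x-kryo"                    // jersey-media-kryo
    ));

    // Compare type/subtype only, so parameters such as ";charset=utf-8"
    // cannot be used to slip past the check.
    static boolean isBlocked(MediaType mediaType) {
        if (mediaType == null) {
            return false; // no body or no Content-Type: nothing to deserialize
        }
        String key = mediaType.getType().toLowerCase() + "/" + mediaType.getSubtype().toLowerCase();
        return BLOCKED.contains(key);
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        if (isBlocked(ctx.getMediaType())) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                .entity("media type not accepted")
                .build());
        }
    }
}
```

The filter is a safety net, not a substitute for @Consumes: it only knows about the media types you list, whereas @Consumes on every resource method turns the selection around so that only the providers you expect can ever be chosen. Removing SerializableProvider or jersey-media-kryo from the deployment altogether is the third layer when the application has no legitimate use for them.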