|
| 1 | +<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd"> |
| 2 | +<qhelp> |
| 3 | + |
| 4 | +<overview> |
| 5 | +<p> |
| 6 | +Java RMI uses the default Java serialization mechanism (in other words, <code>ObjectInputStream</code>) |
| 7 | +to pass parameters in remote method invocations. This mechanism is known to be unsafe when deserializing |
| 8 | +untrusted data. If a registered remote object has a method that accepts a complex object, |
| 9 | +an attacker can take advantage of the unsafe deserialization mechanism. |
| 10 | +In the worst case, it results in remote code execution. |
| 11 | +</p> |
| 12 | +</overview> |
| 13 | + |
| 14 | +<recommendation> |
| 15 | +<p> |
| 16 | +Use only strings and primitive types in parameters of remote objects. |
| 17 | +</p> |
| 18 | +<p> |
| 19 | +Java RMI does not offer API for specifying classes which are only allowed for deserialization. |
| 20 | +However, it is possible to set a process-wide deserialization filter that was introduced in JEP 290. |
| 21 | +The filter can be set via system or security property <code>jdk.serialFilter</code>. |
| 22 | +Make sure that you use the latest Java versions that include JEP 290. |
| 23 | +</p> |
| 24 | +<p> |
| 25 | +Consider using other implementations of remote procedure calls. For example, HTTP API with JSON. |
| 26 | +Make sure that the underlying deserialization mechanism is properly configured |
| 27 | +so that deserialization attacks are not possible. |
| 28 | +</p> |
| 29 | +</recommendation> |
| 30 | + |
| 31 | +<example> |
| 32 | +<p> |
| 33 | +The following code registers a vulnerable remote object |
| 34 | +which has a method that accepts a complex object: |
| 35 | +</p> |
| 36 | +<sample src="RmiUnsafeRemoteObject.java" /> |
| 37 | + |
| 38 | +<p> |
| 39 | +The next example registers a safe remote object |
| 40 | +which has methods that use only primitive types and strings: |
| 41 | +</p> |
| 42 | +<sample src="RmiSafeRemoteObject.java" /> |
| 43 | + |
| 44 | +</example> |
| 45 | + |
| 46 | +<references> |
| 47 | +<li> |
| 48 | +Oracle: |
| 49 | +<a href="https://www.oracle.com/java/technologies/javase/remote-method-invocation-home.html">Remote Method Invocation (RMI)</a>. |
| 50 | +</li> |
| 51 | +<li> |
| 52 | +ITNEXT: |
| 53 | +<a href="https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d">Java RMI for pentesters part two — reconnaissance & attack against non-JMX registries</a>. |
| 54 | +</li> |
| 55 | +<li> |
| 56 | +MOGWAI LABS: |
| 57 | +<a href="https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290/">Attacking Java RMI services after JEP 290</a> |
| 58 | +</li> |
| 59 | +<li> |
| 60 | +OWASP: |
| 61 | +<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>. |
| 62 | +</li> |
| 63 | +<li> |
| 64 | +OpenJDK: |
| 65 | +<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a> |
| 66 | +</li> |
| 67 | +</references> |
| 68 | +</qhelp> |
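Review bot: The recommendation in the `<recommendation>` block (lines 19-22 of the file) is the one readers will act on, and its wording undersells the JEP 290 option while the grammar is off: "does not offer API for specifying classes which are only allowed for deserialization" should read "does not offer an API for restricting which classes may be deserialized", and "set a process-wide deserialization filter that was introduced in JEP 290" should state plainly that JEP 290 introduced serialization filters and that the process-wide one is configured through the `jdk.serialFilter` system or security property. The sentence "For example, HTTP API with JSON." on line 25 is a fragment; fold it into the previous sentence ("for example, an HTTP API with JSON payloads"). In the `<references>` list the entries are punctuated inconsistently (the MOGWAI LABS and OpenJDK items lack the trailing period the others have); pick one style for all five.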