nippy

History

Peter Taoussanis 61fb009fdd [BREAKING] [Security] Fix RCE vulnerability Fix a Remote Code Execution (RCE) vulnerability identified in an excellent report by Timo Mihaljov (@solita-timo-mihaljov). You are vulnerable iff both: 1. You are using Nippy to serialize and deserialize data from an UNTRUSTED SOURCE. 2. You have a vulnerable ("gadget") class on your classpath. Notably Clojure <= 1.8 includes such a class [1]. Many other libraries do too, some examples at [2]. To prevent this risk, a Serialization whitelist has been added. Any classes not explicitly authorized by the whitelist to use Serialization will NOT be permitted to. The default whitelist is EMPTY, meaning this is a BREAKING change iff you make use of Nippy's Serialization support. In this case, you'll need to update the whitelist for your needs. For more info see the `serializable-whitelist` docstring. [1] https://clojure.atlassian.net/browse/CLJ-2204 [2] https://github.com/frohoff/ysoserial Further info below provided by Timo: ------------------------------------ Deserialization vulnerabilities are exploited by constructing objects of classes whose constructors perform some action that's useful to the attacker. A class like this is called a gadget, and a collection of such classes that can be combined to reach the attacker's goal is called a gadget chain. There are three prerequisites for exploiting a deserialization vulnerability: 1) The attacker must be able to control the deserialized data, for example, by gaining write access to the data store where trusted parties serialize data or by exploiting some other vulnerability on the other end of a communications channel. 2) The deserializer must construct objects of classes specified in the serialized data. In other words, the attacker must have full control over which classes get instantiated. 3) The classpath must contain gadgets that can be combined into a gadget chain. The vulnerable code is in Nippy's function `read-serializable`, which calls the `readObject` method of `ObjectInputStream`. I have only tested the PoC with the latest stable version, 2.14.0, but looking at Nippy's Git history, I believe all versions starting with the following commit are vulnerable: commit `9448d2b3ce` [Thu Oct 24 13:47:25 2013 +0700] For a user to be affected, they must: 1) use Nippy to serialize untrusted input, and 2) have a gadget chain on their classpath. I suspect (but haven't verified) that using Nippy's encryption feature prevents exploitation in some cases, but if it's used to encrypt the communications between two systems, one compromised endpoint could send encrypted but attacker-controlled data to the other. Ysoserial [4] contains a list of some Java libraries with known gadget chains. If any of those libraries can be found on the user's classpath, they are known to be vulnerable. (Ysoserial's list is not exhaustive, so even if a user doesn't have these particular libraries on their classpath, they may still have some other gadget chains loaded.) Unfortunately Clojure versions before 1.9 contained a gadget chain in the standard library [5][6], so all Nippy users running Clojure 1.8 or earlier are vulnerable. (Note that users of later Clojure versions may or may not be vulnerable, depending on whether they have gadget chains from other libraries on their classpath.) [4] https://github.com/frohoff/ysoserial [5] https://groups.google.com/forum/#!msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ [6] https://clojure.atlassian.net/browse/CLJ-2204	2020-07-24 18:17:25 +02:00
..
nippy/tests	[BREAKING] [Security] Fix RCE vulnerability	2020-07-24 18:17:25 +02:00

Peter Taoussanis 61fb009fdd [BREAKING] [Security] Fix RCE vulnerability

Fix a Remote Code Execution (RCE) vulnerability identified in an
excellent report by Timo Mihaljov (@solita-timo-mihaljov).

You are vulnerable iff both:

  1. You are using Nippy to serialize and deserialize data from an
     UNTRUSTED SOURCE.

  2. You have a vulnerable ("gadget") class on your classpath.
     Notably Clojure <= 1.8 includes such a class [1].
     Many other libraries do too, some examples at [2].

To prevent this risk, a Serialization whitelist has been added.
Any classes not *explicitly* authorized by the whitelist to use
Serialization will NOT be permitted to.

The default whitelist is EMPTY, meaning this is a BREAKING
change iff you make use of Nippy's Serialization support. In
this case, you'll need to update the whitelist for your needs.

For more info see the `*serializable-whitelist*` docstring.

[1] https://clojure.atlassian.net/browse/CLJ-2204
[2] https://github.com/frohoff/ysoserial

Further info below provided by Timo:
------------------------------------

Deserialization vulnerabilities are exploited by constructing objects of classes
whose constructors perform some action that's useful to the attacker. A class like
this is called a gadget, and a collection of such classes that can be combined to
reach the attacker's goal is called a gadget chain.

There are three prerequisites for exploiting a deserialization vulnerability:

  1) The attacker must be able to control the deserialized data, for example,
     by gaining write access to the data store where trusted parties serialize
     data or by exploiting some other vulnerability on the other end of a
     communications channel.

  2) The deserializer must construct objects of classes specified in the
     serialized data. In other words, the attacker must have full control over
     which classes get instantiated.

  3) The classpath must contain gadgets that can be combined into a gadget chain.

The vulnerable code is in Nippy's function `read-serializable`, which calls the
`readObject` method of `ObjectInputStream`.

I have only tested the PoC with the latest stable version, 2.14.0, but looking at
Nippy's Git history, I believe all versions starting with the following commit
are vulnerable:

    commit 9448d2b3ce
    [Thu Oct 24 13:47:25 2013 +0700]

For a user to be affected, they must:

  1) use Nippy to serialize untrusted input, and
  2) have a gadget chain on their classpath.

I suspect (but haven't verified) that using Nippy's encryption feature prevents
exploitation in some cases, but if it's used to encrypt the communications between
two systems, one compromised endpoint could send encrypted but
attacker-controlled data to the other.

Ysoserial [4] contains a list of some Java libraries with known gadget chains.
If any of those libraries can be found on the user's classpath, they are known
to be vulnerable. (Ysoserial's list is not exhaustive, so even if a user doesn't
have these particular libraries on their classpath, they may still have some
other gadget chains loaded.)

Unfortunately Clojure versions before 1.9 contained a gadget chain in the
standard library [5][6], so all Nippy users running Clojure 1.8 or earlier
are vulnerable. (Note that users of later Clojure versions may or may not
be vulnerable, depending on whether they have gadget chains from other
libraries on their classpath.)

[4] https://github.com/frohoff/ysoserial
[5] https://groups.google.com/forum/#!msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ
[6] https://clojure.atlassian.net/browse/CLJ-2204

2020-07-24 18:17:25 +02:00

nippy/tests [BREAKING] [Security] Fix RCE vulnerability 2020-07-24 18:17:25 +02:00