Bug Pattern: JACKSON_UNSAFE_DESERIALIZATION

When the Jackson databind library is used incorrectly, deserialization of untrusted data can lead to remote code execution if a class on the classpath can be used to trigger a malicious operation (a deserialization gadget).

Solutions:

When using polymorphism, explicitly define which types and subtypes may be instantiated by using JsonTypeInfo.Id.NAME. Also, never call ObjectMapper.enableDefaultTyping and then readValue a type that holds a property typed as Object, Serializable, Comparable, or another type known to be reachable by deserialization gadgets.

Code at risk:

  import java.io.IOException;

  import com.fasterxml.jackson.annotation.JsonTypeInfo;
  import com.fasterxml.jackson.databind.ObjectMapper;

  public class Example {
      static class ABean {
          public int id;
          public Object obj; // once default typing is on, the JSON decides which class this becomes
      }
      static class AnotherBean {
          @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) // or JsonTypeInfo.Id.MINIMAL_CLASS: the JSON carries the class name
          public Object obj;
      }
      public void example(String json) throws IOException {
          ObjectMapper mapper = new ObjectMapper();
          mapper.enableDefaultTyping(); // global default typing: any class on the classpath can be instantiated
          mapper.readValue(json, ABean.class);
      }
      public void exampleTwo(String json) throws IOException {
          ObjectMapper mapper = new ObjectMapper();
          mapper.readValue(json, AnotherBean.class); // no default typing needed; the annotation already trusts the class name
      }
  }
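The hardened counterpart of AnotherBean, written as an added example (not code from the Find Security Bugs page or the Jackson project): logical type names with an explicit allowlist of subtypes via JsonTypeInfo.Id.NAME and @JsonSubTypes, and no enableDefaultTyping. The Shape, Circle, Square and SafeBean classes and both JSON inputs are constructed for this illustration.

```java
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class SafePolymorphism {

    // Logical names, not class names, identify the subtype on the wire,
    // and only the listed subtypes can ever be instantiated.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape { }

    @JsonTypeName("circle")
    static class Circle implements Shape { public double radius; }

    @JsonTypeName("square")
    static class Square implements Shape { public double side; }

    static class SafeBean {
        public int id;
        public Shape obj; // was Object in the code at risk; now restricted to Circle or Square
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper(); // note: no enableDefaultTyping()

        // Constructed sample input: the logical name "circle" resolves to Circle.
        String ok = "{\"id\":1,\"obj\":{\"type\":\"circle\",\"radius\":2.5}}";
        SafeBean bean = mapper.readValue(ok, SafeBean.class);
        System.out.println("accepted: " + bean.obj.getClass().getSimpleName());

        // Constructed input with a type id that is not in the allowlist: Jackson
        // rejects it instead of resolving the string to a class on the classpath.
        String unknown = "{\"id\":2,\"obj\":{\"type\":\"not-a-registered-name\",\"x\":1}}";
        try {
            mapper.readValue(unknown, SafeBean.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```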

References
Jackson Deserializer security vulnerability
Java Unmarshaller Security - Turning your data into code execution

Bug Pattern: DESERIALIZATION_GADGET

This class could be used as a deserialization gadget.

A deserialization gadget is a class that an attacker could use to take advantage of a remote API that relies on native Java serialization. Such a class either adds custom behavior to deserialization through the readObject method (Serializable) or can be invoked from a serialized object (InvocationHandler).

This detector is intended mostly for researchers. The real issue is using native deserialization for remote operations. Removing gadgets is a hardening practice that reduces the risk of being exploited.

References
CWE-502: Deserialization of Untrusted Data
Deserialization of untrusted data
Serialization and Deserialization
A tool for generating payloads that exploit unsafe Java object deserialization
[1] Example of Denial of Service using the class java.util.HashSet
[2] OpenJDK: Deserialization issue in ObjectInputStream.readSerialData() (CVE-2015-2590)
[3] Rapid7: Sun Java Calendar Deserialization Privilege Escalation (CVE-2008-5353)