Java: CodeQL query for unsafe RMI deserialization #358
Description
Query
CVE ID(s)
Report
RMI uses the default Java serialization mechanism (in other words, ObjectInputStream) to pass parameters in remote method invocations. If a remote method accepts complex parameters, then a remote attacker can send a malicious serialized object as one of the parameters. The malicious object gets deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely.
You can find more details about this attack in the following articles:
- Attacking Java RMI services after JEP 290
- Java RMI for pentesters part two — reconnaissance & attack against non-JMX registries
I'd like to propose a new experimental query that looks for deserialization vulnerabilities in remote objects registered in am RMI registry.
- Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
I am planning to write a blog post about detecting such issues.
I wrote a short blog post about the query.