One Article Review

Source: Code White
Identifier: 352358
Publication date: 2017-04-04 16:01:07 (viewed: 2017-04-04 16:01:07)
Title: AMF – Another Malicious Format
Text:

AMF is a binary serialization format primarily used by Flash applications. Code White has found that several Java AMF libraries contain vulnerabilities which result in unauthenticated remote code execution. As AMF is widely used, these vulnerabilities may affect products of numerous vendors, including Adobe, Atlassian, HPE, SonicWall, and VMware. Vulnerability disclosure has been coordinated with US CERT (see US CERT VU#307983).

Summary

Code White has analyzed the following popular Java AMF implementations:
- Flex BlazeDS by Adobe (retired; Adobe contributed Flex to the Apache Software Foundation in 2011)
- Flex BlazeDS by Apache
- Flamingo AMF Serializer by Exadel (discontinued)
- GraniteDS (discontinued?)
- WebORB for Java by Midnight Coders

Each of these has been found to be affected by one or more of the following vulnerabilities:
- XML external entity resolution (XXE)
- Creation of arbitrary objects and setting of properties
- Java deserialization via RMI

The former two vulnerabilities are not completely new.[1] But we found that other implementations are also vulnerable. Finally, a way to turn a design flaw common to all implementations into a Java deserialization vulnerability has been discovered.

Implementation                    XXE   JavaBeans Setters   Deserialization via RMI
Adobe Flex BlazeDS 4.6.0.23207    ☒     ☐                   ☒
Apache Flex BlazeDS 4.7.2         ☐     ☐                   ☒
Flamingo AMF Serializer 2.2.0     ☒     ☒                   ☒
GraniteDS 3.1.1.GA                ☒     ☒                   ☒
WebORB for Java 5.1.0.0           ☒     ☒                   ☒

We'll get into details later, except for the XXE. If you're looking for details on that, have a look at our previous blog post "CVE-2015-3269: Apache Flex BlazeDS XXE Vulnerability".

Introduction

The Action Message Format version 3 (AMF3) is a binary message format mainly used by Flash applications for communicating with the back end. Like JSON, it supports different kinds of basic data types. For backwards compatibility, AMF3 is implemented as an extension of the original AMF (often referred to as AMF0), with AMF3 being a newly introduced AMF0 object type.
One of the new features of AMF3 objects is the addition of two certain characteristics, so-called traits: […] ActionScript 3.0 introduces two furthe
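The AMF0-to-AMF3 framing and the typed-object traits described in the introduction above, as an added example that is not part of the original post and is neither Code White's code nor the API of any of the libraries named in the summary. The decoder follows the AMF0 AVMPLUS marker (0x11) into AMF3, reads the U29 varint, strings (with the string reference table), integers and typed objects, and surfaces the two trait fields a Java AMF deserializer acts on: the class name and the externalizable flag. Both are chosen by the client, which is the design point behind the arbitrary-object and RMI findings; the decoder therefore takes an optional allowlist and rejects an unregistered class name at the moment the traits are read, before anything would be instantiated or any setter or readExternal() called. The class names, the allowlist and the message bytes are constructed for this example; it also handles dynamic members and trait references, which the excerpt above only alludes to.

```python
"""Minimal AMF0/AMF3 decoder for the typed-object case discussed on this page.
Added example: not Code White's code nor any library's API; names and bytes are constructed."""

AMF3_INTEGER, AMF3_STRING, AMF3_OBJECT = 0x04, 0x06, 0x0A  # AMF3 type markers used here
AMF0_AVMPLUS = 0x11  # AMF0 marker: the value that follows is AMF3-encoded


class AMF3Decoder:
    """Decodes one AMF3 value. With `allowed` set, a typed object naming any other class
    is rejected as soon as its traits are read, i.e. before a server would instantiate it."""

    def __init__(self, data: bytes, allowed=None):
        self.data, self.pos, self.allowed = data, 0, allowed
        self.strings = []  # string reference table
        self.traits = []   # traits reference table

    def _byte(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b

    def read_u29(self) -> int:
        """U29: up to three 7-bit bytes (high bit = more follows), then one full byte."""
        value = 0
        for _ in range(3):
            b = self._byte()
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value
        return (value << 8) | self._byte()

    def read_string(self) -> str:
        ref = self.read_u29()
        if not ref & 1:                      # low bit 0: reference into the table
            return self.strings[ref >> 1]
        length = ref >> 1
        s = self.data[self.pos:self.pos + length].decode("utf-8")
        self.pos += length
        if s:                                # "" is never added to the table
            self.strings.append(s)
        return s

    def read_value(self):
        marker = self._byte()
        if marker == AMF3_INTEGER:           # 29-bit two's complement
            v = self.read_u29()
            return v - 0x20000000 if v & 0x10000000 else v
        if marker == AMF3_STRING:
            return self.read_string()
        if marker == AMF3_OBJECT:
            return self.read_object()
        raise ValueError(f"marker 0x{marker:02x} not handled in this example")

    def read_object(self) -> dict:
        ref = self.read_u29()
        if not ref & 1:
            raise ValueError("object references not handled in this example")
        if not ref & 2:                      # bit 1 clear: traits by reference
            traits = self.traits[ref >> 2]
        else:
            class_name = self.read_string()  # chosen entirely by the client
            if self.allowed is not None and class_name and class_name not in self.allowed:
                raise ValueError(f"class {class_name!r} is not registered for AMF")
            traits = {"class_name": class_name, "externalizable": bool(ref & 4),
                      "dynamic": bool(ref & 8),
                      "members": [self.read_string() for _ in range(ref >> 4)]}
            self.traits.append(traits)
        obj = {"class_name": traits["class_name"],
               "externalizable": traits["externalizable"], "properties": {}}
        if traits["externalizable"]:
            # The spec hands the remaining body to the class's own readExternal():
            # with an unchecked class name this is an arbitrary-class entry point.
            obj["properties"]["<externalizable body>"] = self.data[self.pos:]
            self.pos = len(self.data)
            return obj
        for name in traits["members"]:       # sealed members: what setters receive
            obj["properties"][name] = self.read_value()
        if traits["dynamic"]:                # name/value pairs terminated by ""
            while (name := self.read_string()) != "":
                obj["properties"][name] = self.read_value()
        return obj


def decode_message(data: bytes, allowed=None):
    """Decode an AMF0-framed value; only the AVMPLUS switch into AMF3 is handled."""
    if not data or data[0] != AMF0_AVMPLUS:
        raise ValueError("this example only handles AMF0 AVMPLUS (0x11) framing")
    return AMF3Decoder(data[1:], allowed).read_value()


def _amf3_str(s: str) -> bytes:
    """Inline AMF3 string for the samples (length < 64, so the U29 is one byte)."""
    b = s.encode("utf-8")
    return bytes([(len(b) << 1) | 1]) + b


# Sample 1: sealed typed object; traits byte 0x23 = inline object | inline traits | 2 members.
SAMPLE_TYPED = (bytes([AMF0_AVMPLUS, AMF3_OBJECT, 0x23])
                + _amf3_str("com.example.Account") + _amf3_str("id") + _amf3_str("name")
                + bytes([AMF3_INTEGER, 0x2A]) + bytes([AMF3_STRING]) + _amf3_str("alice"))
# Sample 2: externalizable bit set (traits byte 0x07, no members); the bytes after the
# class name are whatever that class's readExternal() would consume.
SAMPLE_EXTERNALIZABLE = (bytes([AMF0_AVMPLUS, AMF3_OBJECT, 0x07])
                         + _amf3_str("com.example.NotOnAllowlist") + b"\x00\x01\x02")
ALLOWED_CLASSES = {"com.example.Account"}  # constructed server-side registration
```

Calling decode_message(SAMPLE_TYPED) yields the class name and the two sealed properties a server would push through setters; decode_message(SAMPLE_EXTERNALIZABLE) shows that the only thing standing between the client and readExternal() of whatever class it named is the check on that name, and decode_message(SAMPLE_EXTERNALIZABLE, ALLOWED_CLASSES) raises before any body is touched. Because read_value() recurses into read_object(), the allowlist is also applied to objects nested inside members; a production decoder would additionally need object references, arrays, dates and byte arrays, which are left out here.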
Sent: Yes

The article does not appear to have been picked up again after its publication.


The article does not appear to have been taken from a previous one.