Closed artem-smotrakov closed 3 years ago
Your submission is now in status SecLab review.
For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed
Your submission is now in status CodeQL review.
For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed
FYI I wrote a short blog post about the query.
Your submission is now in status SecLab finalize.
For information, the evaluation workflow is the following: SecLab review > FP Check > CodeQL review > SecLab finalize > Pay > Closed
Your submission is now in status Pay.
For information, the evaluation workflow is the following: SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed
Created Hackerone report 1241579 for bounty 313175 : [358] Java: CodeQL query for unsafe RMI deserialization
Your submission is now in status Closed.
For information, the evaluation workflow is the following: SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed
Query
https://github.com/github/codeql/pull/5818
CVE ID(s)
Report
RMI uses the default Java serialization mechanism (in other words, ObjectInputStream) to pass parameters in remote method invocations. If a remote method accepts complex parameters, then a remote attacker can send a malicious serialized object as one of the parameters. The malicious object gets deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely.
You can find more details about this attack in the following articles:
I'd like to propose a new experimental query that looks for deserialization vulnerabilities in remote objects registered in an RMI registry.
~~I am planning to write a blog post about detecting such issues.~~
I wrote a short blog post about the query.
Result(s)
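Added illustration, not part of the submission above or of the query's results: a minimal Java RMI server showing the pattern the report describes (a remote method that takes a non-primitive parameter, which the server deserializes from whatever the caller sends) together with the standard mitigation, a JEP 290 deserialization filter that allow-lists only the types the interface needs. The `Greeter` interface, its implementation and the port are constructed for this example.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Map;

public class RmiFilterDemo {

    // Pattern the query looks for: a remote method with a non-primitive
    // parameter. RMI reads the argument with ObjectInputStream, so the
    // declared type does not constrain what a client actually sends.
    public interface Greeter extends Remote {
        String greet(Map<String, String> attrs) throws RemoteException;
    }

    public static final class GreeterImpl implements Greeter {
        @Override
        public String greet(Map<String, String> attrs) {
            return "hello " + attrs.getOrDefault("name", "anonymous");
        }
    }

    // Mitigation: a process-wide deserialization filter (JEP 290, Java 9+).
    // The pattern uses the jdk.serialFilter syntax: allow-list the concrete
    // classes a legitimate call needs, bound the object graph, and reject
    // every other class with "!*". The same pattern can be supplied without
    // code changes via -Djdk.serialFilter=... on the command line.
    static ObjectInputFilter buildFilter() {
        String pattern = String.join(";",
            "java.util.HashMap",   // the Map implementation clients may send
            "java.lang.String",    // keys and values
            "maxdepth=10",         // limits deeply nested graphs
            "maxrefs=1000",        // limits total objects per stream
            "!*");                 // everything else is rejected
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    public static void main(String[] args) throws Exception {
        // The filter must be installed before any ObjectInputStream is
        // created in this JVM, i.e. before the remote object is exported.
        ObjectInputFilter.Config.setSerialFilter(buildFilter());

        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(new GreeterImpl(), 0);
        Registry registry = LocateRegistry.createRegistry(1099); // constructed port
        registry.rebind("greeter", stub);
        System.out.println("greeter bound; deserialization filter active");
    }
}
```

With the filter installed, a serialized object of any class outside the allow-list sent as the `attrs` argument is rejected with an `InvalidClassException` before its `readObject` runs; without it, the server deserializes the object unchecked, which is the condition the report describes.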