Entity provider selection confusion attacks in JAX-RS applications Mikhail Egorov

Entity provider selection confusion attacks in JAX-RS applications · 2016-12-13 · What is JAX-RS? •RESTful web services are based on REST architectural style •Some features


Page 1: Entity provider selection confusion attacks in JAX-RS applications
Mikhail Egorov

Page 2: About me

• Security researcher, bug hunter
• Application security engineer at Odin [ Ingram Micro Cloud ]
• @0ang3el
• http://0ang3el.blogspot.com
• http://www.slideshare.net/0ang3el

Page 3: What is JAX-RS?

• Java API for creating RESTful web services
• Part of J2EE since J2EE 6
• JAX-RS 2.0 [ https://jcp.org/aboutJava/communityprocess/final/jsr339/index.html ]
• RESTEasy [ Red Hat ] , Jersey [ Oracle ]

Page 4: What are RESTful web services?

• RESTful web services are based on the REST architectural style
• Some features
  • Resource identification through URI
  • Uniform interface
  • Self-descriptive messages
  • Stateful interactions through hyperlinks

Page 5: Simple RESTful web service built w/ JAX-RS

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("helloworld")
public class HelloWorldResource {
    public static final String CLICHED_MESSAGE = "Hello World!";

    @GET
    @Produces("text/plain")
    public String getHello() {
        return CLICHED_MESSAGE;
    }
}

Page 6: Simple RESTful web service built w/ JAX-RS

Page 7: Passing parameters to resource method

• Annotated parameters
  • @PathParam
  • @QueryParam
  • @FormParam
  • @HeaderParam
  • @CookieParam
  • @MatrixParam
• Entity parameters – parameters without annotation

Page 8: Passing parameters to resource method

• @QueryParam example

@GET
@Path("/order")
public String getOrder(@QueryParam("id") String id) {
    ...
}

• Entity parameter example

@Path("/order")
@PUT
public void putOrder(Order order) {
    ...
}

Page 9: Entity parameters

• Unmarshalling – the process of converting message content into a Java object that is passed as a parameter to the resource method
• Entity providers are used for marshalling/unmarshalling

Page 10: Entity providers

• Entity providers – special Java classes
  • Annotated with @Provider
  • Implement javax.ws.rs.ext.MessageBodyReader [ isReadable(), readFrom() ]
• Entity provider is selected based on
  • Content type specified with @Consumes annotation
  • Content-Type HTTP header in request
  • Java class of entity parameter
• There are interesting built-in entity providers
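As an added example (not from the slides), here is a minimal custom entity provider that makes the three selection inputs above concrete: the @Consumes media type on the provider, the request Content-Type handed to isReadable(), and the Java class of the entity parameter. The media type text/x-pair, the body format "p1,p2", the 1 KiB size limit and the Pair class are assumptions made for the illustration; the point is that isReadable() is the gate, and a gate that answers true for too many (class, media type) combinations is what the rest of the deck exploits.

```java
// Added example, not from the slides: a deliberately narrow MessageBodyReader.
// text/x-pair, the "p1,p2" body format and the Pair class are assumptions.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import java.nio.charset.StandardCharsets;

import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;

@Provider
@Consumes("text/x-pair")          // only a candidate for this media type
public class PairReader implements MessageBodyReader<Pair> {

    private static final MediaType PAIR_TYPE = new MediaType("text", "x-pair");
    private static final int MAX_CHARS = 1024;   // refuse oversized bodies early

    // The runtime asks every registered reader this question for the
    // (entity class, request Content-Type) it is trying to satisfy.
    // Answering true too generously is what lets a client steer a body
    // into a reader that was never meant for that parameter.
    @Override
    public boolean isReadable(Class<?> type, Type genericType,
                              Annotation[] annotations, MediaType mediaType) {
        return Pair.class.equals(type)               // exact class, not isAssignableFrom()
            && mediaType != null
            && PAIR_TYPE.isCompatible(mediaType)
            && !mediaType.isWildcardType()           // do not let */* or text/* match
            && !mediaType.isWildcardSubtype();
    }

    @Override
    public Pair readFrom(Class<Pair> type, Type genericType,
                         Annotation[] annotations, MediaType mediaType,
                         MultivaluedMap<String, String> httpHeaders,
                         InputStream entityStream)
            throws IOException, WebApplicationException {
        BufferedReader reader = new BufferedReader(
            new InputStreamReader(entityStream, StandardCharsets.UTF_8));
        StringBuilder body = new StringBuilder();
        char[] buf = new char[256];
        int n;
        while ((n = reader.read(buf)) != -1) {
            body.append(buf, 0, n);
            if (body.length() > MAX_CHARS) {
                throw new BadRequestException("pair body too large");
            }
        }
        String[] parts = body.toString().trim().split(",", -1);
        if (parts.length != 2) {
            throw new BadRequestException("expected exactly one comma");
        }
        return new Pair(parts[0], parts[1]);
    }
}

// Plain data holder. It deliberately does NOT implement Serializable, so a
// deserialization-based provider cannot claim it for this parameter type.
class Pair {
    private final String p1;
    private final String p2;

    Pair(String p1, String p2) {
        this.p1 = p1;
        this.p2 = p2;
    }

    public String getP1() { return p1; }
    public String getP2() { return p2; }
}
```

A resource method taking a Pair parameter and annotated @Consumes("text/x-pair") will only ever reach this reader; the same parameter on a method without @Consumes can be routed to any provider whose isReadable() accepts (Pair.class, Content-Type), which is the confusion the following slides describe.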

Page 11: Automated scanning for entity providers

• Jersey performs WEB-INF/lib scanning for entity providers
• RESTEasy by default performs WEB-INF/lib scanning for entity providers; the resteasy.scan.providers parameter does not work [ https://issues.jboss.org/browse/RESTEASY-1504 ]

Page 12: Entity provider selection confusion attack

• Attacker selects an entity provider which is not intended for unmarshalling by manipulating the Content-Type header of the HTTP request

Page 13: Entity provider selection confusion attack

• Occurs when a resource or resource method does not specify the preferred content type via the @Consumes annotation
• Or specifies it too permissively
  • */*
  • application/*
• And in some cases when the content type is
  • multipart/*
  • multipart/form-data
  • etc

Page 14: Entity provider selection confusion attack

• Impact of attack
  • RCE
  • DoS
  • CSRF
  • XXE
  • etc

Page 15: Attack for RESTEasy [ CVE-2016-7050 ]

• RESTEasy by default has SerializableProvider entity provider
• Vulnerable resource method doConcat()

@POST
@Path("/concat")
@Produces(MediaType.APPLICATION_JSON)
// no @Consumes: any provider whose isReadable() accepts Pair can be selected
public Map doConcat(Pair pair) {
    HashMap result = new HashMap();
    result.put("Result", pair.getP1() + pair.getP2());
    return result;
}

public class Pair implements Serializable {
    ...
}

Page 16: Attack for RESTEasy [ CVE-2016-7050 ]

• isReadable() method of SerializableProvider
• SerializableProvider is used when Content-Type is application/x-java-serialized-object and the Java class of the entity parameter is serializable

public boolean isReadable(Class type, Type genericType, Annotation[] annotations,
                          MediaType mediaType) {
    return (Serializable.class.isAssignableFrom(type)) &&
           (APPLICATION_SERIALIZABLE_TYPE.getType().equals(mediaType.getType())) &&
           (APPLICATION_SERIALIZABLE_TYPE.getSubtype().equals(mediaType.getSubtype()));
}

Page 17: Attack for RESTEasy [ CVE-2016-7050 ]

• readFrom() method of SerializableProvider

public Serializable readFrom(Class type, Type genericType, Annotation[] annotations,
                             MediaType mediaType, MultivaluedMap httpHeaders,
                             InputStream entityStream)
        throws IOException, WebApplicationException {
    BufferedInputStream bis = new BufferedInputStream(entityStream);
    // the request body goes straight into Java deserialization
    ObjectInputStream ois = new ObjectInputStream(bis);
    try {
        return (Serializable) Serializable.class.cast(ois.readObject());
    } catch (ClassNotFoundException e) {
        throw new WebApplicationException(e);
    }
}

Page 18: Attack for RESTEasy [ CVE-2016-7050 ]

Page 19: Attack for RESTEasy [ CVE-2016-7050 ]

Page 20: Attack for Jersey

• Jersey has default jersey-media-kryo entity provider
• Vulnerable resource method doShowSize()

@POST
@Path("/size")
@Produces(MediaType.APPLICATION_JSON)
// no @Consumes: the kryo reader can be selected by the request Content-Type
public Map<String, String> doShowSize(ArrayList<Pair> pairs) {
    HashMap<String, String> result = new HashMap<String, String>();
    result.put("Count", String.valueOf(pairs.size()));
    return result;
}

Page 21: Attack for Jersey

• DoS payload - https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Page 22: Attack for Jersey

• DoS payload - https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Page 23: Takeaways

• Narrow possible content types for resource or resource method using @Consumes annotation
• Use multipart/*, multipart/form-data, etc. content types with caution
• Java deserialization bugs exist not only in RMI/JMX/JMS
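As an added example, not the author's code, here is the doConcat() resource from the CVE-2016-7050 slides with the takeaways applied, plus a defence-in-depth request filter that enforces a media-type allow-list for the whole application. The class names ConcatResource, PairDto and ContentTypeAllowListFilter, the allow-list contents and the /api prefix are assumptions; the two classes are shown in one listing but belong in two source files.

```java
// Added example, not from the slides. Two source files shown in one listing.

// ---- file: ConcatResource.java ----
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/concat")
public class ConcatResource {

    // 1) Exact @Consumes: only the JSON reader can be selected for this
    //    method. A request carrying application/x-java-serialized-object is
    //    rejected at matching time with 415 Unsupported Media Type and never
    //    reaches SerializableProvider.readFrom().
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, String> doConcat(PairDto pair) {
        Map<String, String> result = new HashMap<>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }

    // 2) The entity class does not implement Serializable, so even a
    //    permissive @Consumes would not satisfy SerializableProvider.isReadable().
    public static class PairDto {
        private String p1;
        private String p2;

        public String getP1() { return p1; }
        public void setP1(String p1) { this.p1 = p1; }
        public String getP2() { return p2; }
        public void setP2(String p2) { this.p2 = p2; }
    }
}

// ---- file: ContentTypeAllowListFilter.java ----
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// 3) Application-wide allow-list of request media types, evaluated before
//    resource matching, so a forgotten or wildcard @Consumes elsewhere in the
//    application still cannot route a body to an unexpected entity provider.
//    multipart/* is intentionally absent; add it only where an endpoint needs it.
@Provider
@PreMatching
public class ContentTypeAllowListFilter implements ContainerRequestFilter {

    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        MediaType.APPLICATION_JSON,
        MediaType.APPLICATION_FORM_URLENCODED));

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        MediaType mt = ctx.getMediaType();   // parsed Content-Type, null when absent
        if (mt == null) {
            return;                          // no entity body, nothing to unmarshal
        }
        // Compare type/subtype only, so "application/json; charset=utf-8" still passes.
        String bare = (mt.getType() + "/" + mt.getSubtype()).toLowerCase(Locale.ROOT);
        if (mt.isWildcardType() || mt.isWildcardSubtype() || !ALLOWED.contains(bare)) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                    .entity("Content-Type " + bare + " is not accepted")
                    .type(MediaType.TEXT_PLAIN)
                    .build());
        }
    }
}
```

The filter is the safety net, not the fix: the per-method @Consumes is what the spec uses for provider selection, and the allow-list only makes the blast radius of a missed or too-permissive @Consumes a 415 instead of a reachable deserialization provider. Rejected requests surface as 415 responses, which is also a useful thing to alert on.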