java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization
Verified by r2c
Using an arbitrary object ('Object $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.
Definition
rules:
  - id: server-dangerous-object-deserialization
    severity: ERROR
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/
        - https://frohoff.github.io/appseccali-marshalling-pickles/
      category: security
      technology:
        - rmi
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Using an arbitrary object ('Object $PARAM') with Java RMI is an
      insecure deserialization vulnerability. This object can be manipulated by
      a malicious actor allowing them to execute code on your system. Instead,
      use an integer ID to look up your object, or consider alternative
      serialization schemes such as JSON.
    languages:
      - java
    pattern: |
      interface $INTERFACE extends Remote {
        $RETURNTYPE $METHOD(Object $PARAM) throws RemoteException;
      }
Examples
server-dangerous-object-deserialization.java
// cf. https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/
package de.mogwailabs.BSidesRMIService;

import java.rmi.Naming;
import java.rmi.registry.LocateRegistry;
import java.rmi.Remote;
import java.rmi.RemoteException;

// ruleid:server-dangerous-object-deserialization
public interface IBSidesService extends Remote {
    boolean registerTicket(String ticketID) throws RemoteException;
    void vistTalk(String talkname) throws RemoteException;
    // The Object parameter is what the rule flags: the server must deserialize
    // whatever class the caller chooses to send.
    void poke(Object attende) throws RemoteException;
}

// ok:server-dangerous-object-deserialization
public interface IBSidesServiceOK extends Remote {
    boolean registerTicket(String ticketID) throws RemoteException;
    void vistTalk(String talkname) throws RemoteException;
    // A primitive ID that the server looks up is not matched by the rule.
    void poke(int attende) throws RemoteException;
}

public class BSidesServer {
    public static void main(String[] args) {
        try {
            // Create new RMI registry to which we can register
            LocateRegistry.createRegistry(1099);
            // Make our BSides Server object
            // available under the name "bsides"
            Naming.bind("bsides", new BSidesServiceServerImpl());
            System.out.println("BSides RMI server is ready");
        } catch (Exception e) {
            // In case of an error, print the stacktrace
            // and bail out
            e.printStackTrace();
        }
    }
}
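As an added example (not the rule's test file and not code from the mogwailabs blog), the remediation the rule message recommends, applied to the flagged `poke(Object)`: the remote method takes an integer handle that the server looks up in its own map, and a process-wide JEP 290 deserialization filter is installed as defense in depth. The names `IAttendeeService`, `Attendee`, `AttendeeServiceImpl`, `HardenedServer` and the filter pattern are assumptions.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;
import java.util.Map;

// Remote interface: poke() takes a primitive int, so the client cannot hand the
// server a serialized object graph to reconstruct (the pattern the rule flags).
interface IAttendeeService extends Remote {
    int register(String name) throws RemoteException;
    void poke(int attendeeId) throws RemoteException;
}

// Server-side record (hypothetical); it never leaves the JVM, so it is never serialized.
final class Attendee {
    final String name;
    int pokes;
    Attendee(String name) { this.name = name; }
}

class AttendeeServiceImpl extends UnicastRemoteObject implements IAttendeeService {
    private final Map<Integer, Attendee> attendees = new HashMap<>();
    private int nextId = 1;
    AttendeeServiceImpl() throws RemoteException { super(); }

    public synchronized int register(String name) {
        int id = nextId++;
        attendees.put(id, new Attendee(name));
        return id; // the client receives an opaque handle, not the object itself
    }

    // The handle is looked up, never trusted as data; unknown IDs are rejected.
    public synchronized void poke(int attendeeId) throws RemoteException {
        Attendee a = attendees.get(attendeeId);
        if (a == null) throw new RemoteException("unknown attendee id " + attendeeId);
        a.pokes++;
    }
}

public class HardenedServer {
    public static void main(String[] args) throws Exception {
        // Defense in depth (JEP 290, Java 9+): process-wide filter that admits only
        // the class the remaining String argument needs and rejects all others.
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter("java.lang.String;!*"));
        LocateRegistry.createRegistry(1099).bind("attendees", new AttendeeServiceImpl());
        System.out.println("Hardened RMI server is ready");
    }
}
```

The registry and DGC keep their own built-in filters, so the global filter only constrains deserialization on calls to the exported object; tighten or widen the allowlist to match the argument types your interface actually declares.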
Short Link: https://sg.run/zvnl