[jira] [Created] (IGNITE-6645) Security issues in Ignite that allows users with write access to datagrid to execute arbitrary code



Anton Vinogradov (Jira)
Denis Magda created IGNITE-6645:
-----------------------------------

             Summary: Security issues in Ignite that allows users with write access to datagrid to execute arbitrary code
                 Key: IGNITE-6645
                 URL: https://issues.apache.org/jira/browse/IGNITE-6645
             Project: Ignite
          Issue Type: Bug
      Security Level: Public (Viewable by anyone)
    Affects Versions: 1.0
            Reporter: Denis Magda
            Assignee: Yakov Zhdanov
            Priority: Critical
             Fix For: 2.4


The security breach was reported by an end-user:
https://mail-search.apache.org/pmc/private-arch/ignite-private/201710.mbox/%3c7099CD44-92A7-4254-89C5-D8270B5A6449@...%3e

Details shared by the user:
I would like to report some security issues that we found using the query language QL from lgtm.com. These are unsafe deserialization issues that allow users, possibly remote, who have rights to put entities on the datagrid to execute arbitrary code on an Ignite server node.

As there are more than one of these issues, I will send them to you in separate emails.

The first issue affects the socket streaming server. The PoC code is included and consists of modifications of the `wordcount.socket` example in the examples package.

A bit of set up is needed to see the full effect of code execution, so I will not include the details here, but if you want to try it out yourself, then please let me know and I can include the full PoC.

First add commons-beanutils to the dependencies; any version will work. Then download the file `obj`, which contains the serialized data of a malicious object. Change line 44 in `SocketStreamClient` so that it opens this file.

First start a server node using the example config `config/example-ignite.xml`, then start up the streaming server `SocketStreamerServer`. Now when you run `SocketStreamClient`, you will get an error, but somewhere in the stacktrace on the log in `SocketStreamerServer`, you will see this:

Caused by: java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
    at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)
    at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
    at java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
    at java.util.PriorityQueue.heapify(PriorityQueue.java:736)
    at java.util.PriorityQueue.readObject(PriorityQueue.java:795)

This shows that the node running the `SocketStreamerServer` is deserializing the payload object that I send it.

When properly set up, an attacker will have a remote LDAP server that contains a second malicious Java object. Then when the above deserialization happens, an LDAP lookup will cause the second malicious object to be instantiated, which can then be used to execute arbitrary code. Also, although this exploit relies on commons-beanutils being on the classpath, there are other exploits that will work with different third-party libraries, so it is not so much a problem in commons-beanutils as an issue in the handling of deserialization in Ignite.

These results are using a slightly more recent version of the QL library which we haven't made available on lgtm yet, but should be in a few days; if you are interested, I can share a link to the query and results with you when it is ready. Thanks.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
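The mechanism behind the stack trace above, as an added example that is not part of the original issue, of the reporter's PoC, or of Ignite's own code. It replaces commons-beanutils' BeanComparator with a harmless "canary" comparator (an assumption for illustration; the class name is invented) to show that `PriorityQueue.readObject()` invokes the deserialized comparator via `heapify()` while the stream is still being read, i.e. before the caller ever sees the returned object. It then shows a deny-by-default class allowlist enforced in `resolveClass()`, which runs when the class descriptor is read and so rejects the gadget before it is instantiated. The allowlist contents and the `AllowlistObjectInputStream` name are this example's own choices, not an API of Ignite.

```java
import java.io.*;
import java.util.*;

/*
 * Added example, not code from the Ignite project or from the reporter's PoC.
 * Demonstrates (1) code execution inside ObjectInputStream.readObject() via a
 * serialized PriorityQueue whose comparator runs during heapify(), and
 * (2) an allowlisting ObjectInputStream that rejects the comparator's class
 * descriptor before any instance of it exists.
 */
public class DeserializationGadgetDemo {

    /** Stand-in for a gadget comparator (hypothetical); records that compare() ran. */
    static final class CanaryComparator implements Comparator<Object>, Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean invokedDuringReadObject = false;

        @Override
        public int compare(Object a, Object b) {
            // BeanComparator.compare() would read a bean property here (the step that
            // leads to the LDAP lookup in the report); this canary only sets a flag.
            invokedDuringReadObject = true;
            return 0;
        }
    }

    /** Builds a constructed payload: a serialized PriorityQueue carrying the comparator. */
    static byte[] buildPayload() throws IOException {
        PriorityQueue<Object> pq = new PriorityQueue<>(2, new CanaryComparator());
        // Two elements are enough: heapify() calls siftDown(0), which calls compare().
        pq.add("a");
        pq.add("b");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(pq);
        }
        return bos.toByteArray();
    }

    /** Plain ObjectInputStream: returns true if compare() ran inside readObject(). */
    static boolean readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        CanaryComparator.invokedDuringReadObject = false; // add() above already called compare()
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.readObject(); // compare() fires in PriorityQueue.readObject() -> heapify()
            return CanaryComparator.invokedDuringReadObject;
        }
    }

    /** ObjectInputStream that rejects every class not explicitly allowed. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called when the class descriptor is read, before any instance is created.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Allowlisted read: the comparator's descriptor is rejected, so compare() never runs. */
    static String readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        // Only the container type is allowed. String elements are written as TC_STRING
        // and carry no class descriptor, so they need no entry.
        Set<String> allowed = new HashSet<>(Collections.singletonList("java.util.PriorityQueue"));
        CanaryComparator.invokedDuringReadObject = false;
        try (ObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(payload), allowed)) {
            Object o = ois.readObject();
            return "accepted: " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected " + e.classname
                    + " (comparator ran: " + CanaryComparator.invokedDuringReadObject + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = buildPayload();
        System.out.println("unfiltered: comparator ran inside readObject() = " + readUnfiltered(payload));
        System.out.println("allowlisted: " + readFiltered(payload));
    }
}
```

Running `main` prints `true` for the unfiltered read and a rejection of `DeserializationGadgetDemo$CanaryComparator` with `comparator ran: false` for the allowlisted one. The same deny-by-default policy can be expressed on JDK 9+ (and 8u121+ via the `jdk.serialFilter` system property) with `ObjectInputFilter`, e.g. the pattern `java.util.PriorityQueue;!*`; either way the check has to happen at descriptor resolution, since by the time `readObject()` returns the gadget has already executed.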