Dozer Type Conversion Serialized Object deserialization

Summaryinfo

A vulnerability identified as critical has been detected in Dozer. This vulnerability affects unknown code of the component Type Conversion. This manipulation as part of Serialized Object causes deserialization. The identification of this vulnerability is CVE-2014-9515. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Detailsinfo

A vulnerability classified as critical was found in Dozer (affected version not known). Affected by this vulnerability is some unknown functionality of the component Type Conversion. The manipulation as part of a Serialized Object leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.

The bug was discovered 12/05/2014. The weakness was shared 12/05/2014 by dfj as Issue #217 as confirmed bug report (GitHub Repository). The advisory is shared at github.com. The vendor cooperated in the coordination of the public release. This vulnerability is known as CVE-2014-9515 since 01/05/2015. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details are unknown but a public exploit is available. The advisory points out:

Dozer uses a reflection-based approach to type conversion. If dozer is used to map attacker-supplied object instances, then the attacker can provide a dynamic proxy that implements an interface matching what dozer expects, but then use an event handler to execute all methods in that interface. As soon as dozer tries to execute any getter/setter methods, they'll trigger the event handler.

A public exploit has been developed by dfj in Java and been published 2 weeks after the advisory. It is possible to download the exploit at github.com. It is declared as functional. The code used by the exploit is:

Corgi c = null;

try
{
	FileInputStream fileIn = new FileInputStream("proxy.ser");
	ObjectInputStream in = new ObjectInputStream(fileIn);
	c = (Corgi) in.readObject();
	in.close();
	fileIn.close();
} catch(IOException i)
{
	i.printStackTrace();
	return;
} catch(ClassNotFoundException cnfe)
{
	System.out.println("Employee class not found");
	cnfe.printStackTrace();
	return;
}
// On deserialization evince will pop

Dachshund longDog = mapper.map(c, Dachshund.class);

The exploitable use case seems to be rather limited so far. There must either be an object being mapped to with a getter/setter method that matches a method in an interface on the server classpath, or a manual XML mapping that allows an attacker to force the issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Additional details are provided at infocon.org. The entry VDB-133715 is related to this item. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• Dozer

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion