Exploitable Java functions

Question

This question is similar to Exploitable PHP Functions.

Tainted data comes from the user, or more specifically an attacker. When a tainted variable reaches a sink function, then you have a vulnerability. For instance a function that executes a sql query is a sink, and GET/POST variables are sources of taint.

What are all of the sink functions in the Java class library (for any flavor of Java)? I am looking for functions that introduce a vulnerability or software weakness. I am particularly interested in Remote Code Execution vulnerabilities. Are there whole classes/libraries that contain nasty functionally that a hacker would like to influence? How do people accidentally make dangerous Java code?

*all* sink functions? This list is infinite, since one can define arbitrarily many such functions. — meriton, Dec 02 '10 at 20:56
i believe he is referring to java library code not basement libraries — Woot4Moo, Dec 02 '10 at 20:59

score 36 · Answer 1 · answered Dec 04 '10 at 01:55

Here's a list based on my personal research into Client-side Java security in general, and using the Eclipse IDE to see which methods do SecurityManager checks.

ClassLoaders define classes (=arbitrary java code execution):

java.lang.ClassLoader.defineClass
java.net.URLClassLoader

= code execution

Java Beans Introspection may divert ClassLoaders into loading classes from an untrusted source (example vuln - cve-2010-1622)

java.beans.Instrospector.getBeanInfo

= code execution

File access

java.io.File (constructor)
java.io.File.delete
java.io.File.renameTo
java.io.File.listFiles
java.io.File.list

= deleting/renaming files, directory listing

File stream/reader classes

java.io.FileInputStream
java.io.FileOutputStream
java.io.FileReader
java.io.FileWriter
java.io.RandomAccessFile

=File read/write access

Java System Properties

System.setProperty
System.getProperties
System.getProperty

=Some system properties might contain some information that's almost sensitive, and some system properties might alter the execution of critical stuff, I don't have examples, though

Loading native libraries

System.load
System.loadLibrary

= Arbitrary code execution

Executing operating system executables

Runtime.exec
ProcessBuilder (constructor)

Generating native system input events

java.awt.Robot.keyPress/keyRelease
java.awt.Robot.mouseMove/mousePress/mouseRelease

(Maybe far-fetched since a server might not even have a graphical environment)

Java reflection - accessing arbitrary (even private) fields and methods

java.lang.Class.getDeclaredMethod
java.lang.Class.getDeclaredField
java.lang.reflection.Method.invoke
java.lang.reflection.Field.set
java.lang.reflection.Field.get

= From disclosing sensitive information to eventual code execution, depending on the circumstances

Java scripting engine

javax.script.ScriptEngine.eval

=arbitrary code execution

@Rook: Thanks! I think the question is excellent. I've never quite looked at Java security from this exact angle. — Sami Koivu, Dec 04 '10 at 19:02
+1 - great work and a really exhaustive set of the exploitable methods :) — vstoyanov, Dec 14 '10 at 12:16

CodesInChaos · Answer 2 · 2010-12-02T20:55:16.630

Code execution vulnerabilities:

Private reflection, but it's uncommon for tainted data to get there in a dangerous way
Native interop code which doesn't validate it's parameters enough
De-serializers. Probably the most dangerous since you might want to de-serialize from untrusted data. Some serializers are relatively safe and only use public constructors/setter, but others access private fields. And if there is no type white-list it might instantiate arbitrary types and call setters on them.
Any form of IO, files in particular
Dynamic loading of libraries. In particular using relative path. In particular relative to the working-directory instead of the executable directory

(This is about .net, but I expect Java to be very similar)

Data injection

Then there is the injection family of functions which typically can be prevented by not operating on strings but using specialized library functions. Those typically don't lead to arbitrary code injection.

html injectiong / XSS (Largely prevented by a view-engine that auto-escapes output and cleanly separating escaped and un-escaped strings (perhaps using different types))
SQL injection (prevented by prepared statements)
File-Path injection

+1 for deserialzation and file I/O – Tomas Narros Dec 10 '10 at 08:30 — Tomas Narros, Dec 10 '10 at 08:30

Woot4Moo · Answer 3 · 2010-12-02T21:04:19.573

7

I am sure that this list will grow as I dig into finding real exploits:

Spring classloader
Swallowed exceptions - As has been noted swallowing exceptions may not directly cause an exploitation, but it can lead to the non-discovery of exploitation.
String[] commands = {args[0]}; Runtime.getRuntime().exec(commands);
I realize that it is a fairly trivial item, but running code similar to the above can allow you to pass something like this: && del / if on Windows or ;rm -rf / on *nix

The biggest way people make dangerous Java code is by being lazy. As you mentioned not cleansing user input before running it.

edited Dec 02 '10 at 21:04

answered Dec 02 '10 at 20:54

Woot4Moo

23,987
16
94
151

+1 i also dig on finding real exploits :) – rook Dec 02 '10 at 20:55
2

@Rook I have one about Apache Tomcat, but I won't post it here until the vendor resolves it. – Woot4Moo Dec 02 '10 at 21:52

Exploitable Java functions

3 Answers3