[MAVEN:GHSA-MJMJ-J48Q-9WG2] SnakeYaml Constructor Deserialization Remote Code Execution

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

Summary

SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the target class. A ConstructorException is thrown, but only after a malicious payload is deserialized.

Severity

High, lack of type checks during deserialization allows remote code execution.

Proof of Concept

Execute bash run.sh. The PoC uses Constructor to deserialize a payload
for RCE. RCE is demonstrated by using a payload which performs a http request to
http://127.0.0.1:8000.

Example output of successful run of proof of concept:

```
$ bash run.sh

[+] Downloading snakeyaml if needed
[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
nc: no process found
[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
[+] An exception is expected.
Exception:
Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
in 'string', line 1, column 1:
payload: !!javax.script.ScriptEn ...
^
Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
in 'string', line 1, column 10:
payload: !!javax.script.ScriptEngineManag ...
^

at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
at Main.main(Main.java:37)

Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
at java.base/java.lang.reflect.Field.set(Field.java:780)
at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
... 9 more
[+] Dumping Received HTTP Request. Will not be empty if PoC worked
GET /proof-of-concept HTTP/1.1
User-Agent: Java/11.0.14
Host: localhost:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
```

Further Analysis

Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.

A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information.

Timeline

Date reported: 4/11/2022
Date fixed:
Date disclosed: 10/13/2022

Package	Affected Version
pkg:maven/org.yaml/snakeyaml	<= 1.33

Package	Fixed Version
pkg:maven/org.yaml/snakeyaml	= 2.0

ID

MAVEN:GHSA-MJMJ-J48Q-9WG2

Severity

high

URL

https://github.com/advisories/GHSA-mjmj-j48q-9wg2

Published

2022-12-12T21:19:47
(21 months ago)

Modified

2023-11-20T22:16:15
(10 months ago)

Rights

Maven Security Team

Other Advisories

Source	# ID	Name	URL
			https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
			https://nvd.nist.gov/vuln/detail/CVE-2022-1471
			https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
			https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
			https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471
			https://github.com/mbechler/marshalsec
			https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/
			https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
			https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758
			https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4
			https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314
			https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc
			https://security.netapp.com/advisory/ntap-20230818-0015/
			http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html
			http://www.openwall.com/lists/oss-security/2023/11/19/1
			https://github.com/advisories/GHSA-mjmj-j48q-9wg2

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.yaml/snakeyaml	org.yaml	snakeyaml	<= 1.33
Fixed	pkg:maven/org.yaml/snakeyaml	org.yaml	snakeyaml	= 2.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date