
SECURITY: remote code execution due to XML deserialization in Restlet #774

Closed
dfj opened this issue Aug 8, 2013 · 2 comments

Comments


dfj commented Aug 8, 2013

Dinis Cruz has published information on remote code execution due to XML deserialization in Restlet:

http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
https://github.com/o2platform/DefCon_RESTing

I have tested his reproducer and confirmed it works against Restlet 2.0 and 2.2.

@thboileau (Contributor) commented

Hello,
many thanks David, Dinis, Abe and Alvaro.

It has been decided to remove the default support of XML-serialized JavaBeans using the ObjectRepresentation inside the default converter provided by the framework (NB: the binary representation is still supported). This support is activated using a system property (org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED).
In addition, the comment of the ObjectRepresentation class will be updated, in order to specify the classes it leverages, and in order to add a security warning.

Here is the comment added:
It supports binary representations of JavaBeans using the {@link ObjectInputStream} and {@link ObjectOutputStream} classes. In this case, it handles representations having the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT} ("application/x-java-serialized-object").
It also supports textual representations of JavaBeans using the {@link XMLEncoder} and {@link XMLDecoder} classes. In this case, it handles representations having the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT_XML} ("application/x-java-serialized-object+xml").

SECURITY WARNING: The usage of {@link XMLDecoder} when deserializing XML representations from untrusted sources can lead to malicious attacks. As pointed out here, the {@link XMLDecoder} is able to force the JVM to execute unwanted Java code described inside the XML file. Thus, the support of such a format has been deactivated by default inside the default converter. You can activate this support by turning on the following system property: org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED.
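The opt-in gate described in this comment, as an added defensive example (not Restlet project code): a Restlet 2.x Filter that answers 415 to any request entity typed as application/x-java-serialized-object+xml unless the system property named above is set, so XMLDecoder is never reached by default even on an application whose converter has not yet been patched. It assumes the Restlet 2.x Filter, Request, Response, MediaType and Status API; the property name is the one quoted in this issue.

```java
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.MediaType;
import org.restlet.data.Status;
import org.restlet.representation.Representation;
import org.restlet.routing.Filter;

/**
 * Added example, not part of the Restlet code base. Rejects XML-serialized
 * Java object entities before any converter can hand them to XMLDecoder.
 * The binary variant (application/x-java-serialized-object) is left alone,
 * matching the project's decision described in this issue.
 */
public class RejectXmlSerializedObjectFilter extends Filter {

    // Property name as quoted in this issue; opt-in only, default is off.
    static final String OPT_IN_PROPERTY =
        "org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED";

    public RejectXmlSerializedObjectFilter(Context context, Restlet next) {
        super(context, next);
    }

    // True only when the operator explicitly enabled the XML variant.
    static boolean xmlObjectVariantEnabled() {
        return Boolean.getBoolean(OPT_IN_PROPERTY);
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        Representation entity = request.getEntity();
        if (entity != null && entity.getMediaType() != null
                && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(entity.getMediaType(), true)
                && !xmlObjectVariantEnabled()) {
            // Refuse with 415 and stop the chain; the body is never parsed.
            response.setStatus(Status.CLIENT_ERROR_UNSUPPORTED_MEDIA_TYPE,
                "application/x-java-serialized-object+xml is disabled on this server");
            // Log the rejection so that probing for this variant is visible to operators.
            getLogger().warning("Rejected XML-serialized object entity from "
                + request.getClientInfo().getAddress() + " on " + request.getResourceRef());
            return STOP;
        }
        return CONTINUE;
    }
}
```

Attach the filter in front of the application's router (for example as the outermost Restlet returned by Application.createInboundRoot) so it runs before any resource or converter sees the entity.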

thboileau pushed a commit that referenced this issue Aug 14, 2013
…tion. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz.

dfj commented Aug 15, 2013

Thanks Thierry. Given that this issue has a serious security impact, and a working exploit is publicly available, I think it would be a good idea to release a new minor version of Restlet that includes this patch. Please note that CVE-2013-4221 has been assigned to this issue:

http://www.openwall.com/lists/oss-security/2013/08/08/13

thboileau pushed a commit that referenced this issue Aug 22, 2013
…tion. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz.
thboileau pushed a commit that referenced this issue Sep 6, 2013
…serialization, binary-deserialization on ObjectRepresentation class. Reported by David Jorm.