|
| 1 | +<html> |
| 2 | +<!-- |
| 3 | + Copyright (C) 2024 XStream committers. |
| 4 | + All rights reserved. |
| 5 | + |
| 6 | + The software in this package is published under the terms of the BSD |
| 7 | + style license a copy of which has been included with this distribution in |
| 8 | + the LICENSE.txt file. |
| 9 | + |
| 10 | + Created on 19. September 2024 by Joerg Schaible |
| 11 | + --> |
| 12 | + <head> |
| 13 | + <title>CVE-2024-47072</title> |
| 14 | + </head> |
| 15 | + <body> |
| 16 | + |
| 17 | + <h2 id="vulnerability">Vulnerability</h2> |
| 18 | + |
| 19 | + <p>CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated |
| 20 | + binary input stream.</p> |
| 21 | + |
| 22 | + <h2 id="affected_versions">Affected Versions</h2> |
| 23 | + |
| 24 | + <p>All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.</p> |
| 25 | + |
| 26 | + <h2 id="description">Description</h2> |
| 27 | + |
| 28 | + <p>XStream provides a BinaryStreamDriver with an own optimized serialization format. The format uses ids for |
| 29 | + string values as deduplication. The mapping for these ids are created on-the-fly at marshalling time. At |
| 30 | + unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping |
| 31 | + token to process the next normal token of the data stream. However, an endless recursion could be triggered with |
| 32 | + manipulated input data resulting in a stack overflow causing a denial of service.</p> |
| 33 | + |
| 34 | + <h2 id="reproduction">Steps to Reproduce</h2> |
| 35 | + |
| 36 | + <p>Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:</p> |
| 37 | +<div class="Source Java"><pre>final byte[] byteArray = new byte[36000]; |
| 38 | +for (int i = 0; i < byteArray.length / 4; i++) { |
| 39 | + byteArray[i * 4] = 10; |
| 40 | + byteArray[i * 4 + 1] = -127; |
| 41 | + byteArray[i * 4 + 2] = 0; |
| 42 | + byteArray[i * 4 + 3] = 0; |
| 43 | +} |
| 44 | + |
| 45 | +XStream xstream = new XStream(new BinaryStreamDriver()); |
| 46 | +xstream.fromXML(new ByteArrayInputStream(byteArray)); |
| 47 | +</pre></div> |
| 48 | + |
| 49 | + <p>As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with |
| 50 | + a stack overflow error.</p> |
| 51 | + |
| 52 | + <h2 id="impact">Impact</h2> |
| 53 | + |
| 54 | + <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting |
| 55 | + in a denial of service only by manipulating the processed input stream if the instance is setup with a |
| 56 | + BinaryStreamDriver.</p> |
| 57 | + |
| 58 | + <h2 id="workarounds">Workarounds</h2> |
| 59 | + |
| 60 | + <p>A simple solution is to catch the StackOverflowError in the client code calling XStream. There's no other known |
| 61 | + workaround when using the BinaryStreamDriver.</p> |
| 62 | + |
| 63 | + <h2 id="credits">Credits</h2> |
| 64 | + |
| 65 | + <p>Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.</p> |
| 66 | + |
| 67 | + </body> |
| 68 | + </html> |
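Review bot: The reproduction snippet embeds a raw `<` inside `<pre>` (`for (int i = 0; i < byteArray.length / 4; i++) {`), which is invalid HTML; escape it as `&lt;` so the page validates and the comparison cannot be swallowed by a strict parser. The same section introduces the driver as "the BinaryDriver" while the title, affected-versions text and code all use `BinaryStreamDriver`; use the class name consistently. The advisory also lacks a section stating the release that contains the fix, which a reader deciding whether to upgrade needs alongside "All versions until and including version 1.4.20 are affected"; add it without guessing here. Minor wording fixes in the description and impact paragraphs: "with an own optimized serialization format" reads better as "with its own optimized serialization format", "The mapping for these ids are created" should be "is created", "simply used a simple one-time recursion" is redundant, "a XStream instance" should be "an XStream instance", and "if the instance is setup with" should be "set up with".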