Serialization vulnerability

techknight

Well-Known Member
Licensed User
Longtime User
I stumbled across this article here:

https://access.redhat.com/blogs/766093/posts/3135411

I see some ransomware among other things get distributed in this manner.

So that got me thinking: what about the library B4XSerializator? Is it vulnerable to this attack? Does that library use whitelist/blacklist deserialization and class construction?

Just curious. Something to think about.
 

OliverA

Expert
Licensed User
Longtime User
Note: Just a guess. No. B4XSerializator only serializes / deserializes a fixed number of object/primitive types (Lists, Arrays, Maps, Strings, primitive types and user defined types). Any other object will cause an error during deserialization. As of now, it does not generate a generic object for an unknown type.
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
B4XSerializator is not based on Java serialization feature. It is much simpler.

You can read more about this issue here: https://foxglovesecurity.com/2015/1...pplication-have-in-common-this-vulnerability/
The exploit relies on the internal Java readObject method implementation of specific classes.

B4XSerializator is not affected by this as it doesn't execute any code when it creates objects.

RandomAccessFile.ReadObject (unlike ReadB4XObject) is based on Java serialization. Based on the list of known vulnerable classes it is not likely to affect B4J programs. Anyway, if you don't use raf.ReadObject in your code and only use the recommended ReadB4XObject or B4XSerializator then your program will be safe from this exploit.
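An added illustration, not code from this thread or from the B4X library, of the allowlist deserialization techknight asks about, applied to the plain Java ObjectInputStream that underlies raf.ReadObject: the JDK 9+ ObjectInputFilter rejects any class outside the allowlist before its readObject code can run. The allowlist contents and the sample objects are assumptions chosen for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Allowlist-based deserialization for plain Java ObjectInputStream (JDK 9+ ObjectInputFilter).
// Only the classes named here may be instantiated; the trailing "!*" rejects everything else,
// so a class whose readObject implementation would otherwise execute is never constructed.
public class AllowlistDeserialize {

    // Assumed allowlist for this demo: a list of strings, with depth/reference limits as extra guards.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=5;maxrefs=1000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // must be installed before the first readObject()
            return ois.readObject();
        }
    }

    // Constructed sample input: one allowed payload and one disallowed payload (a plain HashMap).
    public static void main(String[] args) throws Exception {
        List<String> ok = new ArrayList<>(List.of("alpha", "beta"));
        System.out.println("allowed: " + deserialize(serialize(ok)));

        java.util.HashMap<String, String> notAllowed = new java.util.HashMap<>();
        notAllowed.put("k", "v");
        try {
            deserialize(serialize(notAllowed));
        } catch (InvalidClassException e) {
            // The filter rejects java.util.HashMap at its class descriptor, before any readObject runs.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which covers library code that opens its own ObjectInputStream.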