@j0lt-github
Last active December 17, 2020 16:15
Description: JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
VulnerabilityType: CWE-502: Deserialization of Untrusted Data
Vendor of Product: http://jyaml.sourceforge.net (see yaml.org)
Affected Product Code Base: JYaml Java library, versions through 1.3
Attack Type: Remote
Impact Code execution: True
Credits: Manmeet Singh and Ashish Kukreti
Attack Vectors: JYaml is exploited by passing a malicious YAML document to the library's default load() function. The parser resolves the document's class tag to a Java class, instantiates it and populates it from the document, so a document that names a suitable gadget class present on the application's classpath yields code execution. Such a payload can be generated with the marshalsec payload generator:
https://github.com/mbechler/marshalsec
and passed to the load function, for example:
Object object = Yaml.load(new File("object.yml"));
If the gadget's classes are on the application's classpath, loading the file executes the attacker-chosen command with the privileges of the application.
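A worked example, added here and not part of the report, of JYaml or of marshalsec: the vulnerable load() call from the report beside two defences, a string-level tag guard for code that cannot drop JYaml yet and a loader that cannot be steered by tags at all. It assumes jyaml-1.3.jar and SnakeYAML 2.x on the classpath; the sample documents and the class name com.example.ReportConfig are constructed for illustration and are not a real gadget.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Map;
import java.util.regex.Pattern;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/**
 * Added example, not part of the original report. Assumes jyaml-1.3.jar and
 * SnakeYAML 2.x on the classpath. The YAML samples and the class name
 * com.example.ReportConfig are constructed for illustration only.
 */
public class JYamlLoadDemo {

    // Constructed sample: a JYaml document whose top-level tag names a Java class.
    // JYaml resolves the tag to that class, instantiates it and fills its properties
    // from the mapping; a marshalsec gadget is a document of this shape naming a
    // class whose setters do something dangerous.
    static final String TAGGED_DOC =
            "--- !com.example.ReportConfig\n" +
            "name: demo\n";

    // Constructed benign sample: a plain mapping without any tag.
    static final String PLAIN_DOC = "title: weekly report\nrows: 3\n";

    // A YAML tag whose name looks like a fully qualified Java class (at least one dot).
    private static final Pattern CLASS_TAG =
            Pattern.compile("(^|[\\s\\[{,])!+[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)+");

    // Vulnerable pattern from the report: the document decides which class is instantiated.
    static Object loadVulnerable(File f) throws IOException {
        return org.ho.yaml.Yaml.load(f);
    }

    static boolean containsClassTag(String yamlText) {
        return CLASS_TAG.matcher(yamlText).find();
    }

    // Stopgap for code that must keep JYaml: refuse any document carrying a class tag
    // before the parser sees it. A tag-free document can only yield maps, lists and scalars.
    static Object loadWithTagGuard(File f) throws IOException {
        String text = new String(Files.readAllBytes(f.toPath()), StandardCharsets.UTF_8);
        if (containsClassTag(text)) {
            throw new IllegalArgumentException("refusing YAML document with a class tag");
        }
        return org.ho.yaml.Yaml.load(f);
    }

    // Replacement loader: SnakeYAML's SafeConstructor builds only standard YAML types and
    // rejects unknown tags instead of instantiating the named class (SnakeYAML 2.x API assumed).
    static Object loadSafe(String yamlText) {
        org.yaml.snakeyaml.Yaml safe =
                new org.yaml.snakeyaml.Yaml(new SafeConstructor(new LoaderOptions()));
        return safe.load(yamlText);
    }

    public static void main(String[] args) throws IOException {
        System.out.println("tag guard, tagged doc: " + containsClassTag(TAGGED_DOC)); // true
        System.out.println("tag guard, plain doc:  " + containsClassTag(PLAIN_DOC));  // false

        Map<?, ?> parsed = (Map<?, ?>) loadSafe(PLAIN_DOC);
        System.out.println("safe loader, plain doc: title=" + parsed.get("title"));
        try {
            loadSafe(TAGGED_DOC);
        } catch (ConstructorException e) {
            System.out.println("safe loader, tagged doc: rejected (" + e.getMessage() + ")");
        }

        File f = File.createTempFile("untrusted", ".yml");
        Files.write(f.toPath(), TAGGED_DOC.getBytes(StandardCharsets.UTF_8));
        try {
            loadWithTagGuard(f);
        } catch (IllegalArgumentException e) {
            System.out.println("tag guard on file: " + e.getMessage());
        }
        // loadVulnerable(f) would instead hand the tagged document straight to JYaml.
    }
}
```

The regex guard is a stopgap only: it inspects text, not parsed nodes, and gives no protection to code that already asks JYaml to build a specific class from attacker-controlled properties. Since JYaml is discontinued and offers no tag-restricting mode the report relies on, the durable fix is to stop loading untrusted YAML with it and move to a loader that refuses class tags, as loadSafe does.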
References:
https://github.com/mbechler/marshalsec
https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
https://sourceforge.net/p/jyaml/bugs/
Has vendor confirmed or acknowledged the vulnerability?: Yes
Discoverer : Manmeet Singh and Ashish Kukreti