T0niKroOs/scala_vulnerability_poc
Proof of Concept

Version

Default: scala 2.13.14 + Oracle OpenJDK 1.8.0_321

Available: scala 2.13.0-2.13.14 + Java 8 to Java 18

Usage

Erase File Contents

  1. Configure the Scala dependencies
  2. Set the 'filePath' field in PayloadGenerator.java to the path of the file whose contents should be erased
  3. Run PayloadGenerator to generate the malicious byte stream and store it in ./payload.ser
  4. Write some content into the target file
  5. Run DeserializationTest to deserialize the malicious byte stream
  6. Inspect the target file. If its contents have been erased, the attack succeeded

Open URL Connection

  1. Configure the Scala dependencies
  2. Set the 'urlToConnect' field in PayloadGenerator.java to the URL the victim should connect to
  3. Modify line 70 of PayloadGenerator.java to use getFunction0_openConnection instead of getFunction0_eraseFileContents
  4. Run PayloadGenerator to generate the malicious byte stream and store it in ./payload.ser
  5. Run DeserializationTest to deserialize the malicious byte stream
  6. Monitor network activity during deserialization: a connection to the specified URL is opened while readObject runs

Notice

  • Exceptions may be thrown during deserialization, but they do not affect the outcome: the side effect happens before the exception propagates
  • On Java 9 and above, generating the payload may throw java.lang.reflect.InaccessibleObjectException because the generator reflects into java.util internals. Adding '--add-opens java.base/java.util=ALL-UNNAMED' to the JVM arguments resolves this

Vulnerability Introduction

When an application deserializes objects with Scala on the classpath, an attacker can craft a malicious byte stream so that code of the attacker's choosing runs as soon as the victim calls readObject on it. With the vulnerability reported here, the attacker can erase the contents of arbitrary files on the victim's machine, make the victim's machine open a network connection to an attacker-specified URL, or, more generally, invoke any Scala Function0 implementation available on the victim's classpath.

The attacker locally constructs a malformed object of class java.util.PriorityQueue, so that this class's readObject method runs during deserialization. That produces the invocation sequence readObject -> heapify -> siftDown -> siftDownUsingComparator, which ends in comparator.compare(o1, o2), where comparator is a field of the PriorityQueue object and o1, o2 are elements of the queue; all three are therefore under the attacker's control. The attacker sets comparator to an instance of scala.math.Ordering$IterableOrdering and o1, o2 to instances of scala.collection.View$$anon$1. The compare method of IterableOrdering calls iterator() on View$$anon$1, which in turn calls apply() on an attacker-controlled Function0. As in CVE-2022-36944, a pre-constructed instance of scala.sys.process.ProcessBuilderImpl$FileOutput$$anonfun$$lessinit$greater$3 is used as that Function0. Its apply() method executes new FileOutputStream(File file, boolean append), and both parameters are attacker-controlled: setting file to the target path and append to false opens the file in truncating mode, which erases its contents (with append set to true the file would be opened for appending and left intact).

The Function0 can also be an instance of scala.sys.process.ProcessBuilderImpl$URLInput$$anonfun$$lessinit$greater$1, which ships with Scala, or of any other Function0 class present on the attacked machine. Choosing a different Function0 for the final step yields other effects, such as establishing a network connection to an attacker-chosen URL.
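The chain above is entered through java.util.PriorityQueue.readObject, so the cheapest defence on the victim side is a deserialization filter that refuses the entry class (and the Scala gadget classes) before any readObject method runs. The following is an added example written for this page, not code from the PoC repository: it installs a java.io.ObjectInputFilter (Java 9+) with an explicit allow-list and shows that a PriorityQueue is rejected while an expected ArrayList still deserializes. The class name FilteredDeserialization, the FILTER_PATTERN string and the sample objects are assumptions made for the example; a benign PriorityQueue stands in for the malicious one, since the rejection happens at class-descriptor resolution, before heapify() and comparator.compare() can execute.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.PriorityQueue;

/**
 * Added example (not part of the PoC repository). Blocks the
 * PriorityQueue -> IterableOrdering -> View$$anon$1 -> Function0 chain at its
 * entry point with a JEP 290 deserialization filter. Requires Java 9+ for
 * java.io.ObjectInputFilter.
 */
public class FilteredDeserialization {

    // Patterns are matched in order and the first hit decides; a "!" prefix
    // rejects. The trailing "!*" rejects every class not listed, so the
    // explicit PriorityQueue and scala.** rejections are defence in depth in
    // case the allow-list is later widened to something like "java.util.*".
    // java.lang.Number is listed because the filter is also applied to the
    // serializable superclasses of each deserialized class (Integer extends Number).
    static final String FILTER_PATTERN =
            "!java.util.PriorityQueue;"
          + "!scala.**;"
          + "java.util.ArrayList;java.lang.Integer;java.lang.Number;"
          + "maxdepth=8;"
          + "!*";

    /** Deserialize untrusted bytes with the filter installed before the first readObject. */
    public static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(FILTER_PATTERN));
            return ois.readObject();
        }
    }

    /** Builds the constructed sample streams used below; not needed in production code. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // 1. An expected payload type passes the filter.
        List<Integer> expected = new ArrayList<>(List.of(3, 1, 2));
        System.out.println("ArrayList accepted: " + readFiltered(serialize(expected)));

        // 2. A PriorityQueue (benign here, natural ordering) is rejected while its
        //    class descriptor is resolved, so PriorityQueue.readObject never runs
        //    and the heapify -> siftDown -> comparator.compare path is unreachable.
        PriorityQueue<Integer> queue = new PriorityQueue<>(List.of(3, 1, 2));
        try {
            readFiltered(serialize(queue));
            System.out.println("PriorityQueue accepted: filter is NOT effective");
        } catch (InvalidClassException e) {
            System.out.println("PriorityQueue rejected: " + e.getMessage());
        }
    }
}
```

Run with a Java 9+ JDK; the second call fails with an InvalidClassException whose message reports filter status REJECTED. On Java 8u121 and later, where this PoC runs by default, the same filter mechanism is available as sun.misc.ObjectInputFilter (installed with ObjectInputFilter.Config.setObjectInputFilter(ois, filter)), and on every supported version the pattern can instead be applied process-wide through the jdk.serialFilter system property, which also covers deserialization done by library code that does not expose its ObjectInputStream.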
