Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Fabrice Dagorn
fabrice at dagorn.fr
Sat Apr 1 06:20:17 UTC 2017
The POC is a simple Eclipse java project.
UnsafeReceiver will open a ServerSocketReceiver on port 1111 and wait
forever.
Injector will then open a client Socket to the ServerSocketReceiver and
serialize a Calculator instance through the wire.
Calculator implements ILoggingEvent to prevent a ClassCastException on
deserialization, but Logback won't check any further and getLoggerName() is called.
In this case, the gnome calculator is executed.
Regards,
Fabrice
On 31/03/2017 at 14:10, Markus Koschany wrote:
> You could also attach the POC to this bug report. The vulnerability is
> publicly known by now anyway.
>
> Markus
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc_logback.tar.gz
Type: application/x-gzip
Size: 3452 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20170401/d9f0e29f/attachment.bin>
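The message above describes the mechanism: the receiver deserializes whatever object arrives on the socket, and the only check between the wire and the first method call is a cast to the expected interface. The defensive counterpart is to vet class names while the stream is being read, before any instance exists. The following is an added example, not code from Fabrice's POC and not logback's own fix; it assumes Java 9 or later and uses constructed stand-in classes (ExpectedEvent, Unexpected) rather than logback's real event types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example, not logback code: an ObjectInputStream that only resolves
 * classes on a fixed allowlist. A socket receiver that reads serialized
 * events through it rejects every other class while its class descriptor
 * is read, i.e. before the JVM allocates an instance and before any
 * readObject/readResolve or interface method on that object can run.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist: the one event class this receiver expects plus
    // the JDK types its serialized fields may reference. Anything else in
    // the stream is refused.
    private static final Set<String> ALLOWED = Set.of(
            ExpectedEvent.class.getName(),
            "java.lang.String");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "not on the receiver's deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Constructed stand-in for the event type the receiver is willing to accept.
    static final class ExpectedEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String loggerName;
        ExpectedEvent(String loggerName) { this.loggerName = loggerName; }
    }

    // Constructed stand-in for any class the receiver did not expect. It has
    // no behaviour on purpose: the point is that the stream never reaches the
    // step of instantiating it.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Mirrors the receiver's read step. The cast is still there, but every
    // class name in the stream has already been vetted before it is reached.
    static ExpectedEvent receive(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(wire))) {
            return (ExpectedEvent) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ExpectedEvent ok = receive(serialize(new ExpectedEvent("com.example.App")));
        System.out.println("accepted event from logger " + ok.loggerName);

        try {
            receive(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must name every class that can legitimately appear in the stream, including the types of nested fields, or valid events will be rejected too; that is the trade-off of a deny-by-default filter. On Java 9 and later the same policy can be expressed with the standard ObjectInputFilter API (ObjectInputStream.setObjectInputFilter) instead of overriding resolveClass, and the JVM-wide jdk.serialFilter property lets an operator apply it to a deployed receiver without changing its code.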