Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

Fabrice Dagorn fabrice at dagorn.fr
Sat Apr 1 06:20:17 UTC 2017


The POC is a simple Eclipse java project.

UnsafeReceiver will open a ServerSocketReceiver on port 1111 and wait
forever.

Injector will then open a client Socket to the ServerSocketReceiver and
serialize a Calculator instance over the wire.

Calculator implements ILoggingEvent to prevent a ClassCastException on
deserialization, but Logback performs no further check and getLoggerName() is called.

In this case, the GNOME Calculator is executed.


Regards,

Fabrice


On 31/03/2017 at 14:10, Markus Koschany wrote:
> You could also attach the POC to this bug report. The vulnerability is
> publicly known by now anyway.
>
> Markus
>

A non-text attachment was scrubbed...
Name: poc_logback.tar.gz
Type: application/x-gzip
Size: 3452 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20170401/d9f0e29f/attachment.bin>