The process of decomposing a Java object into a byte stream is called serialization, and the process of assembling a Java object back from a byte stream is called deserialization; they correspond to the writeObject and readObject methods respectively. The problem is that readObject does not call the constructor when it assembles a Java object from a byte stream, so none of the constructor's checks run, and a class author can override readObject() to execute whatever code they want.
This can lead to three problems:
1. A serialized object modifies an unprotected key property of the object or its parent class, leading to unexpected results. For example:
    import java.io.*;
    import java.util.concurrent.ArrayBlockingQueue;

    class Client implements Serializable {
        private int value;

        public Client(int v) {
            if (v <= 0) {
                throw new RuntimeException("Not positive number");
            }
            value = v;
        }

        public int getValue() {
            return value;
        }

        private void writeObject(ObjectOutputStream oos) throws IOException {
            value = 0; // here the value is changed to 0 (in reality this can be done in many ways: debug mode, patching the serialized bytes, class instrumentation)
            oos.defaultWriteObject();
        }
    }

    class Controller {
        private ArrayBlockingQueue<Client> queue = new ArrayBlockingQueue<>(16); // capacity not given in the original; 16 assumed

        public void receiveState(ObjectInputStream oin) throws IOException, ClassNotFoundException {
            Client s = (Client) oin.readObject(); // deserialization does not call the constructor, so the value > 0 check never runs
            queue.add(s);
        }

        public Client getClient() throws InterruptedException {
            return queue.take();
        }
    }

    class Server extends Thread {
        private Controller controller = new Controller();
        private int result = 100;

        public void run() {
            while (true) {
                try {
                    result = result / controller.getClient().getValue(); // value is 0: ArithmeticException, the thread ends
                    Thread.sleep(1000); // sleep interval is elided in the original; 1000 ms assumed
                } catch (InterruptedException e) {
                }
            }
        }
    }
2. An attacker could build a chain of looped (nested) objects, serialize it and send it; deserializing it never finishes and wastes system resources. For example:
    Set<Object> root = new HashSet<>();
    Set<Object> s1 = root;
    Set<Object> s2 = new HashSet<>();
    for (int i = 0; i < n; i++) { // n is the nesting depth; its value is elided in the original
        Set<Object> t1 = new HashSet<>();
        Set<Object> t2 = new HashSet<>();
        t1.add("foo");
        t2.add("bar"); // make t2 not equal to t1
        s1.add(t1);
        s1.add(t2);
        s2.add(t1);
        s2.add(t2);
        s1 = t1;
        s2 = t2;
    }

    class Controller {
        public void receiveState(ObjectInputStream ois) throws IOException {
            try (FileOutputStream fos = new FileOutputStream(new File("xxx.ser"))) {
                ois.transferTo(fos); // you don't actually know what these bytes are; they might be a malicious payload
            }
        }
    }
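The two problems above share one root cause: readObject() hands the application an object whose fields were never validated. The following is an added example, not code from the original article, showing the defensive side of both cases in one program: a Client whose readObject() re-checks the constructor's invariant (rejecting the value = 0 stream from problem 1), and a process-wide ObjectInputFilter (JEP 290, Java 9 and later) whose allowlist and maxdepth limit cut off the nested HashSet graph from problem 2 before its hashCode() cost can grow. The class name SafeDeserialization, the nesting depth of 10, the limits in the filter string and the way the tampered stream is produced (zeroing the last four bytes, which hold Client's only field) are assumptions made for this demonstration.

```java
import java.io.*;
import java.util.*;

public class SafeDeserialization {

    // Hardened version of the page's Client: the invariant the constructor enforces is
    // re-checked in readObject, so a stream carrying value <= 0 is rejected, not admitted.
    static class Client implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int value;

        Client(int v) {
            if (v <= 0) {
                throw new IllegalArgumentException("Not positive number");
            }
            value = v;
        }

        int getValue() {
            return value;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // fields are populated without running the constructor...
            if (value <= 0) {       // ...so validate them here, before the object escapes
                throw new InvalidObjectException("value must be positive, got " + value);
            }
        }
    }

    // Rules for any stream we accept (assumed limits): an allowlist of the classes we expect
    // plus depth and reference limits. Map$Entry is listed because HashSet.readObject
    // pre-checks its backing table array against the filter.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=6;maxrefs=256;"
            + "SafeDeserialization$Client;java.util.HashSet;java.util.Map$Entry;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    // The page's second example with the depth as a parameter: every level of nesting
    // doubles the hashCode() work done when the sets are rebuilt on deserialization.
    static Set<Object> nestedSets(int depth) {
        Set<Object> root = new HashSet<>();
        Set<Object> s1 = root;
        Set<Object> s2 = new HashSet<>();
        for (int i = 0; i < depth; i++) {
            Set<Object> t1 = new HashSet<>();
            Set<Object> t2 = new HashSet<>();
            t1.add("foo");
            t2.add("bar"); // make t2 not equal to t1
            s1.add(t1);
            s1.add(t2);
            s2.add(t1);
            s2.add(t2);
            s1 = t1;
            s2 = t2;
        }
        return root;
    }

    public static void main(String[] args) throws Exception {
        // 1. A well-formed Client passes both the filter and the readObject check.
        Client ok = (Client) deserialize(serialize(new Client(7)));
        System.out.println("valid client accepted, value=" + ok.getValue());

        // 2. Constructed tampered stream: value is Client's only field and the last thing
        //    written, so zeroing the final 4 bytes reproduces the page's value = 0 case.
        byte[] tampered = serialize(new Client(7));
        Arrays.fill(tampered, tampered.length - 4, tampered.length, (byte) 0);
        try {
            deserialize(tampered);
            System.out.println("BUG: tampered client was accepted");
        } catch (InvalidObjectException e) {
            System.out.println("tampered client rejected: " + e.getMessage());
        }

        // 3. The nested-set graph is rejected by maxdepth (InvalidClassException,
        //    "filter status: REJECTED") long before its hashCode() cost matters.
        try {
            deserialize(serialize(nestedSets(10)));
            System.out.println("BUG: nested graph was accepted");
        } catch (InvalidClassException e) {
            System.out.println("nested graph rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserialization.java && java SafeDeserialization`. The readObject check covers the case where the stream names a class you trust but carries bad field values; the filter covers the case where the stream names classes or a structure you never intended to accept, and the two are meant to be used together rather than as alternatives.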