CVE-2024-47072

Vulnerability

CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream.

Affected Versions

All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.

Description

XStream provides a BinaryStreamDriver with an own optimized serialization format. The format uses ids for string values as deduplication. The mapping for these ids are created on-the-fly at marshalling time. At unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping token to process the next normal token of the data stream. However, an endless recursion could be triggered with manipulated input data resulting in a stack overflow causing a denial of service.

Steps to Reproduce

Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:

final byte[] byteArray = new byte[36000];
for (int i = 0; i < byteArray.length / 4; i++) {
      byteArray[i * 4] = 10;
      byteArray[i * 4 + 1] = -127;
      byteArray[i * 4 + 2] = 0;
      byteArray[i * 4 + 3] = 0;
}

XStream xstream = new XStream(new BinaryStreamDriver());
xstream.fromXML(new ByteArrayInputStream(byteArray));

As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with a stack overflow error.

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream if the instance is setup with a BinaryStreamDriver.

Workarounds

A simple solution is to catch the StackOverflowError in the client code calling XStream. There's no other known workaround when using the BinaryStreamDriver.

Credits

Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.