DaveJohnston

Reputation: 10151

Is an application that uses Spring Http Invoker at risk from the Java serialisation exploit?

I have an application that exposes an endpoint using HttpInvokerServiceExporter from Spring. I have been trying to investigate whether or not this is at risk from the Java (Apache commons-collections) serialisation exploit (as detailed here).

I have been trying to generate payloads that can be sent to the endpoint for testing, but I haven't managed to get a definitive answer so far. I have checked out the ysoserial project for generating payloads but I believe the problem with this is that the HttpInvoker expects the serialised Object to be of type RemoteInvocation, which is not what ysoserial generates.

So my questions are:

  1. Is a Spring endpoint configured like this at risk?
  2. How can I generate a payload that would exploit it, so that I can validate that I have closed the exploit after my fix?

Upvotes: 1

Views: 278

Answers (1)

DaveJohnston

Reputation: 10151

I have found the answer to my own questions:

  1. Yes. I have successfully managed to exploit my server using a simple http post to the Spring endpoint.
  2. Spring Http Invoker expects the object it receives to be a RemoteInvocation instance, which contains a method to be executed on the server side (i.e. a method that you are exposing on some interface). It has the following constructor:

    public RemoteInvocation(String methodName, Class[] parameterTypes, Object[] arguments)

so to use the exploit you just have to put the object that ysoserial generates into the Object[] arguments. This will result in it being deserialised before the server attempts (and fails) to execute the method on the exposed interface, and therefore it will execute the command you specified.

Upvotes: 1
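The answer above explains why the endpoint is exposed: the exporter deserialises the whole RemoteInvocation, arguments array included, before it checks whether the named method exists. The defensive counterpart is to constrain what the ObjectInputStream is allowed to resolve in the first place. The following is an added example (not code from the question, the answer or the Spring project) of a HttpInvokerServiceExporter subclass that attaches a JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9+) to the stream Spring creates. The allowlist pattern is constructed for illustration: the package com.example.dto and the set of JDK types are placeholders for whatever the exposed interface actually needs, and should be narrowed to the real parameter types.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

/**
 * HttpInvokerServiceExporter that applies a JEP 290 deserialization filter
 * (Java 9+) to every incoming request. Classes outside the allowlist are
 * rejected during readObject() before they are instantiated, so a gadget
 * chain placed in RemoteInvocation.arguments never runs.
 */
public class FilteredHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    // Allowlist (constructed for this example, not a Spring default).
    // Pattern rules: entries are tried in order, "pkg.*" matches that package
    // only, a leading "!" rejects, and the final "!*" rejects everything
    // not matched earlier. Arrays are matched on their component type, so
    // Object[] / Class[] in the envelope are covered by the element classes.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "org.springframework.remoting.support.RemoteInvocation;"
          + "java.lang.*;java.math.*;"            // hypothetical: value types the interface takes
          + "java.util.ArrayList;java.util.HashMap;" // hypothetical: only the collections actually used
          + "com.example.dto.*;"                   // hypothetical application DTO package
          + "maxdepth=20;maxarray=10000;maxrefs=5000;"
          + "!*");

    @Override
    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
        // Spring's default stream (a CodebaseAwareObjectInputStream) is kept;
        // the filter is installed before any object is read from it.
        ObjectInputStream ois = super.createObjectInputStream(is);
        ois.setObjectInputFilter(FILTER);
        return ois;
    }
}
```

Register this class in place of HttpInvokerServiceExporter in the bean definition; nothing else about the wiring changes. Rejected classes surface as an InvalidClassException ("filter status: REJECTED") from readObject, which is a useful thing to log and alert on, since a legitimate client never sends anything outside the allowlist. Two caveats: the resource limits (maxdepth, maxarray, maxrefs) are as important as the class list, because some payloads aim for memory exhaustion rather than code execution; and HTTP Invoker itself is deprecated as of Spring 5.3 and removed in Spring 6, so the filter is a stop-gap while the serialisation-based transport is phased out.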
