Describe the bug
An attacker can supply any instance of Serializable to MessagePacket, and MessagePacket will happily deserialize it without any checks. This could allow a remote attacker to execute arbitrary code if the classpath contains vulnerable serializable classes.
All games which currently use MessagePacket are potentially vulnerable, especially if they have third-party libraries on the classpath.
Recommendation
Change de.gurkenlabs.litiengine.util.Serializer to not use Java's Serializer. Switch away from using Serializable entirely, and make developers construct objects manually. Do not deserialize untrusted data!
Unfortunately, I'm not skilled enough to provide a proof of concept. It requires a specific set of vulnerable classes to be on the classpath. It may not be possible to abuse this unless someone adds external libraries to their game which have vulnerable serializable classes.
Just as an example, if Groovy 1.7.0 was on the classpath, then one could abuse CVE-2015-3253.
litiengine/src/de/gurkenlabs/litiengine/net/messages/MessagePacket.java
Line 65 in 649ceea
Your System:
Additional Context
Relates to #331