0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal; securing open-source projects.

MegaMek Java Objection Injection

· Sajeeb Lohani · CVE-2018-1000824

The Issue

The deserialisation of the Java object can trigger certain methods within the object, allowing the attacker to perform unauthorised actions like execution of code, disclosure of information, etc.

The MegaMek project overly trusted user input when processing the data obtained from a form.

Where the Issue Occurred

Displayed below is the code within the MegaMek project containing the vulnerable code (found on line 67 megamek/megamek/src/megamek/common/net/ObjectStreamConnection.java#67):

packet = (NetworkPacket) in.readObject();

Disclosure Timeline

  • Issue Reported: 29th September2018
  • Blog Post Published: 28th October 2018