Bioformats v8.3.0 Untrusted Deserialization of Bio-Formats Memoizer Cache Files


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Mon, 29 Dec 2025 22:59:51 -0500

Bio-Formats performs unsafe Java deserialization of attacker-controlled
memoization cache files (.bfmemo) during image processing. The
loci.formats.Memoizer class automatically loads and deserializes memo files
associated with images without validation, integrity checks, or trust
enforcement.
An attacker can exploit this behavior by supplying a crafted or corrupted
.bfmemo file—either fully attacker-controlled or derived from a legitimate
memo file—causing Bio-Formats to deserialize untrusted data. This can lead
to denial-of-service, logic manipulation, or remote code execution when
suitable gadget chains are present on the classpath.

*Impact:*
An attacker can:
* Trigger deserialization of untrusted data
* Cause repeated parsing failures (denial-of-service)
* Influence reader discovery and class loading
* Potentially achieve remote code execution when suitable gadget chains exist
The vulnerability is reachable through standard image processing workflows
and does not require non-default configuration.
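As an added illustration (not code from this post or from Bio-Formats), the loader below shows the two controls the advisory says the Memoizer lacks: an integrity check on the cache file before any byte reaches ObjectInputStream, and a class allowlist filter as trust enforcement during deserialization. The [32-byte HMAC-SHA256 tag][serialized payload] layout, the allowlist contents and the demo key are assumptions, not the real .bfmemo format.

```java
import java.io.*;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added illustration only: the tag+payload layout and the allowlist are assumptions, not the real .bfmemo format.
public class SafeMemoLoader {
    private static final int TAG_LEN = 32;
    private static final Set<String> SAFE = Set.of("java.util.HashMap", "java.util.ArrayList",
        "java.lang.String", "java.lang.Number", "java.lang.Integer", "java.lang.Long", "java.lang.Boolean");
    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256"); m.init(new SecretKeySpec(key, "HmacSHA256")); return m.doFinal(data);
    }
    static byte[] writeMemo(Serializable state, byte[] key) throws Exception {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(body)) { oos.writeObject(state); }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(hmac(key, body.toByteArray()));  // tag binds the cache to whoever holds the key
        out.write(body.toByteArray());
        return out.toByteArray();
    }
    static Object readMemo(byte[] file, byte[] key) throws Exception {
        if (file.length < TAG_LEN) throw new InvalidObjectException("memo too short");
        byte[] payload = Arrays.copyOfRange(file, TAG_LEN, file.length);
        // 1. Integrity before parsing: appended garbage, truncation or a swapped-in file fails here (constant-time compare).
        if (!MessageDigest.isEqual(Arrays.copyOf(file, TAG_LEN), hmac(key, payload)))
            throw new InvalidObjectException("memo tag mismatch; discard cache and re-parse the image");
        // 2. Defence in depth (JEP 290 filter): only expected classes may be instantiated, so a gadget chain is rejected.
        ObjectInputFilter filter = info -> {
            if (info.depth() > 16 || info.references() > 10_000) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;  // resource-limit-only callback
            while (c.isArray()) c = c.getComponentType();
            return c.isPrimitive() || SAFE.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes();  // real use: per-install key loaded from a keystore
        HashMap<String, Object> state = new HashMap<>(); state.put("reader", "TiffReader"); state.put("sizeX", 512);
        byte[] memo = writeMemo(state, key);
        System.out.println("intact memo -> " + readMemo(memo, key));
        byte[] tampered = Arrays.copyOf(memo, memo.length + 400);  // mimics the PoC below: 400 bytes appended
        try { readMemo(tampered, key); } catch (InvalidObjectException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The tampered copy is rejected at step 1 without ObjectInputStream ever being constructed; a file with a valid tag but an unexpected class (a gadget chain on the classpath, for example) is rejected at step 2 with an InvalidClassException.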

*Proof of Concept:*
Corrupting a Legitimate Memo File
This PoC demonstrates exploitation by modifying a legitimately generated
.bfmemo file, which closely mirrors a real-world attack scenario.

Step 1 – Generate a Valid Memo File
[Step 1/4] Creating valid TIFF image...
[+] Created valid.tif

[Step 2/4] Generating legitimate memo file...
[+] Memo created at: ./root/bioformats/.valid.tif.bfmemo
[+] Size: 34815 bytes

Step 2 – Corrupt the Existing Memo File
[Step 4/4] Corrupting memo file...
[+] Corrupted memo (appended 400 garbage bytes)
[+] Created symlink to memo file

Example Output
[*] Loading valid.tif with Memoizer...

java.lang.ClassNotFoundException: loci.formats.in.URLReader
at loci.formats.ClassList.parseLine(ClassList.java:196)
at loci.formats.ClassList.parseFile(ClassList.java:258)
at loci.formats.Memoizer.<init>(Memoizer.java:540)

java.lang.ClassNotFoundException: loci.formats.in.SlideBook6Reader
java.lang.ClassNotFoundException: loci.formats.in.ScreenReader
java.lang.ClassNotFoundException: loci.formats.in.ZarrReader
java.lang.ClassNotFoundException:
ch.epfl.biop.formats.in.ZeissQuickStartCZIReader
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2026/Jan/7