An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J... by joaomatosf_
- The document discusses Java object serialization vulnerabilities and remote code execution.
- It provides background on serialization/deserialization and how it can allow object injection and improper input validation.
- A key vulnerability discussed is CVE-2015-7501, which affected Apache Commons Collections and allowed remote code execution through a "gadget chain" triggered during deserialization.
Java Deserialization Vulnerabilities - The Forgotten Bug Class, by CODE WHITE GmbH
This document discusses Java deserialization vulnerabilities. It provides an introduction to how Java serialization works and what the security issues are. Specifically, it describes how an attacker can exploit vulnerabilities to remotely execute code on a server by deserializing malicious objects. The document gives examples of past vulnerabilities found in various Java applications and frameworks. It also provides tips for finding vulnerabilities and generating payloads to demonstrate exploits.
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016, by Christian Schneider
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.
The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrate how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.
--
This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ..., by Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
Defending against Java Deserialization Vulnerabilities, by Luca Carettoni
Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.
This document discusses Spring Boot and how it provides automatic configuration for common web application functionalities like JPA, security, and Spring MVC. It also covers how Spring Boot uses starter dependencies to select libraries automatically and provides tools like the CLI and Spring Initializr. The document then demonstrates creating a basic Spring Boot application and discusses testing Spring Boot applications using techniques like mocking Spring MVC and integrating tests.
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition), by CODE WHITE GmbH
The document discusses Java deserialization vulnerabilities. It begins with an introduction to Java's object serialization protocol and how it can be exploited if not implemented securely. Several real-world examples of vulnerabilities are provided from 2006 to 2015. Common techniques for finding vulnerabilities like grepping for "readObject()" and exploiting them using "gadgets" are described. The document concludes with a hands-on example of exploiting a Jenkins vulnerability using a custom serialized object.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
This document provides an overview of the Java Collections Framework. It discusses core collection interfaces like List, Set, and Map and their common implementations like ArrayList, HashSet, and HashMap. It also covers sorting collections with Comparable and Comparator, searching collections with binary search, and using utility methods in the Collections class. Examples are provided to illustrate usage of various collection classes and methods.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour, by Soroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Discover the Spring Boot web framework, which is all the rage!
Learn how its auto-configuration system works.
Live coding and an example of migrating to Spring Boot are part of the programme.
Jonathan Birch from Microsoft discusses how misuse of serialization in .NET can lead to remote code execution (RCE) vulnerabilities. He explains how serialization works and how untrusted data streams containing type information can be exploited to instantiate dangerous classes and execute arbitrary code. He provides advice on how to prevent these vulnerabilities, such as using serialization formats without type information, constraining allowed types, and validating streams have not been modified.
This talk introduces Spring's REST stack - Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security OAuth and Spring Social - while refining an API to move higher up the Richardson maturity model
This document contains an agenda and slides for a presentation on Spring Boot. The presentation introduces Spring Boot, which allows developers to rapidly build production-grade Spring applications with minimal configuration. It demonstrates how to quickly create a "Hello World" application using Spring Boot and discusses some of the features it provides out-of-the-box like embedded servers and externalized configuration. The presentation also shows how to add additional functionality like Thymeleaf templates and actuator endpoints to monitor and manage applications.
This document provides an overview of Spring Boot and some of its key features. It discusses the origins and modules of Spring, how Spring Boot simplifies configuration and dependency management. It then covers examples of building Spring Boot applications that connect to a SQL database, use RabbitMQ for messaging, and schedule and run asynchronous tasks.
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016, by Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can serve as deserialization gadgets and thus help attackers exploit deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Cross-site scripting (XSS) is an injection attack where malicious scripts are injected into otherwise trusted sites. There are three main types of XSS attacks: reflected XSS occurs via URLs, stored XSS occurs when scripts are stored in a database and delivered to users, and DOM-based XSS modifies the DOM environment. XSS attacks can lead to issues like session hijacking, phishing, and port scanning. Developers can prevent XSS by validating and encoding untrusted data, and using HTTP-only and secure flags for cookies.
Microservices with Java, Spring Boot and Spring Cloud, by Eberhard Wolff
Spring Boot makes creating small Java applications easy - and also facilitates operations and deployment. But Microservices need more: because Microservices are distributed systems, issues like Service Discovery or Load Balancing must be solved. Spring Cloud adds those capabilities to Spring Boot using e.g. the Netflix stack. This talk covers Spring Boot and Spring Cloud and shows how these technologies can be used to create a complete Microservices environment.
This document discusses Java serialization vulnerabilities and mitigations. It introduces Java serialization, attack vectors like serialization gadgets and deserialization endpoints, and demonstrates denial of service attacks. It covers mitigations such as validating class names during deserialization, but notes this approach can be bypassed. It proposes a new concept of also validating methods during deserialization. The goal is to help fix issues with the Java serialization process.
Introduction to Spring WebFlux #jsug #sf_a1, by Toshiaki Maki
The document provides an introduction and overview of Spring WebFlux, a non-blocking web framework for Spring. It discusses the differences between blocking and non-blocking web stacks, and how Spring WebFlux uses reactive streams and programming. Code examples are provided showing how to build reactive controllers and streams in Spring WebFlux that support backpressure.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Java deserialization vulnerabilities allow attackers to exploit object serialization to influence in-memory program objects and code flow. If an attacker controls serialized data passed to a deserialization routine, they can manipulate the program. This has led to remote code execution attacks. Vendors have tried to mitigate this by blacklisting or whitelisting dangerous classes, but full remediation requires code changes. Exploits have included binary, XML, and text payloads triggering vulnerabilities in Spring, Weblogic, and other platforms.
Serialization vulnerabilities are very dangerous and can enable remote code execution and other attacks. They are difficult to fix due to issues with blacklisting, whitelisting, and the lack of a "silver bullet" solution. Serialization problems are common in Java libraries and formats like JSON/XML. Developers must think carefully before applying fixes and avoid playing "gadget whack-a-mole" since the vulnerabilities are language and format agnostic.
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ..., by Apostolos Giannakidis
This talk provides an introduction and detailed overview of Java deserialization attacks. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work, what solutions exist and the advantages and disadvantages of each. Finally, a new approach will be presented, using Runtime Virtualization, Compartmentalization and Privilege De-escalation.
This talk was presented by Apostolos Giannakidis at the OWASP London meetup in May 2017.
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition), by CODE WHITE GmbH
This document discusses Java deserialization vulnerabilities and provides an overview of how they work. It notes that many Java technologies rely on serialization which can enable remote code execution if not implemented securely. The document outlines the history of vulnerabilities found, how to find vulnerabilities, and techniques for exploiting them, using examples like the Javassist/Weld gadget. It also summarizes vulnerabilities the speaker's company Code White found, including in products from Symantec, Atlassian, Commvault, and Oracle.
Auscert 2022 - log4shell and history of Java deserialisation RCE, by David Jorm
The document provides a summary of Java deserialization vulnerabilities, including:
- A 2013 vulnerability in JBoss RichFaces allowed remote code execution via insecure deserialization. This allowed attackers to trigger execution of any deserializable class.
- The 2013 Apache Commons FileUpload vulnerability allowed arbitrary file upload via a poison null byte attack during deserialization that wrote files to the system.
- Later vulnerabilities used "property-oriented programming" gadgets and chains of deserializable classes and methods to achieve remote code execution during deserialization.
- The 2021 Log4Shell vulnerability allowed remote code execution by configuring logging in Log4j versions 2.0-2.12.1 and 2.13-2.14.1.
The Anatomy of Java Vulnerabilities (Devoxx UK 2017), by Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin, right? Well, maybe not. Java on the server can be just as much at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed, as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code, this talk will help you become more effective in tackling security issues in Java.
This document discusses exploiting the Java deserialization vulnerability to achieve remote code execution on targets. It identifies the vulnerability by examining serialized Java objects and using automated scanning tools. Various techniques for blind command execution are demonstrated, including using time delays and appending output to DNS queries. Methods for dealing with limitations of command execution without a shell are also covered. The document shows how to exfiltrate data, stage tools, and conduct reconnaissance on targets by manipulating DNS queries. Mitigation strategies like deserialization whitelisting are discussed.
See the improved version: https://www.slideshare.net/ApostolosGiannakidis/mitigating-java-deserialization-attacks-from-within-the-jvm-improved-version
A talk about the existing ways to mitigate Java deserialization attacks from within the JVM. The talk was presented at the BSides Luxembourg conference in October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered with via a file upload vulnerability at the application level.
(De)serial Killers - BSides Las Vegas & AppSec IL 2018, by Checkmarx
Presented by Dor Tumarkin, Application Security Researcher and Team Leader at Checkmarx
Take the plunge into deserialization attacks - from understanding the fundamentals of serialization to vulnerability breakdown, through RCE demos in various technologies (Java, C#, Python). Includes research and exploit demo of never-before-seen vulnerabilities in Microsoft’s Message Queue.
Originally presented at BSidesLV 2018 and AppSecIL 2018. Slides have been altered to remove animations.
(De)serial Killers - BSides Las Vegas & AppSec IL 2018, by Dor Tumarkin
This document provides an overview of serialization and deserialization, including potential exploitation. It begins by defining serialization as the process of translating data structures into a transmittable format. It then discusses common serialization formats and deserialization as reconstructing objects from serialized data. The document demonstrates deserialization in code and outlines real-world use cases. It also explores how untrusted deserialization can enable remote code execution attacks in languages like Java, .NET, Python, and PHP. Specific exploitation techniques are demonstrated, including using message queues and distributed systems. The document concludes by discussing additional risks of deserialization and how it has become a significant industry security issue.
Mitigating Java Deserialization attacks from within the JVM (improved version), by Apostolos Giannakidis
This deck contains a few improvements based on received feedback, such as the addition of links and the rewording of some points for clarity.
A talk about the existing ways to mitigate Java deserialization attacks from within the JVM. The talk was presented at the BSides Luxembourg conference in October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered from a file upload vulnerability at the application level.
This document summarizes a white paper about filtering Java vulnerabilities. It describes 3 commonly exploited Java vulnerabilities - CVE-2012-0507, CVE-2013-2465, and CVE-2012-1723. For each vulnerability, it provides technical details on how the vulnerability works and how exploit kits leverage it. It also shows graphs of the prevalence of exploits against these vulnerabilities and discusses how the exploits are used to deliver malware payloads through hidden requests in exploit kit traffic.
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just as much at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just as much at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
Automated Discovery of Deserialization Gadget ChainsPriyanka Aash
Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library, and as recently as last year's Black Hat, Muñoz and Mirosh presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk, I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability and allowing penetration testers to quickly develop working exploits. At the conclusion we will also be releasing a FOSS toolkit which utilizes this methodology and has been used to successfully develop many deserialization exploits in both internal applications and open source projects.
This session is about Android Serialization vulnerabilities. We revisit two vulns found in Android (CVE-2014-7911, CVE-2015-3837) which allowed for privilege escalation. We also present vulns found in third-party SDKs (CVE-2015-2000/1/2/3/4/20) which allowed for arbitrary code execution in apps which used them. But what has been done to prevent similar vulns? The session will answer this question.
(Source: RSA USA 2016-San Francisco)
Deserialization with the JavaScript for the lulzAndrew Freeborn
This was my presentation for the OWASP Omaha Feb 2018 meeting. The abstract for the presentation was: "Deserialization attacks are a hot topic in security, but often times these attacks seem like magic. Exploitation of these attacks tend to happen in complex systems that require knowledge in the setup of all the things. To help you better understand why and how these attacks work, we’re using an intentionally broken system with a quick and easy setup."
2. About Code White
▪ Pentest and Security Research Startup
▪ Based in Ulm
▪ Attacking corporate infrastructures in Red Teams
▪ Strong focus on post-exploitation
▪ Love to use 0day-angle to get initial hop
▪ AV is our best friend to gain SYSTEM
▪ Always looking for candidates ;-)
2015/10/23 2Exploiting Deserialization Vulnerabilities in Java
3. About me
▪ Head of Vulnerability Research at Code White
▪ Doing Technical Security for 6 years now
▪ Worked as Java Dev for a defense company
▪ Lead Expert Offensive Security at an automotive IT company
▪ Likes to find easy bugs in Java Software
▪ Found vulns in products of Oracle, IBM, SAP, Symantec, Apache, Adobe, Atlassian, etc.
▪ Enjoys low-level stuff recently
▪ @matthias_kaiser
4. Why this talk?
▪ Deserialization vulnerabilities are less known and exploited (compared to unserialize() in PHP)
▪ A dedicated bug class on its own
▪ Only a few researchers disclosed deserialization vulnerabilities like Takeshi Terada, @djorm, @gebl & @frohoff, etc.
▪ Easy to spot, easy RCE if the right classes are in the classpath
▪ I spent research time of CW to analyze several products of Oracle, Atlassian, Apache, etc.
▪ Only my Atlassian Bamboo vulnerability is patched, more RCEs to come ☺
5. Disclaimer
▪ This is not a reference on how serialization works; I skip details for speed. Read the spec.
▪ This talk does _not_ cover Privileged Deserialization (from @samikoivu) used to escape the JVM Sandbox
▪ Custom Serialization Frameworks like XStream, Castor etc. won’t be discussed although the exploitation vectors shown here can be applied to XStream
6. Agenda
1 What is serialization?
2 What‘s the issue?
3 How to exploit it?
4 Where is serialization used?
5 Case-Study: CVE-2015-6576
7. 1 What is serialization?
To serialize an object means to convert its state to a byte stream so that the byte stream can be reverted back into a copy of the object (x)
(x) https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html
8. 1 What is serialization?
9. 1 What is serialization?
10. 1 What is serialization?
Class java.io.ObjectOutputStream
▪ Writes serialized data to an OutputStream
▪ Has methods writeObject(), writeChar(), writeShort(), writeUTF(), etc.
Class java.io.ObjectInputStream
▪ Reads serialized data from an InputStream
▪ Has methods readObject(), readChar(), readShort(), readUTF(), etc.
11. 1 What is serialization?
Customizing serialization
▪ Developers can customize how objects are serialized to bytes / deserialized from bytes
▪ Serializing
1. writeReplace() → Developer can provide a replacement object to be serialized
2. writeObject() → Full control over what will be written to the stream
▪ Deserializing
1. readObject() → Full control over what will be read from the stream
2. readResolve() → Replacing a deserialized object with another one
12. 1 What is serialization?
13. 1 What is serialization?
14. 2 What‘s the issue?
▪ ObjectInputStream does not check which class gets deserialized
▪ There is no whitelist/blacklist which classes are allowed to get deserialized
▪ All serializable classes that the current classloader can locate and load can get deserialized
▪ Although a class cast exception might occur in the end, the object will be created!
▪ User supplied input can be processed in readObject()/ readResolve()
▪ If a class does something “dangerous” in readObject()/ readResolve() it might get abused
▪ Case-Study:
Apache Commons FileUpload (CVE-2013-2186)
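An added illustration (not from the slides) of the customization hooks listed above and of the point that the object is created before any cast: the stream below carries a `Hooked` object while the caller expects `Expected`, yet `Hooked.readObject()` and `readResolve()` both run and the `ClassCastException` arrives only afterwards. The class names and the `repository` field are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class ReadObjectRunsBeforeCast {

    // The type the application expects to receive from the stream.
    static class Expected implements Serializable {
        private static final long serialVersionUID = 1L;
        String label = "expected";
    }

    // A different serializable type with custom deserialization hooks (constructed
    // for the demo; stands in for any classpath class that does work in readObject()).
    static class Hooked implements Serializable {
        private static final long serialVersionUID = 1L;
        String repository = "/tmp/upload";

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // restores the fields from the stream first
            System.out.println("Hooked.readObject() ran with repository=" + repository);
        }

        private Object readResolve() {
            System.out.println("Hooked.readResolve() ran");
            return this;
        }
    }

    // Serializes any object to a byte array, as an application would before sending it.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Hooked());
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            // The cast is evaluated only after readObject() has fully built the object,
            // so both hooks of Hooked have already executed at this point.
            Expected e = (Expected) ois.readObject();
            System.out.println(e.label);
        } catch (ClassCastException cce) {
            System.out.println("ClassCastException raised only after both hooks executed");
        }
    }
}
```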
15. 2 What‘s the issue?
Apache Commons FileUpload
▪ Makes your life easy when dealing with HTTP file uploads
▪ Just add to your webapp and uploads are easy
CVE-2013-2186:
▪ But requires the null-byte vulnerability, patched in Java 7u40 or Java 8
16. 2 What‘s the issue?
▪ Values of the object are read with defaultReadObject()
▪ getOutputStream() gets called
17. 2 What‘s the issue?
▪ Calls getTempFile()
▪ Creates new File
▪ repository is a member of the class under our control
▪ → we can put a \u0000 at the end of the repository path
18. 3 How to exploit it?
▪ Finding ObjectInputStream.readObject() calls on user supplied input is easy
▪ You can decompile and grep for it … / “Open Call Hierarchy” in Eclipse ☺
▪ The question is how you can turn an ObjectInputStream.readObject() call into RCE
▪ Several universal exploitation vectors exist:
▪ Spring Framework <=3.0.5, <=2.0.6 (cve-2011-2894 of @woutercoekaerts)
▪ Groovy < 2.4.4 (cve-2015-3253 of @gebl & @frohoff)
▪ Apache Commons Collection (cve-xxxx-xxxx of @gebl & @frohoff)
▪ More to come … (e.g. cve-xxxx-xxxx of @matthias_kaiser)
▪ @gebl & @frohoff were so kind and published “ysoserial” to make exploitation easy …
▪ Let’s find out how a universal exploit for Apache Commons Collection works
19. 3 How to exploit it?
Apache Commons Collection Exploit
▪ I adapted the one from @gebl /@frohoff to skip what a java.lang.reflect.Proxy is ☺
▪ It’s just AWESOME, because Commons Collection is almost everywhere in the classpath
▪ Disclosed 274 days ago at AppSec California 2015, still not patched
▪ Self-executing, just send the stream and wait for ObjectInputStream.readObject()
▪ The vulnerabilities are in several Collection implementations (Map, Set, etc.)
▪ A TransformedMap can be created that invokes methods via reflection (=dynamically)
▪ An InvocationHandler from the “sun.”-namespace is used to trigger the vulnerability
20. 3 How to exploit it?
▪ The TransformedMap transforms keys/values when stored into the map (put(), putAll())
▪ Therefore the keyTransformer/valueTransformer are invoked
▪ All elements of the Map are stored in a set of Map.Entry objects
21. 3 How to exploit it?
▪ When the value of a Map.Entry object is changed, the valueTransformer is invoked
22. 3 How to exploit it?
▪ Transformers can be chained using a ChainedTransformer
23. 3 How to exploit it?
1. Constructor takes the method to invoke, argument types and the arguments
2. Invokes the method on the input object and returns the method return value
24. 3 How to exploit it?
▪ Now we need a serializable class that calls Map.Entry.setValue() in a readObject() or readResolve() method to get code execution
25. 3 How to exploit it?
▪ Member type is of class Class, memberValues of class Map!
▪ Constructor is package-private and performs some checks before setting the members
26. 3 How to exploit it?
1. Read in default values (type, memberValues)
2. type is an annotation type. We can use java.lang.annotation.Target.class
3. memberValues is a map implementation of our choice
4. memberValue is a Map.Entry
5. If our map contains an entry like (“value”,”value”) we can pass the checks
6. memberValue.setValue is invoked!
27. 3 How to exploit it?
1. Since the constructor of AnnotationInvocationHandler is package-private, we need to make it accessible/callable using reflection
2. We create a new instance using our parameters with reflection
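An added defensive counterpart (example code, not from the talk or from ysoserial): every class descriptor in the stream passes through `ObjectInputStream.resolveClass()` before an instance exists, so a look-ahead subclass with an allowlist rejects unexpected classes before their `readObject()`/`readResolve()` ever run, which is exactly where the chain above needs to start. The `Ping` and `Unexpected` classes are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

public class LookAheadObjectInputStream extends ObjectInputStream {

    // Fully qualified names of the classes this endpoint legitimately expects.
    private final Set<String> allowed;

    public LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Called for each class descriptor before any instance of it is created;
    // throwing here means the class's readObject()/readResolve() never execute.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // The only message type the demo endpoint accepts (constructed for the demo).
    static class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        int seq = 1;
    }

    // Any other serializable class with a side effect in readObject() (constructed for the demo).
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Unexpected.readObject() ran");
        }
    }

    // Serializes any object to a byte array, as a client would before sending it.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The endpoint's deserialization routine: only Ping may be resolved.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(Ping.class.getName());
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Ping accepted: " + (deserialize(serialize(new Ping())) instanceof Ping));
        try {
            deserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // The rejection happens in resolveClass(), so "Unexpected.readObject() ran" is never printed.
            System.out.println("Rejected before readObject(): " + e.getMessage());
        }
    }
}
```

Java 9 added `ObjectInputFilter` (JEP 290, later backported to Java 8 updates) to express the same allowlist without subclassing.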
28. 3 How to exploit it?
No Groovy or Commons Collection in the Classpath?
▪ Look for readObject(), readResolve() doing “nasty” things
▪ Java has the concept of Proxies that forward method calls to InvocationHandler
▪ So take another look for serializable InvocationHandlers, because they often do reflection magic on user input
▪ There is more to come, several researchers are working in this topic
▪ As soon as my vulnerabilities are fixed I will release the vectors on our blog/github
29. 4 Where is Serialization used
▪ Remote Method Invocation (RMI/JRMP)
▪ Custom RMI/IPC protocols (e.g. Spring HTTP invoker, …)
▪ Java Management Extension (JMX)
▪ Java Messaging Service (JMS)
31. 5 Case-Study: CVE-2015-6576
▪ Bamboo is a continuous build server from Atlassian
▪ Just did a grep for readObject() on the source
▪ One hit which looked interesting: DeliverMessageServlet
33. 5 Case-Study: CVE-2015-6576
▪ We need a valid fingerprint
▪ Atlassian Bamboo uses Struts ☺
▪ There is an action “GetFingerprint” that can be invoked via HTTP request
▪ We have some checks but let’s see how easy it is to bypass them
34. 5 Case-Study: CVE-2015-6576
1. Authentication is checked
2. If we are an Elastic Agent we pass
3. We are an Elastic Agent if our agentType is “elastic”
4. Again!
5. Get the fingerprint