Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Deserialize My Shorts
Or How I Learned to Start Worrying and Hate
Java Object Deserialization
Chris Frohoff (@frohoff)
Gab...
2
@gebl spreading The Good Word abroad
OWASP Cork, Ireland Chapter Meeting 2016/3/14
3
snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be
stored or transmitted for...
4
Remote/Interprocess Communication (RPC/IPC)
− Communicating data to different system/process
− Wire protocols, web servi...
5
Crash Course:
Java (de)serialization
6
java.io.ObjectOutputStream java.io.ObjectInputStream
public void writeObject(Object) public Object readObject()
public v...
7
Stream starts with magic & version:
− ObjectStreamConstants.STREAM_MAGIC (short, 0xACED);
− ObjectStreamConstants.STREAM...
8
Java Serialized Form
Uncustomized, default, simple (de)serialization
Object serialized form:
− TC_OBJECT (byte, 0x73)
− ...
9
Must implement java.io.Serializable (or java.io.Externalizable) interface
− Including all nested values
Serializable cla...
10
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d...
11
Java Serialization Format
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6374 6fd1 f104 c2d...
12
Java Serialization Format
final static byte TC_OBJECT = (byte)0x73;
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 .....
13
Java Serialization Format
final static byte TC_CLASSDESC = (byte)0x72;
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65...
14
Java Serialization Format
className:
(utf)
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
0000010: 6...
15
Java Serialization Format
primitiveDesc:
prim_typecode fieldName
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....s...
16
Java Serialization Format
objectDesc:
obj_typecode fieldName className1
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a6...
17
Java Serialization Format
Value for SomeNumber
0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje
000001...
18
Java Serialization Format
final static byte TC_STRING = (byte)0x74;
TC_STRING newHandle (utf)
0000000: aced 0005 7372 0...
19
java.io.Serializable
− void writeObject(ObjectOutputStream): customize object serialization
− Use ObjectOutputStream wr...
20
Java Serialization Stream Header
− 0xACED 0x0005 …
− “rO0AB…”
GZIP Header
− 0x1F8B 0x0800 …
− “H4sIA…”
Anywhere you see...
21
22
Code reuse attack (a la ROP)
Uses “gadget” classes already in scope of application
Create chain of instances and method...
23
Rube-Goldberg-esque
Gadget chains are generally carrier-medium, application, and OS/platform agnostic
− Relies only on ...
24
A Simple Java Gadget Chain
ObjectInputStream.readObject()
“calc.exe”
25
Time-Lapse of Deserialization
ObjectInputStream.readObject() called
ObjectInputStream
readObject()
defaultReadObject()
26
Time-Lapse of Deserialization
CacheManager instance allocated
CacheManager
ObjectInputStream
readObject()
readObject()
...
27
Time-Lapse of Deserialization
CacheManager.readObject() called
CacheManager
ObjectInputStream
readObject()
readObject()...
28
Time-Lapse of Deserialization
ObjectInputStream.defaultReadObject() called
CacheManager
ObjectInputStream
readObject()
...
29
Time-Lapse of Deserialization
CommandTask instance allocated and referenced by CacheManager.initHook field
CacheManager...
30
Time-Lapse of Deserialization
CommandTask.run() called
CacheManager
ObjectInputStream
readObject()
readObject()
default...
31
Time-Lapse of Deserialization
Runtime.exec() called
CacheManager
ObjectInputStream
readObject()
readObject()
defaultRea...
32
Time-Lapse of Deserialization
Target program run
CacheManager
ObjectInputStream
readObject()
readObject()
defaultReadOb...
33
Target java.lang.Runtime.exec(String cmd)
Uses gadgets in JDK and Apache Commons-Collections library
Self-executing dur...
34
Call Chain
35
Gadget Chain Construction Code and Call Tree
36
Demos
37
Contains multiple gadget chain payloads and a few exploits
Create payload to execute calc.exe using CommonsCollections1...
38
Code Execution via Java Serializable
JSF (MyFaces) ViewState form parameters deserialized
39
40
RMIRegistry
41
42
Imperfect Mitigations
Cover in more detail later to include new information
− Look-ahead deserialization with custom Ob...
43
This is not a
new problem
44
This is not a
language problem
45
This is not a
format problem
46
We have
trust issues
47
We have
trust issues.
48
Other languages/platforms
− PHP unserialize()
− Python pickle
− Ruby/Rails deserialization fiasco (YAML, XML, JSON, Mar...
49
50
2011/9/9 — Spring Vulnerabilities
Wouter Coekarts (@WouterCoekaerts)
51
2011/9 — 2013/3 (18 months)
52
2013/03/05 — IBM Cognos BI RCE
Pierre Ernst
53
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java...
54
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java...
55
2013/3 — 2013/12 (9 months)
56
2013/12/16 — Deserialization Spring RCE
Alvaro Muñoz (@pwntester)
57
2013/12 — 2015/1 (14 months)
58
2015/1/28 — Marshalling Pickles, ysoserial
Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
59
2015/1/28 — Marshalling Pickles, ysoserial
Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
60
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java...
61
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
Timeline of Java...
62
2015/1 — 2015/10 (9 months)
63
2015/1 — 2015/10 (9 months)
64
2015/10/28 — Exploiting Deserialization Vulnerabilities in Java
Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015
65
2015/10/28 — Exploiting Deserialization Vulnerabilities in Java
Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015
He...
66
2015/10/28 — Exploiting Deserialization Vulnerabilities in Java
Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015
He...
67
2015/11/6 — What Do WebLogic, WebSphere, …
Stephen Breen (@breenmachine)
My Birthday
68
2015/11/6-10 — Social Media Kills My Phone Battery
Misunderstanding and misinformation abound
69
2015/11/8-16 — Evasive Maneuvers by Dev Community
Innovative Solutions and (Some) Sensible Responses
70
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/10/27 @matt...
71
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/10/27 @matt...
72
2016/1/21-22 — JNDI/JRMP Remote Loading Gadget
@zerothoughts
73
2016/1/25 — PayPal Remote Code Execution
Michael Stepankin and Mark Litchfield
74
2016/1/26-2/24 — JDK <7u21, Beanutils Gadget Chains
Chris Frohoff (@frohoff)
75
2016/2/24 — serianalyzer, Gadgets, Clients, etc.
Moritz Bechler (@mbechler)
76
2016/3/4 — Serial Killer & The Perils of Java Deser.
Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711...
77
2016/3/4 — Serial Killer & The Perils of Java Deser.
Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711...
78
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/10/27 @matt...
79
? ?: Many JSF impls without encryption/signing enabled
2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858
2015/10/27 @matt...
80
* very much not to scale
81
* very much not to scale
82
* very much not to scale
83
Recent — Qualcomm Red Team Exercise
A colleague tried something new
Performed some new targeted scanning on internal ne...
84
Recent — Deser Vulnerability Reported to Qualcomm
85
$ java -jar target/ysoserial-0.0.5-SNAPSHOT-all.jar
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload ...
86
Recent — Good Guy Glenn
Glenn Lewis (@gmlewis)
87
Mitigation
88
Fundamental vulnerability is in doing unsafe deserialization, not in having gadgets available
More will be always found...
89
Fundamental vulnerability
is in doing unsafe
deserialization
90
Fundamental vulnerability
is in doing unsafe
deserialization
91
Avoid open-ended (de)serialization when possible
− If the serialization includes a class name, it’s probably bad
− Obje...
92
Whitelist/Blacklist classes
− Use subclass of ObjectInputStream0
− override resolveClass() to allow/disallow classes
− ...
93
Encryption != Authentication
− See JSF Padding Oracle attacks
Authenticate channels
− TLS Client Certs, SASL, DB/Cache/...
94
Strict firewall rules for deserializing listeners
Sandboxing/Hardening
− Java SecurityManager
− Transient usage can by ...
95
Find more unsafe deserialization
− Watch products with naïve mitigations
Find more gadgets/chains
Gadget finding tool i...
96
The Future
97
Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation
− https://www.nds.rub.de/media/hfs/attachments/files/2010/03...
98
Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned
− http://www.slideshare.ne...
99
Matthias Kaiser, 2015/10/28, Exploiting Deserialization Vulnerabilities in Java
− http://www.slideshare.net/codewhitese...
100
For more information on Qualcomm, visit us at:
www.qualcomm.com & www.qualcomm.com/blog
Qualcomm is a trademark of Qua...
Upcoming SlideShare
Loading in …5
×

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

9,387 views

Published on

Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.

In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.

This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/

Published in: Software

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

  1. 1. Deserialize My Shorts Or How I Learned to Start Worrying and Hate Java Object Deserialization Chris Frohoff (@frohoff) Gabriel Lawrence (@gebl) (in spirit)
  2. 2. 2 @gebl spreading The Good Word abroad OWASP Cork, Ireland Chapter Meeting 2016/3/14
  3. 3. 3 snapshots one or more “live”, in-memory objects into a flat, serial stream of data that can be stored or transmitted for reconstitution and use by a different process or the same process at some point Formats − Binary: Java Serialization, Ruby Marshal, Protobuf, Thrift, Avro, MS-NRBF, Android Binder/Parcel, IIOP − Hybrid/Other: PHP Serialization, Python pickle, Binary XML/JSON − Readable: XML, JSON, YAML Platform/Formats may have multiple implementations and/or sub-formats Serializing Objects a.k.a. “marshaling”, “pickling”, “freezing”, ”flattening”
  4. 4. 4 Remote/Interprocess Communication (RPC/IPC) − Communicating data to different system/process − Wire protocols, web services, message brokers Caching/Persistence − Communicating data to process’ future self − Databases, cache servers, file systems Tokens − Communicating data to different system/process and back − HTTP cookies, HTML form parameters, API auth tokens Purposes and Mediums Why and where
  5. 5. 5 Crash Course: Java (de)serialization
  6. 6. 6 java.io.ObjectOutputStream java.io.ObjectInputStream public void writeObject(Object) public Object readObject() public void writeUTF(String) public String readUTF() public void writeInt(int) public int readInt() public void writeFloat(float) public float readFloat() public void writeBoolean(boolean) public boolean readBoolean() public void writeByte(byte) public byte readByte() … … Java Serialization API readObject() and writeObject() are open-ended/polymorphic* *yes, that is scary
  7. 7. 7 Stream starts with magic & version: − ObjectStreamConstants.STREAM_MAGIC (short, 0xACED); − ObjectStreamConstants.STREAM_VERSION (short, 0x0005); Polymorphic values’ serialized form prefixed with “type code” − ObjectStreamConstants.TC_*: 0x70-0x7E − TC_NULL=0x70, TC_REFERENCE=0x71, TC_CLASSDESC=0x72, TC_OBJECT=0x73, TC_STRING=0x74, TC_ARRAY=0x75, TC_CLASS=0x76, TC_LONGSTRING=0x7C, TC_PROXYCLASSDESC=0x7D, TC_ENUM=0x7E String (UTF-8) serialized form: − String length (int), String bytes* Boolean serialized form: − value (byte, 1=True, 0=False) Java Serialized Form Uncustomized, default, simple (de)serialization
  8. 8. 8 Java Serialized Form Uncustomized, default, simple (de)serialization Object serialized form: − TC_OBJECT (byte, 0x73) − Class Description (or ref) − TC_CLASSDESC (byte, 0x72) − Class Name (String) − Serial Version UID (long) − Field Descriptions* − Field Type Code (byte) − Field Name (String) − Field Type (String, for non-primitive) − Field values* − [Primitive serialized form] | [Object serialized form] | ref − Causes recursive calls to writeObject()/readObject() or read*()/write*() • Refs: Later representations of same object substituted with incrementing “handles” to save space and preserve referential relationships • TC_REFERENCE (byte, 0x71) • Handle number (int) • > 0x7e0000 • Field Type Codes: 'B'=byte, 'C'=char, 'D'=double, 'F'=float, 'I'=int, 'J'=long, 'L'=class/interface, 'S'=short, 'Z'=boolean, '['=array,
  9. 9. 9 Must implement java.io.Serializable (or java.io.Externalizable) interface − Including all nested values Serializable classes must have access to no-arg ctor of first non-Serializable superclass − Uses bytecode magic to circumvent normal instantiation requirements (MagicAccessorImpl) Skips fields marked with “transient” keyword Serial Version UIDs in serialized form and target deserialized class must match − By default implicitly generated based on class structure − Can be explicitly defined in class if responsible for own serialized for compatibility Supports java.lang.reflect.Proxy instances  − Runtime generated class with interfaces implemented and java.lang.reflect.InvocationHandler − Serialized form includes (Serializable) InvocationHandler instance and interfaces Java Serialization Caveats
  10. 10. 10 Java Serialization Format 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  11. 11. 11 Java Serialization Format 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello final static short STREAM_MAGIC = (short)0xaced; final static short STREAM_VERSION = 5;
  12. 12. 12 Java Serialization Format final static byte TC_OBJECT = (byte)0x73; 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  13. 13. 13 Java Serialization Format final static byte TC_CLASSDESC = (byte)0x72; 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  14. 14. 14 Java Serialization Format className: (utf) 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  15. 15. 15 Java Serialization Format primitiveDesc: prim_typecode fieldName 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  16. 16. 16 Java Serialization Format objectDesc: obj_typecode fieldName className1 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  17. 17. 17 Java Serialization Format Value for SomeNumber 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  18. 18. 18 Java Serialization Format final static byte TC_STRING = (byte)0x74; TC_STRING newHandle (utf) 0000000: aced 0005 7372 000a 536f 6d65 4f62 6a65 ....sr..SomeObje 0000010: 6374 6fd1 f104 c2d9 8525 0200 0249 000a cto......%...I.. 0000020: 536f 6d65 4e75 6d62 6572 4c00 0a53 6f6d SomeNumberL..Som 0000030: 6553 7472 696e 6774 0012 4c6a 6176 612f eStringt..Ljava/ 0000040: 6c61 6e67 2f53 7472 696e 673b 7870 0000 lang/String;xp.. 0000050: 0001 7400 0548 656c 6c6f ..t..Hello
  19. 19. 19 java.io.Serializable − void writeObject(ObjectOutputStream): customize object serialization − Use ObjectOutputStream write*(), defaultWriteObject(), and/or putFields() − void readObject(ObjectInputStream): customize object deserialization − Use ObjectInputStream read*(), defaultReadObject(), and/or readFields() − Object writeReplace(): provide stand-in object for serialization − Object readResolve(): provide stand-in object for deserialization java.io.Externalizable: fully customized and explicit serialization − void readExternal(ObjectInput): manually read fields from stream − void writeExternal(ObjectOutput): manually write fields to stream Customizing Java Serialization Implement interfaces/methods on class to be (de)serialized
  20. 20. 20 Java Serialization Stream Header − 0xACED 0x0005 … − “rO0AB…” GZIP Header − 0x1F8B 0x0800 … − “H4sIA…” Anywhere you see a fully qualified class name − org.apache.commons.collections.functors.InvokerTransformer Some sequences to recognize
  21. 21. 21
  22. 22. 22 Code reuse attack (a la ROP) Uses “gadget” classes already in scope of application Create chain of instances and method invocations − Start with “kick-off” gadget that executes during or after deserialization − End in “sink” gadget that executes arbitrary code/commands − Use other “helper” gadgets to chain start gadget execution to end gadget Serialize chain and send to vulnerable deserialization in application Chain executed in application during/after deserialization Profit Property-Oriented Programming / Object Injection Earliest POP research we found was by Stefan Esser (@i0n1c), “Utilizing Code Reuse/ROP in PHP Application Exploits"
  23. 23. 23 Rube-Goldberg-esque Gadget chains are generally carrier-medium, application, and OS/platform agnostic − Relies only on code available to application − Not necessarily code used by application Gadget Classes − Target common libraries/frameworks. Library sprawl FTW. − “Proxy” gadgets versatile − Deserialization hook methods for self-execution Gadget hunting and chain construction is an art − Can be frustrating and tedious − Rich IDEs help, but custom tools are better − https://github.com/frohoff/inspector-gadget (out of scope for talk) Property-Oriented Programming / Object Injection
  24. 24. 24 A Simple Java Gadget Chain ObjectInputStream.readObject() “calc.exe”
  25. 25. 25 Time-Lapse of Deserialization ObjectInputStream.readObject() called ObjectInputStream readObject() defaultReadObject()
  26. 26. 26 Time-Lapse of Deserialization CacheManager instance allocated CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  27. 27. 27 Time-Lapse of Deserialization CacheManager.readObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  28. 28. 28 Time-Lapse of Deserialization ObjectInputStream.defaultReadObject() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject()
  29. 29. 29 Time-Lapse of Deserialization CommandTask instance allocated and referenced by CacheManager.initHook field CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
  30. 30. 30 Time-Lapse of Deserialization CommandTask.run() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run()
  31. 31. 31 Time-Lapse of Deserialization Runtime.exec() called CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
  32. 32. 32 Time-Lapse of Deserialization Target program run CacheManager ObjectInputStream readObject() readObject() defaultReadObject() CommandTask run() Runtime exec() “calc.exe”
  33. 33. 33 Target java.lang.Runtime.exec(String cmd) Uses gadgets in JDK and Apache Commons-Collections library Self-executing during deserialization − Executes before object returned to caller A Java + Commons-Collections Gadget Chain Similar POP techniques previously applied to Java Serialization by Wouter Coekaerts (@WouterCoekaerts) and implemented by Alvaro Muñoz (@pwntester)
  34. 34. 34 Call Chain
  35. 35. 35 Gadget Chain Construction Code and Call Tree
  36. 36. 36 Demos
  37. 37. 37 Contains multiple gadget chain payloads and a few exploits Create payload to execute calc.exe using CommonsCollections1 chain: $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd | head -3 0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl 0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A 0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat $ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe > payload.bin $ cat payload.bin | nc somehost 5555 Send exploit payload to RMI Registry listener: $ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe ysoserial A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization
  38. 38. 38 Code Execution via Java Serializable JSF (MyFaces) ViewState form parameters deserialized
  39. 39. 39
  40. 40. 40 RMIRegistry
  41. 41. 41
  42. 42. 42 Imperfect Mitigations Cover in more detail later to include new information − Look-ahead deserialization with custom ObjectInputStream subclass − Apply SecurityManager only during deserialization
  43. 43. 43 This is not a new problem
  44. 44. 44 This is not a language problem
  45. 45. 45 This is not a format problem
  46. 46. 46 We have trust issues
  47. 47. 47 We have trust issues.
  48. 48. 48 Other languages/platforms − PHP unserialize() − Python pickle − Ruby/Rails deserialization fiasco (YAML, XML, JSON, Marshal) − Recent stuff: “Instagram’s Million Dollar Bug” Java − JSF EL Injection − Recent stuff: “RCE in Oracle NetBeans Opensource Plugins”, “Reliable OS Shell with EL Injection” − Commons FileUpload − XMLDecoder/Xstream/Kryo − Recent stuff: “Serialization Must Die” − Recent Serializable: SerialDOS Only covering Remote Code Execution via Java Serializable/Externalizable API today − Original AppSecCali 2015 “Marshalling Pickles” talk covers some of the others Out-of-scope related must-see/read stuff Google or see references
  49. 49. 49
  50. 50. 50 2011/9/9 — Spring Vulnerabilities Wouter Coekarts (@WouterCoekaerts)
  51. 51. 51 2011/9 — 2013/3 (18 months)
  52. 52. 52 2013/03/05 — IBM Cognos BI RCE Pierre Ernst
  53. 53. 53 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP * very much not to scale
  54. 54. 54 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP * very much not to scale
  55. 55. 55 2013/3 — 2013/12 (9 months)
  56. 56. 56 2013/12/16 — Deserialization Spring RCE Alvaro Muñoz (@pwntester)
  57. 57. 57 2013/12 — 2015/1 (14 months)
  58. 58. 58 2015/1/28 — Marshalling Pickles, ysoserial Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
  59. 59. 59 2015/1/28 — Marshalling Pickles, ysoserial Gabe Lawrence (@gebl) and Chris Frohoff (@frohoff) — AppSec California 2015
  60. 60. 60 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core * very much not to scale
  61. 61. 61 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core * very much not to scale
  62. 62. 62 2015/1 — 2015/10 (9 months)
  63. 63. 63 2015/1 — 2015/10 (9 months)
  64. 64. 64 2015/10/28 — Exploiting Deserialization Vulnerabilities in Java Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015
  65. 65. 65 2015/10/28 — Exploiting Deserialization Vulnerabilities in Java Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015 Hey, that’s us!
  66. 66. 66 2015/10/28 — Exploiting Deserialization Vulnerabilities in Java Matthias Kaiser (@matthias_kaiser) — HackPra WS 2015 Hey, that’s us!
  67. 67. 67 2015/11/6 — What Do WebLogic, WebSphere, … Stephen Breen (@breenmachine) My Birthday
  68. 68. 68 2015/11/6-10 — Social Media Kills My Phone Battery Misunderstanding and misinformation abound
  69. 69. 69 2015/11/8-16 — Evasive Maneuvers by Dev Community Innovative Solutions and (Some) Sensible Responses
  70. 70. 70 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360 2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253 2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852 2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS 2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262) 2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799) 2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555 2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238 2015/12/4 n/a: Apache OpenJPA, Commons JCS 2015/12/9 @pwntester, @matthias_kaiser, @cschneider4711: ActiveMQ CVE-2015-5254 2015/12/9 n/a: Cisco (various) CVE-2015-6420 2015/12/16 cpnrodzc7: TomEE CVE-2015-8581 2015/12/17 Sim Yih Tsern: Apache Camel CVE-2015-5348 2015/12/18 n/a: VMWare vCenter/vRealize (various) CVE-2015-6934 2015/12/27 n/a: Apache Batchee, Apache OpenWebBeans 2015/12/30 n/a: McAfee ePolicy Orchestrator CVE-2015-8765 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core * very much not to scale
  71. 71. 71 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360 2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253 2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852 2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS 2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262) 2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799) 2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555 2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238 2015/12/4 n/a: Apache OpenJPA, Commons JCS 2015/12/9 @pwntester, @matthias_kaiser, @cschneider4711: ActiveMQ CVE-2015-5254 2015/12/9 n/a: Cisco (various) CVE-2015-6420 2015/12/16 cpnrodzc7: TomEE CVE-2015-8581 2015/12/17 Sim Yih Tsern: Apache Camel CVE-2015-5348 2015/12/18 n/a: VMWare vCenter/vRealize (various) CVE-2015-6934 2015/12/27 n/a: Apache Batchee, Apache OpenWebBeans 2015/12/30 n/a: McAfee ePolicy Orchestrator CVE-2015-8765 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core * very much not to scale
  72. 72. 72 2016/1/21-22 — JNDI/JRMP Remote Loading Gadget @zerothoughts
  73. 73. 73 2016/1/25 — PayPal Remote Code Execution Michael Stepankin and Mark Litchfield
  74. 74. 74 2016/1/26-2/24 — JDK <7u21, Beanutils Gadget Chains Chris Frohoff (@frohoff)
  75. 75. 75 2016/2/24 — serianalyzer, Gadgets, Clients, etc. Moritz Bechler (@mbechler)
  76. 76. 76 2016/3/4 — Serial Killer & The Perils of Java Deser. Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711) — RSAC 2016
  77. 77. 77 2016/3/4 — Serial Killer & The Perils of Java Deser. Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711) — RSAC 2016
  78. 78. 78 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360 2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253 2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852 2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS 2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262) 2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799) 2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555 2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238 2015/12/4 n/a: Apache OpenJPA, Commons JCS 2015/12/9 @pwntester, @matthias_kaiser, @cschneider4711: ActiveMQ CVE-2015-5254 2015/12/9 n/a: Cisco (various) CVE-2015-6420 2015/12/16 cpnrodzc7: TomEE CVE-2015-8581 2015/12/17 Sim Yih Tsern: Apache Camel CVE-2015-5348 2015/12/18 n/a: VMWare vCenter/vRealize (various) CVE-2015-6934 2015/12/27 n/a: Apache Batchee, Apache OpenWebBeans 2015/12/30 n/a: McAfee ePolicy Orchestrator CVE-2015-8765 2016/1/25 Michael Stepankin and Mark Litchfield: PayPal 2016/2/9 n/a: Adobe Experience Manager CVE-2016-0958 2016/2/24 @mbechler: Jenkins CVE-2016-0788 2016/3/16 n/a: TomEE (#2) CVE-2016-0779 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core 2016/1/22 @zerothoughts: Spring-TX 2016/1/26 @frohoff: JDK 7u21, variation on Commons Collections 2016/2/24 @frohoff: Beanutils 2016/2/29 @mbechler: Hibernate, MyFaces, C3P0, net.sf.json, ROME, variation on Spring, JRMPClient, JRMPListener 2016/3/4 @pwntester and @cschneider4711: Beanshell, Jython, lots of bypasses 2016/3/9 @matthias_kaiser: variation on Commons Collections * very much not to scale
  79. 79. 79 ? ?: Many JSF impls without encryption/signing enabled 2013/03/15 @e_rnst: IBM Cognos BI CVE-2012-4858 2015/10/27 @matthias_kaiser: Atlassian Bamboo CVE-2015-8360 2015/11/4 @mwulftange and @matthias_kaiser: Commvault Edge Server CVE-2015-7253 2015/11/6 @matthias_kaiser: Oracle WebLogic CVE-2015-4852 2015/11/6 @breenmachine: JBoss AS CVE-2015-7501, WebSphere CVE-2015-7450, Jenkins CVE-2015-8103, OpenNMS 2015/11/9 Joel Bernstein: Apache SOLR (SOLR-8262) 2015/11/12 Andrew Purtell: Apache HBase (HBASE-14799) 2015/11/13 @matthias_kaiser and @mwulftange: Symantec Endpoint Protection Manager CVE-2015-6555 2015/11/17 n/a: Unify OpenScape (various) CVE-2015-8237, CVE-2015-8238 2015/12/4 n/a: Apache OpenJPA, Commons JCS 2015/12/9 @pwntester, @matthias_kaiser, @cschneider4711: ActiveMQ CVE-2015-5254 2015/12/9 n/a: Cisco (various) CVE-2015-6420 2015/12/16 cpnrodzc7: TomEE CVE-2015-8581 2015/12/17 Sim Yih Tsern: Apache Camel CVE-2015-5348 2015/12/18 n/a: VMWare vCenter/vRealize (various) CVE-2015-6934 2015/12/27 n/a: Apache Batchee, Apache OpenWebBeans 2015/12/30 n/a: McAfee ePolicy Orchestrator CVE-2015-8765 2016/1/25 Michael Stepankin and Mark Litchfield: PayPal 2016/2/9 n/a: Adobe Experience Manager CVE-2016-0958 2016/2/24 @mbechler: Jenkins CVE-2016-0788 2016/3/16 n/a: TomEE (#2) CVE-2016-0779 Timeline of Java Serializable Pwnage Vulnerable (or Likely) Products/Projects Gadgets/Chains 2011/9/9 Wouter Coekaerts: Spring AOP 2015/1/28 @frohoff: Commons Collections, Groovy, Spring Beans/Core 2016/1/22 @zerothoughts: Spring-TX 2016/1/26 @frohoff: JDK 7u21, variation on Commons Collections 2016/2/24 @frohoff: Beanutils 2016/2/29 @mbechler: Hibernate, MyFaces, C3P0, net.sf.json, ROME, variation on Spring, JRMPClient, JRMPListener 2016/3/4 @pwntester and @cschneider4711: Beanshell, Jython, lots of bypasses 2016/3/9 @matthias_kaiser: variation on Commons Collections * very much not to scale
  80. 80. 80 * very much not to scale
  81. 81. 81 * very much not to scale
  82. 82. 82 * very much not to scale
  83. 83. 83 Recent — Qualcomm Red Team Exercise A colleague tried something new Performed some new targeted scanning on internal network Scripted ysoserial against various listeners − Attempted multiple payload types − Executed DNS lookup (logged at DNS server) with name of payload type Results − Discovered undisclosed vulnerabilities in 6 products (i.e. 0days)
  84. 84. 84 Recent — Deser Vulnerability Reported to Qualcomm
  85. 85. 85 $ java -jar target/ysoserial-0.0.5-SNAPSHOT-all.jar Y SO SERIAL? Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]' Available payload types: BeanShell1 C3P0 CommonsBeanutils1 CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 FileUpload1 Groovy1 Hibernate1 Hibernate2 JRMPClient JRMPListener JSON1 Jdk7u21 Jython1 Myfaces1 Myfaces2 ROME Spring1 Spring2 Recent — ysoserial dev activity picking up
  86. 86. 86 Recent — Good Guy Glenn Glenn Lewis (@gmlewis)
  87. 87. 87 Mitigation
  88. 88. 88 Fundamental vulnerability is in doing unsafe deserialization, not in having gadgets available More will be always found Transitive dependencies cause library sprawl Cross-library gadget chains Auto-detection difficult Gadget Whack-a-Mole DO NOT rely on this!
  89. 89. 89 Fundamental vulnerability is in doing unsafe deserialization
  90. 90. 90 Fundamental vulnerability is in doing unsafe deserialization
  91. 91. 91 Avoid open-ended (de)serialization when possible − If the serialization includes a class name, it’s probably bad − ObjectInputStream.readObject() is not safe − Lots of non-open-ended JVM serialization frameworks available − https://github.com/eishay/jvm-serializers/wiki Simple format and/or data types − Strings, Numbers, Arrays, Maps, etc. − Manually serialize complex objects Keep session state on the server when possible − Beware of lateral attacks! (memcached, redis, database, etc.) Abstenence Avoid magic
  92. 92. 92 Whitelist/Blacklist classes − Use subclass of ObjectInputStream0 − override resolveClass() to allow/disallow classes − http://www.ibm.com/developerworks/library/se-lookahead/ − Blacklisting ≈ Gadget whack-a-mole − Difficult without robust library support − Runtime Agents can help − Strip Serilaizable/Externalizable interfaces from classes − Instrument native ObjectInputStream.resolveClass() − Subclass circumventable by “bypass gadgets” Restrict Deserialization Use with Caution. This is a band-aid.
  93. 93. 93 Encryption != Authentication − See JSF Padding Oracle attacks Authenticate channels − TLS Client Certs, SASL, DB/Cache/Broker credentials Authenticate content − HMAC or Authenticated Encryption with secret key Must be verified pre-deserialization! − Don’t read credentials with readObject() − readUTF() is probably OK Pro-tip: Don’t leak crypto keys! − Path traversal − Default key or key committed to source control Authenticate Trust Verify
  94. 94. 94 Strict firewall rules for deserializing listeners Sandboxing/Hardening − Java SecurityManager − Transient usage can by circumvented by “deferred execution bypass gadgets” − AppArmor/SELinux − Docker containers − Block (or whitelist) forking processes, file/network I/O Security-in-depth Assume breach of defenses
  95. 95. 95 Find more unsafe deserialization − Watch products with naïve mitigations Find more gadgets/chains Gadget finding tool improvements Explore mediums, platforms, formats, implementations Help with ysoserial − Has become more active − Needs contributors − Lots of work to be done Great Job Everyone…but you’re not done Continue pwning all the things
  96. 96. 96 The Future
  97. 97. 97 Stefan Esser, 2009/11/1, Shocking News in PHP Exploitation − https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_fu_esser_php_exploits1.pdf David Byrne, Rohini Sulatycki, 2010/6/21, Beware of Serialized GUI Objects Bearing Data − https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf Stefan Esser, 2010/7/29, Utilizing Code Reuse/ROP in PHP Application Exploits − https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf Wouter Coekaerts, 2011/9/9, Spring Vulnerabilities − http://wouter.coekaerts.be/2011/spring-vulnerabilities Charlie Sommerville, 2013/1/10, Rails 3.2.10 Remote Code Execution − https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md Arseniy Reutov, 2013/5/28, PHP Object Injection Revisited − https://prezi.com/5hif_vurb56p/php-object-injection-revisited/ Stephen Coty, 2013/6/14, Writing Exploits for Exotic Bug Classes: unserialize() − https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes/ Ben Murphy, 2013/6/23, Property Oriented Programming Applied to Ruby − http://slides.com/benmurphy/property-oriented-programming#/ Robert Heaton, 2013/7/22, How to hack a Rails app using its secret_token − http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ Dinis Cruz, 2013/8/6, Using XMLDecoder to execute server-side Java Code on an Restlet application − http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html Past Work / References
  98. 98. 98 Abraham Kang, Dinis Cruz, Alvaro Munoz, 2013/8/6, RESTing on your laurels will get you pwned − http://www.slideshare.net/DinisCruz/res-ting-on-your-laurels-will-get-you-powned4-3 Tom Van Goethem, 2013/9/11, WordPress < 3.6.1 PHP Object Injection − https://vagosec.org/2013/09/wordpress-php-object-injection/ David Jorm, 2013/11/20, Java Deserialization Flaws: Part 1, Binary Deserialization − https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/ Alvaro Munoz, 2013/12/16, CVE-2011-2894: Deserialization Spring RCE − http://pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/ Dinis Cruz, 2013/12/22, XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article, − http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html David Jorm, 2014/1/23, Java deserialization flaws: Part 2, XML deserialization − https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/ Johannes Dahse, Nikolai Krein, Thorsten Holz, 2014/11/3, Code Reuse Attacks in PHP: Automated POP Chain Generation − https://websec.files.wordpress.com/2010/11/rips_ccs.pdf − http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf Renaud Dubourguais, Nicolas Collignon, 2013, JSF ViewState upside-down − http://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf Gabe Lawrence, Chris Frohoff 2015/1/28, Marshalling Pickles − http://frohoff.github.io/appseccali-marshalling-pickles/ Past Work / References
  99. 99. 99 Matthias Kaiser, 2015/10/28, Exploiting Deserialization Vulnerabilities in Java − http://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478 − https://www.youtube.com/watch?v=VviY3O-euVQ Stephen Breen, 2015/11/6, What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. − http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ Bernd Eckenfels, Gary Gregory, 2015/11/10, Apache Commons statement to widespread Java object de-serialisation vulnerability − https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread @Zerothoughts, 2016/1/21, Fun with JNDI remote code injection, Spring framework deserialization RCE − http://zerothoughts.tumblr.com/post/137769010389/fun-with-jndi-remote-code-injection − http://zerothoughts.tumblr.com/post/137831000514/spring-framework-deserialization-rce Laksh Raghavan, 2016/1/21, Lessons Learned from the Java Deserialization Bug https://www.paypal-engineering.com/2016/01/21/lessons-learned-from-the-java-deserialization-bug/ Michael Stepankin, 2016/1/25, PayPal Remote Code Execution Vulnerability − http://artsploit.blogspot.com/2016/01/paypal-rce.html Alvaro Muñoz, Christian Schneider, 2016/3/4, Serial Killer: Silently Pwning Your Java Endpoints , Perils of Java Deserialization − http://rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf − http://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995 2016/3/14 Gabe Lawrence, Deserialization is bad, and you should feel bad − http://www.meetup.com/OWASP-Cork/events/229340488/ Past Work / References
  100. 100. 100 For more information on Qualcomm, visit us at: www.qualcomm.com & www.qualcomm.com/blog Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other products and brand names may be trademarks or registered trademarks of their respective owners Thank you Follow us on: Gabe Lawrence gabe@qualcomm.com @gebl Chris Frohoff cfrohoff@qualcomm.com @frohoff

×