Java Deserialization Vulnerabilities
– The Forgotten Bug Class
Matthias Kaiser
(@matthias_kaiser)
About me
- Head of Vulnerability Research at Code White in Ulm, Germany
- Specialized in (server-side) Java
- Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, etc.
- Recently looking more into the Windows world and client-side stuff
28.04.2016
@matthias_kaiser
Agenda
- Introduction
- Java’s Object Serialization
- What’s the problem with it
- A history of bugs
- Finding and exploiting
- Code White’s bug parade + a RuhrSec special
- More to come?
Should you care?
- If your client is running server products of [vendor logos shown on the slide], you SHOULD!
Some facts
- The bug class has existed for more than 10 years
- Most ignored bug class in the server-side Java world until 2015
- An easy way to get reliable RCE on a server
- Architecture-independent exploitation
- With Java deserialization vulnerabilities you can pwn a corp easily!
Where is it used
- Several J2EE/JEE core technologies rely on serialization
  - Remote Method Invocation (RMI)
  - Java Management Extensions (JMX)
  - Java Message Service (JMS)
  - JavaServer Faces implementations (ViewState)
- Communication between JVMs in general (because devs are lazy :-)
- Custom application protocols running on top of HTTP, etc.
What is serialization?
[Diagram: an Object is serialized into a stream of bytes, which is written to a File, sent over the Network or stored in a Database; deserialization turns the stream of bytes back into an Object.]
Overview of Java’s Object Serialization Protocol
[Diagram of a serialized stream: the Magic header, then a TC_OBJECT record, a TC_CLASSDESC record carrying the class description info (class name, field types, class fields), followed by the classdata[].]
There is a protocol spec and a grammar:
https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
Deserializing an object
What could possibly go wrong here?
What’s the problem
- ObjectInputStream doesn’t include validation features in its API
- All serializable classes that the current classloader can locate and load can get deserialized
- Although a class cast exception might occur in the end, the object will be created!
What’s the problem #2
- A developer can customize the (de)serialization of a serializable class
  - Implement methods writeObject(), writeReplace(), readObject() and readResolve()
- ObjectInputStream invokes readObject() and readResolve() (under our control!)
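The two slides above describe the root cause: ObjectInputStream resolves and instantiates whatever class the stream names, runs that class’s readObject()/readResolve(), and only afterwards does the caller’s cast fail. The program below is an added example, not code from the talk or from Code White. It first shows the readObject() side effect surviving the ClassCastException, then the countermeasure the talk later refers to as Pierre Ernst’s "Look-ahead Deserialization", implemented here as an allowlist (the talk criticises Oracle’s blacklist variant) and extended to resolveProxyClass(), the path dynamic proxies take. The class names LookAheadDemo, Marker and AllowlistObjectInputStream are constructed for this demonstration.

```java
import java.io.*;
import java.util.Collections;
import java.util.Date;
import java.util.Set;

public class LookAheadDemo {

    /** Constructed sample class: its readObject() hook runs as a side effect of deserialization. */
    static class Marker implements Serializable {
        private static final long serialVersionUID = 1L;
        static int readObjectCalls = 0;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectCalls++;   // anything placed here has already run before the caller's cast
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Naive consumer: expects a Date but lets the stream decide which class gets built. */
    static Date naiveRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Date) in.readObject();   // the cast happens only after the object is fully built
        }
    }

    /**
     * Look-ahead deserialization: ObjectInputStream asks resolveClass() for every class
     * descriptor before it creates an instance, so an allowlist check here stops an
     * unexpected class before its constructor, readObject() or readResolve() can run.
     */
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies are resolved through this method, not through resolveClass(),
            // so a filter that overrides only resolveClass() leaves the proxy path unchecked.
            for (String itf : interfaces) {
                if (!allowed.contains(itf)) {
                    throw new InvalidClassException(itf, "proxy interface not on the deserialization allowlist");
                }
            }
            return super.resolveProxyClass(interfaces);
        }
    }

    static Date safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(data), Collections.singleton("java.util.Date"))) {
            return (Date) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] unexpected = serialize(new Marker());   // constructed: not the class the consumer expects

        try {
            naiveRead(unexpected);
        } catch (ClassCastException e) {
            System.out.println("naive: ClassCastException, but Marker.readObject() had already run "
                    + Marker.readObjectCalls + " time(s)");
        }

        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allowlist: rejected before instantiation: " + e.getMessage());
        }
        System.out.println("allowlist: Marker.readObject() call count is still " + Marker.readObjectCalls);

        System.out.println("allowlist: legitimate value = " + safeRead(serialize(new Date(0))));
    }
}
```

Compile and run with javac and java; the naive path reports one readObject() call before the cast fails, the allowlist path rejects the Marker descriptor without that counter moving, and a genuine Date still comes through. Since Java 9 (also backported to the 8u121 line) the JDK offers the same hook natively as ObjectInputFilter (JEP 290), set per stream with ObjectInputStream.setObjectInputFilter() or process-wide with the jdk.serialFilter property; an allowlist pattern there is preferable to a custom subclass because it also covers streams opened by library code the application does not control.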
What’s the problem #3
- Further methods can be triggered by using certain classes as a "trampoline"
  - Object.toString() using e.g. javax.management.BadAttributeValueExpException
  - Object.hashCode() using e.g. java.util.HashMap
  - Comparator.compare() using e.g. java.util.PriorityQueue
  - etc.
[Diagram: trampoline class → target class]
What’s the problem #3
[Code: javax.management.BadAttributeValueExpException.readObject(), annotated:]
1. Reading the field "val"
2. Calling "toString()" on "val"
History of Java deserialization vulnerabilities
- 2006: JRE vulnerabilities (DoS), Marc Schönefeld
- 2008: JSF ViewState XSS/DoS, Sun Java Web Console, Luca Carettoni
- 2011: CVE-2011-2894, Spring Framework RCE, Wouter Coekaerts
- 2012: CVE-2012-4858, IBM Cognos Business Intelligence RCE, Pierre Ernst
History of Java deserialization vulnerabilities
- 2013: CVE-2013-1768 Apache OpenJPA RCE, CVE-2013-1777 Apache Geronimo 3 RCE, CVE-2013-2186 Apache commons-fileupload RCE, Pierre Ernst
- 2013: CVE-2013-2165 JBoss RichFaces RCE, Takeshi Terada
- 2015: CVE-2015-3253 Groovy RCE, CVE-2015-7501 Commons-Collections RCE, Gabriel Lawrence and Chris Frohoff
Finding is trivial
- Do the "grep" thing on "readObject()"
- Use an IDE like IntelliJ or Eclipse and trace the call paths to ObjectInputStream.readObject()
Exploitation
- Exploitation requires a chain of serialized objects triggering interesting functionality, e.g.
  - writing files
  - dynamic method calls using Java’s Reflection API
  - etc.
- For such a chain the term "gadget" has become established
- Chris Frohoff and others found several gadgets in standard libs
- Let’s look at an example gadget
Javassist/Weld Gadget
- Gadget utilizes JBoss’ Javassist and Weld frameworks
- Reported to Oracle with the Weblogic T3 vulnerability
- Works in Oracle Weblogic and JBoss EAP
- Allows us to call a method on a deserialized object
Javassist/Weld Gadget
[Code: InterceptorMethodHandler]
Javassist/Weld Gadget summary
- During deserialization a "POST_ACTIVATE" interception will be executed
- We can create an "interceptorHandlerInstances" that defines our deserialized target object as a handler for a "POST_ACTIVATE" interception
- We can create an "interceptionModel" that defines a method to be executed on our handler for a "POST_ACTIVATE" interception
Javassist/Weld Gadget call chain
InterceptorMethodHandler.readObject(ObjectInputStream)
  InterceptorMethodHandler.executeInterception(Object, Method, Method, …)
    SimpleInterceptionChain.invokeNextInterceptor(InvocationContext)
      SimpleMethodInvocation<T>.invoke(InvocationContext)
Javassist/Weld Gadget
[Code: SimpleMethodInvocation]
"Return of the Rhino"-Gadget
 Gadget utilizes Rhino Script Engine of Mozilla
 Works with latest Rhino in the classpath
 Oracle applied some hardening to its Rhino version
 So only works Oracle JRE <= jre7u13 
 Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu) 
 Allows us to call a method on a deserialized object
 Will be released on our blog soon
28.04.2016
What to look for?
- Look for methods in serializable classes
  - working on files
  - triggering reflection (invoking methods, getting/setting properties on beans)
  - doing native calls
  - etc.
  AND being called from
  - readObject()
  - readResolve()
  - toString()
  - hashCode()
  - finalize()
  - any other method being called from a "trampoline" class
What to look for?
- Look at serializable classes used in Java reflection proxies
  - java.lang.reflect.InvocationHandler implementations
  - javassist.util.proxy.MethodHandler implementations
What to look for?
[Diagram: a call to toString() on a Proxy implementing an Interface is forwarded to the InvocationHandler as invoke(target, toString, args), where the handler can "do smth"]
What to look for?
[Code: an InvocationHandler that prints out the method being called]
What if InvocationHandler.invoke() does "scary" things using values from the serialized object input stream?
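The protocol overview earlier (Magic header, TC_OBJECT, TC_CLASSDESC, classdata[]) and the proxy slides here share one practical point for defenders: the class descriptors sit in the stream ahead of the object data, so an incident responder can list what a captured blob would make the JVM load without ever deserializing it. The program below is an added example, not code from the talk or from Code White. It uses the same ObjectInputStream hooks the look-ahead technique relies on, but only to record names: every class is reported and then refused with ClassNotFoundException, which ObjectInputStream defers until that object’s data has been skipped, so the stream is walked to the end while no constructor, readObject() or readResolve() of the carried classes runs. StreamInspector and RecordingHandler are constructed names, and both sample streams are constructed in main().

```java
import java.io.*;
import java.lang.reflect.*;
import java.util.*;

/**
 * Reports every class a serialized stream names, without deserializing it.
 * ObjectInputStream consults resolveClass()/resolveProxyClass() for each class
 * descriptor before it creates an instance; refusing a class there with
 * ClassNotFoundException makes the stream skip that object's data instead of
 * instantiating it and re-throw the refusal only after the whole stream was read.
 */
public class StreamInspector extends ObjectInputStream {
    private final List<String> seen = new ArrayList<>();

    StreamInspector(InputStream in) throws IOException {
        super(in);   // reads and checks the magic/version header of the stream
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        seen.add(desc.getName());
        if (desc.getName().startsWith("[")) {
            // Array classes are resolved (loaded, not initialized) so the element count and any
            // primitive contents are consumed correctly; object elements still pass through here.
            return super.resolveClass(desc);
        }
        throw new ClassNotFoundException(desc.getName());   // deferred by ObjectInputStream; nothing is instantiated
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        seen.add("Proxy" + Arrays.toString(interfaces));    // dynamic proxies take this path, not resolveClass()
        throw new ClassNotFoundException("proxy refused");
    }

    /** Walks the whole stream and returns the class names in the order they occur. */
    static List<String> inspect(byte[] data) throws IOException {
        try (StreamInspector in = new StreamInspector(new ByteArrayInputStream(data))) {
            try {
                in.readObject();
            } catch (ClassNotFoundException refused) {
                // the deferred refusal surfaces here, after the stream has been consumed
            }
            return in.seen;
        }
    }

    /** Constructed serializable InvocationHandler so that the proxy case can be shown. */
    static class RecordingHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) {
            return method.getName();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an ordinary object graph. Strings are written as TC_STRING
        // records without a class descriptor, so "text" does not show up in the report.
        Object graph = new ArrayList<Object>(Arrays.<Object>asList(new Date(0), "text", new int[] {1, 2}));
        System.out.println("graph: " + inspect(serialize(graph)));

        // Constructed sample 2: a dynamic proxy with a serializable handler, the shape the
        // "What to look for?" slides point at. The handler's class is reported as well.
        Object proxy = Proxy.newProxyInstance(StreamInspector.class.getClassLoader(),
                new Class<?>[] {Runnable.class}, new RecordingHandler());
        System.out.println("proxy: " + inspect(serialize(proxy)));
    }
}
```

For the first sample the report lists java.util.ArrayList, java.util.Date and the int-array class [I; for the second it lists the proxy’s interface names, java.lang.reflect.Proxy and the handler class, which is exactly the serializable InvocationHandler implementation the slides say to look at. Two caveats apply: array classes are still loaded (without initialization) so that their contents can be skipped, and the report is limited to what the stream names, so classes that a gadget such as TemplatesImpl defines from embedded bytecode at runtime never appear in it. A stream that does not start with the serialization magic makes the constructor throw StreamCorruptedException.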
Making gadget search easier
- Chris Frohoff released a tool for finding gadgets using a graph database
- Using object graph queries for gadget search
Exploitation tricks
- Adam Gowdiak’s TemplatesImpl
  - com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
  - Allows defining new classes from your byte[][]
  - Calling TemplatesImpl.newTransformer() on the deserialized object → code execution
Exploitation tricks
- InitialContext.lookup()
  - @zerothoughts published a gadget in Spring’s JtaTransactionManager recently
  - Triggers InitialContext.lookup(jndiName)
  - Uses "rmi://yourFakeRmiServer/…" as jndiName
  - Loads classes from your fake RMI server
  - Calling JdbcRowSetImpl.execute() on a deserialized object will do the same
Payload generation
- Chris Frohoff released the great tool "ysoserial"
- Makes creation of payloads easy
- Includes gadgets for
  - Commons Collections 3 & 4
  - Spring
  - Groovy
  - JRE7 (<= jre7u21)
  - Commons BeanUtils
  - and even more!
Custom payloads
- I wouldn’t go for Runtime.getRuntime().exec(cmd), for several reasons
- Most of the gadgets don’t touch the disk
- With scripting languages your life gets even easier
- Use what’s in the classpath
  - JavaScript (Rhino, Nashorn)
  - Groovy
  - BeanShell
  - etc.
Code White’s Bug Parade
- CVE-2015-6554 - Symantec Endpoint Protection Manager RCE
- CVE-2015-6576 - Atlassian Bamboo RCE
- CVE-2015-7253 - Commvault Edge Server RCE
- CVE-2015-7253 - Apache ActiveMQ RCE
- CVE-2015-4582 - Oracle Weblogic RCE
- CVE-2016-1998 - HP Service Manager RCE
- CVE-2016-2173 - Spring AMQP
- NO-CVE-YET - Oracle Hyperion RCE
- NO-CVE-YET - SAP NW AS Java
- Others I can’t talk about (now)
Oracle Weblogic
- Oracle’s application server (acquired from BEA)
- Middleware for core products of Oracle
  - Oracle Enterprise Manager
  - Oracle VM Manager
  - Oracle ESB
  - Oracle Hyperion
  - Oracle PeopleSoft
  - and many more
CVE-2015-4852 - Oracle Weblogic
- Reported on 21st of July 2015 to Oracle as "Oracle Weblogic T3 Deserialization Remote Code Execution Vulnerability"
- Detailed advisory with POCs
  - Using Chris Frohoff’s Commons Collections gadget
  - Using my Javassist/Weld gadget
- I recommended implementing "Look-ahead Deserialization" by Pierre Ernst
- Yeah, the one @foxglovesec dropped …
CVE-2015-4852 - Oracle Weblogic
- Weblogic uses a multi-protocol listener architecture
- Channels can be defined listening for several protocols
- The "interesting" protocols are t3 and t3s
CVE-2015-4852 - T3 Protocol
- Weblogic has its own RMI protocol called T3
- Exists since the early days of Weblogic
- Used for JEE remoting (e.g. Session Beans)
- Used for JMX (e.g. by the Weblogic Scripting Tool)
- Can also be tunneled over HTTP (if enabled)
  - Check http://target:port/bea_wls_internal/HTTPClntLogin/a.tun
CVE-2015-4852 - How I found the bug
- Found during my daughter’s midday nap ;-)
- Remembered the time when I was a dev writing software for NATO systems
- We used to deploy software on Weblogic using T3
- Just wrote some lines to create a T3 connection
CVE-2015-4852 - How I found the bug
[Code: T3Client, the few lines creating the T3 connection. Annotation: I haven’t specified any user, right?]
CVE-2015-4852 - Oracle Weblogic
[Code: BootServicesStub, annotated:]
1. Checking the protocol
2. Create an "RJVM" object
3. Create an RMI stub
4. Call an RMI method on the stub
CVE-2015-4852 - Oracle Weblogic
[Code, annotated: method id 2, serializing a UserInfo object]
CVE-2015-4852 - Triggering the bug
[Stacktrace of the Weblogic Server while triggering the bug]
CVE-2015-4852 - I’m in your UserInfo
[Code: BootServicesImpl, annotated: method id 2]
CVE-2015-4852 - I’m in your UserInfo
[Code: BootServicesStubImpl, annotated: calls readObject()]
CVE-2015-4852 - POC
Oracle Weblogic
"Patch" #1: CPU January 2016
CVE-2015-4852 - "Patch" #1
- Fixing this doesn’t look easy, serialization is used in the core protocol
- You can find a lot of gadgets in the classpath of Weblogic
- Oracle "patched" it by implementing "Look-ahead" deserialization (by Pierre Ernst)
- But they check against a blacklist in "resolveClass()":
CVE-2015-4852 - Bypassing "Patch" #1
- Alvaro Muñoz and Christian Schneider released "SerialKiller" at RSA 2016
  - a collection of gadgets to bypass "Look-ahead" deserialization
  - triggering an additional call to "readObject()" on an unfiltered "ObjectInputStream" instance
  - allows bypassing the "patch" using a gadget, e.g. "Weblogic1"
- Jacob Baines found another bypass gadget
  - utilizes JMS classes from package "weblogic.jms.common"
  - e.g. "TextMessageImpl", "XMLMessageImpl", "ObjectMessageImpl", etc.
  - I also found it and wanted to drop it here
  - btw. JMS is another external entry point for deserialization
Oracle Weblogic
"Patch" #2: CPU April 2016
CVE-2015-4852 - "Patch" #2
- Blacklist unchanged, although new gadgets were available!
- The JMS bypass gadgets/entry points were fixed.
- A couple of other changes I need to look at …
CVE-2015-4852 - Bypassing "Patch" #2
- Alvaro’s / Christian’s bypass gadget still works, but I want to show you something new
- So I started to
  - look at "patch" #1
  - look for bypass gadgets
- You can imagine what’s coming
CVE-2015-4852 - Bypassing "Patch" #2
- com.oracle.sender.provider.standard.Conversation
CVE-2015-4852 - Bypassing "Patch" #2
- The blacklist implemented in "ClassFilter" blocks classes from package "javassist"
- The only class from "javassist" used by the gadget is the interface "MethodHandler"
- Interfaces are not checked by the "Look-ahead" deserialization technique
- The Javassist/Weld gadget still works, but the "TemplatesImpl" technique is blocked
- As you have seen before, you can also use the "JdbcRowSetImpl" technique
Oracle Weblogic 12.2.1 (fully patched)
DEMO
More to come?
- Sure! Bugs & gadgets
- I already mentioned that Java Messaging is using serialization heavily
- Currently I’m working on the Java Messaging Exploitation Tool (JMET)
  - Integrates Chris Frohoff’s ysoserial
  - Pwns your queues/topics like a boss!
  - Planned to be released around summer ‘16
Conclusion
- Java deserialization is no rocket science
- Finding bugs is trivial, exploitation takes more
- So many products are affected by it
- Research has started, again …
- This will never end!
Q&A
The+Prospects+of+E-Commerce+in+China.pptx
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 

Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)

  • 1. Java Deserialization Vulnerabilities – The Forgotten Bug Class
    Matthias Kaiser (@matthias_kaiser)
  • 2. About me
     Head of Vulnerability Research at Code White in Ulm, Germany
     Specialized on (server-side) Java
     Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, etc.
     Recently looking more into the Windows world and client-side stuff
    28.04.2016 @matthias_kaiser
  • 3. Agenda
     Introduction
     Java’s Object Serialization
     What’s the problem with it
     A history of bugs
     Finding and exploiting
     Code White’s bug parade + a RuhrSec special
     More to come?
  • 4. Should you care?
     If your client is running server products of
    you SHOULD!
  • 5. Some facts
     The bug class exists for more than 10 years
     Most ignored bug class in the server-side Java world until 2015
     An easy way to get reliable RCE on a server
     Architecture independent exploitation
     With Java deserialization vulnerabilities you can pwn a corp easily!
  • 6. Where is it used
     Several J2EE/JEE core technologies rely on serialization
     Remote Method Invocation (RMI)
     Java Management Extension (JMX)
     Java Message Service (JMS)
     Java Server Faces implementations (ViewState)
     Communication between JVMs in general (because devs are lazy :-)
     Custom application protocols running on top of http, etc.
  • 7. What is serialization?
    (diagram: Object → Serialization → stream of bytes → File / Network / Database → stream of bytes → Deserialization → Object)
  • 8. Overview of Java’s Object Serialization Protocol
    (annotated byte layout; labels: Magic, TC_OBJECT, TC_CLASSDESC, Class description info, class name, field type, class field, classdata[])
  • 9. There is a protocol spec and a grammar
    https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
  • 10. Deserializing an object
    What could possibly go wrong here?
  • 11. What’s the problem
     ObjectInputStream doesn’t include validation features in its API
     All serializable classes that the current classloader can locate and load can get deserialized
     Although a class cast exception might occur in the end, the object will be created!
  • 12. What’s the problem #2
     A developer can customize the (de)-serialization of a serializable class
     Implement methods writeObject(), writeReplace(), readObject() and readResolve()
     ObjectInputStream invokes readObject() and readResolve()
    Under our control!
  • 13. What’s the problem #3
     Further methods can be triggered by using certain classes as a "trampoline"
     Object.toString() using e.g. javax.management.BadAttributeValueExpException
     Object.hashCode() using e.g. java.util.HashMap
     Comparator.compare() using e.g. java.util.PriorityQueue
     etc.
    (diagram: Trampoline class → Target class)
  • 14. What’s the problem #3
    javax.management.BadAttributeValueExpException
    1. Reading the field "val"
    2. Calling "toString()" on "val"
  • 15. History of Java deserialization vulnerabilities
    2006: JRE vulnerabilities (DoS), Marc Schönefeld
    2008: JSF ViewState XSS/DoS, Sun Java Web Console, Luca Carettoni
    2011: CVE-2011-2894 Spring Framework RCE, Wouter Coekaerts
    2012: CVE-2012-4858 IBM Cognos Business Intelligence RCE, Pierre Ernst
  • 16. History of Java deserialization vulnerabilities
    2013:
     CVE-2013-1768 Apache OpenJPA RCE
     CVE-2013-1777 Apache Geronimo 3 RCE
     CVE-2013-2186 Apache commons-fileupload RCE (Pierre Ernst)
     CVE-2013-2165 JBoss RichFaces RCE (Takeshi Terada)
    2015:
     CVE-2015-3253 Groovy RCE
     CVE-2015-7501 Commons-Collection RCE (Gabriel Lawrence and Chris Frohoff)
  • 17. Finding is trivial
     Do the "grep" thing on "readObject()"
  • 18. Finding is trivial
     Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject()
  • 19. Exploitation
     Exploitation requires a chain of serialized objects triggering interesting functionality, e.g.
       writing files
       dynamic method calls using Java’s Reflection API
       etc.
     For such a chain the term "gadget" got established
     Chris Frohoff and others found several gadgets in standard libs
     Let’s look at an example gadget
  • 20. Javassist/Weld Gadget
     Gadget utilizes JBoss’ Javassist and Weld framework
     Reported to Oracle with the Weblogic T3 vulnerability
     Works in Oracle Weblogic and JBoss EAP
     Allows us to call a method on a deserialized object
  • 22. Javassist/Weld Gadget summary
     During deserialization a "POST_ACTIVATE" interception will be executed
     We can create an "interceptorHandlerInstances" that defines our deserialized target object as a handler for a "POST_ACTIVATE" interception
     We can create an "interceptionModel" that defines a method to be executed on our handler for a "POST_ACTIVATE" interception
  • 23. Javassist/Weld Gadget call chain
    InterceptorMethodHandler.readObject(ObjectInputStream)
    InterceptorMethodHandler.executeInterception(Object, Method, Method, …)
    SimpleInterceptionChain.invokeNextInterceptor(InvocationContext)
    SimpleMethodInvocation<T>.invoke(InvocationContext)
  • 25. "Return of the Rhino"-Gadget
     Gadget utilizes the Rhino Script Engine of Mozilla
     Works with the latest Rhino in the classpath
     Oracle applied some hardening to its Rhino version
       So it only works on Oracle JRE <= jre7u13
     Works with the latest openjdk7-JRE (e.g. on Debian, Ubuntu)
     Allows us to call a method on a deserialized object
     Will be released on our blog soon
  • 26. What to look for?
     Look for methods in serializable classes
       working on files
       triggering reflection (invoking methods, getting/setting properties on beans)
       doing native calls
       etc.
    AND being called from
       readObject()
       readResolve()
       toString()
       hashCode()
       finalize()
       any other method being called from a "Trampoline" class
  • 27. What to look for?
     Look at serializable classes used in Java reflection proxies
       java.lang.reflect.InvocationHandler implementations
       javassist.util.proxy.MethodHandler implementations
    (diagram: a Proxy implementing an Interface forwards toString() to InvocationHandler.invoke(target, toString, args), which can "do smth")
  • 28. What to look for?
    (code screenshot: an InvocationHandler that prints out the method being called)
  • 29. What to look for?
    What if InvocationHandler.invoke() does "scary" things using values from the serialized object input stream?
  • 30. Making gadget search easier
     Chris Frohoff released a tool for finding gadgets using a graph database
     Using object graph queries for gadget search
  • 31. Exploitation tricks
     Adam Gowdiak’s TemplatesImpl
     com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
     Allows to define new classes from your byte[][]
     Calling TemplatesImpl.newTransformer() on a deserialized object → Code Execution
  • 32. Exploitation tricks
     InitialContext.lookup()
     @zerothoughts published a gadget in Spring’s JtaTransactionManager recently
       Triggers InitialContext.lookup(jndiName)
       Uses "rmi://yourFakeRmiServer/…" as jndiName
       Loads classes from your fake RMI server
     Calling JdbcRowSetImpl.execute() on a deserialized object will do the same
  • 33. Payload generation
     Chris Frohoff released the great tool "ysoserial"
     Makes creation of payloads easy
     Includes gadgets for
       Commons Collection 3 & 4
       Spring
       Groovy
       JRE7 (<= jre7u21)
       Commons BeanUtils
       and even more!
  • 34. Custom payloads
     I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons
     Most of the gadgets don’t touch the disk
     With scripting languages your life gets even easier
     Use what’s in the classpath
       Javascript (Rhino, Nashorn)
       Groovy
       Beanshell
       etc.
  • 35. Code White’s Bug Parade
     CVE-2015-6554 - Symantec Endpoint Protection Manager RCE
     CVE-2015-6576 - Atlassian Bamboo RCE
     CVE-2015-7253 - Commvault Edge Server RCE
     CVE-2015-7253 - Apache ActiveMQ RCE
     CVE-2015-4582 - Oracle Weblogic RCE
     CVE-2016-1998 - HP Service Manager RCE
     CVE-2016-2173 - Spring AMQP
     NO-CVE-YET - Oracle Hyperion RCE
     NO-CVE-YET - SAP NW AS Java
     Others I can’t talk about (now)
  • 37. Oracle Weblogic
     Oracle’s Application Server (acquired from BEA)
     Middleware for core products of Oracle
       Oracle Enterprise Manager
       Oracle VM Manager
       Oracle ESB
       Oracle Hyperion
       Oracle Peoplesoft
       And many more
  • 38. CVE-2015-4852 - Oracle Weblogic
     Reported on 21st of July 2015 to Oracle as "Oracle Weblogic T3 Deserialization Remote Code Execution Vulnerability"
     Detailed advisory with POCs
       Using Chris Frohoff’s Commons Collection Gadget
       Using my Javassist/Weld Gadget
     I recommended to implement "Look-ahead Deserialization" by Pierre Ernst
     Yeah, the one @foxglovesec dropped …
  • 39. CVE-2015-4852 - Oracle Weblogic
     Weblogic uses a multi-protocol listener architecture
     Channels can be defined listening for several protocols
     The "interesting" protocols are t3 and t3s
  • 40. CVE-2015-4852 - T3 Protocol
     Weblogic has its own RMI protocol called T3
     Exists since the early days of Weblogic
     Used for JEE remoting (e.g. Session Beans)
     Used for JMX (e.g. by Weblogic Scripting Tool)
     Can also be tunneled over HTTP (if enabled)
       Check http://target:port/bea_wls_internal/HTTPClntLogin/a.tun
  • 41. CVE-2015-4852 - How I found the bug
     Found during my daughter’s midday nap ;-)
     Remembered the time when I was a Dev and writing software for NATO systems
     We used to deploy software on Weblogic using T3
     Just wrote some lines to create a T3 connection
  • 42. CVE-2015-4852 - How I found the bug
    I haven’t specified any user, right?
  • 43. CVE-2015-4852 - Oracle Weblogic: T3Client
    1. Checking the protocol
    2. Create "RJVM" object
    3. Create an RMI stub
    4. Call an RMI method on the stub
  • 44. CVE-2015-4852 - Oracle Weblogic: BootServicesStub
    Method id 2
    Serializing a UserInfo object
  • 45. CVE-2015-4852 - Triggering the bug
    Stacktrace of the Weblogic Server while triggering the bug
  • 46. CVE-2015-4852 - I’m in your UserInfo: BootServicesImpl
    Method id 2
  • 47. CVE-2015-4852 - I’m in your UserInfo: BootServicesStubImpl
    calls readObject()
  • 49. Oracle Weblogic "Patch" #1: CPU January 2016
  • 50. CVE-2015-4852 - "Patch" #1
     Fixing this doesn’t look easy, serialization is used in the core protocol
     You can find a lot of gadgets in the classpath of Weblogic
     Oracle "patched" it by implementing "Look-ahead" deserialization (by Pierre Ernst)
     But they check against a blacklist in "resolveClass()":
  • 51. CVE-2015-4852 - Bypassing "Patch" #1
     Alvaro Muñoz and Christian Schneider released "SerialKiller" at RSA 2016
       collection of gadgets to bypass "Look-ahead" deserialization
       triggering an additional call to "readObject()" on an unfiltered "ObjectInputStream" instance
       allows to bypass the "patch" using a gadget e.g. "Weblogic1"
     Jacob Baines found another bypass gadget
       utilizes JMS classes from package "weblogic.jms.common"
       e.g. "TextMessageImpl", "XMLMessageImpl", "ObjectMessageImpl", etc.
       I also found it and wanted to drop it here
     btw. JMS is another external entry point for deserialization
  • 52. Oracle Weblogic "Patch" #2: CPU April 2016
  • 53. CVE-2015-4852 - "Patch" #2
     Blacklist unchanged, although new gadgets were available!
     The JMS bypass gadgets/entry points were fixed.
     Couple of other changes I need to look at …
  • 54. CVE-2015-4852 - Bypassing "Patch" #2
     Alvaro’s / Christian’s bypass gadget still works, but I want to show you something new
     So I started to
       look at "patch" #1
       look for bypass gadgets
     You can imagine what’s coming
  • 55. CVE-2015-4852 - Bypassing "Patch" #2
     com.oracle.sender.provider.standard.Conversation
  • 56. CVE-2015-4852 - Bypassing "Patch" #2
     Blacklist implemented in "ClassFilter" blocks classes from package "javassist"
     The only class from "javassist" which is used by the gadget is the interface "MethodHandler"
     Interfaces are not checked by the "Look-ahead" deserialization technique
     Javassist/Weld gadget still works, but the "TemplatesImpl" technique is blocked
     As you have seen before you can also use the "JdbcRowSetImpl" technique
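The "Look-ahead" deserialization the deck credits to Pierre Ernst, as an added Java example that is neither from the slides nor from any vendor patch: the stream checks the class name in resolveClass() before the class is instantiated, so the readObject() of a class outside the allow-list (slide 11) never runs, and an allow-list is used instead of the blacklist criticised on slides 50 to 56. All names (LookAheadDemo, Beacon, LoggingHandler, LookAheadObjectInputStream) and the sample objects are constructed for this demo.

```java
import java.io.*;
import java.lang.reflect.*;
import java.util.*;

// Added example (not from the slides): look-ahead deserialization with an allow-list.
public class LookAheadDemo {
    // Constructed sample class: its readObject() leaves a visible trace.
    static final class Beacon implements Serializable {
        static boolean readObjectRan;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); readObjectRan = true;   // runs before any cast in the caller
        }
    }
    // Constructed sample handler: every call on the proxy (e.g. toString()) ends up in invoke().
    static final class LoggingHandler implements InvocationHandler, Serializable {
        static String lastMethod;
        public Object invoke(Object proxy, Method m, Object[] args) { lastMethod = m.getName(); return "proxied"; }
    }
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        LookAheadObjectInputStream(InputStream in, Set<String> a) throws IOException { super(in); allowed = a; }
        // Called with the class name before the class is loaded or an instance is created.
        @Override protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            if (!allowed.contains(d.getName())) throw new InvalidClassException(d.getName(), "not on allow-list");
            return super.resolveClass(d);
        }
        // Interfaces of a serialized java.lang.reflect.Proxy (slides 27-29) never pass through resolveClass().
        @Override protected Class<?> resolveProxyClass(String[] ifaces) throws IOException, ClassNotFoundException {
            for (String i : ifaces) if (!allowed.contains(i)) throw new InvalidClassException(i, "not on allow-list");
            return super.resolveProxyClass(ifaces);
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // allowed == null means a plain, unfiltered ObjectInputStream.
    static Object read(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        InputStream in = new ByteArrayInputStream(data);
        try (ObjectInputStream ois = allowed == null ? new ObjectInputStream(in) : new LookAheadObjectInputStream(in, allowed)) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] beacon = serialize(new Beacon());
        byte[] proxy = serialize(Proxy.newProxyInstance(LookAheadDemo.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new LoggingHandler()));

        // Plain stream: the object is built and its readObject() runs, the ClassCastException comes afterwards.
        try { String s = (String) read(beacon, null); } catch (ClassCastException e) { /* expected */ }
        System.out.println("plain stream: Beacon.readObject() ran = " + Beacon.readObjectRan);  // true
        read(proxy, null).toString();
        System.out.println("plain stream: handler saw " + LoggingHandler.lastMethod);           // toString

        // Look-ahead stream: both payloads are rejected by name before any instance exists.
        Set<String> allow = new HashSet<>(Arrays.asList("java.lang.String", "java.lang.Integer"));
        for (byte[] data : new byte[][] { beacon, proxy }) {
            try { read(data, allow); }
            catch (InvalidClassException e) { System.out.println("look-ahead stream rejected " + e.classname); }
        }
    }
}
```

A check like this only covers the stream it is installed on: a nested ObjectInputStream opened inside some class's readObject(), the bypass described on slide 51, stays unfiltered unless it is wrapped the same way.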
  • 57. Oracle Weblogic 12.2.1 (fully patched)
    DEMO
  • 58. More to come?
     Sure! Bugs & Gadgets
     I already mentioned that Java Messaging is using Serialization heavily
     Currently I’m working on the Java Messaging Exploitation Tool (JMET)
       Integrates Chris Frohoff’s ysoserial
       Pwns your queues/topics like a boss!
       Planned to be released around summer ‘16
  • 59. Conclusion
     Java Deserialization is no rocket science
     Finding bugs is trivial, exploitation takes more
     So many products affected by it
     Research has started, again …
     This will never end!
  • 61. Java Deserialization Vulnerabilities – The forgotten bug class
    Matthias Kaiser