SlideShare a Scribd company logo
Java Deserialization Vulnerabilities
– The Forgotten Bug Class
Matthias Kaiser
(@matthias_kaiser)
About me
 Head of Vulnerability Research at Code White in Ulm, Germany
 Dev for defense company in the past
 Spent a lot of time on (server-side) Java Security
 Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, HP, etc.
 Recently looking more into the Windows world and client-side stuff
@matthias_kaiser
11.11.2016 2
Agenda
 Introduction
 Java’s Object Serialization
 What’s the problem with it
 A history of bugs
 Finding and exploiting
 Code White’s bug parade
 A hands-on example
 More to come?
11.11.2016 3
Should you care?
 If your client is running server products of
you SHOULD!
11.11.2016 4
Some facts
 The bug class exists for more than 10 years
 Most ignored bug class in the server-side Java world until 2015
 A easy way to get reliable RCE on a server
 Architecture independent exploitation
 With Java deserialization vulnerabilities you can pwn a corp easily!
11.11.2016 5
Where is it used
 Several J2EE/JEE core technologies rely on serialization
 Remote Method Invocation (RMI)
 Java Management Extension (JMX)
 Java Message Service (JMS)
 Java Server Faces implementations (ViewState)
 Communication between JVMs in general (because devs are lazy :-)
 Custom application protocols running on top of http, etc.
11.11.2016 6
What is serialization?
Object
File
Network
Database
ObjectStream of bytes Stream of bytes
Serialization Deserialization
11.11.2016 7
Overview of Java’s Object Serialization Protocol
Magic
class name
field type
class field
Class description info
TC_OBJECT
TC_CLASSDESC
classdata[]
11.11.2016 8
There is protocol spec and a grammar
https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
11.11.2016 9
Deserializing an object
What could possibly go wrong here?
11.11.2016 10
What’s the problem
 ObjectInputStream doesn’t include validation features in its API
 All serializable classes that the current classloader can locate and load can get deserialized
 Although a class cast exception might occur in the end, the object will be created!
11.11.2016 11
What’s the problem #2
 A developer can customize the (de)-serialization of a serializable class
 Implement methods writeObject(), writeReplace(), readObject() and readResolve()
 ObjectInputStream invokes readObject() and readResolve()
Under our control!
11.11.2016 12
What’s the problem #3
 Further methods can be triggered by using certain classes as a "trampoline"
 Object.toString() using e.g. javax.management.BadAttributeValueExpException
 Object.hashCode() using e.g. java.util.HashMap
 Comparator.compare() using e.g. java.util.PriorityQueue
 etc.
Trampoline
class
Target
class
11.11.2016 13
What’s the problem #3
javax.management.BadAttributeValueExpException
1. Reading the field "val"
2. Calling "toString()" on "val"
11.11.2016 14
History of Java deserialization vulnerabilities
JRE vulnerabilities
(DoS)
Mark Schönefeld
2006
JSF Viewstate
XSS/DoS
Sun Java Web Console
Luca Carretoni
2008
CVE-2011-2894
Spring Framework RCE
Wouter Coekaerts
CVE-2012-4858
IBM Cognos Business
Intelligence RCE
Pierre Ernst
2011 2012
11.11.2016 15
History of Java deserialization vulnerabilities
CVE-2013-1768 Apache OpenJPA RCE
CVE-2013-1777 Apache Geronimo 3 RCE
CVE-2013-2186 Apache commons-fileupload RCE
Pierre Ernst
CVE-2015-3253 Groovy RCE
CVE-2015-7501 Commons-Collection RCE
Gabriel Lawrence and Chris Frohoff
CVE-2013-2165 JBoss RichFaces RCE
Takeshi Terada
2013 2015
11.11.2016 16
#JavaDeser is new hotness …
11.11.2016 17
Finding is trivial
 Do the "grep" thing on "readObject()"
11.11.2016 18
Finding is trivial
 Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject()
11.11.2016 19
Exploitation
 Exploitation requires a chain of serialized objects triggering interesting functionality e.g.
 writing files
 dynamic method calls using Java’s Reflection API
 etc.
 For such a chain the term "gadget" got established
 Chris Frohoff and others found several gadgets in standard libs
11.11.2016 20
Javassist/Weld Gadget
 Gadget utilizes JBoss’ Javassist and Weld framework
 Reported to Oracle with the Weblogic T3 vulnerability
 Works in Oracle Weblogic and JBoss EAP
 Allows us to call a method on a deserialized object
11.11.2016 21
"Return of the Rhino"-Gadget
 Gadget utilizes Rhino Script Engine of Mozilla
 Works with latest Rhino in the classpath
 Oracle applied some hardening to its Rhino version
 So only works Oracle JRE <= jre7u13 
 Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu) 
 Allows us to call a method on a deserialized object
 JRE Gadget 
11.11.2016 22
What to look for?
 Look for methods in serializable classes
 working on files
 triggering reflection (invoking methods, getting/setting properties on beans)
 doing native calls
 etc.
AND being called from
 readObject()
 readResolve()
 toString()
 hashCode()
 finalize()
 any other method being called from a "Trampoline" class
11.11.2016 23
What to look for?
 Look at serializable classes used in Java reflection proxies
 java.lang.reflect.InvocationHandler implementations
 javassist.util.proxy.MethodHandler implementations
InvocationHandlerInterface
Proxy
toString() invoke (…) // do smth
invoke (target, toString, args)
11.11.2016 24
What to look for?
Prints out method being called
11.11.2016 25
What to look for?
What if InvocationHandler.invoke()
does "insecure stuff" using values from
the serialized object input stream?
Proxy
11.11.2016 26
Making gadget search easier
 Chris Frohoff released a tool for finding gadgets using a graph database
 Using object graph queries for gadget search
11.11.2016 27
Exploitation tricks
 Adam Gowdiak’s TemplatesImpl
 com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
 Allows to define new classes from your byte[ ][ ]
 Calling TemplatesImpl.newTransformer() on deserialized object  Code Execution
11.11.2016 28
Exploitation tricks
 InitialContext.lookup()
 @benmmurphy used it for a sandbox escape (CVE-2013-5830)
 @zerothoughts published a gadget in Spring’s JtaTransactionManager recently
 Triggers InitialContext.lookup(jndiName)
 Uses "rmi://yourFakeRmiServer/Object" as jndiName
 Loads classes from your fake RMI server
 Calling JdbcRowSetImpl.execute() on a deserialized object will do the same 
11.11.2016 29
Payload generation
 Chris Frohoff released the great tool "ysoserial"
 Makes creation of payloads easy
 Includes gadgets for
 Commons Collection 3 & 4
 Spring
 Groovy
 JRE7 (<= jre7u21)
 Commons BeanUtils
 and even more!
11.11.2016 30
Custom payloads
 I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons
 Most of the gadgets don’t touch the disk 
 With scripting languages your life gets even easier
 Use what’s in the classpath
 Javascript (Rhino, Nashorn)
 Groovy
 Beanshell
 etc.
11.11.2016 31
Code White’s Bug Parade #1
 CVE-2015-6554 - Symantec Endpoint Protection Manager RCE
 CVE-2015-6576 - Atlassian Bamboo RCE
 CVE-2015-7253 - Commvault Edge Server RCE
 CVE-2015-7253 - Apache ActiveMQ RCE
 CVE-2015-4582 - Oracle Weblogic RCE
 CVE-2016-1998 - HP Service Manager RCE
 CVE-2016-2173 - Spring AMQP RCE
 CVE-2016-3493 - Oracle Hyperion RCE
 CVE-2016-3551 - Oracle Weblogic RCE
 CVE-2016-3551 - Oracle Weblogic RCE
11.11.2016 32
Code White’s Bug Parade #2
 NOT-FIXED - IBM WebSphere MQ JMS client RCE
 NOT-FIXED - IBM WebSphere JMS Client RCE
 NOT-FIXED - Pivotal RabbitMQ JMS client RCE
 NOT-FIXED - Oracle OpenMQ JMS client RCE
 CVE-2016-4978 - Apache ActiveMQ Artemis JMS client RCE
 CVE-2016-4974 - Apache Qpid client/JMS client RCE
 CVE-2016-0638 - Oracle Weblogic JMS client RCE
 FIXED-NO-CVE - IIT Software SwiftMQ JMS client RCE
 MAYBE-FIX - Amazon SQS Java Messaging RCE
 WONT-FIX - JBOSS HornetQ JMS client RCE
11.11.2016 33
A hands-on example
11.11.2016 34
Jenkins
11.11.2016 35
Jenkins
11.11.2016 36
Jenkins
 Open Source Automation Server / Continous Integration Server / "Build"-Server
 Created by Kohsuke Kawaguchi (Ex-Oracle, now CTO of CloudBees)
 Fork of Oracle’s Hudson CI server
 Supports Subversion, Git, Mecurial, etc.
 Runs Maven, Ant, etc.
 More than 1200 plugins! (see https://updates.jenkins-ci.org/download/plugins/)
11.11.2016 37
Jenkins
 Nice target because Jenkins
 has access to Source Code repositories
 creates deployment artefacts (Jar, War, Ear, etc.)
 can deploy artefacts on target servers
 stores credentials (user/password, SSH keys)
11.11.2016 38
Jenkins Internals
 Jenkins uses an extra port for the Command Line Interface (CLI)
 Can be configured to a fixed or random port
11.11.2016 39
Jenkins Internals
 Jenkins uses an own RMI protocol for it’s Command Line Interface (CLI)
 Base64-encoded serialized objects (rO0 0xac,0xed)
11.11.2016 40
Jenkins under Attack
 Jenkins CLI endpoint suffered from several vulnerabilities
 CVE-2015-8103 of Steven Breen using Commons Collections gadget
 Jenkins introduced a blacklist to filter gadget classes
 CVE-2016-0788 of Moritz Bechler bypassing the blacklist (see ERNW blog post
https://insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)
 As we all know blacklisting is hard because you never know …
11.11.2016 41
Jenkins’ Blacklist
11.11.2016 42
Finding a blacklist filter bypass
 How to bypass a gadget blacklist filter?
a) Find a new gadget
b) Find a bypass gadget (see Alvaro’s and Christian’s Research)
c) Look for partially fixed gadget
 After looking at all gadgets of ysoserial and matching them with Jenkin’s third-party libs and
the blacklist I found one interesting gadget discovered by Moritz Bechler:
11.11.2016 43
The JSON1 gadget
 "Code execution step"
 filtered by blacklist 
 "Trigger step"
 invokes all "getter" methods on
a serialized object
 Not filtered by blacklist 
 "Init step"
11.11.2016 44
Finding a blacklist filter bypass #1
 Initial idea was to use the JDBCRowSetImpl trick as code execution step
 "Getter"-methods trigger JNDI call:
 But net.sf.json.JSONObject.containsValue(JDBCRowSetImpl-instance) fails because several
"Getter"-methods trigger Exceptions 
11.11.2016 45
Finding a blacklist filter bypass #2
 Next idea was to look for other serializable classes with "Getter"-Methods leading to code
execution
 Recent research FTW:
11.11.2016 46
Finding a blacklist filter bypass #2
 JNDI lookups can lead to RCE (see JDBCRowSetImpl)
 Exploitation using RMI, LDAP and CORBA
 LDAP queries can lead to RCE
 LDAP server needs to be under your control
 data from LDAPresponse is deserialized using ObjectInputStream
 data (URLs) from LDAP response is used to load classes using URLClassLoader -> RCE
 I found some nice classes in package „com.sun.jndi.ldap"
 One of it is the serializable class "com.sun.jndi.ldap.LdapAttribute"
11.11.2016 47
com.sun.jndi.ldap.LdapAttribute
baseCtxURL=ldap://attacker:port
rdn="dc=whatever"
11.11.2016 48
Putting all together for the new JSON2 gadget
11.11.2016 49
 With LdapAttribute.getAttributeDefinition() we get Code Execution using a custom LDAP server
 The "Init-Step" shown before doesn’t work, so we need something else 
 By using Eclipse an alternative code path can be easily found 
Some "updates" with regards to exploitation …
 Previous research only mentioned the CLI port!
 If you have Jenkins running on the internet with firewall / reverse proxy, you can’t connect
 But the Jenkins Wiki has some hidden gems for us:
Connection mechanism
1. Jenkins CLI clients and Jenkins server establishes the communication in the following fashion.
Jenkins listens on a TCP/IP port configured under "TCP port for JNLP agents" in the system
configuration page. This single port is used for both agents and CLI.
…
5. If that fails (for example, if there's a reverse proxy and Jenkins runs on a different host, or if a
firewall blocks access to this TCP/IP port), or if the header is not found, it will fall back to the
communication mechanism that uses two simultaenous HTTP connections.
11.11.2016 50
Jenkins CLI HTTP "fallback"
11.11.2016 51
 HTTP Connection #1
 Server  Client channel
 Client reads from InputStream
 UUID as identifier
 Blocks until #2 connects
 HTTP Connection #2
 Client  Server channel
 Client writes to OutputStream
 UUID as identifier
Jenkins - 2.19.2 LTS
DEMO
11.11.2016 52
Jenkins - 2.19.2 LTS
11.11.2016 53
Jenkins - 2.19.2 LTS
11.11.2016 54
Conclusion
 Java Deserialization is no rocket science
 Finding bugs is trivial, exploitation takes more
 So many products affected by it
 Research has started, again …
 This will never end!
11.11.2016 55
Q&A
11.11.2016 56
Java Deserialization Vulnerabilities
– The forgotten bug class
Matthias Kaiser

More Related Content

What's hot (20)

Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Strings in Java
Strings in Java Strings in Java
Strings in Java
Hitesh-Java
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Intrinsic Methods in HotSpot VM
Intrinsic Methods in HotSpot VMIntrinsic Methods in HotSpot VM
Intrinsic Methods in HotSpot VM
Kris Mok
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
Python twisted
Python twistedPython twisted
Python twisted
Mahendra M
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
Dzmitry Naskou
 
The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" Program
National Cheng Kung University
 
Java Threads and Concurrency
Java Threads and ConcurrencyJava Threads and Concurrency
Java Threads and Concurrency
Sunil OS
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
Simone Onofri
 
Receive side scaling (RSS) with eBPF in QEMU and virtio-net
Receive side scaling (RSS) with eBPF in QEMU and virtio-netReceive side scaling (RSS) with eBPF in QEMU and virtio-net
Receive side scaling (RSS) with eBPF in QEMU and virtio-net
Yan Vugenfirer
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applications
Mikhail Egorov
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
Ramit Surana
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
Kernel TLV
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
Adrian Huang
 
Generics
GenericsGenerics
Generics
Ravi_Kant_Sahu
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementation
nkslides
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Strings in Java
Strings in Java Strings in Java
Strings in Java
Hitesh-Java
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Intrinsic Methods in HotSpot VM
Intrinsic Methods in HotSpot VMIntrinsic Methods in HotSpot VM
Intrinsic Methods in HotSpot VM
Kris Mok
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
Python twisted
Python twistedPython twisted
Python twisted
Mahendra M
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
Dzmitry Naskou
 
Java Threads and Concurrency
Java Threads and ConcurrencyJava Threads and Concurrency
Java Threads and Concurrency
Sunil OS
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Receive side scaling (RSS) with eBPF in QEMU and virtio-net
Receive side scaling (RSS) with eBPF in QEMU and virtio-netReceive side scaling (RSS) with eBPF in QEMU and virtio-net
Receive side scaling (RSS) with eBPF in QEMU and virtio-net
Yan Vugenfirer
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applications
Mikhail Egorov
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
Kernel TLV
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
Adrian Huang
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementation
nkslides
 

Viewers also liked (8)

PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
Moabi.com
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
Herman Duarte
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
La sezione Riepilogo nel Profilo LinkedIn
La sezione Riepilogo nel Profilo LinkedInLa sezione Riepilogo nel Profilo LinkedIn
La sezione Riepilogo nel Profilo LinkedIn
Leonardo Bellini
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
Moabi.com
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
Herman Duarte
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
La sezione Riepilogo nel Profilo LinkedIn
La sezione Riepilogo nel Profilo LinkedInLa sezione Riepilogo nel Profilo LinkedIn
La sezione Riepilogo nel Profilo LinkedIn
Leonardo Bellini
 

Similar to Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition) (20)

Unikernels - Bristech June 2016
Unikernels - Bristech June 2016 Unikernels - Bristech June 2016
Unikernels - Bristech June 2016
Daniel Drozdzewski
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Play framework
Play frameworkPlay framework
Play framework
Andrew Skiba
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVA
Home
 
Java Lecture 1
Java Lecture 1Java Lecture 1
Java Lecture 1
Qualys
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
Kevin Lee
 
Dr. Rajeshree Khande :Intoduction to java
Dr. Rajeshree Khande :Intoduction to javaDr. Rajeshree Khande :Intoduction to java
Dr. Rajeshree Khande :Intoduction to java
DrRajeshreeKhande
 
Intoduction to java
Intoduction to javaIntoduction to java
Intoduction to java
jalinder123
 
1_Introduction to Java.pptx java programming
1_Introduction to Java.pptx java programming1_Introduction to Java.pptx java programming
1_Introduction to Java.pptx java programming
amitraj53904
 
Docker intro
Docker introDocker intro
Docker intro
Frei Zhang
 
Java Basics
Java BasicsJava Basics
Java Basics
Rkrishna Mishra
 
Java se7 features
Java se7 featuresJava se7 features
Java se7 features
Kumaraswamy M
 
Java introduction
Java introductionJava introduction
Java introduction
NAVEENA ESWARAN
 
Java Programming Fundamentals: Complete Guide for Beginners
Java Programming Fundamentals: Complete Guide for BeginnersJava Programming Fundamentals: Complete Guide for Beginners
Java Programming Fundamentals: Complete Guide for Beginners
Taranath Jaishy
 
Tech Days 2010
Tech  Days 2010Tech  Days 2010
Tech Days 2010
Luqman Shareef
 
Java Attacks & Defenses - End of Year 2010 Presentation
Java Attacks & Defenses - End of Year 2010 PresentationJava Attacks & Defenses - End of Year 2010 Presentation
Java Attacks & Defenses - End of Year 2010 Presentation
James Hamilton
 
Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments
Pavel Kaminsky
 
maven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.pptmaven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.ppt
nikhilmahendranath1
 
Developing Java Web Applications
Developing Java Web ApplicationsDeveloping Java Web Applications
Developing Java Web Applications
hchen1
 
UNIT 1.pptx
UNIT 1.pptxUNIT 1.pptx
UNIT 1.pptx
EduclentMegasoftel
 
Unikernels - Bristech June 2016
Unikernels - Bristech June 2016 Unikernels - Bristech June 2016
Unikernels - Bristech June 2016
Daniel Drozdzewski
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVA
Home
 
Java Lecture 1
Java Lecture 1Java Lecture 1
Java Lecture 1
Qualys
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
Kevin Lee
 
Dr. Rajeshree Khande :Intoduction to java
Dr. Rajeshree Khande :Intoduction to javaDr. Rajeshree Khande :Intoduction to java
Dr. Rajeshree Khande :Intoduction to java
DrRajeshreeKhande
 
Intoduction to java
Intoduction to javaIntoduction to java
Intoduction to java
jalinder123
 
1_Introduction to Java.pptx java programming
1_Introduction to Java.pptx java programming1_Introduction to Java.pptx java programming
1_Introduction to Java.pptx java programming
amitraj53904
 
Java Programming Fundamentals: Complete Guide for Beginners
Java Programming Fundamentals: Complete Guide for BeginnersJava Programming Fundamentals: Complete Guide for Beginners
Java Programming Fundamentals: Complete Guide for Beginners
Taranath Jaishy
 
Java Attacks & Defenses - End of Year 2010 Presentation
Java Attacks & Defenses - End of Year 2010 PresentationJava Attacks & Defenses - End of Year 2010 Presentation
Java Attacks & Defenses - End of Year 2010 Presentation
James Hamilton
 
Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments
Pavel Kaminsky
 
maven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.pptmaven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.ppt
nikhilmahendranath1
 
Developing Java Web Applications
Developing Java Web ApplicationsDeveloping Java Web Applications
Developing Java Web Applications
hchen1
 

Recently uploaded (20)

Download Autodesk 3ds Max 2025.2 Crack free
Download Autodesk 3ds Max 2025.2 Crack freeDownload Autodesk 3ds Max 2025.2 Crack free
Download Autodesk 3ds Max 2025.2 Crack free
blouch59kp
 
Jotform Boards: Overview, Benefits and Features
Jotform Boards: Overview, Benefits and FeaturesJotform Boards: Overview, Benefits and Features
Jotform Boards: Overview, Benefits and Features
Jotform
 
Async Excellence Unlocking Scalability with Kafka - Devoxx Greece
Async Excellence Unlocking Scalability with Kafka - Devoxx GreeceAsync Excellence Unlocking Scalability with Kafka - Devoxx Greece
Async Excellence Unlocking Scalability with Kafka - Devoxx Greece
Natan Silnitsky
 
Latest-Adobe Photoshop Crack Free Download 2025?
Latest-Adobe Photoshop Crack Free Download 2025?Latest-Adobe Photoshop Crack Free Download 2025?
Latest-Adobe Photoshop Crack Free Download 2025?
minhaz1122g
 
Autodesk 3ds Max 2025.2 Crack License Key Download
Autodesk 3ds Max 2025.2 Crack License Key DownloadAutodesk 3ds Max 2025.2 Crack License Key Download
Autodesk 3ds Max 2025.2 Crack License Key Download
farooq054kp
 
Taskrabbit Clone Service Provider App.pdf
Taskrabbit Clone Service Provider App.pdfTaskrabbit Clone Service Provider App.pdf
Taskrabbit Clone Service Provider App.pdf
V3cube
 
Latest FL Studio Crack 24 Free Serial Key
Latest FL Studio Crack 24 Free Serial KeyLatest FL Studio Crack 24 Free Serial Key
Latest FL Studio Crack 24 Free Serial Key
sweeram786g
 
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoTFrom Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
Eurotech
 
4K Video Downloader Download (Latest 2025)
4K Video Downloader Download (Latest 2025)4K Video Downloader Download (Latest 2025)
4K Video Downloader Download (Latest 2025)
gullamhassangullam71
 
Choosing the Right Online Survey Tool Made Simple
Choosing the Right Online Survey Tool Made SimpleChoosing the Right Online Survey Tool Made Simple
Choosing the Right Online Survey Tool Made Simple
Sambodhi
 
Application Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI SectorApplication Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Edge AI: Bringing Intelligence to Embedded Devices
Edge AI: Bringing Intelligence to Embedded DevicesEdge AI: Bringing Intelligence to Embedded Devices
Edge AI: Bringing Intelligence to Embedded Devices
Speck&Tech
 
Autodesk Maya 2026 for MacOS  Crack Free Download
Autodesk Maya 2026 for MacOS  Crack Free DownloadAutodesk Maya 2026 for MacOS  Crack Free Download
Autodesk Maya 2026 for MacOS  Crack Free Download
gullamhassangullam03
 
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
OnePlan Solutions
 
CorelDRAW Graphics Suite Crack Free Download (Latest 2025)
CorelDRAW Graphics Suite Crack Free Download (Latest 2025)CorelDRAW Graphics Suite Crack Free Download (Latest 2025)
CorelDRAW Graphics Suite Crack Free Download (Latest 2025)
yfdhfufjfbfhdfjxbrud
 
HeadSpin Alternatives with Better ROI: Top Tools Compared
HeadSpin Alternatives with Better ROI: Top Tools ComparedHeadSpin Alternatives with Better ROI: Top Tools Compared
HeadSpin Alternatives with Better ROI: Top Tools Compared
Shubham Joshi
 
Vivaldi Web Browser 6.8.3381.50 Crack Free
Vivaldi Web Browser 6.8.3381.50 Crack FreeVivaldi Web Browser 6.8.3381.50 Crack Free
Vivaldi Web Browser 6.8.3381.50 Crack Free
alihamzakpa071
 
Jotform AI Agents: Real User Success Stories
Jotform AI Agents: Real User Success StoriesJotform AI Agents: Real User Success Stories
Jotform AI Agents: Real User Success Stories
Jotform
 
Adobe Master Collection CC Crack 2025 FREE
Adobe Master Collection CC Crack 2025 FREEAdobe Master Collection CC Crack 2025 FREE
Adobe Master Collection CC Crack 2025 FREE
arslanyounus93
 
Software Architecture and Design in the Age of Code Assist tools.pdf
Software Architecture and Design in the Age of Code Assist tools.pdfSoftware Architecture and Design in the Age of Code Assist tools.pdf
Software Architecture and Design in the Age of Code Assist tools.pdf
Manu Pk
 
Download Autodesk 3ds Max 2025.2 Crack free
Download Autodesk 3ds Max 2025.2 Crack freeDownload Autodesk 3ds Max 2025.2 Crack free
Download Autodesk 3ds Max 2025.2 Crack free
blouch59kp
 
Jotform Boards: Overview, Benefits and Features
Jotform Boards: Overview, Benefits and FeaturesJotform Boards: Overview, Benefits and Features
Jotform Boards: Overview, Benefits and Features
Jotform
 
Async Excellence Unlocking Scalability with Kafka - Devoxx Greece
Async Excellence Unlocking Scalability with Kafka - Devoxx GreeceAsync Excellence Unlocking Scalability with Kafka - Devoxx Greece
Async Excellence Unlocking Scalability with Kafka - Devoxx Greece
Natan Silnitsky
 
Latest-Adobe Photoshop Crack Free Download 2025?
Latest-Adobe Photoshop Crack Free Download 2025?Latest-Adobe Photoshop Crack Free Download 2025?
Latest-Adobe Photoshop Crack Free Download 2025?
minhaz1122g
 
Autodesk 3ds Max 2025.2 Crack License Key Download
Autodesk 3ds Max 2025.2 Crack License Key DownloadAutodesk 3ds Max 2025.2 Crack License Key Download
Autodesk 3ds Max 2025.2 Crack License Key Download
farooq054kp
 
Taskrabbit Clone Service Provider App.pdf
Taskrabbit Clone Service Provider App.pdfTaskrabbit Clone Service Provider App.pdf
Taskrabbit Clone Service Provider App.pdf
V3cube
 
Latest FL Studio Crack 24 Free Serial Key
Latest FL Studio Crack 24 Free Serial KeyLatest FL Studio Crack 24 Free Serial Key
Latest FL Studio Crack 24 Free Serial Key
sweeram786g
 
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoTFrom Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
Eurotech
 
4K Video Downloader Download (Latest 2025)
4K Video Downloader Download (Latest 2025)4K Video Downloader Download (Latest 2025)
4K Video Downloader Download (Latest 2025)
gullamhassangullam71
 
Choosing the Right Online Survey Tool Made Simple
Choosing the Right Online Survey Tool Made SimpleChoosing the Right Online Survey Tool Made Simple
Choosing the Right Online Survey Tool Made Simple
Sambodhi
 
Application Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI SectorApplication Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Edge AI: Bringing Intelligence to Embedded Devices
Edge AI: Bringing Intelligence to Embedded DevicesEdge AI: Bringing Intelligence to Embedded Devices
Edge AI: Bringing Intelligence to Embedded Devices
Speck&Tech
 
Autodesk Maya 2026 for MacOS  Crack Free Download
Autodesk Maya 2026 for MacOS  Crack Free DownloadAutodesk Maya 2026 for MacOS  Crack Free Download
Autodesk Maya 2026 for MacOS  Crack Free Download
gullamhassangullam03
 
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
OnePlan Solutions
 
CorelDRAW Graphics Suite Crack Free Download (Latest 2025)
CorelDRAW Graphics Suite Crack Free Download (Latest 2025)CorelDRAW Graphics Suite Crack Free Download (Latest 2025)
CorelDRAW Graphics Suite Crack Free Download (Latest 2025)
yfdhfufjfbfhdfjxbrud
 
HeadSpin Alternatives with Better ROI: Top Tools Compared
HeadSpin Alternatives with Better ROI: Top Tools ComparedHeadSpin Alternatives with Better ROI: Top Tools Compared
HeadSpin Alternatives with Better ROI: Top Tools Compared
Shubham Joshi
 
Vivaldi Web Browser 6.8.3381.50 Crack Free
Vivaldi Web Browser 6.8.3381.50 Crack FreeVivaldi Web Browser 6.8.3381.50 Crack Free
Vivaldi Web Browser 6.8.3381.50 Crack Free
alihamzakpa071
 
Jotform AI Agents: Real User Success Stories
Jotform AI Agents: Real User Success StoriesJotform AI Agents: Real User Success Stories
Jotform AI Agents: Real User Success Stories
Jotform
 
Adobe Master Collection CC Crack 2025 FREE
Adobe Master Collection CC Crack 2025 FREEAdobe Master Collection CC Crack 2025 FREE
Adobe Master Collection CC Crack 2025 FREE
arslanyounus93
 
Software Architecture and Design in the Age of Code Assist tools.pdf
Software Architecture and Design in the Age of Code Assist tools.pdfSoftware Architecture and Design in the Age of Code Assist tools.pdf
Software Architecture and Design in the Age of Code Assist tools.pdf
Manu Pk
 

Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)

  • 1. Java Deserialization Vulnerabilities – The Forgotten Bug Class Matthias Kaiser (@matthias_kaiser)
  • 2. About me  Head of Vulnerability Research at Code White in Ulm, Germany  Dev for defense company in the past  Spent a lot of time on (server-side) Java Security  Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, HP, etc.  Recently looking more into the Windows world and client-side stuff @matthias_kaiser 11.11.2016 2
  • 3. Agenda  Introduction  Java’s Object Serialization  What’s the problem with it  A history of bugs  Finding and exploiting  Code White’s bug parade  A hands-on example  More to come? 11.11.2016 3
  • 4. Should you care?  If your client is running server products of you SHOULD! 11.11.2016 4
  • 5. Some facts  The bug class exists for more than 10 years  Most ignored bug class in the server-side Java world until 2015  A easy way to get reliable RCE on a server  Architecture independent exploitation  With Java deserialization vulnerabilities you can pwn a corp easily! 11.11.2016 5
  • 6. Where is it used  Several J2EE/JEE core technologies rely on serialization  Remote Method Invocation (RMI)  Java Management Extension (JMX)  Java Message Service (JMS)  Java Server Faces implementations (ViewState)  Communication between JVMs in general (because devs are lazy :-)  Custom application protocols running on top of http, etc. 11.11.2016 6
  • 7. What is serialization? Object File Network Database ObjectStream of bytes Stream of bytes Serialization Deserialization 11.11.2016 7
  • 8. Overview of Java’s Object Serialization Protocol Magic class name field type class field Class description info TC_OBJECT TC_CLASSDESC classdata[] 11.11.2016 8
  • 9. There is protocol spec and a grammar https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html 11.11.2016 9
  • 10. Deserializing an object What could possibly go wrong here? 11.11.2016 10
  • 11. What’s the problem  ObjectInputStream doesn’t include validation features in its API  All serializable classes that the current classloader can locate and load can get deserialized  Although a class cast exception might occur in the end, the object will be created! 11.11.2016 11
  • 12. What’s the problem #2  A developer can customize the (de)-serialization of a serializable class  Implement methods writeObject(), writeReplace(), readObject() and readResolve()  ObjectInputStream invokes readObject() and readResolve() Under our control! 11.11.2016 12
  • 13. What’s the problem #3  Further methods can be triggered by using certain classes as a "trampoline"  Object.toString() using e.g. javax.management.BadAttributeValueExpException  Object.hashCode() using e.g. java.util.HashMap  Comparator.compare() using e.g. java.util.PriorityQueue  etc. Trampoline class Target class 11.11.2016 13
  • 14. What’s the problem #3 javax.management.BadAttributeValueExpException 1. Reading the field "val" 2. Calling "toString()" on "val" 11.11.2016 14
  • 15. History of Java deserialization vulnerabilities JRE vulnerabilities (DoS) Mark Schönefeld 2006 JSF Viewstate XSS/DoS Sun Java Web Console Luca Carretoni 2008 CVE-2011-2894 Spring Framework RCE Wouter Coekaerts CVE-2012-4858 IBM Cognos Business Intelligence RCE Pierre Ernst 2011 2012 11.11.2016 15
  • 16. History of Java deserialization vulnerabilities CVE-2013-1768 Apache OpenJPA RCE CVE-2013-1777 Apache Geronimo 3 RCE CVE-2013-2186 Apache commons-fileupload RCE Pierre Ernst CVE-2015-3253 Groovy RCE CVE-2015-7501 Commons-Collection RCE Gabriel Lawrence and Chris Frohoff CVE-2013-2165 JBoss RichFaces RCE Takeshi Terada 2013 2015 11.11.2016 16
  • 17. #JavaDeser is new hotness … 11.11.2016 17
  • 18. Finding is trivial  Do the "grep" thing on "readObject()" 11.11.2016 18
  • 19. Finding is trivial  Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject() 11.11.2016 19
  • 20. Exploitation  Exploitation requires a chain of serialized objects triggering interesting functionality e.g.  writing files  dynamic method calls using Java’s Reflection API  etc.  For such a chain the term "gadget" got established  Chris Frohoff and others found several gadgets in standard libs 11.11.2016 20
  • 21. Javassist/Weld Gadget  Gadget utilizes JBoss’ Javassist and Weld framework  Reported to Oracle with the Weblogic T3 vulnerability  Works in Oracle Weblogic and JBoss EAP  Allows us to call a method on a deserialized object 11.11.2016 21
  • 22. "Return of the Rhino"-Gadget  Gadget utilizes Rhino Script Engine of Mozilla  Works with latest Rhino in the classpath  Oracle applied some hardening to its Rhino version  So only works Oracle JRE <= jre7u13   Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu)   Allows us to call a method on a deserialized object  JRE Gadget  11.11.2016 22
  • 23. What to look for?  Look for methods in serializable classes  working on files  triggering reflection (invoking methods, getting/setting properties on beans)  doing native calls  etc. AND being called from  readObject()  readResolve()  toString()  hashCode()  finalize()  any other method being called from a "Trampoline" class 11.11.2016 23
  • 24. What to look for?  Look at serializable classes used in Java reflection proxies  java.lang.reflect.InvocationHandler implementations  javassist.util.proxy.MethodHandler implementations InvocationHandlerInterface Proxy toString() invoke (…) // do smth invoke (target, toString, args) 11.11.2016 24
  • 25. What to look for? Prints out method being called 11.11.2016 25
  • 26. What to look for? What if InvocationHandler.invoke() does "insecure stuff" using values from the serialized object input stream? Proxy 11.11.2016 26
  • 27. Making gadget search easier  Chris Frohoff released a tool for finding gadgets using a graph database  Using object graph queries for gadget search 11.11.2016 27
  • 28. Exploitation tricks  Adam Gowdiak’s TemplatesImpl  com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable  Allows to define new classes from your byte[ ][ ]  Calling TemplatesImpl.newTransformer() on deserialized object  Code Execution 11.11.2016 28
  • 29. Exploitation tricks  InitialContext.lookup()  @benmmurphy used it for a sandbox escape (CVE-2013-5830)  @zerothoughts published a gadget in Spring’s JtaTransactionManager recently  Triggers InitialContext.lookup(jndiName)  Uses "rmi://yourFakeRmiServer/Object" as jndiName  Loads classes from your fake RMI server  Calling JdbcRowSetImpl.execute() on a deserialized object will do the same  11.11.2016 29
  • 30. Payload generation  Chris Frohoff released the great tool "ysoserial"  Makes creation of payloads easy  Includes gadgets for  Commons Collection 3 & 4  Spring  Groovy  JRE7 (<= jre7u21)  Commons BeanUtils  and even more! 11.11.2016 30
  • 31. Custom payloads  I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons  Most of the gadgets don’t touch the disk   With scripting languages your life gets even easier  Use what’s in the classpath  Javascript (Rhino, Nashorn)  Groovy  Beanshell  etc. 11.11.2016 31
  • 32. Code White’s Bug Parade #1  CVE-2015-6554 - Symantec Endpoint Protection Manager RCE  CVE-2015-6576 - Atlassian Bamboo RCE  CVE-2015-7253 - Commvault Edge Server RCE  CVE-2015-7253 - Apache ActiveMQ RCE  CVE-2015-4582 - Oracle Weblogic RCE  CVE-2016-1998 - HP Service Manager RCE  CVE-2016-2173 - Spring AMQP RCE  CVE-2016-3493 - Oracle Hyperion RCE  CVE-2016-3551 - Oracle Weblogic RCE  CVE-2016-3551 - Oracle Weblogic RCE 11.11.2016 32
  • 33. Code White’s Bug Parade #2  NOT-FIXED - IBM WebSphere MQ JMS client RCE  NOT-FIXED - IBM WebSphere JMS Client RCE  NOT-FIXED - Pivotal RabbitMQ JMS client RCE  NOT-FIXED - Oracle OpenMQ JMS client RCE  CVE-2016-4978 - Apache ActiveMQ Artemis JMS client RCE  CVE-2016-4974 - Apache Qpid client/JMS client RCE  CVE-2016-0638 - Oracle Weblogic JMS client RCE  FIXED-NO-CVE - IIT Software SwiftMQ JMS client RCE  MAYBE-FIX - Amazon SQS Java Messaging RCE  WONT-FIX - JBOSS HornetQ JMS client RCE 11.11.2016 33
  • 37. Jenkins  Open Source Automation Server / Continous Integration Server / "Build"-Server  Created by Kohsuke Kawaguchi (Ex-Oracle, now CTO of CloudBees)  Fork of Oracle’s Hudson CI server  Supports Subversion, Git, Mecurial, etc.  Runs Maven, Ant, etc.  More than 1200 plugins! (see https://updates.jenkins-ci.org/download/plugins/) 11.11.2016 37
  • 38. Jenkins  Nice target because Jenkins  has access to Source Code repositories  creates deployment artefacts (Jar, War, Ear, etc.)  can deploy artefacts on target servers  stores credentials (user/password, SSH keys) 11.11.2016 38
  • 39. Jenkins Internals  Jenkins uses an extra port for the Command Line Interface (CLI)  Can be configured to a fixed or random port 11.11.2016 39
  • 40. Jenkins Internals  Jenkins uses an own RMI protocol for it’s Command Line Interface (CLI)  Base64-encoded serialized objects (rO0 0xac,0xed) 11.11.2016 40
  • 41. Jenkins under Attack  Jenkins CLI endpoint suffered from several vulnerabilities  CVE-2015-8103 of Steven Breen using Commons Collections gadget  Jenkins introduced a blacklist to filter gadget classes  CVE-2016-0788 of Moritz Bechler bypassing the blacklist (see ERNW blog post https://insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)  As we all know blacklisting is hard because you never know … 11.11.2016 41
  • 43. Finding a blacklist filter bypass  How to bypass a gadget blacklist filter? a) Find a new gadget b) Find a bypass gadget (see Alvaro’s and Christian’s Research) c) Look for partially fixed gadget  After looking at all gadgets of ysoserial and matching them with Jenkin’s third-party libs and the blacklist I found one interesting gadget discovered by Moritz Bechler: 11.11.2016 43
  • 44. The JSON1 gadget  "Code execution step"  filtered by blacklist   "Trigger step"  invokes all "getter" methods on a serialized object  Not filtered by blacklist   "Init step" 11.11.2016 44
  • 45. Finding a blacklist filter bypass #1  Initial idea was to use the JDBCRowSetImpl trick as code execution step  "Getter"-methods trigger JNDI call:  But net.sf.json.JSONObject.containsValue(JDBCRowSetImpl-instance) fails because several "Getter"-methods trigger Exceptions  11.11.2016 45
  • 46. Finding a blacklist filter bypass #2  Next idea was to look for other serializable classes with "Getter"-Methods leading to code execution  Recent research FTW: 11.11.2016 46
  • 47. Finding a blacklist filter bypass #2  JNDI lookups can lead to RCE (see JDBCRowSetImpl)  Exploitation using RMI, LDAP and CORBA  LDAP queries can lead to RCE  LDAP server needs to be under your control  data from LDAPresponse is deserialized using ObjectInputStream  data (URLs) from LDAP response is used to load classes using URLClassLoader -> RCE  I found some nice classes in package „com.sun.jndi.ldap"  One of it is the serializable class "com.sun.jndi.ldap.LdapAttribute" 11.11.2016 47
  • 49. Putting all together for the new JSON2 gadget 11.11.2016 49  With LdapAttribute.getAttributeDefinition() we get Code Execution using a custom LDAP server  The "Init-Step" shown before doesn’t work, so we need something else   By using Eclipse an alternative code path can be easily found 
  • 50. Some "updates" with regards to exploitation …  Previous research only mentioned the CLI port!  If you have Jenkins running on the internet with firewall / reverse proxy, you can’t connect  But the Jenkins Wiki has some hidden gems for us: Connection mechanism 1. Jenkins CLI clients and Jenkins server establishes the communication in the following fashion. Jenkins listens on a TCP/IP port configured under "TCP port for JNLP agents" in the system configuration page. This single port is used for both agents and CLI. … 5. If that fails (for example, if there's a reverse proxy and Jenkins runs on a different host, or if a firewall blocks access to this TCP/IP port), or if the header is not found, it will fall back to the communication mechanism that uses two simultaenous HTTP connections. 11.11.2016 50
  • 51. Jenkins CLI HTTP "fallback" 11.11.2016 51  HTTP Connection #1  Server  Client channel  Client reads from InputStream  UUID as identifier  Blocks until #2 connects  HTTP Connection #2  Client  Server channel  Client writes to OutputStream  UUID as identifier
  • 52. Jenkins - 2.19.2 LTS DEMO 11.11.2016 52
  • 53. Jenkins - 2.19.2 LTS 11.11.2016 53
  • 54. Jenkins - 2.19.2 LTS 11.11.2016 54
  • 55. Conclusion  Java Deserialization is no rocket science  Finding bugs is trivial, exploitation takes more  So many products affected by it  Research has started, again …  This will never end! 11.11.2016 55
  • 57. Java Deserialization Vulnerabilities – The forgotten bug class Matthias Kaiser