The document discusses Java deserialization vulnerabilities. It begins with an introduction to Java's object serialization protocol and how it can be exploited if not implemented securely. Several real-world examples of vulnerabilities are provided from 2006 to 2015. Common techniques for finding vulnerabilities like grepping for "readObject()" and exploiting them using "gadgets" are described. The document concludes with a hands-on example of exploiting a Jenkins vulnerability using a custom serialized object.
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J... - joaomatosf_
- The document discusses Java object serialization vulnerabilities and remote code execution.
- It provides background on serialization/deserialization and how it can allow object injection and improper input validation.
- A key vulnerability discussed is CVE-2015-7501, which affected Apache Commons Collections and allowed remote code execution through a "gadget chain" triggered during deserialization.
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016 - Christian Schneider
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light on how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also covers other popular Java libraries used for object serialization.
The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrate how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, we use real code examples to present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.
--
This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.
Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.
Defending against Java Deserialization Vulnerabilities - Luca Carettoni
Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ... - Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
Java Deserialization Vulnerabilities - The Forgotten Bug Class - CODE WHITE GmbH
This document discusses Java deserialization vulnerabilities. It provides an introduction to how Java serialization works and what the security issues are. Specifically, it describes how an attacker can exploit vulnerabilities to remotely execute code on a server by deserializing malicious objects. The document gives examples of past vulnerabilities found in various Java applications and frameworks. It also provides tips for finding vulnerabilities and generating payloads to demonstrate exploits.
In this core java training session, you will learn Handling Strings in Java. Topics covered in this session are:
• Memory Allocation & Garbage Collection
• Strings in Java
For more information about this course, visit this link: https://www.mindsmapped.com/courses/software-development/learn-java-fundamentals-hands-on-training-on-core-java-concepts/
Linux Binary Exploitation - Return-oriented Programming - Angel Boy
The document discusses using return-oriented programming (ROP) to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It describes using the procedure linkage table (PLT) to leak the address of functions like puts to bypass ASLR. A ROP chain is then constructed to call read to read "/bin/sh" into memory and execute it, achieving arbitrary code execution.
This document discusses intrinsic methods in the HotSpot JVM. It provides background on what intrinsic methods are and how they are implemented and optimized in JVMs and native compilers. It gives examples of intrinsic methods in HotSpot VM like System.currentTimeMillis(), Unsafe.compareAndSwapInt(), and Math.log(). It also discusses intrinsic methods added in TaobaoJDK like TCrc32 and how to experiment implementing your own intrinsic methods in the C1 and C2 compilers.
CanSecWest 2017 - Port(al) to the iOS Core - Stefan Esser
This document discusses a new iOS kernel exploitation technique that involves manipulating mach ports. It fills the kernel heap with pointers to mach ports, then overwrites those pointers to fake ports that point to attacker-controlled data structures. This allows calling kernel APIs and the Mach API using the fake ports to potentially execute arbitrary code or escalate privileges. The technique was previously private but was leaked in late 2016 and used in the Yalu jailbreak.
Python Twisted is an event-driven networking framework. It uses non-blocking functions and callbacks to handle events like data on sockets. Code execution is triggered from an event loop when events occur. This allows for highly scalable servers without threads. Twisted supports many protocols and includes features like deferreds for asynchronous programming and a plugin architecture. However, it is single-threaded and requires external tools to utilize multiple CPUs.
This document discusses Aspect Oriented Programming (AOP) using the Spring Framework. It defines AOP as a programming paradigm that extends OOP by enabling modularization of crosscutting concerns. It then discusses how AOP addresses common crosscutting concerns like logging, validation, caching, and transactions through aspects, pointcuts, and advice. It also compares Spring AOP and AspectJ, and shows how to implement AOP in Spring using annotations or XML.
The document discusses how a "Hello World" program works behind the scenes. It covers topics like compilation, linking, executable file formats, loading programs into memory, and process creation. The key points are:
1) A C program is compiled into an object file, then linked with library files to create an executable. The linker resolves symbols and relocates addresses.
2) Executable files use formats like ELF that contain machine code, data, symbol tables, and sections. Object files have a similar format.
3) When a program runs, the OS loads pages of the executable into memory as needed and sets up the process with its own virtual address space.
4) System calls
This document provides information on processes, threads, concurrency, and parallelism in Java. It discusses that processes have separate memory spaces while threads within the same process share memory. It describes how to create threads by extending Thread or implementing Runnable. It also covers thread states, scheduling, priorities, and daemon threads.
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that apply state-of-the-art XSS protection. This attack, labeled Mutation-XSS (mXSS), is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help attendees understand what mXSS is, why mXSS is possible, and why it is important for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research in this field, shows the abhorrent findings, discusses the consequences, and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
This document discusses ORM injection vulnerabilities using Hibernate and MySQL as an example. It begins with an introduction to injection vulnerabilities and ORM concepts. It then demonstrates how SQL injection is possible by exploiting differences in escaping rules between HQL and MySQL. A proof of concept shows injecting HQL to retrieve all records, and injecting SQL directly by escaping quotes differently. The document concludes that input validation and parameterized queries are needed to prevent ORM injection, and frameworks may not fully prevent injection depending on the underlying database.
Receive side scaling (RSS) with eBPF in QEMU and virtio-net - Yan Vugenfirer
eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading a kernel module. Receive side scaling (RSS) is the mechanism of packet steering for multi-queue NICs optimizing multiple CPU utilization. The first usage of eBPF in QEMU is the optimization of the RSS packet steering in virtio-net. During this session, Yan will provide the motives for the RSS optimization using eBPF, review the technical solution, describe integration with libvirt, and discuss future development and additional usages of eBPF in QEMU.
New methods for exploiting ORM injections in Java applications - Mikhail Egorov
This document summarizes new methods for exploiting ORM injections in Java applications. It begins with introductions to ORM, JPA, and common ORM libraries. It then outlines several exploitation techniques, including using special functions in EclipseLink and TopLink to call database functions, abusing string handling and quote processing in OpenJPA, and leveraging features in Hibernate and specific databases like string escaping, quoted strings, magic functions, and Unicode delimiters. Code examples and demonstrations are provided for most of the techniques.
Vault is a tool for securely accessing secrets. It encrypts and stores secrets and enforces strict access controls. Secrets have a limited lifetime and must be renewed. Vault supports dynamic secret generation, revocation of access, and audit logging. It uses Shamir's secret sharing algorithm to split encryption keys across Vault servers for high availability.
Agenda:
In this session, Shmulik Ladkani discusses the kernel's net_device abstraction, its interfaces, and how net-devices interact with the network stack. The talk covers many of the software network devices that exist in the Linux kernel, the functionalities they provide and some interesting use cases.
Speaker:
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused on virtualization systems, network virtualization and SDN.
Memory Mapping Implementation (mmap) in Linux Kernel - Adrian Huang
Note: When you view the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (screenshots are clear).
This document provides an overview of generics in Java. It discusses the benefits of generics, including type safety and compile-time error detection. It also covers generic classes and interfaces, generic methods, wildcard types, and restrictions on generics. Examples are provided to illustrate key concepts like generic classes with multiple type parameters, bounded types, and the implementation of generics using type erasure.
Exploiting the Linux Kernel via Intel's SYSRET Implementation - nkslides
Intel handles SYSRET instructions weirdly and might throw around exceptions while still being in ring0. When the kernel is not being extra careful when returning to userland after being signaled with a syscall bad things can happen. Like root shells.
PHP unserialization vulnerabilities: What are we missing? - Sam Thomas
Video at: https://www.youtube.com/watch?v=PqsudKzs79c
An introduction to PHP unserialization vulnerabilities, with some practical tips on methodology. Based around three new exploits for old vulnerabilities (CVE-2011-4962, CVE-2013-1453, CVE-2013-4338).
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... - Moabi.com
Powerpoint of our presentation at Blackhat 2015.
Featuring the first attacks against Windows 10 and Microsoft Edge.
- French Kiss attack against Windows 10.
- Syphilis attack against Microsoft Edge.
- Ménage à trois attack against Windows 10 and Exchange.
- Demos on Amazon AWS and Microsoft Azure.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip... - bugcrowd
1. The document provides tips for effective hacking and bug hunting in 2015, focusing on web applications.
2. It discusses philosophy shifts towards crowdsourced testing, and techniques for discovery such as finding less tested application parts and acquisitions.
3. The document also covers mapping methodology, parameters to attack, and bypassing filters for XSS, SQLi, file inclusion, and CSRF vulnerabilities.
Polyglot payloads in practice by avlidienbrunn at HackPra - Mathias Karlsson
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
Pentesting iOS Apps - Runtime Analysis and Manipulation - Andreas Kurtz
Apple iOS Apps are primarily developed in Objective-C, an object-oriented extension and strict superset of the C programming language. Objective-C supports the concepts of reflection, also known as introspection. This describes the ability to examine and modify the structure and behavior (specifically the values, meta-data, properties and functions) of an object at runtime.
This talk discusses the background, techniques, problems and solutions of Objective-C runtime analysis and manipulation. It covers how running applications can be extended with additional debugging and runtime tracing capabilities, and how this can be used to modify instance variables and to execute or replace arbitrary object methods of an App.
Moreover, a new framework to assist dynamic analysis and security assessments of iOS Apps will be introduced and demonstrated.
This document discusses SQL injection and the sqlmap tool. It provides an overview of SQL injection, describes how sqlmap can be used to find and exploit SQL injection vulnerabilities, and demonstrates how it can be used to enumerate databases and file systems, and in some cases obtain remote access. It also discusses mitigation techniques like input sanitization and using prepared statements.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Why it is important to include the Summary in your Profile; what to write in the summary and how. The importance of formatting. The final call to action.
A talk listing a few of Docker's main shortcomings, showing potential, if questionable, remedies, and finally introducing Alpine Linux, the biggest recent revolution in Docker.
Following that rabbit a bit deeper down its hole, we introduce Unikernels - the next big thing in cloud, embedded, big data and scientific computing... well, at least Docker is betting on it too.
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition) - CODE WHITE GmbH
This document discusses Java deserialization vulnerabilities and provides an overview of how they work. It notes that many Java technologies rely on serialization which can enable remote code execution if not implemented securely. The document outlines the history of vulnerabilities found, how to find vulnerabilities, and techniques for exploiting them, using examples like the Javassist/Weld gadget. It also summarizes vulnerabilities the speaker's company Code White found, including in products from Symantec, Atlassian, Commvault, and Oracle.
The document introduces the Play Framework version 2.1 and highlights its key features. It demonstrates building a sample application in Scala using Play's reactive, non-blocking architecture. Key features discussed include Play's built-in support for Scala, reactive programming, JSON APIs, routing, templates, and testing.
Java was developed in 1991 at Sun Microsystems by James Gosling and others to be a platform-independent object-oriented programming language. It was initially called Oak but renamed to Java in 1995. Java compiles code to bytecode that runs on a Java Virtual Machine (JVM) allowing programs to run on any device with a JVM. Major features of Java include being object-oriented, portable, robust, secure, multithreaded, and dynamic. Java has evolved through several versions and is widely used for internet applications and enterprise software.
Microservices and containers for the uninitiated - Kevin Lee
In this presentation I provide a high-level explanation of why applications are now being developed using a Microservice architecture. I look at how Microservice applications are typically developed and deployed using container technology and look at some of the challenges of using container technology for applications in production.
Java Evolution
Java was originally developed by Sun Microsystems in 1991 under the name Oak as a language for programming consumer electronics. It was later renamed to Java and became best known as a language for developing applications and applets to run on web browsers over the Internet. Key features of Java include being platform-independent, object-oriented, robust, secure, and having a rich class library. Java applications are compiled to bytecode that runs on a Java Virtual Machine, allowing them to run on any platform that supports Java.
Java Evolution
Java was originally developed by Sun Microsystems in 1991 under the name Oak as a language for programming consumer electronics. It was later renamed to Java and became widely used for internet programming due to its ability to write applications that can run on any platform. Key features of Java include being object-oriented, platform independent, secure, robust, and having a rich class library. Java applications can be standalone programs or applets embedded in web pages. The Java compiler generates bytecode that is executed by a Java Virtual Machine, allowing Java programs to run on any system with a JVM.
Virtualization refers to creating virtual versions of hardware, operating systems, storage or network resources. Docker uses virtualization techniques like namespaces and control groups to virtualize operating systems and applications. Docker allows building, shipping and running applications securely isolated in containers. Developers can package applications with all dependencies into standardized units called containers that can run on any Linux server.
This document provides an introduction and overview of the Java programming language. It discusses that Java was developed by Sun Microsystems in 1991, is an object-oriented programming language that is compiled and interpreted, and is platform independent. The document then lists key features of Java, how to write a simple Java program, features of object-oriented programming in Java including classes, objects, encapsulation, inheritance and polymorphism. It also discusses exceptions, multithreading, and provides a simple example Java program.
Project Coin introduced several new features to Java 7 including diamond syntax for type inference, multi-catch exception handling, try-with-resources for cleaner resource management, strings in switch statements, and underscores in numeric literals. NIO.2 expanded non-blocking I/O with new file system APIs and WatchService for monitoring directories. Performance was improved through parallel array operations and other concurrency updates. Java 8 will include lambda expressions and new date/time APIs.
Java Tutorial or Core Java Tutorial or Java Programming Tutorial is a widely used robust technology. Let's start learning Java from basic questions like what is Java tutorial, Core Java, where it is used, what type of applications are created in Java, why use java and Java platforms etc. Our Java tutorial helps you to learn Java with easy and simple examples.
- The event featured live music and talks about new Java technologies like JavaFX, Java EE 6, and the JDK 7. James Gosling discussed the growth of the Java ecosystem to over 10 billion devices and 6.5 million developers.
- New features in Java EE 6 include improved modularity, dependency injection, and support for open web frameworks. The JavaFX platform allows creation of rich client applications across devices.
- Performance tuning techniques for Java applications include selecting an appropriate garbage collection algorithm and tuning JVM settings based on application requirements.
Java Attacks & Defenses - End of Year 2010 PresentationJames Hamilton
Decompilation is a problem for the software industry, with the global revenue loss due to software piracy estimated to be more than $50 billion in 2008. There are several Java decompilers available but none are 100% effective, and many are obsolete/unmaintained. We found Java Decompiler, JODE and Dava to be good Java decompilers but not perfect. Dava is particularily suited to aribtrary bytecode, while others are suited to javac generated bytecode.
Static watermarking techniques can be used to protect a program from being copied by giving the ability to easily identify the owner of such software. However, static watermarking techniques are higher susceptible to semantics-preserving transformations. We show that the majority of the current implementations of watermarking systems are based on static techniques are fail when attacked with obfuscations and optimisations. Further work will involve evaluating dynamic watermarking algorithms in a similar manner, and compare them to their static counterparts.
Techniques such as program slicing can be used to attack software watermarks, in subtractive attacks on software.
Java 6 [Mustang] - Features and Enchantments Pavel Kaminsky
The document discusses the new features of Java SE 6 including enhancements to web services, scripting, databases, desktop integration, monitoring and management, compiler access, pluggable annotations, desktop deployment, security, and performance. It provides code examples and explanations for many of the new features.
This document provides instructions for setting up a Maven project using Hibernate. It begins by having the user generate a Maven project structure using the mvn archetype:create command. It then instructs the user to add the Hibernate dependency to the pom.xml file. The document also specifies adding a compiler plugin configuration to the pom.xml and creating a resources directory for the Hibernate configuration file. Overall, the document outlines the basic steps to initialize a Maven project and integrate Hibernate through dependency management and configuration, requiring minimal additional configuration compared to traditional build systems.
The document discusses several key technologies for developing Java web applications, including Java Servlet technology, WebWork framework, Spring framework, and Apache Maven build tool. It provides an overview of how each technology addresses common problems like stateless communication, business logic implementation, view generation, and data access overhead. Examples are given showing how WebWork and Spring can be used together with Maven to build a simple "Hello World" application that follows the MVC pattern and leverages dependency injection.
Java is an object-oriented programming language originally developed by Sun Microsystems. There are four main types of Java applications: standalone, web, enterprise, and mobile. The key features of Java include being platform independent, secure, robust, and distributed. Java code is compiled into bytecode that runs on a Java Virtual Machine (JVM) on any device. The JVM performs tasks like loading code, memory management, and execution. There are various data types in Java including primitives like int and double, and reference types like classes. Variables are used to store and reference values in memory and can be local, instance, or class variables. Arrays provide a way to store multiple values of the same type.
Download Autodesk 3ds Max 2025.2 Crack freeblouch59kp
🌍📱👉COPY LINK & PASTE ON GOOGLE https://9to5mac.org/after-verification-click-go-to-download-page👈🌍
It stands out in 3D modeling and animation by offering a unique technology known as "Meta mesh." This innovation allows you to seamlessly merge tree trunks and branches into a single surface, ensuring smooth transitions at their contact points. Additionally, Meta Mesh provides the freedom to craft tree trunks of any desired shape, giving you unparalleled control over the realism of your creations.
One of the plugin's standout features is its ability to create both individual and entire groups of plants with remarkable ease. You can distribute them using predefined start points or directly onto the surface of an object. Texture maps can control various parameters, such as plant density and height, facilitating the creation of lush grasslands and dense woodlands that breathe life into your scenes.
Jotform Boards: Overview, Benefits and FeaturesJotform
No matter where requests come from, with Jotform Boards they’ll stay organized, trackable, and easy to manage. Users can auto-generate tasks from form responses and other communication channels for simple tracking and team assignment. Jotform Boards is user-friendly, collaborative, customizable, and always connected.
Easily share boards with teammates, clients, and stakeholders. You can set permissions to control who can view, edit, or manage tasks, making sure the right people have access to the right information.
Learn more about Jotform Boards and its benefits in this slideshow. For more details, visit https://www.jotform.com/products/boards/
Async Excellence Unlocking Scalability with Kafka - Devoxx GreeceNatan Silnitsky
How do you scale 4,000 microservices while tackling latency, bottlenecks, and fault tolerance? At Wix, Kafka powers our event-driven architecture with practical patterns that enhance scalability and developer velocity.
This talk explores four key patterns for asynchronous programming:
1. Integration Events: Reduce latency by pre-fetching instead of synchronous calls.
2. Task Queue: Streamline workflows by offloading non-critical tasks.
3. Task Scheduler: Enable precise, scalable scheduling for delayed or recurring tasks.
4. Iterator: Handle long-running jobs in chunks for resilience and scalability.
Learn how to balance benefits and trade-offs, with actionable insights to optimize your own microservices architecture using these proven patterns.
COPY & PASTE LINK >>> https://crackedtech.net/after-verification-click-go-to-download-page/
Although “Photoshop crack” is a very popular search today, it is one of the most dangerous and illegal ways to use Adobe Photoshop without paying for a ...
Autodesk 3ds Max 2025.2 Crack License Key Downloadfarooq054kp
🌍📱👉COPY LINK & PASTE ON GOOGLE https://9to5mac.org/after-verification-click-go-to-download-page👈
Free Download Exlevel GrowFX for Autodesk 3ds Max for Windows PC. It is an exceptional plugin designed for Autodesk® 3ds Max® that empowers 3D artists and designers to create stunningly realistic plants and trees while offering the flexibility to animate them easily.
It stands out in 3D modeling and animation by offering a unique technology known as "Meta mesh." This innovation allows you to seamlessly merge tree trunks and branches into a single surface, ensuring smooth transitions at their contact points. Additionally, Meta Mesh provides the freedom to craft tree trunks of any desired shape, giving you unparalleled control over the realism of your creations.
Create Grass and Woodland
One of the plugin's standout features is its ability to create both individual and entire groups of plants with remarkable ease. You can distribute them using predefined start points or directly onto the surface of an object. Texture maps can control various parameters, such as plant density and height, facilitating the creation of lush grasslands and dense woodlands that breathe life into your scenes.
Launch your on-demand handyman business using a customized TaskRabbit clone. Earn through commissions.
For more information visit: https://www.v3cube.com/taskrabbit-clone/
Latest FL Studio Crack 24 Free Serial Keysweeram786g
Copy and paste link here >> https://drapk.net/after-verification-click-go-to-download-page/
Start creating music with FL Studio today - All features and plugins unlocked free for 21 days! Make projects, export audio files, try all instruments
🌍📱👉COPY LINK & PASTE ON GOOGLE https://9to5mac.org/after-verification-click-go-to-download-page
It is a powerful software that allows users to download videos from various websites, offering exceptional quality up to 4K resolution. Whether you're looking to save stunning travel videos, mesmerizing music clips, insightful tutorials, or funny moments, this tool has got you covered. Unlike online video downloaders, it provides a seamless and uninterrupted experience, free from annoying ads or limitations.
Choosing the Right Online Survey Tool Made SimpleSambodhi
Explore features, pricing, and use cases of top online survey tools. Find the perfect fit for your needs with this expert guide and comparison checklist.
Application Modernization with Choreo for the BFSI SectorWSO2
In this slide deck, we explore the application modernization challenges in the BFSI industry and how Choreo - an AI-native internal developer platform as a service - can help in the modernization journey.
Edge AI: Bringing Intelligence to Embedded DevicesSpeck&Tech
ABSTRACT: Artificial intelligence is no longer confined to the cloud. Thanks to Edge AI, we can now run AI models directly on embedded devices with limited power and resources. This session will explore the full pipeline of developing a Tiny Machine Learning (TinyML) model, from data collection to deployment, addressing key challenges such as dataset preparation, model training, quantization, and optimization for embedded systems. We’ll explore real-world use cases where AI-powered embedded systems enable smart decision-making in applications like predictive maintenance, anomaly detection, and voice recognition. The talk will include a live hands-on demonstration on how to train and deploy a model using popular tools like Google Colab and TensorFlow, and then run real-time inference on an Arduino board.
BIO: Leonardo Cavagnis is an experienced embedded software engineer, interested in IoT and AI applications. At Arduino, he works as a firmware engineer, developing libraries and core functionalities for boards while also focusing on communication and engaging with the community.
🌍📱👉COPY LINK & PASTE ON GOOGLE https://9to5mac.org/after-verification-click-go-to-download-page
Powerful 3D Modeling Tools:
Maya provides advanced 3D modeling features that let you easily create complex models. Whether you're designing characters, environments, or assets for games or animation, the tools in Maya offer precision and flexibility, allowing you to create intricate and highly detailed designs.
Advanced Animation Capabilities:
The software excels at animating characters and objects with its robust set of tools. With features like rigging, motion paths, and keyframing, Maya helps bring static models to life. Its animation system is powerful enough to produce complex animations with high-quality results.
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...OnePlan Solutions
Microsoft 365 includes a wide range of project management tools, including Project, Planner, Teams, and more, designed to support how teams plan, execute, and collaborate. But with so many tools available, the challenge is no longer access. It’s integration. Teams are often left working in silos, struggling to align their efforts and deliver consistent results.
In this webinar, we’ll explore what’s next for Microsoft project management tools and how organizations can shift from fragmented tool use to a unified model for planning and delivery. You will see how OnePlan extends Microsoft 365 by unifying planning, work management, and reporting across the tools your teams already use, helping you create a more seamless and intelligent project and portfolio management environment.
👉👉👉COPY & PASTE LINK👉👉👉👉👉👉 https://crack4pro.net/download-latest-windows-softwaresz/
Illustrators and artists can combine their traditional art practices with CorelDRAW's state-of-the-art vector-illustration technology to create beautiful, sophisticated works of art.
HeadSpin Alternatives with Better ROI: Top Tools ComparedShubham Joshi
Pricing is often a dealbreaker. If you're looking for better cost-efficiency without compromising on capabilities, these HeadSpin alternatives are worth exploring. This article compares their pricing models, feature-to-cost ratio, and customer support responsiveness. It helps QA leads and decision-makers find tools that align with their budgets while maximizing ROI on testing efforts.
Vivaldi Web Browser 6.8.3381.50 Crack Freealihamzakpa071
🌍📱👉COPY LINK & PASTE ON GOOGLE https://9to5mac.org/after-verification-click-go-to-download-page👈
In a retractable side panel, Vivaldi offers various handy tools to enhance your browsing experiences while providing one-click access to its 'Settings' window, enabling you to customize its usage to suit your needs. These are also accessible by clicking on the utility's icon in the upper left corner, revealing a series of menus and submenus.
Jotform AI Agents: Real User Success StoriesJotform
Imagine a world where you can respond instantly to any customer, anytime, anywhere.
Improve user satisfaction on every channel. With Jotform AI Agents, you can streamline your customer service processes. Easily train your agent with your company data, identify the common questions you receive and your answers. Let your agent handle the rest.
Learn more about the real user success stories of Jotform AI Agents in this slideshow. For more information, visit https://www.jotform.com/ai/agents/
Adobe Master Collection CC Crack 2025 FREEarslanyounus93
➡️ 🌍📱👉COPY & PASTE LINK👉👉👉 https://drfiles.net/
Adobe Creative Cloud All Apps, formerly known as the Master Collection, is a subscription plan that gives users access to a wide range of Adobe software applications, including Photoshop, Illustrator, InDesign, Premiere Pro, and many others. This bundled offering provides access to a comprehensive suite of creative tools for various industries, such as graphic design, video editing, and digital publishing.
The Master Collection comprises several software programs that are essential to editors, effects artists, graphic designers, and digital publishing professionals: Premiere Pro CS6, After Effects CS6, SpeedGrade CS6, Prelude CS6, Photoshop CS6, Audition CS6, InDesign CS6, Illustrator CS6, Flash Professional CS6 & Flash .
Software Architecture and Design in the Age of Code Assist tools.pdfManu Pk
Code Assist tools, powered by advanced AI and machine learning algorithms, provide developers with real-time suggestions, code completions, and even automated refactoring. This has led to more efficient and error-free coding practices. We see more and more adoption of these tools by developers, they are faster and more productive in what they do. In this session I would like to explore the evolving role of Software Architects in future scenarios.
I looks at following topics,
-Bird eye view of developer assist tools across SDLC lifecycle
-Claims vs actual impact - Early feedback from real world data
-Future development & Architectural landscape
-What should I start do today to ride this powerful technology?
2. About me
Head of Vulnerability Research at Code White in Ulm, Germany
Dev for defense company in the past
Spent a lot of time on (server-side) Java Security
Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, HP, etc.
Recently looking more into the Windows world and client-side stuff
@matthias_kaiser
11.11.2016 2
3. Agenda
Introduction
Java’s Object Serialization
What’s the problem with it
A history of bugs
Finding and exploiting
Code White’s bug parade
A hands-on example
More to come?
4. Should you care?
If your client is running server products of
you SHOULD!
5. Some facts
The bug class exists for more than 10 years
Most ignored bug class in the server-side Java world until 2015
An easy way to get reliable RCE on a server
Architecture independent exploitation
With Java deserialization vulnerabilities you can pwn a corp easily!
6. Where is it used
Several J2EE/JEE core technologies rely on serialization
Remote Method Invocation (RMI)
Java Management Extension (JMX)
Java Message Service (JMS)
Java Server Faces implementations (ViewState)
Communication between JVMs in general (because devs are lazy :-)
Custom application protocols running on top of http, etc.
8. Overview of Java’s Object Serialization Protocol
Diagram of a serialized stream: Magic, then TC_OBJECT, then TC_CLASSDESC carrying the class description info (class name, field type, class field), then classdata[]
9. There is a protocol spec and a grammar
https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
11. What’s the problem
ObjectInputStream doesn’t include validation features in its API
All serializable classes that the current classloader can locate and load can get deserialized
Although a class cast exception might occur in the end, the object will be created!
12. What’s the problem #2
A developer can customize the (de)-serialization of a serializable class
Implement methods writeObject(), writeReplace(), readObject() and readResolve()
ObjectInputStream invokes readObject() and readResolve()
Under our control!
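As an added example (not from the slides), the following Java program shows both halves of this problem: a custom readObject() on an arbitrary serializable class runs during ObjectInputStream.readObject() before the caller's cast can fail, and a look-ahead subclass that allow-lists class names in resolveClass() rejects the class before any instance exists. The class names are constructed for the demo and Set.of needs Java 9+; JDK 9 (and later JDK 8 updates) added ObjectInputFilter as a built-in equivalent of such a filter.

```java
import java.io.*;
import java.util.Set;

// Added example: readObject() of any Serializable class on the classpath executes inside
// ObjectInputStream.readObject(), before the caller's cast; a look-ahead allow-list stops it.
public class LookAheadDemo {

    // Stand-in for an arbitrary serializable class with custom readObject(). It only
    // records that it ran; on a real classpath this would be the first link of a gadget chain.
    static class CustomReadObject implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        String name = "constructed sample";

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;   // code path reachable by whoever supplies the stream
        }
    }

    // The type the application actually expects to receive.
    static class Expected implements Serializable {
        private static final long serialVersionUID = 1L;
        int value = 42;
    }

    // Look-ahead deserialization: resolveClass() receives the class name from the stream's
    // TC_CLASSDESC before any instance is allocated, so rejecting here means readObject()
    // and readResolve() of unexpected classes never run.
    static class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Plain ObjectInputStream: the object is fully built (readObject() runs) and only then
    // does the cast fail. Returns true when readObject() had already executed.
    static boolean unfilteredRunsReadObjectBeforeCast(byte[] stream) throws IOException, ClassNotFoundException {
        CustomReadObject.readObjectRan = false;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            Expected e = (Expected) ois.readObject();   // ClassCastException thrown here
            return false;
        } catch (ClassCastException cce) {
            return CustomReadObject.readObjectRan;
        }
    }

    // Look-ahead stream: rejected at class resolution. Returns true when readObject() never ran.
    static boolean filteredBlocksBeforeReadObject(byte[] stream) throws IOException, ClassNotFoundException {
        CustomReadObject.readObjectRan = false;
        Set<String> allow = Set.of(Expected.class.getName());
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(stream), allow)) {
            ois.readObject();
            return false;
        } catch (InvalidClassException ice) {
            return !CustomReadObject.readObjectRan;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] unexpected = serialize(new CustomReadObject());   // constructed sample stream
        System.out.println("unfiltered: readObject() ran before cast = " + unfilteredRunsReadObjectBeforeCast(unexpected));
        System.out.println("look-ahead: blocked before readObject()  = " + filteredBlocksBeforeReadObject(unexpected));
        // The expected type still passes the allow-list.
        try (ObjectInputStream ois = new LookAheadObjectInputStream(
                new ByteArrayInputStream(serialize(new Expected())), Set.of(Expected.class.getName()))) {
            System.out.println("allowed: value = " + ((Expected) ois.readObject()).value);
        }
    }
}
```

The allow-list must also name every class nested inside the expected object graph (collections, wrapper types), otherwise legitimate streams are rejected as well.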
13. What’s the problem #3
Further methods can be triggered by using certain classes as a "trampoline"
Object.toString() using e.g. javax.management.BadAttributeValueExpException
Object.hashCode() using e.g. java.util.HashMap
Comparator.compare() using e.g. java.util.PriorityQueue
etc.
Diagram: Trampoline class -> Target class
14. What’s the problem #3
javax.management.BadAttributeValueExpException
1. Reading the field "val"
2. Calling "toString()" on "val"
15. History of Java deserialization vulnerabilities
2006: JRE vulnerabilities (DoS), Marc Schönefeld
2008: JSF ViewState XSS/DoS, Sun Java Web Console, Luca Carettoni
2011: CVE-2011-2894 Spring Framework RCE, Wouter Coekaerts
2012: CVE-2012-4858 IBM Cognos Business Intelligence RCE, Pierre Ernst
16. History of Java deserialization vulnerabilities
2013: CVE-2013-1768 Apache OpenJPA RCE, CVE-2013-1777 Apache Geronimo 3 RCE, CVE-2013-2186 Apache commons-fileupload RCE (Pierre Ernst); CVE-2013-2165 JBoss RichFaces RCE (Takeshi Terada)
2015: CVE-2015-3253 Groovy RCE, CVE-2015-7501 Commons-Collections RCE (Gabriel Lawrence and Chris Frohoff)
19. Finding is trivial
Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject()
20. Exploitation
Exploitation requires a chain of serialized objects triggering interesting functionality e.g.
writing files
dynamic method calls using Java’s Reflection API
etc.
For such a chain the term "gadget" has become established
Chris Frohoff and others found several gadgets in standard libs
21. Javassist/Weld Gadget
Gadget utilizes JBoss’ Javassist and Weld framework
Reported to Oracle with the Weblogic T3 vulnerability
Works in Oracle Weblogic and JBoss EAP
Allows us to call a method on a deserialized object
22. "Return of the Rhino"-Gadget
Gadget utilizes Rhino Script Engine of Mozilla
Works with latest Rhino in the classpath
Oracle applied some hardening to its Rhino version
So it only works with Oracle JRE <= jre7u13
Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu)
Allows us to call a method on a deserialized object
JRE Gadget
23. What to look for?
Look for methods in serializable classes
working on files
triggering reflection (invoking methods, getting/setting properties on beans)
doing native calls
etc.
AND being called from
readObject()
readResolve()
toString()
hashCode()
finalize()
any other method being called from a "Trampoline" class
24. What to look for?
Look at serializable classes used in Java reflection proxies
java.lang.reflect.InvocationHandler implementations
javassist.util.proxy.MethodHandler implementations
Diagram: a Proxy implementing the interface forwards toString() to InvocationHandler.invoke(target, toString, args) // do smth
25. What to look for?
Prints out the method being called
26. What to look for?
What if InvocationHandler.invoke() does "insecure stuff" using values from the serialized object input stream?
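Added example, not from the slides: a serializable InvocationHandler (the hypothetical RecordingHandler below) behind a java.lang.reflect.Proxy survives a serialization round trip, and the trampoline calls toString() and hashCode() on the deserialized proxy land in invoke() with the handler's fields taken from the stream. The state string is constructed for the demo.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

// Added example: why serializable InvocationHandler implementations are worth auditing.
// The receiver never names the handler class; calling toString()/hashCode() on the proxy
// is enough to reach invoke() with state chosen by whoever produced the stream.
public class ProxyTrampolineDemo {

    // Hypothetical handler standing in for any serializable InvocationHandler on a classpath.
    // It only records what was invoked; whatever invoke() really does runs with stateFromStream.
    static class RecordingHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        final String stateFromStream;   // fully controlled by the serialized bytes
        String lastMethod;

        RecordingHandler(String stateFromStream) { this.stateFromStream = stateFromStream; }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) {
            lastMethod = method.getName();
            // Proxy enforces the declared return type, so primitives need matching values.
            if (method.getReturnType() == int.class) return 0;            // hashCode()
            if (method.getReturnType() == boolean.class) return false;    // equals()
            // do smth -- here: build a string from the deserialized state
            return "invoke(" + method.getName() + ") with " + stateFromStream;
        }
    }

    // Any interface will do; a Proxy instance is serializable when its handler is.
    public interface Marker {}

    static byte[] serializeProxy(String state) throws IOException {
        Object proxy = Proxy.newProxyInstance(Marker.class.getClassLoader(),
                new Class<?>[] { Marker.class }, new RecordingHandler(state));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(proxy);   // written as TC_PROXYCLASSDESC + the handler object
        }
        return bos.toByteArray();
    }

    // Deserialize and touch the object the way a trampoline class would (toString()).
    static String deserializeAndToString(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            Object proxy = ois.readObject();
            return proxy.toString();   // -> RecordingHandler.invoke(proxy, toString, null)
        }
    }

    // Same with hashCode(), the entry point a HashMap would use during its own readObject().
    static String lastMethodAfterHashCode(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            Object proxy = ois.readObject();
            proxy.hashCode();
            return ((RecordingHandler) Proxy.getInvocationHandler(proxy)).lastMethod;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serializeProxy("constructed sample state");
        System.out.println(deserializeAndToString(stream));
        System.out.println("method reached via hashCode(): " + lastMethodAfterHashCode(stream));
    }
}
```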
27. Making gadget search easier
Chris Frohoff released a tool for finding gadgets using a graph database
Using object graph queries for gadget search
28. Exploitation tricks
Adam Gowdiak’s TemplatesImpl
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
Allows defining new classes from your byte[][]
Calling TemplatesImpl.newTransformer() on a deserialized object -> code execution
29. Exploitation tricks
InitialContext.lookup()
@benmmurphy used it for a sandbox escape (CVE-2013-5830)
@zerothoughts published a gadget in Spring’s JtaTransactionManager recently
Triggers InitialContext.lookup(jndiName)
Uses "rmi://yourFakeRmiServer/Object" as jndiName
Loads classes from your fake RMI server
Calling JdbcRowSetImpl.execute() on a deserialized object will do the same
30. Payload generation
Chris Frohoff released the great tool "ysoserial"
Makes creation of payloads easy
Includes gadgets for
Commons Collections 3 & 4
Spring
Groovy
JRE7 (<= jre7u21)
Commons BeanUtils
and even more!
31. Custom payloads
I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons
Most of the gadgets don’t touch the disk
With scripting languages your life gets even easier
Use what’s in the classpath
Javascript (Rhino, Nashorn)
Groovy
Beanshell
etc.
37. Jenkins
Open Source Automation Server / Continuous Integration Server / "Build"-Server
Created by Kohsuke Kawaguchi (Ex-Oracle, now CTO of CloudBees)
Fork of Oracle’s Hudson CI server
Supports Subversion, Git, Mercurial, etc.
Runs Maven, Ant, etc.
More than 1200 plugins! (see https://updates.jenkins-ci.org/download/plugins/)
38. Jenkins
Nice target because Jenkins
has access to Source Code repositories
creates deployment artefacts (Jar, War, Ear, etc.)
can deploy artefacts on target servers
stores credentials (user/password, SSH keys)
39. Jenkins Internals
Jenkins uses an extra port for the Command Line Interface (CLI)
Can be configured to a fixed or random port
40. Jenkins Internals
Jenkins uses its own RMI protocol for its Command Line Interface (CLI)
Base64-encoded serialized objects (rO0 = Base64 of the stream magic 0xac,0xed)
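Added example, not from the slides, that serves both the protocol overview above and this slide: it recognises a serialization stream in raw (0xAC 0xED 0x00 0x05) or Base64 ("rO0AB") form and reads the first class name from the TC_OBJECT/TC_CLASSDESC header, which is how a reverse proxy or log triage script can spot CLI-style payloads before they reach ObjectInputStream. The log line is constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: stream recognition following the grammar of the serialization spec:
// STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC, then the class name as a
// 2-byte-length-prefixed modified-UTF-8 string.
public class SerializationStreamTriage {

    // java.io.ObjectStreamConstants values
    static final int STREAM_MAGIC = 0xACED;
    static final int STREAM_VERSION = 5;
    static final byte TC_OBJECT = 0x73;
    static final byte TC_CLASSDESC = 0x72;

    // Base64 of 0xAC 0xED 0x00 0x05 always begins "rO0AB" (the fifth character depends
    // only on the version bytes); this is the "rO0" the Jenkins slide refers to.
    static final Pattern B64_STREAM = Pattern.compile("rO0AB[A-Za-z0-9+/=]*");

    static boolean isRawSerializedStream(byte[] d) {
        return d != null && d.length >= 4
                && (((d[0] & 0xFF) << 8) | (d[1] & 0xFF)) == STREAM_MAGIC
                && (((d[2] & 0xFF) << 8) | (d[3] & 0xFF)) == STREAM_VERSION;
    }

    // Name of the first serialized class when the stream starts with TC_OBJECT TC_CLASSDESC,
    // or null for another header shape (e.g. TC_PROXYCLASSDESC for a Proxy, or not a stream).
    static String firstClassName(byte[] d) {
        if (!isRawSerializedStream(d) || d.length < 8) return null;
        if (d[4] != TC_OBJECT || d[5] != TC_CLASSDESC) return null;
        int len = ((d[6] & 0xFF) << 8) | (d[7] & 0xFF);   // 2-byte length prefix
        if (d.length < 8 + len) return null;
        // Class names are ASCII in practice, where modified UTF-8 equals UTF-8.
        return new String(d, 8, len, StandardCharsets.UTF_8);
    }

    // Scans arbitrary text (a log line, an HTTP body, a CLI frame) for Base64-encoded
    // serialization streams and reports the first class name of each one found.
    static List<String> findEmbeddedStreams(String text) {
        List<String> hits = new ArrayList<>();
        Matcher m = B64_STREAM.matcher(text);
        while (m.find()) {
            try {
                // Java's basic decoder accepts truncated input without padding.
                byte[] decoded = Base64.getDecoder().decode(m.group());
                if (isRawSerializedStream(decoded)) {
                    String cls = firstClassName(decoded);
                    hits.add(cls != null ? cls : "<serialized stream, non-TC_CLASSDESC header>");
                }
            } catch (IllegalArgumentException notBase64) {
                // a dangling Base64 character; skip this candidate
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: serialize a harmless JDK object and embed it in a fake log line.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<String>());
        }
        byte[] raw = bos.toByteArray();
        String logLine = "POST /cli HTTP/1.1 body=" + Base64.getEncoder().encodeToString(raw)
                + " (constructed sample)";
        System.out.println("raw magic present: " + isRawSerializedStream(raw));
        System.out.println("first class:       " + firstClassName(raw));
        System.out.println("embedded streams:  " + findEmbeddedStreams(logLine));
    }
}
```

A match only tells you that a serialization stream is present, not whether it is hostile; the class name is what you compare against the types the endpoint is supposed to receive.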
41. Jenkins under Attack
Jenkins CLI endpoint suffered from several vulnerabilities
CVE-2015-8103 by Stephen Breen using the Commons Collections gadget
Jenkins introduced a blacklist to filter gadget classes
CVE-2016-0788 by Moritz Bechler bypassing the blacklist (see ERNW blog post
https://insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)
As we all know blacklisting is hard because you never know …
43. Finding a blacklist filter bypass
How to bypass a gadget blacklist filter?
a) Find a new gadget
b) Find a bypass gadget (see Alvaro’s and Christian’s Research)
c) Look for partially fixed gadgets
After looking at all gadgets of ysoserial and matching them with Jenkins' third-party libs and the blacklist I found one interesting gadget discovered by Moritz Bechler:
44. The JSON1 gadget
"Code execution step": filtered by blacklist
"Trigger step": invokes all "getter" methods on a serialized object; not filtered by blacklist
"Init step"
45. Finding a blacklist filter bypass #1
Initial idea was to use the JDBCRowSetImpl trick as code execution step
"Getter"-methods trigger JNDI call:
But net.sf.json.JSONObject.containsValue(JDBCRowSetImpl-instance) fails because several "Getter"-methods trigger Exceptions
46. Finding a blacklist filter bypass #2
Next idea was to look for other serializable classes with "Getter"-Methods leading to code execution
Recent research FTW:
47. Finding a blacklist filter bypass #2
JNDI lookups can lead to RCE (see JDBCRowSetImpl)
Exploitation using RMI, LDAP and CORBA
LDAP queries can lead to RCE
LDAP server needs to be under your control
data from the LDAP response is deserialized using ObjectInputStream
data (URLs) from the LDAP response is used to load classes using URLClassLoader -> RCE
I found some nice classes in package "com.sun.jndi.ldap"
One of them is the serializable class "com.sun.jndi.ldap.LdapAttribute"
49. Putting all together for the new JSON2 gadget
With LdapAttribute.getAttributeDefinition() we get code execution using a custom LDAP server
The "Init step" shown before doesn’t work, so we need something else
Using Eclipse, an alternative code path can easily be found
50. Some "updates" with regards to exploitation …
Previous research only mentioned the CLI port!
If you have Jenkins running on the internet behind a firewall / reverse proxy, you can’t connect to the CLI port
But the Jenkins Wiki has some hidden gems for us:
Connection mechanism
1. Jenkins CLI clients and Jenkins server establish the communication in the following fashion. Jenkins listens on a TCP/IP port configured under "TCP port for JNLP agents" in the system configuration page. This single port is used for both agents and CLI.
…
5. If that fails (for example, if there's a reverse proxy and Jenkins runs on a different host, or if a firewall blocks access to this TCP/IP port), or if the header is not found, it will fall back to the communication mechanism that uses two simultaneous HTTP connections.
51. Jenkins CLI HTTP "fallback"
HTTP Connection #1: server-to-client channel; client reads from InputStream; UUID as identifier; blocks until #2 connects
HTTP Connection #2: client-to-server channel; client writes to OutputStream; UUID as identifier
55. Conclusion
Java Deserialization is no rocket science
Finding bugs is trivial, exploitation takes more
So many products affected by it
Research has started, again …
This will never end!