Serial Killer Silently Pwning Your Java Endpoints
asd-f03-serial-killer-silently-pwning-your-java-endpoints asd-f03-serial-killer-silently-pwning-your-java-endpoints
How did vendors handle this recently? Vendor / Product Atlassian Bamboo Apache ActiveMQ Apache Batchee Apache JCS Apache openjpa Apache Owb Apache TomEE Type of Protection Removed Usage of Serialization LAOIS Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist ********** (still to be fixed) LAOIS Blacklist 22
Bypassing LookAhead Blacklists New gadget type to bypass ad-hoc look-ahead ObjectInputStream blacklist protec@ons: Can we find a class like: 1 public class NestedProblems implements Serializable { 2 byte[] bytes … ; 3 … 4 private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { 5 ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)); 6 ois.readObject(); 7 } 8 } During deserializa@on of the object graph, a new immaculate unprotected ObjectInputStream will be instan@ated AEacker can provide any arbitrary bytes for unsafe deserializa@on Bypass does not work for cases where ObjectInputStream is instrumented 23
- Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S
- Page 3 and 4: What is Java Serializa;on again? Ta
- Page 5 and 6: Standing on the Shoulder of Giants
- Page 7 and 8: Triggering Execu;on via "Magic Meth
- Page 9 and 10: Exploi;ng "Magic Methods" But what
- Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
- Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
- Page 15 and 16: New RCE Gadget in Jython (CVE pendi
- Page 17 and 18: Demo of aMack Let’s take a look a
- Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
- Page 21: Exis;ng Mi;ga;on Advice Simply remo
- Page 25 and 26: Example (has been fixed) org.apache
- Page 27 and 28: Demo of bypass Let’s take a look
- Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja
- Page 31 and 32: #RSAC Finding Vulnerabili;es & Gadg
- Page 33 and 34: Finding Direct Deserializa;on Endpo
- Page 35 and 36: Finding Gadgets for Fun & Profit Si
- Page 37 and 38: Passive Deserializa;on Endpoint Det
- Page 39 and 40: Hardening Advice #RSAC
- Page 41 and 42: Apply What You Have Learned Today N
How did vendors handle this recently?<br />
Vendor / Product<br />
Atlassian Bamboo<br />
Apache ActiveMQ<br />
Apache Batchee<br />
Apache JCS<br />
Apache openjpa<br />
Apache Owb<br />
Apache TomEE<br />
Type of Protection<br />
Removed Usage of <strong>Serial</strong>ization<br />
LAOIS Whitelist<br />
LAOIS Blacklist + optional Whitelist<br />
LAOIS Blacklist + optional Whitelist<br />
LAOIS Blacklist + optional Whitelist<br />
LAOIS Blacklist + optional Whitelist<br />
LAOIS Blacklist + optional Whitelist<br />
********** (still to be fixed) LAOIS Blacklist<br />
22