Serial Killer Silently Pwning Your Java Endpoints
asd-f03-serial-killer-silently-pwning-your-java-endpoints asd-f03-serial-killer-silently-pwning-your-java-endpoints
Is this for real or is this just fantasy? Currently we found many bypass gadgets: JRE: 3 Third Party Libraries: Apache libraries: 6 Spring libraries: 1 Other popular libraries: 2 Applica@on Servers: IBM WebSphere: 13 Oracle WebLogic: 3 Apache TomEE: 3 … 24
Example (has been fixed) org.apache.commons.scxml2.env.groovy.GroovyContext 1 @SuppressWarnings("unchecked") 2 private void readObject(ObjectInputStream in) throws IOException,ClassNotFoundException { 3 this.scriptBaseClass = (String)in.readObject(); 4 this.evaluator = (GroovyEvaluator)in.readObject(); 5 this.binding = (GroovyContextBinding)in.readObject(); 6 byte[] bytes = (byte[])in.readObject(); 7 if (evaluator != null) { 8 this.vars = (Map) 9 new ObjectInputStream(new ByteArrayInputStream(bytes)) { 10 protected Class resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException { 11 return Class.forName(osc.getName(), true, evaluator.getGroovyClassLoader()); 12 } 13 }.readObject(); 14 } 15 else { 16 this.vars = (Map)new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject(); 17 } 18 } 25
- Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S
- Page 3 and 4: What is Java Serializa;on again? Ta
- Page 5 and 6: Standing on the Shoulder of Giants
- Page 7 and 8: Triggering Execu;on via "Magic Meth
- Page 9 and 10: Exploi;ng "Magic Methods" But what
- Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
- Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
- Page 15 and 16: New RCE Gadget in Jython (CVE pendi
- Page 17 and 18: Demo of aMack Let’s take a look a
- Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
- Page 21 and 22: Exis;ng Mi;ga;on Advice Simply remo
- Page 23: Bypassing LookAhead Blacklists New
- Page 27 and 28: Demo of bypass Let’s take a look
- Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja
- Page 31 and 32: #RSAC Finding Vulnerabili;es & Gadg
- Page 33 and 34: Finding Direct Deserializa;on Endpo
- Page 35 and 36: Finding Gadgets for Fun & Profit Si
- Page 37 and 38: Passive Deserializa;on Endpoint Det
- Page 39 and 40: Hardening Advice #RSAC
- Page 41 and 42: Apply What You Have Learned Today N
Is this for real or is this just fantasy?<br />
Currently we found many bypass gadgets:<br />
JRE: 3<br />
Third Party Libraries:<br />
Apache libraries: 6<br />
Spring libraries: 1<br />
Other popular libraries: 2<br />
Applica@on Servers:<br />
IBM WebSphere: 13<br />
Oracle WebLogic: 3<br />
Apache TomEE: 3<br />
…<br />
24