Serial Killer Silently Pwning Your Java Endpoints
Why this talk?
- Java deserialization attacks have been known for years
- A relatively new gadget in Apache Commons-Collections made the topic available to a mainstream (dev) audience in 2015
- Some inaccurate advice to protect your applications is making the rounds
- In this talk we'll demonstrate the weakness of this advice by …
  - … showing you new RCE gadgets
  - … showing you bypasses
- We'll give advice on how to spot this vulnerability and its gadgets during …
  - … code reviews (i.e. showing you what to look for)
  - … pentests (i.e. how to generically test for such issues)
What is Java Serialization again?
- Taking a snapshot of an object graph as a byte stream that can be used to reconstruct the object graph to its original state
- Only object data is serialized, not the code
- The code sits on the ClassPath of the deserializing end
- Developers can customize this serialization/deserialization process
  - Individual object/state serialization via .writeObject() / .writeReplace() / .writeExternal() methods
  - Individual object/state re-construction on the deserializing end via .readObject() / .readResolve() / .readExternal() methods (and more)
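The customization hooks above are the whole problem: ObjectInputStream invokes readObject() and readResolve() of whatever class the incoming byte stream names, as long as that class is on the classpath, and it does so before the calling code ever receives or casts the result. The following is an added example, not code from the slides; the class names Hooked and AllowlistObjectInputStream and the "calc" payload string are made up for illustration. The hooks here only record that they ran, where a real gadget would do its work.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not from the talk): a Serializable class whose hooks are observable,
 * deserialized once by a plain ObjectInputStream and once by a look-ahead allowlist stream.
 */
public class MagicMethodsDemo {

    /** Records which hooks ran, in order, so the side effect is visible. */
    static final List<String> TRACE = new ArrayList<>();

    /** Harmless stand-in for a gadget class that happens to be on the classpath. */
    static class Hooked implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload;

        Hooked(String payload) { this.payload = payload; }

        // Called by ObjectOutputStream instead of default field serialization.
        private void writeObject(ObjectOutputStream out) throws IOException {
            TRACE.add("writeObject");
            out.defaultWriteObject();
        }

        // Called by ObjectInputStream while rebuilding this object: code runs here
        // although the caller has not yet received, let alone cast, the result.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            TRACE.add("readObject(" + payload + ")");
        }

        // Called after readObject; whatever it returns replaces the deserialized instance.
        private Object readResolve() {
            TRACE.add("readResolve");
            return this;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Look-ahead stream: resolveClass() sees the class name from the stream before
     * any instance is allocated, so a class not on the allowlist never gets its hooks run.
     */
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the sender serializes a Hooked object ...
        byte[] bytes = serialize(new Hooked("calc"));
        TRACE.clear();

        // ... while the endpoint expects a String. The cast changes nothing: readObject()
        // and readResolve() of Hooked have already run when the ClassCastException is thrown.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            String s = (String) ois.readObject();
            System.out.println(s);
        } catch (ClassCastException e) {
            System.out.println("cast failed, but hooks already ran: " + TRACE);
        }

        // Allowlist stream: rejected in resolveClass(), before Hooked exists as an object.
        TRACE.clear();
        try (ObjectInputStream ois = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bytes), Collections.singleton("java.lang.String"))) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage() + "; hooks ran: " + TRACE);
        }
    }
}
```

Compile and run it with javac/java; the first attempt prints a trace containing both hooks, the second prints an empty trace. The point for code review is that the declared type on the receiving side is no defense, and the point for hardening is that only a check taken at resolveClass() (or, on JDK 9+ and 8u121+, an ObjectInputFilter set via jdk.serialFilter) runs early enough, and that it must be an allowlist, since a blacklist of known gadget classes is exactly what the talk's bypasses get around.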
Deck page index:
- Page 1: SESSION ID: ASD-F03, Alvaro Muñoz S…
- Pages 5 and 6: Standing on the Shoulder of Giants
- Pages 7 and 8: Triggering Execution via "Magic Meth…
- Pages 9 and 10: Exploiting "Magic Methods" But what…
- Pages 11 and 12: Exploiting InvocationHandler (IH) Gad…
- Pages 13 and 14: New RCE Gadget in BeanShell (CVE-20…
- Pages 15 and 16: New RCE Gadget in Jython (CVE pendi…
- Pages 17 and 18: Demo of attack Let's take a look a…
- Pages 19 and 20: Existing Mitigation Advice Simply remo…
- Pages 21 and 22: Existing Mitigation Advice Simply remo…
- Pages 23 and 24: Bypassing LookAhead Blacklists New…
- Pages 25 and 26: Example (has been fixed) org.apache…
- Pages 27 and 28: Demo of bypass Let's take a look…
- Pages 29 and 30: Exploiting JNA …
- Pages 31 and 32: Finding Vulnerabilities & Gadg…
- Pages 33 and 34: Finding Direct Deserialization Endpo…
- Pages 35 and 36: Finding Gadgets for Fun & Profit Si…
- Pages 37 and 38: Passive Deserialization Endpoint Det…
- Pages 39 and 40: Hardening Advice
- Pages 41 and 42: Apply What You Have Learned Today N…