Serial Killer Silently Pwning Your Java Endpoints

Recommendations

Info

Who Should Check for What? Check your endpoints for those accep;ng (untrusted) serialized data Check your code for poten;al gadgets, which could be used in deserializa@on aEacks where your library / framework is used Also the ClassPath of the app-server can host exploitable gadgets Problem: "Gadget Space" is too big Typical app-server based deployments have hundreds of JARs in ClassPath SAST tools might help for both checks… Such as HPE Security For@fy or the OpenSource FindSecBugs 32
Finding Direct Deserializa;on <strong>Endpoints</strong> Find calls (within your code and your dependencies’ code) to: ObjectInputStream.readObject() ObjectInputStream.readUnshared() Where InputStream is aEacker controlled. For example: 1 InputStream is = request.getInputStream(); 2 ObjectInputStream ois = new ObjectInputStream(is); 3 ois.readObject(); … and ObjectInputStream is or extends java.io.ObjectInputStream … but is not a safe one (eg: Commons-io Valida@ngObjectInputStream) 33
Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S
Page 3 and 4: What is Java Serializa;on again? Ta
Page 5 and 6: Standing on the Shoulder of Giants
Page 7 and 8: Triggering Execu;on via "Magic Meth
Page 9 and 10: Exploi;ng "Magic Methods" But what
Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
Page 15 and 16: New RCE Gadget in Jython (CVE pendi
Page 17 and 18: Demo of aMack Let’s take a look a
Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
Page 21 and 22: Exis;ng Mi;ga;on Advice Simply remo
Page 23 and 24: Bypassing LookAhead Blacklists New
Page 25 and 26: Example (has been fixed) org.apache
Page 27 and 28: Demo of bypass Let’s take a look
Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja
Page 31: #RSAC Finding Vulnerabili;es & Gadg
Page 35 and 36: Finding Gadgets for Fun & Profit Si
Page 37 and 38: Passive Deserializa;on Endpoint Det
Page 39 and 40: Hardening Advice #RSAC
Page 41 and 42: Apply What You Have Learned Today N

Serial Killer Silently Pwning Your Java Endpoints

Create successful ePaper yourself

Delete template?

Save as template?