Serial Killer Silently Pwning Your Java Endpoints

Recommendations

Info

High-Level Gadget Categories Gadget is a class (within target’s ClassPath) useable upon deserializa@on to facilitate an aEack, which ojen consists of mul@ple gadgets chained together as a "Gadget Chain". Trigger Gadget is a class with a "Magic Method" triggered during deserializa@on ac@ng upon proxy-able fields, which are aEacker controlled (serializable). Trigger Gadgets ini@ate the execu@on. Bypass Gadget is a class with (preferably) a "Magic Method" triggered during deserializa@on which leads to a "Nested Deserializa@on" with an unprotected OIS of aEacker-controllable bytes. Helper Gadget is a class with glues together other bonds of a gadget chain. Abuse Gadget is a class with a method implemen@ng dangerous func@onality, aEackers want to execute. Need for serializability is lijed when techniques like XStream are used by the target. 34
Finding Gadgets for Fun & Profit Sinks Sources Look for interes;ng method calls … java.lang.reflect.Method.invoke() java.io.File() java.io.ObjectInputStream() java.net.URLClassLoader() java.net.Socket() java.net.URL() javax.naming.Context.lookup() … reached by: java.io.Externalizable.readExternal() java.io.Serializable.readObject() java.io.Serializable.readObjectNoData() java.io.Serializable.readResolve() java.io.ObjectInputValida@on.validateObject() java.lang.reflect.Invoca@onHandler.invoke() javassist.u@l.proxy.MethodHandler.invoke() org.jboss.weld.bean.proxy.MethodHandler.invoke() java.lang.Object.finalize() (sta/c ini/alizer) 35
Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S
Page 3 and 4: What is Java Serializa;on again? Ta
Page 5 and 6: Standing on the Shoulder of Giants
Page 7 and 8: Triggering Execu;on via "Magic Meth
Page 9 and 10: Exploi;ng "Magic Methods" But what
Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
Page 15 and 16: New RCE Gadget in Jython (CVE pendi
Page 17 and 18: Demo of aMack Let’s take a look a
Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
Page 21 and 22: Exis;ng Mi;ga;on Advice Simply remo
Page 23 and 24: Bypassing LookAhead Blacklists New
Page 25 and 26: Example (has been fixed) org.apache
Page 27 and 28: Demo of bypass Let’s take a look
Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja
Page 31 and 32: #RSAC Finding Vulnerabili;es & Gadg
Page 33: Finding Direct Deserializa;on Endpo
Page 37 and 38: Passive Deserializa;on Endpoint Det
Page 39 and 40: Hardening Advice #RSAC
Page 41 and 42: Apply What You Have Learned Today N

Serial Killer Silently Pwning Your Java Endpoints

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?