Serial Killer Silently Pwning Your Java Endpoints
asd-f03-serial-killer-silently-pwning-your-java-endpoints asd-f03-serial-killer-silently-pwning-your-java-endpoints
AMack Surface Usages of Java serializa@on in protocols/formats/products: RMI (Remote Method Invoca@on) JMX (Java Management Extension) JMS (Java Messaging System) Spring Service Invokers HTTP, JMS, RMI, etc. Android AMF (Ac@on Message Format) JSF ViewState WebLogic T3 … … 4
Standing on the Shoulder of Giants… Spring AOP (by Wouter Coekaerts, public exploit: @pwntester in 2011) AMF DoS (by Wouter Coekaerts in 2011) Commons-fileupload (by Arun Babu NeelicaEu in 2013) Groovy (by cpnrodzc7 / @frohoff in 2015) Commons-Collec;ons (by @frohoff and @gebl in 2015) Spring Beans (by @frohoff and @gebl in 2015) Serial DoS (by Wouter Coekaerts in 2015) SpringTx (by @zerothinking in 2016) JDK7 (by @frohoff in 2016) Probably more we are forge7ng and more to come in few minutes … 5
- Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S
- Page 3: What is Java Serializa;on again? Ta
- Page 7 and 8: Triggering Execu;on via "Magic Meth
- Page 9 and 10: Exploi;ng "Magic Methods" But what
- Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
- Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
- Page 15 and 16: New RCE Gadget in Jython (CVE pendi
- Page 17 and 18: Demo of aMack Let’s take a look a
- Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
- Page 21 and 22: Exis;ng Mi;ga;on Advice Simply remo
- Page 23 and 24: Bypassing LookAhead Blacklists New
- Page 25 and 26: Example (has been fixed) org.apache
- Page 27 and 28: Demo of bypass Let’s take a look
- Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja
- Page 31 and 32: #RSAC Finding Vulnerabili;es & Gadg
- Page 33 and 34: Finding Direct Deserializa;on Endpo
- Page 35 and 36: Finding Gadgets for Fun & Profit Si
- Page 37 and 38: Passive Deserializa;on Endpoint Det
- Page 39 and 40: Hardening Advice #RSAC
- Page 41 and 42: Apply What You Have Learned Today N
AMack Surface<br />
Usages of <strong>Java</strong> serializa@on in protocols/formats/products:<br />
RMI (Remote Method Invoca@on)<br />
JMX (<strong>Java</strong> Management Extension)<br />
JMS (<strong>Java</strong> Messaging System)<br />
Spring Service Invokers<br />
HTTP, JMS, RMI, etc.<br />
Android<br />
AMF (Ac@on Message Format)<br />
JSF ViewState<br />
WebLogic T3<br />
…<br />
…<br />
4