Serial Killer Silently Pwning Your Java Endpoints

04.03.2016 Views
#RSAC Q & A / Thank You ! Alvaro Muñoz @pwntester alvaro.munoz@hpe.com Chris;an Schneider @cschneider4711 mail@Chris@an-Schneider.net

Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S

Page 3 and 4: What is Java Serializa;on again? Ta

Page 5 and 6: Standing on the Shoulder of Giants

Page 7 and 8: Triggering Execu;on via "Magic Meth

Page 9 and 10: Exploi;ng "Magic Methods" But what

Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad

Page 13 and 14: New RCE Gadget in BeanShell (CVE-20

Page 15 and 16: New RCE Gadget in Jython (CVE pendi

Page 17 and 18: Demo of aMack Let’s take a look a

Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo

Page 21 and 22: Exis;ng Mi;ga;on Advice Simply remo

Page 23 and 24: Bypassing LookAhead Blacklists New

Page 25 and 26: Example (has been fixed) org.apache

Page 27 and 28: Demo of bypass Let’s take a look

Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja

Page 31 and 32: #RSAC Finding Vulnerabili;es & Gadg

Page 33 and 34: Finding Direct Deserializa;on Endpo

Page 35 and 36: Finding Gadgets for Fun & Profit Si

Page 37 and 38: Passive Deserializa;on Endpoint Det

Page 39 and 40: Hardening Advice #RSAC

Page 41: Apply What You Have Learned Today N

gadget

gadgets

objectinputstream

whitelist

apache

blacklist

xstream

aeacker

classpath

laois

silently

pwning

endpoints

Serial Killer Silently Pwning Your Java Endpoints

asd-f03-serial-killer-silently-pwning-your-java-endpoints ... View more asd-f03-serial-killer-silently-pwning-your-java-endpoints

Delete template?

Save as template ?

asd-f03-serial-killer-silently-pwning-your-java-endpoints asd-f03-serial-killer-silently-pwning-your-java-endpoints