Serial Killer Silently Pwning Your Java Endpoints
Exploiting "Magic Methods" (slide 8)

Abusing "magic methods" of gadgets which have dangerous code:
- Attacker controls the member fields' values of the serialized object
- Upon deserialization, .readObject() / .readResolve() is invoked
- The implementation of this method in the gadget class uses attacker-controlled fields

Aside from the classic ones, lesser-known "magic methods" also help:
- .validateObject() as part of validation (which does not prevent attacks)
- .readObjectNoData() upon deserialization conflicts
- .finalize() as part of GC (even after errors), with deferred execution bypassing ad-hoc SecurityManagers at deserialization

Works also for Externalizable's .readExternal()

Exploiting "Magic Methods" (slide 9)

But what if there are no "Magic Methods" on the target's ClassPath that have "dangerous code" for the attacker to influence?
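As an added illustration (not code from the slides), the Java program below shows which of these callbacks ObjectInputStream invokes for a harmless Marker class whose readObject(), readResolve() and validateObject() only record that they ran, and how a look-ahead allow list in resolveClass() rejects the class before any of them can execute. Marker, AllowListInputStream and the allow-list contents are constructed for this example.

```java
import java.io.*;
import java.util.*;

public class MagicMethodsDemo {
    // Hypothetical stand-in for a gadget class: its callbacks only record that they ran.
    static class Marker implements Serializable, ObjectInputValidation {
        static final List<String> calls = new ArrayList<>();
        String field = "attacker-controlled-value"; // member value travels inside the stream
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();             // restores 'field' from the stream
            in.registerValidation(this, 0);     // schedules validateObject() after the graph is read
            calls.add("readObject(field=" + field + ")");
        }
        private Object readResolve() { calls.add("readResolve"); return this; }
        @Override public void validateObject() { calls.add("validateObject"); }
    }

    // Look-ahead allow list: unexpected classes are rejected in resolveClass(),
    // before the class is loaded and before any of its callbacks can execute.
    static class AllowListInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in); this.allowed = allowed;
        }
        @Override protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            if (!allowed.contains(d.getName()))
                throw new InvalidClassException(d.getName(), "not on the deserialization allow list");
            return super.resolveClass(d);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Marker());   // constructed sample stream
        new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
        System.out.println("plain ObjectInputStream ran: " + Marker.calls);
        Marker.calls.clear();
        try (ObjectInputStream in = new AllowListInputStream(
                new ByteArrayInputStream(bytes), Collections.singleton("java.lang.String"))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected " + e.classname + "; callbacks run: " + Marker.calls);
        }
    }
}
```

The first read shows all three callbacks firing in order on attacker-supplied field data; the second shows the allow list stopping the class before any callback runs, which is the check a look-ahead filter must perform ahead of class loading.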
SESSION ID: ASD-F03 Alvaro Muñoz S