Serial Killer Silently Pwning Your Java Endpoints

More documents

Recommendations

Info

Exis;ng Mi;ga;on Advice Simply remove gadget classes from ClassPath Not feasible given more and more gadgets becoming available Blacklist & Whitelist based check at ObjectInputStream.resolveClass Different implementa@ons of this "Lookahead"-Deserializa@on exist: Use of ObjectInputStream subclass in applica@on’s deserializa@on code Agent-based (AOP-like) hooking of calls to ObjectInputStream.resolveClass() Blacklists: Bypasses might exist (in your dependencies or your own code) Whitelists: Difficult to get right & DoS though JDK standard classes possible Ad hoc SecurityManager sandboxes during deserializa@on Execu@on can be deferred a]er deserializa@on: we’ll show later how… 20
How did vendors handle this recently? Vendor / Product Atlassian Bamboo Apache ActiveMQ Apache Batchee Apache JCS Apache openjpa Apache Owb Apache TomEE Type of Protection Removed Usage of <strong>Serial</strong>ization LAOIS Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist LAOIS Blacklist + optional Whitelist ********** (still to be fixed) LAOIS Blacklist 21
Page 1 and 2: Chris;an Schneider Serial Killer: S
Page 3 and 4: Standing on the Shoulder of Giants
Page 5 and 6: AWack Surface Usages of Java serial
Page 7 and 8: Triggering Execu;on via "Magic Meth
Page 9 and 10: Exploi;ng "Magic Methods" But what
Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
Page 15 and 16: New RCE Gadget in Jython (CVE pendi
Page 17 and 18: Exis;ng Mi;ga;on Advice Simply remo
Page 19: Exis;ng Mi;ga;on Advice Simply remo
Page 23 and 24: Is this for real or is this just fa
Page 25 and 26: Now with home delivery javax.media.
Page 27 and 28: Is it just Java Serializa;on? XStre
Page 29 and 30: XStream, can you run readObject()?
Page 31 and 32: Who Should Check for What? 1. Check
Page 33 and 34: High-Level Gadget Categories Gadget
Page 35 and 36: What to Check During Pentests? DAST
Page 37 and 38: Ac;ve Vulnerability Scanning Some B
Page 39 and 40: How to Harden Your Applica;ons? DO
Page 41: Chris;an Schneider @cschneider4711

Serial Killer Silently Pwning Your Java Endpoints

Create successful ePaper yourself

Delete template?

Save as template?