Serial Killer Silently Pwning Your Java Endpoints
OWASPBNL_Java_Deserialization OWASPBNL_Java_Deserialization
Finding Direct Deserializa;on Endpoints Find calls (within your code and your dependencies’ code) to: ObjectInputStream.readObject() ObjectInputStream.readUnshared() Where InputStream is aEacker controlled. For example: 1 InputStream is = request.getInputStream(); 2 ObjectInputStream ois = new ObjectInputStream(is); 3 ois.readObject(); … and ObjectInputStream is or extends java.io.ObjectInputStream … but is not a safe one (eg: Commons-io Valida@ngObjectInputStream) 32
High-Level Gadget Categories Gadget is a class (within target’s ClassPath) useable upon deserializa@on to facilitate an aEack, which ojen consists of mul@ple gadgets chained together as a "Gadget Chain". Trigger Gadget is a class with a "Magic Method" triggered during deserializa@on ac@ng upon proxy-able fields, which are aEacker controlled. Trigger Gadgets ini@ate the execu@on. Bypass Gadget is a class with (preferably) a "Magic Method" triggered during deserializa@on which leads to a "Nested Deserializa@on" with an unprotected OIS of aEacker-controllable bytes. Helper Gadget is a class with glues together other bonds of a gadget chain. Abuse Gadget is a class with a method implemen@ng dangerous func@onality, aEackers want to execute. Need for gadget serializability is liEed when techniques like XStream are used by the target. 33
- Page 1 and 2: Chris;an Schneider Serial Killer: S
- Page 3 and 4: Standing on the Shoulder of Giants
- Page 5 and 6: AWack Surface Usages of Java serial
- Page 7 and 8: Triggering Execu;on via "Magic Meth
- Page 9 and 10: Exploi;ng "Magic Methods" But what
- Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
- Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
- Page 15 and 16: New RCE Gadget in Jython (CVE pendi
- Page 17 and 18: Exis;ng Mi;ga;on Advice Simply remo
- Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
- Page 21 and 22: How did vendors handle this recentl
- Page 23 and 24: Is this for real or is this just fa
- Page 25 and 26: Now with home delivery javax.media.
- Page 27 and 28: Is it just Java Serializa;on? XStre
- Page 29 and 30: XStream, can you run readObject()?
- Page 31: Who Should Check for What? 1. Check
- Page 35 and 36: What to Check During Pentests? DAST
- Page 37 and 38: Ac;ve Vulnerability Scanning Some B
- Page 39 and 40: How to Harden Your Applica;ons? DO
- Page 41: Chris;an Schneider @cschneider4711
Finding Direct Deserializa;on <strong>Endpoints</strong><br />
Find calls (within your code and your dependencies’ code) to:<br />
ObjectInputStream.readObject()<br />
ObjectInputStream.readUnshared()<br />
Where InputStream is aEacker controlled. For example:<br />
1 InputStream is = request.getInputStream();<br />
2 ObjectInputStream ois = new ObjectInputStream(is);<br />
3 ois.readObject();<br />
… and ObjectInputStream is or extends java.io.ObjectInputStream<br />
… but is not a safe one (eg: Commons-io Valida@ngObjectInputStream)<br />
32