Serial Killer Silently Pwning Your Java Endpoints
OWASPBNL_Java_Deserialization OWASPBNL_Java_Deserialization
Java Deserializa;on in a Nutshell ObjectInputStream Serializable Class Application Code Garbage Collector 4. Resolve classes of stream resolveClass() 5. Deserialize objects 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object 11.Call finalize() on GC 6
Triggering Execu;on via "Magic Methods" ObjectInputStream Serializable Class Application Code Garbage Collector 4. Resolve classes of stream resolveClass() 5. Deserialize objects 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object 11.Call finalize() on GC 7
- Page 1 and 2: Chris;an Schneider Serial Killer: S
- Page 3 and 4: Standing on the Shoulder of Giants
- Page 5: AWack Surface Usages of Java serial
- Page 9 and 10: Exploi;ng "Magic Methods" But what
- Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
- Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
- Page 15 and 16: New RCE Gadget in Jython (CVE pendi
- Page 17 and 18: Exis;ng Mi;ga;on Advice Simply remo
- Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
- Page 21 and 22: How did vendors handle this recentl
- Page 23 and 24: Is this for real or is this just fa
- Page 25 and 26: Now with home delivery javax.media.
- Page 27 and 28: Is it just Java Serializa;on? XStre
- Page 29 and 30: XStream, can you run readObject()?
- Page 31 and 32: Who Should Check for What? 1. Check
- Page 33 and 34: High-Level Gadget Categories Gadget
- Page 35 and 36: What to Check During Pentests? DAST
- Page 37 and 38: Ac;ve Vulnerability Scanning Some B
- Page 39 and 40: How to Harden Your Applica;ons? DO
- Page 41: Chris;an Schneider @cschneider4711
<strong>Java</strong> Deserializa;on in a Nutshell<br />
ObjectInputStream <strong>Serial</strong>izable Class Application Code Garbage Collector<br />
4. Resolve classes of stream<br />
resolveClass()<br />
5. Deserialize objects<br />
1. Get bytes<br />
2. Initialize ObjectInputStream<br />
3. Read object from stream<br />
• ois.readObject()<br />
6. Restore object member fields<br />
• readObject(ObjectInputStream)<br />
• readObjectNoData()<br />
7. Eventually replace restored object<br />
• readResolve()<br />
8. Optionally validate object<br />
• validateObject()<br />
9. Cast deserialized object to expected type<br />
10.Use deserialized object<br />
11.Call finalize() on GC<br />
6