SlideShare uma empresa Scribd logo

Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)

CODE WHITE GmbH
CODE WHITE GmbH

Slides from our RuhrSec '16 talk

Internet
1 de 61
Baixar para ler offline
Java Deserialization Vulnerabilities – The Forgotten Bug Class Matthias Kaiser (@matthias_kaiser)
About me  Head of Vulnerability Research at Code White in Ulm, Germany  Specialized on (server-side) Java  Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, etc.  Recently looking more into the Windows world and client-side stuff 28.04.2016 @matthias_kaiser
Agenda  Introduction  Java’s Object Serialization  What’s the problem with it  A history of bugs  Finding and exploiting  Code White’s bug parade + a RuhrSec special  More to come? 28.04.2016
Should you care?  If your client is running server products of 28.04.2016 you SHOULD!
Some facts  The bug class exists for more than 10 years  Most ignored bug class in the server-side Java world until 2015  A easy way to get reliable RCE on a server  Architecture independent exploitation  With Java deserialization vulnerabilities you can pwn a corp easily! 28.04.2016
Where is it used  Several J2EE/JEE core technologies rely on serialization  Remote Method Invocation (RMI)  Java Management Extension (JMX)  Java Message Service (JMS)  Java Server Faces implementations (ViewState)  Communication between JVMs in general (because devs are lazy :-)  Custom application protocols running on top of http, etc. 28.04.2016
What is serialization? 28.04.2016 Object File Network Database ObjectStream of bytes Stream of bytes Serialization Deserialization
Overview of Java’s Object Serialization Protocol 28.04.2016 Magic class name field type class field Class description info TC_OBJECT TC_CLASSDESC classdata[]
There is protocol spec and a grammar 28.04.2016 https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
Deserializing an object What could possibly go wrong here? 28.04.2016
What’s the problem  ObjectInputStream doesn’t include validation features in its API  All serializable classes that the current classloader can locate and load can get deserialized  Although a class cast exception might occur in the end, the object will be created! 28.04.2016
What’s the problem #2  A developer can customize the (de)-serialization of a serializable class  Implement methods writeObject(), writeReplace(), readObject() and readResolve()  ObjectInputStream invokes readObject() and readResolve() 28.04.2016 Under our control!
What’s the problem #3  Further methods can be triggered by using certain classes as a "trampoline"  Object.toString() using e.g. javax.management.BadAttributeValueExpException  Object.hashCode() using e.g. java.util.HashMap  Comparator.compare() using e.g. java.util.PriorityQueue  etc. 28.04.2016 Trampoline class Target class
What’s the problem #3 28.04.2016 javax.management.BadAttributeValueExpException 1. Reading the field "val" 2. Calling "toString()" on "val"
History of Java deserialization vulnerabilities JRE vulnerabilities (DoS) Mark Schönefeld 2006 JSF Viewstate XSS/DoS Sun Java Web Console Luca Carretoni 2008 CVE-2011-2894 Spring Framework RCE Wouter Coekaerts CVE-2012-4858 IBM Cognos Business Intelligence RCE Pierre Ernst 2011 2012 28.04.2016
History of Java deserialization vulnerabilities CVE-2013-1768 Apache OpenJPA RCE CVE-2013-1777 Apache Geronimo 3 RCE CVE-2013-2186 Apache commons-fileupload RCE Pierre Ernst CVE-2015-3253 Groovy RCE CVE-2015-7501 Commons-Collection RCE Gabriel Lawrence and Chris Frohoff CVE-2013-2165 JBoss RichFaces RCE Takeshi Terada 2013 2015 28.04.2016
Finding is trivial  Do the "grep" thing on "readObject()" 28.04.2016
Finding is trivial  Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject() 28.04.2016
Exploitation  Exploitation requires a chain of serialized objects triggering interesting functionality e.g.  writing files  dynamic method calls using Java’s Reflection API  etc.  For such a chain the term "gadget" got established  Chris Frohoff and others found several gadgets in standard libs  Let’s look at an example gadget 28.04.2016
Javassist/Weld Gadget  Gadget utilizes JBoss’ Javassist and Weld framework  Reported to Oracle with the Weblogic T3 vulnerability  Works in Oracle Weblogic and JBoss EAP  Allows us to call a method on a deserialized object 28.04.2016
Javassist/Weld Gadget InterceptorMethodHandler 28.04.2016
Javassist/Weld Gadget summary  During deserialization a "POST_ACTIVATE" interception will be executed  We can create an "interceptorHandlerInstances" that defines our deserialized target object as a handler for a "POST_ACTIVATE" interception  We can create an "interceptionModel" that defines a method to be executed on our handler for a "POST_ACTIVATE" interception 28.04.2016
Javassist/Weld Gadget call chain InterceptorMethodHandler.readObject(ObjectInputStream) InterceptorMethodHandler.executeInterception(Object, Method, Method, …) SimpleInterceptionChain.invokeNextInterceptor(InvocationContext) SimpleMethodInvocation<T>.invoke(InvocationContext) 28.04.2016
Javassist/Weld Gadget SimpleMethodInvocation 28.04.2016
"Return of the Rhino"-Gadget  Gadget utilizes Rhino Script Engine of Mozilla  Works with latest Rhino in the classpath  Oracle applied some hardening to its Rhino version  So only works Oracle JRE <= jre7u13   Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu)   Allows us to call a method on a deserialized object  Will be released on our blog soon 28.04.2016
What to look for?  Look for methods in serializable classes  working on files  triggering reflection (invoking methods, getting/setting properties on beans)  doing native calls  etc. AND being called from  readObject()  readResolve()  toString()  hashCode()  finalize()  any other method being called from a "Trampoline" class 28.04.2016
What to look for?  Look at serializable classes used in Java reflection proxies  java.lang.reflect.InvocationHandler implementations  javassist.util.proxy.MethodHandler implementations 28.04.2016 InvocationHandlerInterface Proxy toString() invoke (…) // do smth invoke (target, toString, args)
What to look for? 28.04.2016 Prints out method being called
What to look for? 28.04.2016 What if InvocationHandler.invoke() does "scary" things using values from the serialized object input stream? Proxy
Making gadget search easier  Chris Frohoff released a tool for finding gadgets using a graph database  Using object graph queries for gadget search 28.04.2016
Exploitation tricks  Adam Gowdiak’s TemplatesImpl  com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable  Allows to define new classes from your byte[ ][ ]  Calling TemplatesImpl.newTransformer() on deserialized object  Code Execution 28.04.2016
Exploitation tricks  InitialContext.lookup()  @zerothoughts published a gadget in Spring’s JtaTransactionManager recently  Triggers InitialContext.lookup(jndiName)  Uses "rmi://yourFakeRmiServer/…" as jndiName  Loads classes from your fake RMI server  Calling JdbcRowSetImpl.execute() on a deserialized object will do the same  28.04.2016
Payload generation  Chris Frohoff released the great tool "ysoserial"  Makes creation of payloads easy  Includes gadgets for  Commons Collection 3 & 4  Spring  Groovy  JRE7 (<= jre7u21)  Commons BeanUtils  and even more! 28.04.2016
Custom payloads  I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons  Most of the gadgets don’t touch the disk   With scripting languages your life gets even easier  Use what’s in the classpath  Javascript (Rhino, Nashorn)  Groovy  Beanshell  etc. 28.04.2016
Code White’s Bug Parade  CVE-2015-6554 - Symantec Endpoint Protection Manager RCE  CVE-2015-6576 - Atlassian Bamboo RCE  CVE-2015-7253 - Commvault Edge Server RCE  CVE-2015-7253 - Apache ActiveMQ RCE  CVE-2015-4582 - Oracle Weblogic RCE  CVE-2016-1998 - HP Service Manager RCE  CVE-2016-2173 - Spring AMQP  NO-CVE-YET - Oracle Hyperion RCE  NO-CVE-YET - SAP NW AS Java  Others I can’t talk about (now) 28.04.2016
Oracle Weblogic 28.04.2016
Oracle Weblogic  Oracle’s Application Server (acquired from BEA)  Middleware for core products of Oracle  Oracle Enterprise Manager  Oracle VM Manager  Oracle ESB  Oracle Hyperion  Oracle Peoplesoft  And many more 28.04.2016
CVE-2015-4852 - Oracle Weblogic  Reported on 21st of July 2015 to Oracle as "Oracle Weblogic T3 Deserialization Remote Code Execution Vulnerability"  Detailed advisory with POCs  Using Chris Frohoff’s Commons Collection Gadget  Using my Javassist/Weld Gadget  I recommended to implement "Look-ahead Deserialization" by Pierre Ernst  Yeah, the one @foxglovesec dropped … 28.04.2016
CVE-2015-4852 - Oracle Weblogic  Weblogic uses multi-protocol listener architecture  Channels can be defined listening for several protocols  The "interesting" protocols are t3 and t3s 28.04.2016
CVE-2015-4852 - T3 Protocol  Weblogic has its own RMI protocol called T3  Exists since the early days of Weblogic  Used for JEE remoting (e.g. Session Beans)  Used for JMX (e.g. by Weblogic Scripting Tool)  Can also be tunneled over HTTP (if enabled)  Check http://target:port/bea_wls_internal/HTTPClntLogin/a.tun 28.04.2016
CVE-2015-4852 - How I found the bug  Found during my daughter’s midday nap ;-)  Remembered the time when I was Dev and writing software for NATO systems  We used to deploy software on Weblogic using T3  Just wrote some lines to create a T3 connection 28.04.2016
CVE-2015-4852 - How I found the bug 28.04.2016 I haven’t specified any user, right?
T3Client CVE-2015-4852 - Oracle Weblogic 28.04.2016 1. Checking the protocol 2. Create "RJVM" object 4. Call a RMI method on on the stub 3. Create a RMI stub
BootServicesStub CVE-2015-4852 - Oracle Weblogic 28.04.2016 Method id 2 Serializing a UserInfo object
CVE-2015-4852 - Triggering the bug 28.04.2016 Stacktrace of the Weblogic Server while triggering the bug
CVE-2015-4852 - I’m in your UserInfo BootServicesImpl 28.04.2016 Method id 2
CVE-2015-4852 - I’m in your UserInfo BootServicesStubImpl 28.04.2016 calls readObject()
CVE-2015-4852 - POC 28.04.2016
Oracle Weblogic "Patch" #1: CPU January 2016 28.04.2016
CVE-2015-4852 - "Patch" #1  Fixing this doesn’t look easy, serialization is used in the core protocol  You can find a lot of gadgets in the classpath of Weblogic  Oracle "patched" it by implementing "Look-ahead" deserialization (by Pierre Ernst)  But they check against a blacklist in "resolveClass()": 28.04.2016
CVE-2015-4852 - Bypassing "Patch" #1  Alvaro Muñoz and Christian Schneider released "SerialKiller" at RSA 2016  collection of gadgets to bypass "Look-ahead" deserialization  triggering additional call to "readObject()" on an unfilterted "ObjectInputStream" instance  allows to bypass the "patch" using gadget e.g. "Weblogic1"  Jacob Baines found another bypass gadget  utilizes JMS classes from package "weblogic.jms.common"  e.g. "TextMessageImpl", "XMLMessageImpl", "ObjectMessageImpl", etc.  I also found it and wanted to drop it here   btw. JMS is another external entry point for deserialization  28.04.2016
Oracle Weblogic "Patch" #2: CPU April 2016 28.04.2016
CVE-2015-4852 - "Patch" #2  Blacklist unchanged, although new gadgets were available!  The JMS bypass gadgets/entry points were fixed.  Couple of other changes I need to look at … 28.04.2016
CVE-2015-4852 - Bypassing "Patch" #2  Alvaro‘s / Christian‘s bypass gadget still works, but I want to show you something new   So I started to  look at "patch" #1  look for bypass gadgets  You can imagine what’s coming  28.04.2016
CVE-2015-4852 - Bypassing "Patch" #2  com.oracle.sender.provider.standard.Conversation 28.04.2016
CVE-2015-4852 - Bypassing "Patch" #2  Blacklist implemented in "ClassFilter" blocks classes from package "javassist"  The only class from "javassist" which is used by gadget is the interface "MethodHandler"  Interfaces are not checked by the "Look-ahead" deserialization technique  Javassist/Weld gadget still works, but the "TemplatesImpl" technique is blocked  As you have seen before you can also use the "JdbcRowSetImpl" technique 28.04.2016
Oracle Weblogic 12.2.1 (fully patched) 28.04.2016 DEMO
More to come?  Sure! Bugs & Gadgets  I already mentioned that Java Messaging is using Serialization heavily  Currently I’m working on the Java Messaging Exploitation Tool (JMET)  Integrates Chris Frohoff’s ysoserial  Pwns your queues/topics like a boss!  Planned to be released around summer ‘16 28.04.2016
Conclusion  Java Deserialization is no rocket science  Finding bugs is trivial, exploitation takes more  So many products affected by it  Research has started, again …  This will never end! 28.04.2016
Q&A 28.04.2016
Java Deserialization Vulnerabilities – The forgotten bug class Matthias Kaiser

Recomendados

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
Spring Core
Spring CoreSpring Core
Spring CorePushan Bhattacharya
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 

Recomendados

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
Spring Core
Spring CoreSpring Core
Spring CorePushan Bhattacharya
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Collections - Maps
Collections - Maps Collections - Maps
Collections - Maps Hitesh-Java
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Spring Boot
Spring BootSpring Boot
Spring BootPei-Tang Huang
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
Implementing the IO Monad in Scala
Implementing the IO Monad in ScalaImplementing the IO Monad in Scala
Implementing the IO Monad in ScalaHermann Hueck
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Multithreading in java
Multithreading in javaMultithreading in java
Multithreading in javaRaghu nath
 
L11 array list
L11 array listL11 array list
L11 array listteach4uin
 
sets and maps
sets and maps sets and maps
sets and mapsRajkattamuri
 
JUnit & Mockito, first steps
JUnit & Mockito, first stepsJUnit & Mockito, first steps
JUnit & Mockito, first stepsRenato Primavera
 
Ruby on Rails Presentation
Ruby on Rails PresentationRuby on Rails Presentation
Ruby on Rails Presentationadamcookeuk
 
The Functional Programming Triad of Map, Filter and Fold
The Functional Programming Triad of Map, Filter and FoldThe Functional Programming Triad of Map, Filter and Fold
The Functional Programming Triad of Map, Filter and FoldPhilip Schwarz
 
Method overloading and constructor overloading in java
Method overloading and constructor overloading in javaMethod overloading and constructor overloading in java
Method overloading and constructor overloading in javabaabtra.com - No. 1 supplier of quality freshers
 
Introduction into ES6 JavaScript.
Introduction into ES6 JavaScript.Introduction into ES6 JavaScript.
Introduction into ES6 JavaScript.boyney123
 
Java String class
Java String classJava String class
Java String classDrRajeshreeKhande
 
Java Annotations
Java AnnotationsJava Annotations
Java AnnotationsSerhii Kartashov
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with SpringJoshua Long
 
Java program structure
Java program structureJava program structure
Java program structureshalinikarunakaran1
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Salesforce Engineering
 
Creating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsCreating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsBrian Huff
 

Mais conteúdo relacionado

Mais procurados

Collections - Maps
Collections - Maps Collections - Maps
Collections - Maps Hitesh-Java
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Implementing the IO Monad in Scala
Implementing the IO Monad in ScalaImplementing the IO Monad in Scala
Implementing the IO Monad in ScalaHermann Hueck
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Multithreading in java
Multithreading in javaMultithreading in java
Multithreading in javaRaghu nath
 
L11 array list
L11 array listL11 array list
L11 array listteach4uin
 
JUnit & Mockito, first steps
JUnit & Mockito, first stepsJUnit & Mockito, first steps
JUnit & Mockito, first stepsRenato Primavera
 
Ruby on Rails Presentation
Ruby on Rails PresentationRuby on Rails Presentation
Ruby on Rails Presentationadamcookeuk
 
The Functional Programming Triad of Map, Filter and Fold
The Functional Programming Triad of Map, Filter and FoldThe Functional Programming Triad of Map, Filter and Fold
The Functional Programming Triad of Map, Filter and FoldPhilip Schwarz
 
Introduction into ES6 JavaScript.
Introduction into ES6 JavaScript.Introduction into ES6 JavaScript.
Introduction into ES6 JavaScript.boyney123
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with SpringJoshua Long
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 

Mais procurados (20)

Collections - Maps
Collections - Maps Collections - Maps
Collections - Maps
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Implementing the IO Monad in Scala
Implementing the IO Monad in ScalaImplementing the IO Monad in Scala
Implementing the IO Monad in Scala
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Multithreading in java
Multithreading in javaMultithreading in java
Multithreading in java
 
L11 array list
L11 array listL11 array list
L11 array list
 
sets and maps
sets and maps sets and maps
sets and maps
 
JUnit & Mockito, first steps
JUnit & Mockito, first stepsJUnit & Mockito, first steps
JUnit & Mockito, first steps
 
Ruby on Rails Presentation
Ruby on Rails PresentationRuby on Rails Presentation
Ruby on Rails Presentation
 
The Functional Programming Triad of Map, Filter and Fold
The Functional Programming Triad of Map, Filter and FoldThe Functional Programming Triad of Map, Filter and Fold
The Functional Programming Triad of Map, Filter and Fold
 
Method overloading and constructor overloading in java
Method overloading and constructor overloading in javaMethod overloading and constructor overloading in java
Method overloading and constructor overloading in java
 
Introduction into ES6 JavaScript.
Introduction into ES6 JavaScript.Introduction into ES6 JavaScript.
Introduction into ES6 JavaScript.
 
Java String class
Java String classJava String class
Java String class
 
Java Annotations
Java AnnotationsJava Annotations
Java Annotations
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
 
Java program structure
Java program structureJava program structure
Java program structure
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 

Destaque

Creating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsCreating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsBrian Huff
 
Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!Brian Huff
 
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...Brian Huff
 
Integrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenterIntegrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenterBrian Huff
 
FatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio DevelopersFatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio DevelopersBrian Huff
 

Destaque (6)

Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess
 
Creating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsCreating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile Applications
 
Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!
 
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
 
Integrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenterIntegrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenter
 
FatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio DevelopersFatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio Developers
 

Semelhante a Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)

Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsDror Bereznitsky
 
Watir Presentation Sumanth Krishna. A
Watir Presentation Sumanth Krishna. AWatir Presentation Sumanth Krishna. A
Watir Presentation Sumanth Krishna. ASumanth krishna
 
比XML更好用的Java Annotation
比XML更好用的Java Annotation比XML更好用的Java Annotation
比XML更好用的Java Annotationjavatwo2011
 
CLR Exception Handing And Memory Management
CLR Exception Handing And Memory ManagementCLR Exception Handing And Memory Management
CLR Exception Handing And Memory ManagementShiny Zhu
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSPVS-Studio
 
JavaScript Miller Columns
JavaScript Miller ColumnsJavaScript Miller Columns
JavaScript Miller ColumnsJonathan Fine
 
Java programming basics
Java programming basicsJava programming basics
Java programming basicsHamid Ghorbani
 
iPhone development from a Java perspective (Jazoon '09)
iPhone development from a Java perspective (Jazoon '09)iPhone development from a Java perspective (Jazoon '09)
iPhone development from a Java perspective (Jazoon '09)Netcetera
 
Orchestrating the Intelligent Web with Apache Mahout
Orchestrating the Intelligent Web with Apache MahoutOrchestrating the Intelligent Web with Apache Mahout
Orchestrating the Intelligent Web with Apache Mahoutaneeshabakharia
 
2014 Pre-MSc-IS-3 Persistence Layer
2014 Pre-MSc-IS-3 Persistence Layer2014 Pre-MSc-IS-3 Persistence Layer
2014 Pre-MSc-IS-3 Persistence Layerandreasmartin
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
Java interview questions and answers
Java interview questions and answersJava interview questions and answers
Java interview questions and answersKrishnaov
 
Repository Pattern in MVC3 Application with Entity Framework
Repository Pattern in MVC3 Application with Entity FrameworkRepository Pattern in MVC3 Application with Entity Framework
Repository Pattern in MVC3 Application with Entity FrameworkAkhil Mittal
 

Semelhante a Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition) (20)

Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance Diagnostics
 
Servlets
ServletsServlets
Servlets
 
Watir Presentation Sumanth Krishna. A
Watir Presentation Sumanth Krishna. AWatir Presentation Sumanth Krishna. A
Watir Presentation Sumanth Krishna. A
 
Java Basics
Java BasicsJava Basics
Java Basics
 
比XML更好用的Java Annotation
比XML更好用的Java Annotation比XML更好用的Java Annotation
比XML更好用的Java Annotation
 
CLR Exception Handing And Memory Management
CLR Exception Handing And Memory ManagementCLR Exception Handing And Memory Management
CLR Exception Handing And Memory Management
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMS
 
JavaScript Miller Columns
JavaScript Miller ColumnsJavaScript Miller Columns
JavaScript Miller Columns
 
JavaSecure
JavaSecureJavaSecure
JavaSecure
 
Java programming basics
Java programming basicsJava programming basics
Java programming basics
 
iPhone development from a Java perspective (Jazoon '09)
iPhone development from a Java perspective (Jazoon '09)iPhone development from a Java perspective (Jazoon '09)
iPhone development from a Java perspective (Jazoon '09)
 
Orchestrating the Intelligent Web with Apache Mahout
Orchestrating the Intelligent Web with Apache MahoutOrchestrating the Intelligent Web with Apache Mahout
Orchestrating the Intelligent Web with Apache Mahout
 
2014 Pre-MSc-IS-3 Persistence Layer
2014 Pre-MSc-IS-3 Persistence Layer2014 Pre-MSc-IS-3 Persistence Layer
2014 Pre-MSc-IS-3 Persistence Layer
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Java interview questions and answers
Java interview questions and answersJava interview questions and answers
Java interview questions and answers
 
backend
backendbackend
backend
 
backend
backendbackend
backend
 
Tomcat + other things
Tomcat + other thingsTomcat + other things
Tomcat + other things
 
Repository Pattern in MVC3 Application with Entity Framework
Repository Pattern in MVC3 Application with Entity FrameworkRepository Pattern in MVC3 Application with Entity Framework
Repository Pattern in MVC3 Application with Entity Framework
 

Último

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceDelhi Call girls
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.soniya singh
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...SUHANI PANDEY
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubaikojalkojal131
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 

Último (20)

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 

Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)

  • 1. Java Deserialization Vulnerabilities – The Forgotten Bug Class Matthias Kaiser (@matthias_kaiser)
  • 2. About me  Head of Vulnerability Research at Code White in Ulm, Germany  Specialized on (server-side) Java  Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, etc.  Recently looking more into the Windows world and client-side stuff 28.04.2016 @matthias_kaiser
  • 3. Agenda  Introduction  Java’s Object Serialization  What’s the problem with it  A history of bugs  Finding and exploiting  Code White’s bug parade + a RuhrSec special  More to come? 28.04.2016
  • 4. Should you care?  If your client is running server products of 28.04.2016 you SHOULD!
  • 5. Some facts  The bug class exists for more than 10 years  Most ignored bug class in the server-side Java world until 2015  A easy way to get reliable RCE on a server  Architecture independent exploitation  With Java deserialization vulnerabilities you can pwn a corp easily! 28.04.2016
  • 6. Where is it used  Several J2EE/JEE core technologies rely on serialization  Remote Method Invocation (RMI)  Java Management Extension (JMX)  Java Message Service (JMS)  Java Server Faces implementations (ViewState)  Communication between JVMs in general (because devs are lazy :-)  Custom application protocols running on top of http, etc. 28.04.2016
  • 7. What is serialization? 28.04.2016 Object File Network Database ObjectStream of bytes Stream of bytes Serialization Deserialization
  • 8. Overview of Java’s Object Serialization Protocol 28.04.2016 Magic class name field type class field Class description info TC_OBJECT TC_CLASSDESC classdata[]
  • 9. There is protocol spec and a grammar 28.04.2016 https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
  • 10. Deserializing an object What could possibly go wrong here? 28.04.2016
  • 11. What’s the problem  ObjectInputStream doesn’t include validation features in its API  All serializable classes that the current classloader can locate and load can get deserialized  Although a class cast exception might occur in the end, the object will be created! 28.04.2016
  • 12. What’s the problem #2  A developer can customize the (de)-serialization of a serializable class  Implement methods writeObject(), writeReplace(), readObject() and readResolve()  ObjectInputStream invokes readObject() and readResolve() 28.04.2016 Under our control!
  • 13. What’s the problem #3  Further methods can be triggered by using certain classes as a "trampoline"  Object.toString() using e.g. javax.management.BadAttributeValueExpException  Object.hashCode() using e.g. java.util.HashMap  Comparator.compare() using e.g. java.util.PriorityQueue  etc. 28.04.2016 Trampoline class Target class
  • 14. What’s the problem #3 28.04.2016 javax.management.BadAttributeValueExpException 1. Reading the field "val" 2. Calling "toString()" on "val"
  • 15. History of Java deserialization vulnerabilities JRE vulnerabilities (DoS) Mark Schönefeld 2006 JSF Viewstate XSS/DoS Sun Java Web Console Luca Carretoni 2008 CVE-2011-2894 Spring Framework RCE Wouter Coekaerts CVE-2012-4858 IBM Cognos Business Intelligence RCE Pierre Ernst 2011 2012 28.04.2016
  • 16. History of Java deserialization vulnerabilities CVE-2013-1768 Apache OpenJPA RCE CVE-2013-1777 Apache Geronimo 3 RCE CVE-2013-2186 Apache commons-fileupload RCE Pierre Ernst CVE-2015-3253 Groovy RCE CVE-2015-7501 Commons-Collection RCE Gabriel Lawrence and Chris Frohoff CVE-2013-2165 JBoss RichFaces RCE Takeshi Terada 2013 2015 28.04.2016
  • 17. Finding is trivial  Do the "grep" thing on "readObject()" 28.04.2016
  • 18. Finding is trivial  Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject() 28.04.2016
  • 19. Exploitation  Exploitation requires a chain of serialized objects triggering interesting functionality e.g.  writing files  dynamic method calls using Java’s Reflection API  etc.  For such a chain the term "gadget" got established  Chris Frohoff and others found several gadgets in standard libs  Let’s look at an example gadget 28.04.2016
  • 20. Javassist/Weld Gadget  Gadget utilizes JBoss’ Javassist and Weld framework  Reported to Oracle with the Weblogic T3 vulnerability  Works in Oracle Weblogic and JBoss EAP  Allows us to call a method on a deserialized object 28.04.2016
  • 22. Javassist/Weld Gadget summary  During deserialization a "POST_ACTIVATE" interception will be executed  We can create an "interceptorHandlerInstances" that defines our deserialized target object as a handler for a "POST_ACTIVATE" interception  We can create an "interceptionModel" that defines a method to be executed on our handler for a "POST_ACTIVATE" interception 28.04.2016
  • 23. Javassist/Weld Gadget call chain InterceptorMethodHandler.readObject(ObjectInputStream) InterceptorMethodHandler.executeInterception(Object, Method, Method, …) SimpleInterceptionChain.invokeNextInterceptor(InvocationContext) SimpleMethodInvocation<T>.invoke(InvocationContext) 28.04.2016
  • 25. "Return of the Rhino"-Gadget  Gadget utilizes Rhino Script Engine of Mozilla  Works with latest Rhino in the classpath  Oracle applied some hardening to its Rhino version  So only works Oracle JRE <= jre7u13   Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu)   Allows us to call a method on a deserialized object  Will be released on our blog soon 28.04.2016
  • 26. What to look for?  Look for methods in serializable classes  working on files  triggering reflection (invoking methods, getting/setting properties on beans)  doing native calls  etc. AND being called from  readObject()  readResolve()  toString()  hashCode()  finalize()  any other method being called from a "Trampoline" class 28.04.2016
  • 27. What to look for?  Look at serializable classes used in Java reflection proxies  java.lang.reflect.InvocationHandler implementations  javassist.util.proxy.MethodHandler implementations 28.04.2016 InvocationHandlerInterface Proxy toString() invoke (…) // do smth invoke (target, toString, args)
  • 28. What to look for? 28.04.2016 Prints out method being called
  • 29. What to look for? 28.04.2016 What if InvocationHandler.invoke() does "scary" things using values from the serialized object input stream? Proxy
  • 30. Making gadget search easier  Chris Frohoff released a tool for finding gadgets using a graph database  Using object graph queries for gadget search 28.04.2016
  • 31. Exploitation tricks  Adam Gowdiak’s TemplatesImpl  com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable  Allows to define new classes from your byte[ ][ ]  Calling TemplatesImpl.newTransformer() on deserialized object  Code Execution 28.04.2016
  • 32. Exploitation tricks  InitialContext.lookup()  @zerothoughts published a gadget in Spring’s JtaTransactionManager recently  Triggers InitialContext.lookup(jndiName)  Uses "rmi://yourFakeRmiServer/…" as jndiName  Loads classes from your fake RMI server  Calling JdbcRowSetImpl.execute() on a deserialized object will do the same  28.04.2016
  • 33. Payload generation  Chris Frohoff released the great tool "ysoserial"  Makes creation of payloads easy  Includes gadgets for  Commons Collection 3 & 4  Spring  Groovy  JRE7 (<= jre7u21)  Commons BeanUtils  and even more! 28.04.2016
  • 34. Custom payloads  I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons  Most of the gadgets don’t touch the disk   With scripting languages your life gets even easier  Use what’s in the classpath  Javascript (Rhino, Nashorn)  Groovy  Beanshell  etc. 28.04.2016
  • 35. Code White’s Bug Parade  CVE-2015-6554 - Symantec Endpoint Protection Manager RCE  CVE-2015-6576 - Atlassian Bamboo RCE  CVE-2015-7253 - Commvault Edge Server RCE  CVE-2015-7253 - Apache ActiveMQ RCE  CVE-2015-4582 - Oracle Weblogic RCE  CVE-2016-1998 - HP Service Manager RCE  CVE-2016-2173 - Spring AMQP  NO-CVE-YET - Oracle Hyperion RCE  NO-CVE-YET - SAP NW AS Java  Others I can’t talk about (now) 28.04.2016
  • 37. Oracle Weblogic  Oracle’s Application Server (acquired from BEA)  Middleware for core products of Oracle  Oracle Enterprise Manager  Oracle VM Manager  Oracle ESB  Oracle Hyperion  Oracle Peoplesoft  And many more 28.04.2016
  • 38. CVE-2015-4852 - Oracle Weblogic  Reported on 21st of July 2015 to Oracle as "Oracle Weblogic T3 Deserialization Remote Code Execution Vulnerability"  Detailed advisory with POCs  Using Chris Frohoff’s Commons Collection Gadget  Using my Javassist/Weld Gadget  I recommended to implement "Look-ahead Deserialization" by Pierre Ernst  Yeah, the one @foxglovesec dropped … 28.04.2016
  • 39. CVE-2015-4852 - Oracle Weblogic  Weblogic uses multi-protocol listener architecture  Channels can be defined listening for several protocols  The "interesting" protocols are t3 and t3s 28.04.2016
  • 40. CVE-2015-4852 - T3 Protocol  Weblogic has its own RMI protocol called T3  Exists since the early days of Weblogic  Used for JEE remoting (e.g. Session Beans)  Used for JMX (e.g. by Weblogic Scripting Tool)  Can also be tunneled over HTTP (if enabled)  Check http://target:port/bea_wls_internal/HTTPClntLogin/a.tun 28.04.2016
  • 41. CVE-2015-4852 - How I found the bug  Found during my daughter’s midday nap ;-)  Remembered the time when I was Dev and writing software for NATO systems  We used to deploy software on Weblogic using T3  Just wrote some lines to create a T3 connection 28.04.2016
  • 42. CVE-2015-4852 - How I found the bug 28.04.2016 I haven’t specified any user, right?
  • 43. T3Client CVE-2015-4852 - Oracle Weblogic 28.04.2016 1. Checking the protocol 2. Create "RJVM" object 4. Call a RMI method on on the stub 3. Create a RMI stub
  • 44. BootServicesStub CVE-2015-4852 - Oracle Weblogic 28.04.2016 Method id 2 Serializing a UserInfo object
  • 45. CVE-2015-4852 - Triggering the bug 28.04.2016 Stacktrace of the Weblogic Server while triggering the bug
  • 46. CVE-2015-4852 - I’m in your UserInfo BootServicesImpl 28.04.2016 Method id 2
  • 47. CVE-2015-4852 - I’m in your UserInfo BootServicesStubImpl 28.04.2016 calls readObject()
  • 49. Oracle Weblogic "Patch" #1: CPU January 2016 28.04.2016
  • 50. CVE-2015-4852 - "Patch" #1  Fixing this doesn’t look easy, serialization is used in the core protocol  You can find a lot of gadgets in the classpath of Weblogic  Oracle "patched" it by implementing "Look-ahead" deserialization (by Pierre Ernst)  But they check against a blacklist in "resolveClass()": 28.04.2016
  • 51. CVE-2015-4852 - Bypassing "Patch" #1  Alvaro Muñoz and Christian Schneider released "SerialKiller" at RSA 2016  collection of gadgets to bypass "Look-ahead" deserialization  triggering additional call to "readObject()" on an unfilterted "ObjectInputStream" instance  allows to bypass the "patch" using gadget e.g. "Weblogic1"  Jacob Baines found another bypass gadget  utilizes JMS classes from package "weblogic.jms.common"  e.g. "TextMessageImpl", "XMLMessageImpl", "ObjectMessageImpl", etc.  I also found it and wanted to drop it here   btw. JMS is another external entry point for deserialization  28.04.2016
  • 52. Oracle Weblogic "Patch" #2: CPU April 2016 28.04.2016
  • 53. CVE-2015-4852 - "Patch" #2  Blacklist unchanged, although new gadgets were available!  The JMS bypass gadgets/entry points were fixed.  Couple of other changes I need to look at … 28.04.2016
  • 54. CVE-2015-4852 - Bypassing "Patch" #2  Alvaro‘s / Christian‘s bypass gadget still works, but I want to show you something new   So I started to  look at "patch" #1  look for bypass gadgets  You can imagine what’s coming  28.04.2016
  • 55. CVE-2015-4852 - Bypassing "Patch" #2  com.oracle.sender.provider.standard.Conversation 28.04.2016
  • 56. CVE-2015-4852 - Bypassing "Patch" #2  Blacklist implemented in "ClassFilter" blocks classes from package "javassist"  The only class from "javassist" which is used by gadget is the interface "MethodHandler"  Interfaces are not checked by the "Look-ahead" deserialization technique  Javassist/Weld gadget still works, but the "TemplatesImpl" technique is blocked  As you have seen before you can also use the "JdbcRowSetImpl" technique 28.04.2016
  • 57. Oracle Weblogic 12.2.1 (fully patched) 28.04.2016 DEMO
  • 58. More to come?  Sure! Bugs & Gadgets  I already mentioned that Java Messaging is using Serialization heavily  Currently I’m working on the Java Messaging Exploitation Tool (JMET)  Integrates Chris Frohoff’s ysoserial  Pwns your queues/topics like a boss!  Planned to be released around summer ‘16 28.04.2016
  • 59. Conclusion  Java Deserialization is no rocket science  Finding bugs is trivial, exploitation takes more  So many products affected by it  Research has started, again …  This will never end! 28.04.2016
  • 61. Java Deserialization Vulnerabilities – The forgotten bug class Matthias Kaiser