A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities
Please use the #javadeser hashtag for tweets.

Contents:
- Overview
- Main talks & presentations
- Payload generators
- Exploits
- Detect
- Vulnerable apps (without public exploits / need more info)
- Protection
- For Android
- Other serialization types

Main talks & presentations
- by @pwntester & @cschneider4711
- by @pwntester
Payload generators

ysoserial
https://github.com/frohoff/ysoserial
RCE via:
- Apache Commons Collections <= 3.1
- Apache Commons Collections <= 4.0
- Groovy <= 2.3.9
- Spring Core <= 4.1.4 (?)
- JDK <= 7u21
- Apache Commons BeanUtils 1.9.2 + Commons Collections <= 3.1 + Commons Logging 1.2 (?)
Additional tools:
- JavaSerialKiller - access to ysoserial as a Burp extension
How it works:
- https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
- http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

ACEDcup
https://github.com/GrrrDog/ACEDcup
File upload via:
- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

jndipoc
https://github.com/zerothoughts/jndipoc
How it works:
RCE via JNDI:
- When we control the address passed to a JNDI lookup (context.lookup(address))

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Won't-fix DoS via default Java classes

ois-dos
https://github.com/topolik/ois-dos/
How it works:
Won't-fix DoS via default Java classes
Exploits
"no spec tool" - you don't need a special tool (just Burp/ZAP + payload)

RMI
- Protocol
- Default - 1099/tcp for rmiregistry
Tool: ysoserial (works only against an RMI registry service)

- Protocol based on RMI

WebLogic
- Protocol
- Default - 7001/tcp on localhost interface
- CVE-2015-4852
Tool: JavaUnserializeExploits (doesn't work for all WebLogic versions)

WebSphere
- wsadmin
- Default port - 8880/tcp
- CVE-2015-7450

JBoss
- http://jboss_server/invoker/JMXInvokerServlet
- Default port - 8080/tcp
- CVE-2015-7501
Tool: https://github.com/njfox/Java-Deserialization-Exploit

Jenkins
- Jenkins CLI
- Default port - high number/tcp
- CVE-2015-8103

- <= 2.1.2
- When the REST API accepts serialized objects (uses ObjectRepresentation)
no spec tool

- RMI

- RMI

- CVE-2015-7253
- Serialized object in cookie
no spec tool
Detect
In code:
- ObjectInputStream.readObject
- ObjectInputStream.readUnshared
- Tool: Find Security Bugs
In traffic:
- Magic bytes 'ac ed 00 05'
- 'rO0' when the stream is Base64-encoded
Vulnerable apps (without public exploits / need more info)

Apache Solr
- SOLR-8262
- 5.1 <= version <= 5.4
- /stream handler uses Java serialization for RPC

Apache Shiro
- SHIRO-550
- encrypted cookie (with a hardcoded key)

- CVE-2015-5254
- <= 5.12.1
- Explanation of the vuln

Bamboo
- CVE-2015-6576
- 2.2 <= version < 5.8.5
- 5.9.0 <= version < 5.9.7

Bamboo
- CVE-2015-8360
- 2.3.1 <= version < 5.9.9
- Bamboo JMS port (port 54663 by default)

- CVE-2015-8237
- RMI (30xx/tcp)
- CVE-2015-8238
- js-soc protocol (4711/tcp)
Protection
- Look-ahead Java deserialization
- NotSoSerial
- SerialKiller
- ValidatingObjectInputStream
- Some protection bypasses
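As an added example, not code from the cheat sheet or from any of the tools listed above, here is a minimal look-ahead ObjectInputStream of the kind the Protection entries refer to: it rejects any class not on an allowlist inside resolveClass(), i.e. before an instance is created. The allowlist contents, the class name and the demo object are assumptions.

```java
import java.io.*;
import java.util.*;

// Minimal look-ahead ObjectInputStream (added example). The JVM calls
// resolveClass() for each class descriptor it reads BEFORE instantiating
// the object, so a gadget class (e.g. from Commons Collections) is refused
// before any of its readObject()/readResolve() code can run.
public class LookAheadObjectInputStream extends ObjectInputStream {
    // Exact class names the endpoint legitimately expects (assumed here).
    private final Set<String> allowed;

    public LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail closed and name the class: this is the event to alert on.
            throw new InvalidClassException(name, "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Demo: serialize a harmless object, then read it back with an allowlist
    // that permits it and with one that does not (Java 9+ for Set.of/List.of).
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(List.of("hello")));
        }
        byte[] blob = bos.toByteArray();
        // Stream magic from the Detect section: ac ed 00 05
        System.out.printf("magic: %02x %02x %02x %02x%n", blob[0], blob[1], blob[2], blob[3]);
        Set<String> ok = Set.of("java.util.ArrayList");
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(blob), ok)) {
            System.out.println("accepted: " + ois.readObject());
        }
        // Only plain strings allowed: the ArrayList descriptor is refused up front.
        Set<String> strict = Set.of("java.lang.String");
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(blob), strict)) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that java.lang.String values are written as TC_STRING records without a class descriptor, so resolveClass() is never consulted for them; only classes that arrive as descriptors are checked, which is exactly where gadget chains enter.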
For Android
- One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
- Android Serialization Vulnerabilities Revisited