A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities
Please, use #javadeser hash tag for tweets.
- Overview
- Main talks & presentations & docs
- Payload generators
- Exploits
- Detect
- Vulnerable apps (without public sploits/need more info)
- Protection
- For Android
- Other serialization types
by @pwntester & @cschneider4711
by @cschneider4711 & @pwntester
by @pwntester and O. Mirosh
https://github.com/frohoff/ysoserial
RCE (or smth else) via:
- Apache Commons Collections <= 3.1
- Apache Commons Collections <= 4.0
- Groovy <= 2.3.9
- Spring Core <= 4.1.4 (?)
- JDK <=7u21
- Apache Commons BeanUtils 1.9.2 + Commons Collections <=3.1 + Commons Logging 1.2 (?)
- BeanShell 2.0
- Groovy 2.3.9
- Jython 2.5.2
- C3P0 0.9.5.2
- Apache Commons Fileupload <= 1.3.1 (File uploading)
- ROME 1.0
- MyFaces
- JRMPClient/JRMPListener
- JSON
- Hibernate
Additional tools (access to ysoserial in Burp extension):
How it works:
- https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
- http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html
https://github.com/GrrrDog/ACEDcup
File uploading via:
- Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40
https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Won't fix DoS via default Java classes
https://github.com/topolik/ois-dos/
How it works:
Won't fix DoS via default Java classes
no spec tool - You don't need a special tool (just Burp/ZAP + payload)
- Protocol
- Default - 1099/tcp for rmiregistry
ysoserial (works only against a RMI registry service)
- Protocol based on RMI
- partially patched in JRE
- When we control an adrress for lookup of JNDI (context.lookup(address))
- Full info
- JNDI remote code injection
https://github.com/zerothoughts/jndipoc
- if no encryption or good mac
- Protocol
- Default - 7001/tcp on localhost interface
- CVE-2015-4852
loubia (tested on 11g and 12c, supports t3s)
JavaUnserializeExploits (doesn't work for all Weblogic versions)
- wsadmin
- Default port - 8880/tcp
- CVE-2015-7450
- http://jboss_server/invoker/JMXInvokerServlet
- Default port - 8080/tcp
- CVE-2015-7501
https://github.com/njfox/Java-Deserialization-Exploit
- Jenkins CLI
- Default port - High number/tcp
- CVE-2015-8103
- CVE-2015-3253
- patch "bypass" for Jenkins
- CVE-2016-0788
- Details of exploit
- <= 2.1.2
- When Rest API accepts serialized objects (uses ObjectRepresentation)
no spec tool
- *When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
- Details and examples
no spec tool
- RMI
- all versions
- RMI
- CVE-2015-7253
- Serialized object in cookie
no spec tool
- /servlet/ConsoleServlet?ActionType=SendStatPing
- CVE-2015-6555
- https://[target]:18443/v3/dataflow/0/0
- CVE-2016-3461
no spec tool
- custom(?) protocol (1337/tcp)
- MSA-2016-01
- <= 6.3.1
- RMI
- CVE-2016-3642
- https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
- <= 2.2.3 Update 4
- <= 3.0.2
- CVE-2016-1291
CoalfireLabs/java_deserialization_exploits
- all version, no fix (the project is not supported)
- POST XML request with ex:serializable element
- Details and examples
no spec tool
- because it uses Apache XML-RPC
- CVE-2016-5004
- Details and examples
no spec tool
- admin panel for Solaris
- < v3.1.
- old DoS sploit
no spec tool
- ObjectInputStream.readObject
- ObjectInputStream.readUnshared
- Tool: Find Security Bugs
- Tool: Serianalyzer
- Magic bytes 'ac ed 00 05' bytes
- 'rO0' for Base64
- 'application/x-java-serialized-object' for Content-Type header
- Nmap >=7.10 has more java-related probes
- use nmap --all-version to find JMX/RMI on non-standart ports
- SOLR-8262
- 5.1 <= version <=5.4
- /stream handler uses Java serialization for RPC
- SHIRO-550
- encrypted cookie (with the hardcoded key)
- CVE-2015-6576
- 2.2 <= version < 5.8.5
- 5.9.0 <= version < 5.9.7
- CVE-2015-8360
- 2.3.1 <= version < 5.9.9
- Bamboo JMS port (port 54663 by default)
- CVE-2016-2173
- *1.0.0 <= version < 1.5.5
- custom(?) protocol(60024/tcp)
- article
- CVE-2015-8237
- RMI (30xx/tcp)
- CVE-2015-8238
- js-soc protocol (4711/tcp)
- 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
- 201505-01
- requires local access
- CVE-2016-0714
- Article
- Look-ahead Java deserialization
- NotSoSerial
- SerialKiller
- ValidatingObjectInputStream
- Some protection bypasses
- Tool: Serial Whitelist Application Trainer
- One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
- Android Serialization Vulnerabilities Revisited