
Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please use the #javadeser hashtag for tweets.

Table of contents

Java Native Serialization (binary)

Overview

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

Surviving the Java serialization apocalypse

by @cschneider4711 & @pwntester

Java Deserialization Vulnerabilities - The Forgotten Bug Class

by @matthias_kaiser

Pwning Your Java Messaging With Deserialization Vulnerabilities

by @matthias_kaiser

Defending against Java Deserialization Vulnerabilities

by @lucacarettoni

A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

by @pwntester and O. Mirosh

Fixing the Java Serialization mess

by @e_rnst

Blind Java Deserialization

by deadcode.me

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)

by @joaomatosf

Payload generators

ysoserial

https://github.com/frohoff/ysoserial

ysoserial 0.6 payloads:

| payload | author | dependencies | impact (if not RCE) |
|---|---|---|---|
| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 | |
| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 | |
| Clojure | @JackOfMostTrades | clojure:1.8.0 | |
| CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 | |
| CommonsCollections1 | @frohoff | commons-collections:3.1 | |
| CommonsCollections2 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections3 | @frohoff | commons-collections:3.1 | |
| CommonsCollections4 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 | |
| CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 | |
| FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 | file uploading |
| Groovy1 | @frohoff | groovy:2.3.9 | |
| Hibernate1 | @mbechler | | |
| Hibernate2 | @mbechler | | |
| JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| JRMPClient | @mbechler | | |
| JRMPListener | @mbechler | | |
| JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 | |
| JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| Jdk7u21 | @frohoff | | |
| Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 | |
| MozillaRhino1 | @matthias_kaiser | js:1.7R2 | |
| Myfaces1 | @mbechler | | |
| Myfaces2 | @mbechler | | |
| ROME | @mbechler | rome:1.0 | |
| Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE | |
| Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 | |
| URLDNS | @gebl | jre only | vuln detect |
| Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 | |

Additional tools (detection, integration of ysoserial with Burp Suite):

Additional tool to test RMI:

Full shell (pipes, redirects and other stuff):

How it works:

JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

  • Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes (JRE)

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

Won't fix DoS using default Java classes (JRE)

DoS against Serialization Filtering (JEP-290)

Tool to search gadgets

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI
  • Protocol
  • Default - 1099/tcp for rmiregistry

ysoserial (works only against an RMI registry service)

JMX

ysoserial

JexBoss

JNDI/LDAP

https://github.com/zerothoughts/jndipoc

JMS

JMET

JSF ViewState
  • if there is no encryption or no good MAC

no spec tool

JexBoss

T3 of Oracle Weblogic

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

WLT3Serial

CVE-2018-2628 sploit

Oracle Weblogic

IBM Websphere (1)

JavaUnserializeExploits

serialator

CoalfireLabs/java_deserialization_exploits

IBM Websphere (2)
  • When using custom form authentication
  • WASPostParam cookie
  • Full info

no spec tool

Red Hat JBoss (1)
  • http://jboss_server/invoker/JMXInvokerServlet
  • Default port - 8080/tcp
  • CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

JexBoss

Red Hat JBoss 6.X
  • http://jboss_server/invoker/readonly
  • Default port - 8080/tcp
  • CVE-2017-12149
  • JBoss 6.X and EAP 5.X
  • Details

no spec tool

Red Hat JBoss 4.x
  • http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
  • <= 4.x
  • CVE-2017-7504

no spec tool

Jenkins (1)

JavaUnserializeExploits

JexBoss

Jenkins (2)

ysoserial

Jenkins (s)
  • Jenkins CLI LDAP
  • Default port - high number/tcp
  • <= 2.32
  • <= 2.19.3 (LTS)
  • CVE-2016-9299

CloudBees Jenkins

Sploit

Restlet
  • <= 2.1.2
  • When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

RESTEasy
  • When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
  • Details and examples

no spec tool

OpenNMS
  • RMI

ysoserial

Progress OpenEdge RDBMS
  • all versions
  • RMI

ysoserial

Commvault Edge Server

no spec tool

Symantec Endpoint Protection Manager

serialator

Oracle MySQL Enterprise Monitor

no spec tool

serialator

PowerFolder Business Enterprise Suite

powerfolder-exploit-poc

Solarwinds Virtualization Manager

ysoserial

Cisco Prime Infrastructure
  • https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
  • <= 2.2.3 Update 4
  • <= 3.0.2
  • CVE-2016-1291

CoalfireLabs/java_deserialization_exploits

Cisco ACS

ysoserial

Apache XML-RPC
  • all versions, no fix (the project is not supported)
  • POST XML request with ex:serializable element
  • Details and examples

no spec tool

Apache Archiva

no spec tool

SAP NetWeaver
  • https://[target]/developmentserver/metadatauploader
  • CVE-2017-9844

PoC

Sun Java Web Console

no spec tool

Apache MyFaces Trinidad
  • 1.0.0 <= version < 1.0.13
  • 1.2.1 <= version < 1.2.14
  • 2.0.0 <= version < 2.0.1
  • 2.1.0 <= version < 2.1.1
  • it does not check the MAC
  • CVE-2016-5019

no spec tool

Apache Tomcat JMX

JexBoss

OpenText Documentum D2

exploit

Liferay
  • /api/spring
  • /api/liferay
  • <= 7.0-ga3
  • if the IP check works incorrectly
  • Details

no spec tool

ScrumWorks Pro

PoC

ManageEngine Applications Manager

ysoserial

Apache Shiro

Apache ActiveMQ - Client lib

JMET

Redhat/Apache HornetQ - Client lib

JMET

Oracle OpenMQ - Client lib

JMET

IBM WebSphereMQ - Client lib

JMET

Oracle Weblogic - Client lib

JMET

Pivotal RabbitMQ - Client lib

JMET

IBM MessageSight - Client lib

JMET

IIT Software SwiftMQ - Client lib

JMET

Apache ActiveMQ Artemis - Client lib

JMET

Apache QPID JMS - Client lib

JMET

Apache QPID - Client lib

JMET

Amazon SQS Java Messaging - Client lib

JMET

Axis/Axis2 SOAPMonitor

java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001

ysoserial

Apache Synapse

ysoserial

Apache Jmeter
  • <= 3.0.1
  • RMI
  • When using Distributed Test only
  • Exploit

ysoserial

Jolokia
  • <= 1.4.0
  • JNDI injection
  • /jolokia/
  • Exploit

RichFaces

Apache James

ysoserial

Detect

Code review
Traffic
  • Magic bytes 'ac ed 00 05' at the start of the stream
  • 'rO0' prefix when the stream is Base64-encoded
  • 'application/x-java-serialized-object' in the Content-Type header
Network
  • Nmap >= 7.10 has more Java-related probes
  • use nmap --version-all to find JMX/RMI on non-standard ports
Burp plugins
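The three traffic indicators above are cheap to grep for, but the 'rO0' prefix on its own is only a hint: any Base64 text whose first decoded bytes are 0xACED followed by a byte in 0x00-0x3f starts with 'rO0', so a detector should decode and confirm the full 'ac ed 00 05' header. The following Python script is an added example (not part of the cheat sheet) that checks all three indicators over constructed sample requests, confirms Base64 hits by decoding them, and names the first type code of the stream (TC_OBJECT, TC_ARRAY, ...) so an analyst can see what kind of object is being sent. The sample requests, the `javax.faces.ViewState` form body and the truncated `java.lang.Long` stream are all made up here for illustration.

```python
"""Detect Java native serialization streams in HTTP traffic (added example)."""
import base64
import binascii
import re

# ObjectOutputStream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
STREAM_HEADER = b"\xac\xed\x00\x05"
# Base64 of 0xACED 0x0?.. starts with "rO0", so "rO0" is only a hint; candidates are
# decoded below and confirmed against the full 4-byte header.
B64_TOKEN = re.compile(r"rO0[A-Za-z0-9+/=_-]{3,}")
CONTENT_TYPE = "application/x-java-serialized-object"

# Type codes from the Java Object Serialization Stream Protocol (first element after the header).
TYPE_CODES = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC", 0x73: "TC_OBJECT",
    0x74: "TC_STRING", 0x75: "TC_ARRAY", 0x76: "TC_CLASS", 0x77: "TC_BLOCKDATA",
    0x7C: "TC_LONGSTRING", 0x7D: "TC_PROXYCLASSDESC", 0x7E: "TC_ENUM",
}


def decode_b64_prefix(token: str) -> bytes:
    """Best-effort decode of a standard or URL-safe Base64 token, even if it was truncated."""
    t = token.replace("-", "+").replace("_", "/").rstrip("=")
    if len(t) % 4 == 1:  # a single dangling character can never be decoded
        t = t[:-1]
    try:
        return base64.b64decode(t + "=" * (-len(t) % 4))
    except (binascii.Error, ValueError):
        return b""


def first_type_code(stream: bytes) -> str:
    """Name the first element type code of a serialization stream, if one is present."""
    if len(stream) < 5:
        return "unknown"
    return TYPE_CODES.get(stream[4], "unknown(0x%02x)" % stream[4])


def inspect_request(headers: dict, body: bytes) -> dict:
    """Return the serialization indicators found in one HTTP request."""
    ct = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    hits = {
        "content_type": CONTENT_TYPE in ct.lower(),
        "raw_streams": [],  # (offset, first type code) for raw stream headers in the body
        "b64_streams": [],  # (offset, first type code) for Base64 tokens that decode to a header
    }
    pos = body.find(STREAM_HEADER)
    while pos != -1:
        hits["raw_streams"].append((pos, first_type_code(body[pos:])))
        pos = body.find(STREAM_HEADER, pos + 1)
    # latin-1 maps bytes 1:1 to code points, so regex offsets equal byte offsets.
    for m in B64_TOKEN.finditer(body.decode("latin-1")):
        decoded = decode_b64_prefix(m.group(0))
        if decoded.startswith(STREAM_HEADER):
            hits["b64_streams"].append((m.start(), first_type_code(decoded)))
    hits["suspicious"] = bool(hits["content_type"] or hits["raw_streams"] or hits["b64_streams"])
    return hits


# --- constructed samples, not real captures ---
# Header, TC_OBJECT, TC_CLASSDESC, then a UTF class name; the stream is deliberately truncated.
SAMPLE_STREAM = STREAM_HEADER + b"\x73\x72\x00\x0ejava.lang.Long"
RAW_REQUEST = ({"Content-Type": "application/x-java-serialized-object"}, SAMPLE_STREAM)
VIEWSTATE_REQUEST = (
    {"Content-Type": "application/x-www-form-urlencoded"},
    b"javax.faces.ViewState=" + base64.b64encode(SAMPLE_STREAM) + b"&submit=1",
)
# Starts with "rO0" but decodes to ac ed 1b 7a, so it is correctly left alone.
BENIGN_REQUEST = ({"Content-Type": "application/json"}, b'{"user":"rO0ber"}')

if __name__ == "__main__":
    for name, (hdrs, body) in [("raw", RAW_REQUEST), ("viewstate", VIEWSTATE_REQUEST),
                               ("benign", BENIGN_REQUEST)]:
        print(name, inspect_request(hdrs, body))
```

Run it as a script to see the three verdicts; in practice `inspect_request` would be fed from a proxy log, a PCAP extractor or a WAF hook, and the `raw_streams`/`b64_streams` offsets tell you which parameter or cookie carried the object.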

Vulnerable apps (without public sploits/need more info)

Spring Service Invokers (HTTP, JMS, RMI...)
SAP P4
Apache SOLR
  • SOLR-8262
  • 5.1 <= version <=5.4
  • /stream handler uses Java serialization for RPC
Apache ActiveMQ (2)
Atlassian Bamboo (1)
Atlassian Bamboo (2)
  • CVE-2015-8360
  • 2.3.1 <= version < 5.9.9
  • Bamboo JMS port (port 54663 by default)
Atlassian Jira
  • only Jira with a Data Center license
  • RMI (port 40001 by default)
  • JRA-46203
Akka
Spring AMQP
Apache Tika
  • CVE-2016-6809
  • 1.6 <= version < 1.14
  • Apache Tika’s MATLAB Parser
Apache HBase
Apache Camel
Apache Log4j
Gradle (gui)
  • custom(?) protocol(60024/tcp)
  • article
Oracle Hyperion
Oracle Application Testing Suite
Red Hat JBoss BPM Suite
VMWare vRealize Operations
VMWare vCenter/vRealize (various)
Cisco (various)
Lexmark Markvision Enterprise
McAfee ePolicy Orchestrator
HP iMC
HP Operations Orchestration
HP Asset Manager
HP Service Manager
HP Operations Manager
HP Release Control
HP Continuous Delivery Automation
HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
HP Network Automation
Adobe Experience Manager
Unify OpenScape (various)
Apache OFBiz
Apache Tomcat
Apache TomEE
IBM Cognos BI
Novell NetIQ Sentinel
ForgeRock OpenAM
  • 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
  • 201505-01
F5 (various)
Hitachi (various)
NetApp (various)
Zimbra Collaboration
Adobe ColdFusion (1)
Adobe ColdFusion (2)
Code42 CrashPlan
Apache OpenJPA
Apache Batchee
Apache JCS
Apache OpenWebBeans

Protection

For Android

Main talks & presentations & docs

Tools

XMLEncoder (XML)

How it works:

Detect

Code review
  • java.beans.XMLDecoder
  • readObject
Burp plugins

Exploits

Oracle Weblogic

Exploit

Oracle RDBMS

XStream (XML/JSON/various)

How it works:

Payload generators

Exploits

Apache Struts (S2-052)

Exploit

Detect

Code review
  • com.thoughtworks.xstream.XStream
  • xs.fromXML(data)
Burp plugins

Vulnerable apps (without public sploits/need more info):

Atlassian Bamboo
Jenkins

Kryo (binary)

How it works:

Payload generators

Detect

Code review
  • com.esotericsoftware.kryo.io.Input
  • SomeClass object = (SomeClass)kryo.readClassAndObject(input);
  • SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
  • SomeClass someObject = kryo.readObject(input, SomeClass.class);
Burp plugins

Hessian/Burlap (binary/XML)

How it works:

Payload generators

Detect

Code review
  • com.caucho.hessian.io
  • AbstractHessianInput
  • com.caucho.burlap.io.BurlapInput;
  • com.caucho.burlap.io.BurlapOutput;
  • BurlapInput in = new BurlapInput(is);
  • Person2 p1 = (Person2) in.readObject();
Burp plugins

Castor (XML)

How it works:

Payload generators

Detect

Code review
  • org.codehaus.castor
  • org.exolab.castor.xml.Unmarshaller
  • org.springframework.oxm.Unmarshaller
  • Unmarshaller.unmarshal(Person.class, reader)
  • unmarshaller = context.createUnmarshaller();
  • unmarshaller.unmarshal(new StringReader(data));
Burp plugins

Vulnerable apps (without public sploits/need more info):

OpenNMS

json-io (JSON)

How it works:

Exploitation examples:

Payload generators

Detect

Code review
  • com.cedarsoftware.util.io.JsonReader
  • JsonReader.jsonToJava
Burp plugins

Jackson (JSON)

vulnerable in specific configuration

How it works:

Payload generators

Detect

Code review
  • com.fasterxml.jackson.databind.ObjectMapper
  • ObjectMapper mapper = new ObjectMapper();
  • objectMapper.enableDefaultTyping();
  • @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
  • public Object message;
  • mapper.readValue(data, Object.class);
Burp plugins

Vulnerable apps (without public sploits/need more info):

Apache Camel

Fastjson (JSON)

How it works (in Chinese):

Detect

Code review
  • com.alibaba.fastjson.JSON
  • JSON.parseObject
Burp plugins

Payload generators

Genson (JSON)

How it works:

Detect

Code review
  • com.owlike.genson.Genson
  • useRuntimeType
  • genson.deserialize
Burp plugins

Red5 IO AMF (AMF)

How it works:

Payload generators

Detect

Code review
  • org.red5.io
  • Deserializer.deserialize(i, Object.class);
Burp plugins

Vulnerable apps (without public sploits/need more info):

Apache OpenMeetings

Apache Flex BlazeDS (AMF)

How it works:

Payload generators

Detect

Code review
Burp plugins

Vulnerable apps (without public sploits/need more info):

Adobe ColdFusion
Apache BlazeDS
VMWare VCenter

Flamingo AMF (AMF)

How it works:

Detect

Burp plugins

GraniteDS (AMF)

How it works:

Detect

Burp plugins

WebORB for Java (AMF)

How it works:

Detect

Burp plugins

SnakeYAML (YAML)

How it works:

Payload generators

Detect

Code review
  • org.yaml.snakeyaml.Yaml
  • yaml.load
Burp plugins

Vulnerable apps (without public sploits/need more info):

Resteasy
Apache Camel
Apache Brooklyn

jYAML (YAML)

How it works:

Payload generators

Detect

Code review
  • org.ho.yaml.Yaml
  • Yaml.loadType(data, Object.class);
Burp plugins

YamlBeans (YAML)

How it works:

Payload generators

Detect

Code review
  • com.esotericsoftware.yamlbeans
  • YamlReader r = new YamlReader(data, yc);
Burp plugins
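The per-library "Code review" lists above are the grep patterns a reviewer looks for; the following Python script is an added example (not part of the cheat sheet) that collects them into one scanner, distinguishing an import or type indicator from a call-site ("sink") indicator and reporting which libraries show both in the same source, which is the combination worth reading first. The `java.io.ObjectInputStream` / `readObject()` pair for the native format is added here as the standard JDK API since the cheat sheet's native code-review entry is a link rather than a pattern; the Java snippet scanned at the bottom is constructed for this example.

```python
"""Scan Java source for the deserialization code-review indicators (added example)."""
import re

# (kind, pattern): "import" marks a package/type reference, "sink" marks a deserializing call.
INDICATORS = {
    "Java native": [("import", r"java\.io\.ObjectInputStream"), ("sink", r"\.readObject\(\)")],
    "XMLDecoder": [("import", r"java\.beans\.XMLDecoder"), ("sink", r"XMLDecoder\(")],
    "XStream": [("import", r"com\.thoughtworks\.xstream\.XStream"), ("sink", r"\.fromXML\(")],
    "Kryo": [("import", r"com\.esotericsoftware\.kryo"),
             ("sink", r"\.readClassAndObject\("), ("sink", r"\.readObjectOrNull\("),
             ("sink", r"\.readObject\([^)]*,\s*\w+\.class")],
    "Hessian/Burlap": [("import", r"com\.caucho\.(hessian|burlap)\.io"),
                       ("sink", r"(Hessian|Burlap)Input\(")],
    "Castor": [("import", r"org\.(exolab|codehaus)\.castor"), ("sink", r"\.unmarshal\(")],
    "json-io": [("import", r"com\.cedarsoftware\.util\.io\.JsonReader"), ("sink", r"\.jsonToJava\(")],
    "Jackson": [("import", r"com\.fasterxml\.jackson\.databind\.ObjectMapper"),
                ("sink", r"\.enableDefaultTyping\("),
                ("sink", r"@JsonTypeInfo\(\s*use\s*=\s*JsonTypeInfo\.Id\.CLASS"),
                ("sink", r"\.readValue\([^)]*Object\.class")],
    "Fastjson": [("import", r"com\.alibaba\.fastjson\.JSON"), ("sink", r"JSON\.parseObject\(")],
    "Genson": [("import", r"com\.owlike\.genson\.Genson"), ("sink", r"useRuntimeType")],
    "Red5 IO AMF": [("import", r"org\.red5\.io"), ("sink", r"Deserializer\.deserialize\(")],
    "SnakeYAML": [("import", r"org\.yaml\.snakeyaml\.Yaml"), ("sink", r"\b[Yy]aml\.load\(")],
    "jYAML": [("import", r"org\.ho\.yaml\.Yaml"), ("sink", r"Yaml\.loadType\(")],
    "YamlBeans": [("import", r"com\.esotericsoftware\.yamlbeans"), ("sink", r"YamlReader\(")],
}
COMPILED = {lib: [(kind, re.compile(p)) for kind, p in pats] for lib, pats in INDICATORS.items()}


def scan_source(text: str):
    """Return (line number, library, kind, matched text) for every indicator hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for lib, patterns in COMPILED.items():
            for kind, pat in patterns:
                m = pat.search(line)
                if m:
                    findings.append((lineno, lib, kind, m.group(0)))
    return findings


def libraries_with_sink(findings):
    """Libraries for which both an import/type indicator and a call-site indicator were seen."""
    seen = {}
    for _, lib, kind, _ in findings:
        seen.setdefault(lib, set()).add(kind)
    return sorted(lib for lib, kinds in seen.items() if {"import", "sink"} <= kinds)


# Constructed Java fragment for the demo; the last line is a look-alike that must not be flagged.
SAMPLE_JAVA = """\
import java.io.ObjectInputStream;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.yaml.snakeyaml.Yaml;

ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
Object cmd = ois.readObject();
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
Object msg = mapper.readValue(data, Object.class);
Yaml yaml = new Yaml();
Object cfg = yaml.load(input);
String s = config.load();
"""

if __name__ == "__main__":
    hits = scan_source(SAMPLE_JAVA)
    for lineno, lib, kind, text in hits:
        print(f"line {lineno:3}: {lib:12} {kind:6} {text}")
    print("import + sink seen for:", libraries_with_sink(hits))
```

Point `scan_source` at each file of a code base (or at a `git grep` result) and triage the libraries returned by `libraries_with_sink` first; an import without a sink, or a generic `load()` on an unrelated object, is not flagged.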

"Safe" deserialization

Some serialization libs are safe (or almost safe), see https://github.com/mbechler/marshalsec

However, this is not a recommendation, just a list of other libs that have been researched by someone:

  • JAXB
  • XmlBeans
  • Jibx
  • Protobuf
  • GSON
  • GWT-RPC