Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities

Please, use #javadeser hash tag for tweets.

Table of content

• Overview
• Main talks & presentaions
• Payload generators
• Exploits
• Detect
• Vulnerable apps (without public sploits/need more info)
• Protection
• For Android
• Other serialization types

Overview

• From Foxgloves Security

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

• Video
• Slides
• Other stuff

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

• Video

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

• Slides
• White Paper

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

• Slides

Deserialization for other languages

by @pwntester

• PoC for Scala, Grovy

Payload generators

yososerial

https://github.com/frohoff/ysoserial

Lastest release of ysoserial

RCE via:

• Apache Commons Collections <= 3.1
• Apache Commons Collections <= 4.0
• Groovy <= 2.3.9
• Spring Core <= 4.1.4 (?)
• JDK <=7u21
• Apache Commons BeanUtils 1.9.2 + Commons Collections <=3.1 + Commons Logging 1.2 (?)

Additional tools:

• JavaSerialKiller - access to ysoserial in Burp extension

How it works:

• https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
• http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

• Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

JNDI RCE

https://github.com/zerothoughts/jndipoc

How it works:

• JNDI remote code injection

RCE via JNDI:

• When we control an adrress for lookup of JNDI (context.lookup(address))

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

• Java Deserialization DoS - payloads

Won't fix DoS via default Java classes

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI

• Protocol
• Default - 1099/tcp for rmiregistry

yososerial (works only against a RMI registry service)

JMX

• Protocol based on RMI

yososerial

T3 of Oracle Weblogic

• Protocol
• Default - 7001/tcp on localhost interface
• CVE-2015-4852

JavaUnserializeExploits (doesn't work for all Weblogic versions)

Websphere

• wsadmin
• Default port - 8880/tcp
• CVE-2015-7450

JavaUnserializeExploits

serialator

JBoss

• http://jboss_server/invoker/JMXInvokerServlet
• Default port - 8080/tcp
• CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

Jenkins

• Jenkins CLI
• Default port - High number/tcp
• CVE-2015-8103

JavaUnserializeExploits

Restlet

• <= 2.1.2
• When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

OpenNMS

• RMI

yososerial

Progress OpenEdge RDBMS

• RMI

yososerial

Commvault Edge Server

• CVE-2015-7253
• Serialized object in cookie

no spec tool

Symantec Endpoint Protection Manager

• /servlet/ConsoleServlet?ActionType=SendStatPing
• CVE-2015-6555

serialator

Detect

Code review

• ObjectInputStream.readObject
• ObjectInputStream.readUnshared
• Tool: Find Security Bugs

Traffic

• Magic bytes 'ac ed 00 05' bytes
• 'rO0' for Base64

Burp plugins

• Java Deserialization Scanner
• SuperSerial
• SuperSerial-Active

Vulnerable apps (without public sploits/need more info)

JSF ViewState

JMS (Java Messaging System)

Spring Service Invokerts (HTTP, JMS, RMI...)

Apache SOLR

• SOLR-8262
• 5.1 <= version <=5.4
• /stream handler uses Java serialization for RPC

Apache Shiro

• SHIRO-550
• encrypted cookie (with the hardcoded key)

ActiveMQ

• CVE-2015-5254
• <= 5.12.1
• Explanation of the vuln

Atlassian Bamboo 1

• CVE-2015-6576
• 2.2 <= version < 5.8.5
• 5.9.0 <= version < 5.9.7

Atlassian Bamboo 2

• CVE-2015-8360
• 2.3.1 <= version < 5.9.9
• Bamboo JMS port (port 54663 by default)

Jenkins 2

• CVE-2016-0788

Apache HBase

• HBASE-14799

Apache Camel

• CVE-2015-5348

Red Hat JBoss BPM Suite

• RHSA-2016-0539
• CVE-2016-2510

VMWare vCenter/vRealize (various)

• CVE-2015-6934

Cisco (various)

• List of vulnerable products
• CVE-2015-6420

Lexmark Markvision Enterprise

• CVE-2016-1487

McAfee ePolicy Orchestrator

• CVE-2015-8765

HP Operations Orchestration

• CVE-2016-1997

HP Asset Manager

• CVE-2016-2000

HP Service Manager

• CVE-2016-1998

HP Operations Manager

• CVE-2016-1985

HP Release Control

• CVE-2016-1999

HP Continuous Delivery Automation

• CVE-2016-1986

Adobe Experience Manager

• CVE-2016-0958

Unify OpenScape (various)

• CVE-2015-8237
• RMI (30xx/tcp)
• CVE-2015-8238
• js-soc protocol (4711/tcp)

Apache TomEE

• CVE-2015-8581
• CVE-2016-0779

IBM Congnos BI

• CVE-2012-4858

ForgeRock OpenAM

• 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
• 201505-01

F5 (various)

• sol30518307

Hitachi (various)

• HS16-010
• 0328_acc

Apache OFBiz

• CVE-2016-2170

NetApp (various)

• CVE-2015-8545

Apache Tomcat

Apache Batchee

Apache JCS

Apache OpenJPA

Apache OpenWebBeans

Protection

• Look-ahead Java deserialization
• NotSoSerial
• SerialKiller
• ValidatingObjectInputStream
• Some protection bypasses

For Android

• One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android
• Android Serialization Vulnerabilities Revisited

Other serialization types

XMLEncoder

• http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html

XStream

• http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
• http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream

Kryo

• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo