
List:       oss-security
Subject:    [oss-security] Java Deserialization continued, Analysis Tooling and (potentially) bypassing Applicat
From:       Moritz Bechler <mbechler () eenterphace ! org>
Date:       2016-02-29 19:30:52
Message-ID: 56D49C6C.9090201 () eenterphace ! org



Hi,

sharing some results from my research on deserialization
(vulnerabilities, or rather gadgets):

- a static bytecode analyzer that traces invocations reachable
from deserialization that helps (high FP rate, obviously) with finding
gadget chains even when more complex interactions are involved:
<https://github.com/mbechler/serianalyzer>

- through it discovered a few more RCE gadgets most notably ones in
Hibernate

- and MyFaces (actually that's RCE via EL injection via deserialization)
that one is only usable in a JSF context - but MyFaces also performs
unsafe deserialization when org.apache.myfaces.USE_ENCRYPTION=false (yes,
also with server side state saving, and while being totally unnecessary
they are unwilling to fix this:
<https://issues.apache.org/jira/browse/MYFACES-4021>).

- and a method for bypassing application level filtering. Basically you
can open up JRMP (RMI) listeners and connections via various gadgets
(in the standard library) which then again use a standard
ObjectInputStream and can be used to exploit otherwise filtered gadgets.
Jenkins just fixed this specific vector (CVE-2016-0788) but this
potentially affects anybody that is using application level filters
(i.e. filtering ObjectInputStreams) and either is using blacklisting or
a too broad whitelist.

These are all now available in my ysoserial branch
<https://github.com/mbechler/ysoserial>


regards

Moritz



